Merge tag 'pstore-v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees...
[platform/kernel/linux-rpi.git] / drivers / hid / uhid.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * User-space I/O driver support for HID subsystem
4  * Copyright (c) 2012 David Herrmann
5  */
6
7 /*
8  */
9
10 #include <linux/atomic.h>
11 #include <linux/compat.h>
12 #include <linux/cred.h>
13 #include <linux/device.h>
14 #include <linux/fs.h>
15 #include <linux/hid.h>
16 #include <linux/input.h>
17 #include <linux/miscdevice.h>
18 #include <linux/module.h>
19 #include <linux/mutex.h>
20 #include <linux/poll.h>
21 #include <linux/sched.h>
22 #include <linux/spinlock.h>
23 #include <linux/uhid.h>
24 #include <linux/wait.h>
25
26 #define UHID_NAME       "uhid"
27 #define UHID_BUFSIZE    32
28
29 struct uhid_device {
30         struct mutex devlock;
31         bool running;
32
33         __u8 *rd_data;
34         uint rd_size;
35
36         struct hid_device *hid;
37         struct uhid_event input_buf;
38
39         wait_queue_head_t waitq;
40         spinlock_t qlock;
41         __u8 head;
42         __u8 tail;
43         struct uhid_event *outq[UHID_BUFSIZE];
44
45         /* blocking GET_REPORT support; state changes protected by qlock */
46         struct mutex report_lock;
47         wait_queue_head_t report_wait;
48         bool report_running;
49         u32 report_id;
50         u32 report_type;
51         struct uhid_event report_buf;
52         struct work_struct worker;
53 };
54
55 static struct miscdevice uhid_misc;
56
57 static void uhid_device_add_worker(struct work_struct *work)
58 {
59         struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
60         int ret;
61
62         ret = hid_add_device(uhid->hid);
63         if (ret) {
64                 hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
65
66                 hid_destroy_device(uhid->hid);
67                 uhid->hid = NULL;
68                 uhid->running = false;
69         }
70 }
71
72 static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
73 {
74         __u8 newhead;
75
76         newhead = (uhid->head + 1) % UHID_BUFSIZE;
77
78         if (newhead != uhid->tail) {
79                 uhid->outq[uhid->head] = ev;
80                 uhid->head = newhead;
81                 wake_up_interruptible(&uhid->waitq);
82         } else {
83                 hid_warn(uhid->hid, "Output queue is full\n");
84                 kfree(ev);
85         }
86 }
87
88 static int uhid_queue_event(struct uhid_device *uhid, __u32 event)
89 {
90         unsigned long flags;
91         struct uhid_event *ev;
92
93         ev = kzalloc(sizeof(*ev), GFP_KERNEL);
94         if (!ev)
95                 return -ENOMEM;
96
97         ev->type = event;
98
99         spin_lock_irqsave(&uhid->qlock, flags);
100         uhid_queue(uhid, ev);
101         spin_unlock_irqrestore(&uhid->qlock, flags);
102
103         return 0;
104 }
105
106 static int uhid_hid_start(struct hid_device *hid)
107 {
108         struct uhid_device *uhid = hid->driver_data;
109         struct uhid_event *ev;
110         unsigned long flags;
111
112         ev = kzalloc(sizeof(*ev), GFP_KERNEL);
113         if (!ev)
114                 return -ENOMEM;
115
116         ev->type = UHID_START;
117
118         if (hid->report_enum[HID_FEATURE_REPORT].numbered)
119                 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_FEATURE_REPORTS;
120         if (hid->report_enum[HID_OUTPUT_REPORT].numbered)
121                 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_OUTPUT_REPORTS;
122         if (hid->report_enum[HID_INPUT_REPORT].numbered)
123                 ev->u.start.dev_flags |= UHID_DEV_NUMBERED_INPUT_REPORTS;
124
125         spin_lock_irqsave(&uhid->qlock, flags);
126         uhid_queue(uhid, ev);
127         spin_unlock_irqrestore(&uhid->qlock, flags);
128
129         return 0;
130 }
131
132 static void uhid_hid_stop(struct hid_device *hid)
133 {
134         struct uhid_device *uhid = hid->driver_data;
135
136         hid->claimed = 0;
137         uhid_queue_event(uhid, UHID_STOP);
138 }
139
140 static int uhid_hid_open(struct hid_device *hid)
141 {
142         struct uhid_device *uhid = hid->driver_data;
143
144         return uhid_queue_event(uhid, UHID_OPEN);
145 }
146
147 static void uhid_hid_close(struct hid_device *hid)
148 {
149         struct uhid_device *uhid = hid->driver_data;
150
151         uhid_queue_event(uhid, UHID_CLOSE);
152 }
153
154 static int uhid_hid_parse(struct hid_device *hid)
155 {
156         struct uhid_device *uhid = hid->driver_data;
157
158         return hid_parse_report(hid, uhid->rd_data, uhid->rd_size);
159 }
160
161 /* must be called with report_lock held */
162 static int __uhid_report_queue_and_wait(struct uhid_device *uhid,
163                                         struct uhid_event *ev,
164                                         __u32 *report_id)
165 {
166         unsigned long flags;
167         int ret;
168
169         spin_lock_irqsave(&uhid->qlock, flags);
170         *report_id = ++uhid->report_id;
171         uhid->report_type = ev->type + 1;
172         uhid->report_running = true;
173         uhid_queue(uhid, ev);
174         spin_unlock_irqrestore(&uhid->qlock, flags);
175
176         ret = wait_event_interruptible_timeout(uhid->report_wait,
177                                 !uhid->report_running || !uhid->running,
178                                 5 * HZ);
179         if (!ret || !uhid->running || uhid->report_running)
180                 ret = -EIO;
181         else if (ret < 0)
182                 ret = -ERESTARTSYS;
183         else
184                 ret = 0;
185
186         uhid->report_running = false;
187
188         return ret;
189 }
190
191 static void uhid_report_wake_up(struct uhid_device *uhid, u32 id,
192                                 const struct uhid_event *ev)
193 {
194         unsigned long flags;
195
196         spin_lock_irqsave(&uhid->qlock, flags);
197
198         /* id for old report; drop it silently */
199         if (uhid->report_type != ev->type || uhid->report_id != id)
200                 goto unlock;
201         if (!uhid->report_running)
202                 goto unlock;
203
204         memcpy(&uhid->report_buf, ev, sizeof(*ev));
205         uhid->report_running = false;
206         wake_up_interruptible(&uhid->report_wait);
207
208 unlock:
209         spin_unlock_irqrestore(&uhid->qlock, flags);
210 }
211
212 static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
213                                u8 *buf, size_t count, u8 rtype)
214 {
215         struct uhid_device *uhid = hid->driver_data;
216         struct uhid_get_report_reply_req *req;
217         struct uhid_event *ev;
218         int ret;
219
220         if (!uhid->running)
221                 return -EIO;
222
223         ev = kzalloc(sizeof(*ev), GFP_KERNEL);
224         if (!ev)
225                 return -ENOMEM;
226
227         ev->type = UHID_GET_REPORT;
228         ev->u.get_report.rnum = rnum;
229         ev->u.get_report.rtype = rtype;
230
231         ret = mutex_lock_interruptible(&uhid->report_lock);
232         if (ret) {
233                 kfree(ev);
234                 return ret;
235         }
236
237         /* this _always_ takes ownership of @ev */
238         ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.get_report.id);
239         if (ret)
240                 goto unlock;
241
242         req = &uhid->report_buf.u.get_report_reply;
243         if (req->err) {
244                 ret = -EIO;
245         } else {
246                 ret = min3(count, (size_t)req->size, (size_t)UHID_DATA_MAX);
247                 memcpy(buf, req->data, ret);
248         }
249
250 unlock:
251         mutex_unlock(&uhid->report_lock);
252         return ret;
253 }
254
255 static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum,
256                                const u8 *buf, size_t count, u8 rtype)
257 {
258         struct uhid_device *uhid = hid->driver_data;
259         struct uhid_event *ev;
260         int ret;
261
262         if (!uhid->running || count > UHID_DATA_MAX)
263                 return -EIO;
264
265         ev = kzalloc(sizeof(*ev), GFP_KERNEL);
266         if (!ev)
267                 return -ENOMEM;
268
269         ev->type = UHID_SET_REPORT;
270         ev->u.set_report.rnum = rnum;
271         ev->u.set_report.rtype = rtype;
272         ev->u.set_report.size = count;
273         memcpy(ev->u.set_report.data, buf, count);
274
275         ret = mutex_lock_interruptible(&uhid->report_lock);
276         if (ret) {
277                 kfree(ev);
278                 return ret;
279         }
280
281         /* this _always_ takes ownership of @ev */
282         ret = __uhid_report_queue_and_wait(uhid, ev, &ev->u.set_report.id);
283         if (ret)
284                 goto unlock;
285
286         if (uhid->report_buf.u.set_report_reply.err)
287                 ret = -EIO;
288         else
289                 ret = count;
290
291 unlock:
292         mutex_unlock(&uhid->report_lock);
293         return ret;
294 }
295
296 static int uhid_hid_raw_request(struct hid_device *hid, unsigned char reportnum,
297                                 __u8 *buf, size_t len, unsigned char rtype,
298                                 int reqtype)
299 {
300         u8 u_rtype;
301
302         switch (rtype) {
303         case HID_FEATURE_REPORT:
304                 u_rtype = UHID_FEATURE_REPORT;
305                 break;
306         case HID_OUTPUT_REPORT:
307                 u_rtype = UHID_OUTPUT_REPORT;
308                 break;
309         case HID_INPUT_REPORT:
310                 u_rtype = UHID_INPUT_REPORT;
311                 break;
312         default:
313                 return -EINVAL;
314         }
315
316         switch (reqtype) {
317         case HID_REQ_GET_REPORT:
318                 return uhid_hid_get_report(hid, reportnum, buf, len, u_rtype);
319         case HID_REQ_SET_REPORT:
320                 return uhid_hid_set_report(hid, reportnum, buf, len, u_rtype);
321         default:
322                 return -EIO;
323         }
324 }
325
326 static int uhid_hid_output_raw(struct hid_device *hid, __u8 *buf, size_t count,
327                                unsigned char report_type)
328 {
329         struct uhid_device *uhid = hid->driver_data;
330         __u8 rtype;
331         unsigned long flags;
332         struct uhid_event *ev;
333
334         switch (report_type) {
335         case HID_FEATURE_REPORT:
336                 rtype = UHID_FEATURE_REPORT;
337                 break;
338         case HID_OUTPUT_REPORT:
339                 rtype = UHID_OUTPUT_REPORT;
340                 break;
341         default:
342                 return -EINVAL;
343         }
344
345         if (count < 1 || count > UHID_DATA_MAX)
346                 return -EINVAL;
347
348         ev = kzalloc(sizeof(*ev), GFP_KERNEL);
349         if (!ev)
350                 return -ENOMEM;
351
352         ev->type = UHID_OUTPUT;
353         ev->u.output.size = count;
354         ev->u.output.rtype = rtype;
355         memcpy(ev->u.output.data, buf, count);
356
357         spin_lock_irqsave(&uhid->qlock, flags);
358         uhid_queue(uhid, ev);
359         spin_unlock_irqrestore(&uhid->qlock, flags);
360
361         return count;
362 }
363
364 static int uhid_hid_output_report(struct hid_device *hid, __u8 *buf,
365                                   size_t count)
366 {
367         return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
368 }
369
370 struct hid_ll_driver uhid_hid_driver = {
371         .start = uhid_hid_start,
372         .stop = uhid_hid_stop,
373         .open = uhid_hid_open,
374         .close = uhid_hid_close,
375         .parse = uhid_hid_parse,
376         .raw_request = uhid_hid_raw_request,
377         .output_report = uhid_hid_output_report,
378 };
379 EXPORT_SYMBOL_GPL(uhid_hid_driver);
380
381 #ifdef CONFIG_COMPAT
382
383 /* Apparently we haven't stepped on these rakes enough times yet. */
384 struct uhid_create_req_compat {
385         __u8 name[128];
386         __u8 phys[64];
387         __u8 uniq[64];
388
389         compat_uptr_t rd_data;
390         __u16 rd_size;
391
392         __u16 bus;
393         __u32 vendor;
394         __u32 product;
395         __u32 version;
396         __u32 country;
397 } __attribute__((__packed__));
398
399 static int uhid_event_from_user(const char __user *buffer, size_t len,
400                                 struct uhid_event *event)
401 {
402         if (in_compat_syscall()) {
403                 u32 type;
404
405                 if (get_user(type, buffer))
406                         return -EFAULT;
407
408                 if (type == UHID_CREATE) {
409                         /*
410                          * This is our messed up request with compat pointer.
411                          * It is largish (more than 256 bytes) so we better
412                          * allocate it from the heap.
413                          */
414                         struct uhid_create_req_compat *compat;
415
416                         compat = kzalloc(sizeof(*compat), GFP_KERNEL);
417                         if (!compat)
418                                 return -ENOMEM;
419
420                         buffer += sizeof(type);
421                         len -= sizeof(type);
422                         if (copy_from_user(compat, buffer,
423                                            min(len, sizeof(*compat)))) {
424                                 kfree(compat);
425                                 return -EFAULT;
426                         }
427
428                         /* Shuffle the data over to proper structure */
429                         event->type = type;
430
431                         memcpy(event->u.create.name, compat->name,
432                                 sizeof(compat->name));
433                         memcpy(event->u.create.phys, compat->phys,
434                                 sizeof(compat->phys));
435                         memcpy(event->u.create.uniq, compat->uniq,
436                                 sizeof(compat->uniq));
437
438                         event->u.create.rd_data = compat_ptr(compat->rd_data);
439                         event->u.create.rd_size = compat->rd_size;
440
441                         event->u.create.bus = compat->bus;
442                         event->u.create.vendor = compat->vendor;
443                         event->u.create.product = compat->product;
444                         event->u.create.version = compat->version;
445                         event->u.create.country = compat->country;
446
447                         kfree(compat);
448                         return 0;
449                 }
450                 /* All others can be copied directly */
451         }
452
453         if (copy_from_user(event, buffer, min(len, sizeof(*event))))
454                 return -EFAULT;
455
456         return 0;
457 }
458 #else
459 static int uhid_event_from_user(const char __user *buffer, size_t len,
460                                 struct uhid_event *event)
461 {
462         if (copy_from_user(event, buffer, min(len, sizeof(*event))))
463                 return -EFAULT;
464
465         return 0;
466 }
467 #endif
468
469 static int uhid_dev_create2(struct uhid_device *uhid,
470                             const struct uhid_event *ev)
471 {
472         struct hid_device *hid;
473         size_t rd_size, len;
474         void *rd_data;
475         int ret;
476
477         if (uhid->running)
478                 return -EALREADY;
479
480         rd_size = ev->u.create2.rd_size;
481         if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
482                 return -EINVAL;
483
484         rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
485         if (!rd_data)
486                 return -ENOMEM;
487
488         uhid->rd_size = rd_size;
489         uhid->rd_data = rd_data;
490
491         hid = hid_allocate_device();
492         if (IS_ERR(hid)) {
493                 ret = PTR_ERR(hid);
494                 goto err_free;
495         }
496
497         /* @hid is zero-initialized, strncpy() is correct, strlcpy() not */
498         len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
499         strncpy(hid->name, ev->u.create2.name, len);
500         len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
501         strncpy(hid->phys, ev->u.create2.phys, len);
502         len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
503         strncpy(hid->uniq, ev->u.create2.uniq, len);
504
505         hid->ll_driver = &uhid_hid_driver;
506         hid->bus = ev->u.create2.bus;
507         hid->vendor = ev->u.create2.vendor;
508         hid->product = ev->u.create2.product;
509         hid->version = ev->u.create2.version;
510         hid->country = ev->u.create2.country;
511         hid->driver_data = uhid;
512         hid->dev.parent = uhid_misc.this_device;
513
514         uhid->hid = hid;
515         uhid->running = true;
516
517         /* Adding of a HID device is done through a worker, to allow HID drivers
518          * which use feature requests during .probe to work, without they would
519          * be blocked on devlock, which is held by uhid_char_write.
520          */
521         schedule_work(&uhid->worker);
522
523         return 0;
524
525 err_free:
526         kfree(uhid->rd_data);
527         uhid->rd_data = NULL;
528         uhid->rd_size = 0;
529         return ret;
530 }
531
532 static int uhid_dev_create(struct uhid_device *uhid,
533                            struct uhid_event *ev)
534 {
535         struct uhid_create_req orig;
536
537         orig = ev->u.create;
538
539         if (orig.rd_size <= 0 || orig.rd_size > HID_MAX_DESCRIPTOR_SIZE)
540                 return -EINVAL;
541         if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
542                 return -EFAULT;
543
544         memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
545         memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
546         memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
547         ev->u.create2.rd_size = orig.rd_size;
548         ev->u.create2.bus = orig.bus;
549         ev->u.create2.vendor = orig.vendor;
550         ev->u.create2.product = orig.product;
551         ev->u.create2.version = orig.version;
552         ev->u.create2.country = orig.country;
553
554         return uhid_dev_create2(uhid, ev);
555 }
556
557 static int uhid_dev_destroy(struct uhid_device *uhid)
558 {
559         if (!uhid->running)
560                 return -EINVAL;
561
562         uhid->running = false;
563         wake_up_interruptible(&uhid->report_wait);
564
565         cancel_work_sync(&uhid->worker);
566
567         hid_destroy_device(uhid->hid);
568         kfree(uhid->rd_data);
569
570         return 0;
571 }
572
573 static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
574 {
575         if (!uhid->running)
576                 return -EINVAL;
577
578         hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
579                          min_t(size_t, ev->u.input.size, UHID_DATA_MAX), 0);
580
581         return 0;
582 }
583
584 static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
585 {
586         if (!uhid->running)
587                 return -EINVAL;
588
589         hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
590                          min_t(size_t, ev->u.input2.size, UHID_DATA_MAX), 0);
591
592         return 0;
593 }
594
595 static int uhid_dev_get_report_reply(struct uhid_device *uhid,
596                                      struct uhid_event *ev)
597 {
598         if (!uhid->running)
599                 return -EINVAL;
600
601         uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev);
602         return 0;
603 }
604
605 static int uhid_dev_set_report_reply(struct uhid_device *uhid,
606                                      struct uhid_event *ev)
607 {
608         if (!uhid->running)
609                 return -EINVAL;
610
611         uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev);
612         return 0;
613 }
614
615 static int uhid_char_open(struct inode *inode, struct file *file)
616 {
617         struct uhid_device *uhid;
618
619         uhid = kzalloc(sizeof(*uhid), GFP_KERNEL);
620         if (!uhid)
621                 return -ENOMEM;
622
623         mutex_init(&uhid->devlock);
624         mutex_init(&uhid->report_lock);
625         spin_lock_init(&uhid->qlock);
626         init_waitqueue_head(&uhid->waitq);
627         init_waitqueue_head(&uhid->report_wait);
628         uhid->running = false;
629         INIT_WORK(&uhid->worker, uhid_device_add_worker);
630
631         file->private_data = uhid;
632         stream_open(inode, file);
633
634         return 0;
635 }
636
637 static int uhid_char_release(struct inode *inode, struct file *file)
638 {
639         struct uhid_device *uhid = file->private_data;
640         unsigned int i;
641
642         uhid_dev_destroy(uhid);
643
644         for (i = 0; i < UHID_BUFSIZE; ++i)
645                 kfree(uhid->outq[i]);
646
647         kfree(uhid);
648
649         return 0;
650 }
651
652 static ssize_t uhid_char_read(struct file *file, char __user *buffer,
653                                 size_t count, loff_t *ppos)
654 {
655         struct uhid_device *uhid = file->private_data;
656         int ret;
657         unsigned long flags;
658         size_t len;
659
660         /* they need at least the "type" member of uhid_event */
661         if (count < sizeof(__u32))
662                 return -EINVAL;
663
664 try_again:
665         if (file->f_flags & O_NONBLOCK) {
666                 if (uhid->head == uhid->tail)
667                         return -EAGAIN;
668         } else {
669                 ret = wait_event_interruptible(uhid->waitq,
670                                                 uhid->head != uhid->tail);
671                 if (ret)
672                         return ret;
673         }
674
675         ret = mutex_lock_interruptible(&uhid->devlock);
676         if (ret)
677                 return ret;
678
679         if (uhid->head == uhid->tail) {
680                 mutex_unlock(&uhid->devlock);
681                 goto try_again;
682         } else {
683                 len = min(count, sizeof(**uhid->outq));
684                 if (copy_to_user(buffer, uhid->outq[uhid->tail], len)) {
685                         ret = -EFAULT;
686                 } else {
687                         kfree(uhid->outq[uhid->tail]);
688                         uhid->outq[uhid->tail] = NULL;
689
690                         spin_lock_irqsave(&uhid->qlock, flags);
691                         uhid->tail = (uhid->tail + 1) % UHID_BUFSIZE;
692                         spin_unlock_irqrestore(&uhid->qlock, flags);
693                 }
694         }
695
696         mutex_unlock(&uhid->devlock);
697         return ret ? ret : len;
698 }
699
700 static ssize_t uhid_char_write(struct file *file, const char __user *buffer,
701                                 size_t count, loff_t *ppos)
702 {
703         struct uhid_device *uhid = file->private_data;
704         int ret;
705         size_t len;
706
707         /* we need at least the "type" member of uhid_event */
708         if (count < sizeof(__u32))
709                 return -EINVAL;
710
711         ret = mutex_lock_interruptible(&uhid->devlock);
712         if (ret)
713                 return ret;
714
715         memset(&uhid->input_buf, 0, sizeof(uhid->input_buf));
716         len = min(count, sizeof(uhid->input_buf));
717
718         ret = uhid_event_from_user(buffer, len, &uhid->input_buf);
719         if (ret)
720                 goto unlock;
721
722         switch (uhid->input_buf.type) {
723         case UHID_CREATE:
724                 /*
725                  * 'struct uhid_create_req' contains a __user pointer which is
726                  * copied from, so it's unsafe to allow this with elevated
727                  * privileges (e.g. from a setuid binary) or via kernel_write().
728                  */
729                 if (file->f_cred != current_cred() || uaccess_kernel()) {
730                         pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
731                                     task_tgid_vnr(current), current->comm);
732                         ret = -EACCES;
733                         goto unlock;
734                 }
735                 ret = uhid_dev_create(uhid, &uhid->input_buf);
736                 break;
737         case UHID_CREATE2:
738                 ret = uhid_dev_create2(uhid, &uhid->input_buf);
739                 break;
740         case UHID_DESTROY:
741                 ret = uhid_dev_destroy(uhid);
742                 break;
743         case UHID_INPUT:
744                 ret = uhid_dev_input(uhid, &uhid->input_buf);
745                 break;
746         case UHID_INPUT2:
747                 ret = uhid_dev_input2(uhid, &uhid->input_buf);
748                 break;
749         case UHID_GET_REPORT_REPLY:
750                 ret = uhid_dev_get_report_reply(uhid, &uhid->input_buf);
751                 break;
752         case UHID_SET_REPORT_REPLY:
753                 ret = uhid_dev_set_report_reply(uhid, &uhid->input_buf);
754                 break;
755         default:
756                 ret = -EOPNOTSUPP;
757         }
758
759 unlock:
760         mutex_unlock(&uhid->devlock);
761
762         /* return "count" not "len" to not confuse the caller */
763         return ret ? ret : count;
764 }
765
766 static __poll_t uhid_char_poll(struct file *file, poll_table *wait)
767 {
768         struct uhid_device *uhid = file->private_data;
769
770         poll_wait(file, &uhid->waitq, wait);
771
772         if (uhid->head != uhid->tail)
773                 return EPOLLIN | EPOLLRDNORM;
774
775         return 0;
776 }
777
778 static const struct file_operations uhid_fops = {
779         .owner          = THIS_MODULE,
780         .open           = uhid_char_open,
781         .release        = uhid_char_release,
782         .read           = uhid_char_read,
783         .write          = uhid_char_write,
784         .poll           = uhid_char_poll,
785         .llseek         = no_llseek,
786 };
787
788 static struct miscdevice uhid_misc = {
789         .fops           = &uhid_fops,
790         .minor          = UHID_MINOR,
791         .name           = UHID_NAME,
792 };
793 module_misc_device(uhid_misc);
794
795 MODULE_LICENSE("GPL");
796 MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
797 MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem");
798 MODULE_ALIAS_MISCDEV(UHID_MINOR);
799 MODULE_ALIAS("devname:" UHID_NAME);