1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Joystick device driver for the input driver suite.
4  *
5  * Copyright (c) 1999-2002 Vojtech Pavlik
6  * Copyright (c) 1999 Colin Van Dyke
7  */
8 
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 
11 #include <asm/io.h>
12 #include <linux/delay.h>
13 #include <linux/errno.h>
14 #include <linux/joystick.h>
15 #include <linux/input.h>
16 #include <linux/kernel.h>
17 #include <linux/major.h>
18 #include <linux/sched.h>
19 #include <linux/slab.h>
20 #include <linux/mm.h>
21 #include <linux/module.h>
22 #include <linux/poll.h>
23 #include <linux/init.h>
24 #include <linux/device.h>
25 #include <linux/cdev.h>
26 
27 MODULE_AUTHOR("Vojtech Pavlik <vojtech@ucw.cz>");
28 MODULE_DESCRIPTION("Joystick device interfaces");
29 MODULE_LICENSE("GPL");
30 
31 #define JOYDEV_MINOR_BASE	0
32 #define JOYDEV_MINORS		16
33 #define JOYDEV_BUFFER_SIZE	64
34 
35 struct joydev {
36 	int open;
37 	struct input_handle handle;
38 	wait_queue_head_t wait;
39 	struct list_head client_list;
40 	spinlock_t client_lock; /* protects client_list */
41 	struct mutex mutex;
42 	struct device dev;
43 	struct cdev cdev;
44 	bool exist;
45 
46 	struct js_corr corr[ABS_CNT];
47 	struct JS_DATA_SAVE_TYPE glue;
48 	int nabs;
49 	int nkey;
50 	__u16 keymap[KEY_MAX - BTN_MISC + 1];
51 	__u16 keypam[KEY_MAX - BTN_MISC + 1];
52 	__u8 absmap[ABS_CNT];
53 	__u8 abspam[ABS_CNT];
54 	__s16 abs[ABS_CNT];
55 };
56 
57 struct joydev_client {
58 	struct js_event buffer[JOYDEV_BUFFER_SIZE];
59 	int head;
60 	int tail;
61 	int startup;
62 	spinlock_t buffer_lock; /* protects access to buffer, head and tail */
63 	struct fasync_struct *fasync;
64 	struct joydev *joydev;
65 	struct list_head node;
66 };
67 
joydev_correct(int value,struct js_corr * corr)68 static int joydev_correct(int value, struct js_corr *corr)
69 {
70 	switch (corr->type) {
71 
72 	case JS_CORR_NONE:
73 		break;
74 
75 	case JS_CORR_BROKEN:
76 		value = value > corr->coef[0] ? (value < corr->coef[1] ? 0 :
77 			((corr->coef[3] * (value - corr->coef[1])) >> 14)) :
78 			((corr->coef[2] * (value - corr->coef[0])) >> 14);
79 		break;
80 
81 	default:
82 		return 0;
83 	}
84 
85 	return clamp(value, -32767, 32767);
86 }
87 
joydev_pass_event(struct joydev_client * client,struct js_event * event)88 static void joydev_pass_event(struct joydev_client *client,
89 			      struct js_event *event)
90 {
91 	struct joydev *joydev = client->joydev;
92 
93 	/*
94 	 * IRQs already disabled, just acquire the lock
95 	 */
96 	spin_lock(&client->buffer_lock);
97 
98 	client->buffer[client->head] = *event;
99 
100 	if (client->startup == joydev->nabs + joydev->nkey) {
101 		client->head++;
102 		client->head &= JOYDEV_BUFFER_SIZE - 1;
103 		if (client->tail == client->head)
104 			client->startup = 0;
105 	}
106 
107 	spin_unlock(&client->buffer_lock);
108 
109 	kill_fasync(&client->fasync, SIGIO, POLL_IN);
110 }
111 
joydev_event(struct input_handle * handle,unsigned int type,unsigned int code,int value)112 static void joydev_event(struct input_handle *handle,
113 			 unsigned int type, unsigned int code, int value)
114 {
115 	struct joydev *joydev = handle->private;
116 	struct joydev_client *client;
117 	struct js_event event;
118 
119 	switch (type) {
120 
121 	case EV_KEY:
122 		if (code < BTN_MISC || value == 2)
123 			return;
124 		event.type = JS_EVENT_BUTTON;
125 		event.number = joydev->keymap[code - BTN_MISC];
126 		event.value = value;
127 		break;
128 
129 	case EV_ABS:
130 		event.type = JS_EVENT_AXIS;
131 		event.number = joydev->absmap[code];
132 		event.value = joydev_correct(value,
133 					&joydev->corr[event.number]);
134 		if (event.value == joydev->abs[event.number])
135 			return;
136 		joydev->abs[event.number] = event.value;
137 		break;
138 
139 	default:
140 		return;
141 	}
142 
143 	event.time = jiffies_to_msecs(jiffies);
144 
145 	rcu_read_lock();
146 	list_for_each_entry_rcu(client, &joydev->client_list, node)
147 		joydev_pass_event(client, &event);
148 	rcu_read_unlock();
149 
150 	wake_up_interruptible(&joydev->wait);
151 }
152 
joydev_fasync(int fd,struct file * file,int on)153 static int joydev_fasync(int fd, struct file *file, int on)
154 {
155 	struct joydev_client *client = file->private_data;
156 
157 	return fasync_helper(fd, file, on, &client->fasync);
158 }
159 
joydev_free(struct device * dev)160 static void joydev_free(struct device *dev)
161 {
162 	struct joydev *joydev = container_of(dev, struct joydev, dev);
163 
164 	input_put_device(joydev->handle.dev);
165 	kfree(joydev);
166 }
167 
joydev_attach_client(struct joydev * joydev,struct joydev_client * client)168 static void joydev_attach_client(struct joydev *joydev,
169 				 struct joydev_client *client)
170 {
171 	spin_lock(&joydev->client_lock);
172 	list_add_tail_rcu(&client->node, &joydev->client_list);
173 	spin_unlock(&joydev->client_lock);
174 }
175 
joydev_detach_client(struct joydev * joydev,struct joydev_client * client)176 static void joydev_detach_client(struct joydev *joydev,
177 				 struct joydev_client *client)
178 {
179 	spin_lock(&joydev->client_lock);
180 	list_del_rcu(&client->node);
181 	spin_unlock(&joydev->client_lock);
182 	synchronize_rcu();
183 }
184 
joydev_refresh_state(struct joydev * joydev)185 static void joydev_refresh_state(struct joydev *joydev)
186 {
187 	struct input_dev *dev = joydev->handle.dev;
188 	int i, val;
189 
190 	for (i = 0; i < joydev->nabs; i++) {
191 		val = input_abs_get_val(dev, joydev->abspam[i]);
192 		joydev->abs[i] = joydev_correct(val, &joydev->corr[i]);
193 	}
194 }
195 
joydev_open_device(struct joydev * joydev)196 static int joydev_open_device(struct joydev *joydev)
197 {
198 	int retval;
199 
200 	retval = mutex_lock_interruptible(&joydev->mutex);
201 	if (retval)
202 		return retval;
203 
204 	if (!joydev->exist)
205 		retval = -ENODEV;
206 	else if (!joydev->open++) {
207 		retval = input_open_device(&joydev->handle);
208 		if (retval)
209 			joydev->open--;
210 		else
211 			joydev_refresh_state(joydev);
212 	}
213 
214 	mutex_unlock(&joydev->mutex);
215 	return retval;
216 }
217 
joydev_close_device(struct joydev * joydev)218 static void joydev_close_device(struct joydev *joydev)
219 {
220 	mutex_lock(&joydev->mutex);
221 
222 	if (joydev->exist && !--joydev->open)
223 		input_close_device(&joydev->handle);
224 
225 	mutex_unlock(&joydev->mutex);
226 }
227 
228 /*
229  * Wake up users waiting for IO so they can disconnect from
230  * dead device.
231  */
joydev_hangup(struct joydev * joydev)232 static void joydev_hangup(struct joydev *joydev)
233 {
234 	struct joydev_client *client;
235 
236 	spin_lock(&joydev->client_lock);
237 	list_for_each_entry(client, &joydev->client_list, node)
238 		kill_fasync(&client->fasync, SIGIO, POLL_HUP);
239 	spin_unlock(&joydev->client_lock);
240 
241 	wake_up_interruptible(&joydev->wait);
242 }
243 
joydev_release(struct inode * inode,struct file * file)244 static int joydev_release(struct inode *inode, struct file *file)
245 {
246 	struct joydev_client *client = file->private_data;
247 	struct joydev *joydev = client->joydev;
248 
249 	joydev_detach_client(joydev, client);
250 	kfree(client);
251 
252 	joydev_close_device(joydev);
253 
254 	return 0;
255 }
256 
joydev_open(struct inode * inode,struct file * file)257 static int joydev_open(struct inode *inode, struct file *file)
258 {
259 	struct joydev *joydev =
260 			container_of(inode->i_cdev, struct joydev, cdev);
261 	struct joydev_client *client;
262 	int error;
263 
264 	client = kzalloc(sizeof(struct joydev_client), GFP_KERNEL);
265 	if (!client)
266 		return -ENOMEM;
267 
268 	spin_lock_init(&client->buffer_lock);
269 	client->joydev = joydev;
270 	joydev_attach_client(joydev, client);
271 
272 	error = joydev_open_device(joydev);
273 	if (error)
274 		goto err_free_client;
275 
276 	file->private_data = client;
277 	stream_open(inode, file);
278 
279 	return 0;
280 
281  err_free_client:
282 	joydev_detach_client(joydev, client);
283 	kfree(client);
284 	return error;
285 }
286 
joydev_generate_startup_event(struct joydev_client * client,struct input_dev * input,struct js_event * event)287 static int joydev_generate_startup_event(struct joydev_client *client,
288 					 struct input_dev *input,
289 					 struct js_event *event)
290 {
291 	struct joydev *joydev = client->joydev;
292 	int have_event;
293 
294 	spin_lock_irq(&client->buffer_lock);
295 
296 	have_event = client->startup < joydev->nabs + joydev->nkey;
297 
298 	if (have_event) {
299 
300 		event->time = jiffies_to_msecs(jiffies);
301 		if (client->startup < joydev->nkey) {
302 			event->type = JS_EVENT_BUTTON | JS_EVENT_INIT;
303 			event->number = client->startup;
304 			event->value = !!test_bit(joydev->keypam[event->number],
305 						  input->key);
306 		} else {
307 			event->type = JS_EVENT_AXIS | JS_EVENT_INIT;
308 			event->number = client->startup - joydev->nkey;
309 			event->value = joydev->abs[event->number];
310 		}
311 		client->startup++;
312 	}
313 
314 	spin_unlock_irq(&client->buffer_lock);
315 
316 	return have_event;
317 }
318 
joydev_fetch_next_event(struct joydev_client * client,struct js_event * event)319 static int joydev_fetch_next_event(struct joydev_client *client,
320 				   struct js_event *event)
321 {
322 	int have_event;
323 
324 	spin_lock_irq(&client->buffer_lock);
325 
326 	have_event = client->head != client->tail;
327 	if (have_event) {
328 		*event = client->buffer[client->tail++];
329 		client->tail &= JOYDEV_BUFFER_SIZE - 1;
330 	}
331 
332 	spin_unlock_irq(&client->buffer_lock);
333 
334 	return have_event;
335 }
336 
337 /*
338  * Old joystick interface
339  */
joydev_0x_read(struct joydev_client * client,struct input_dev * input,char __user * buf)340 static ssize_t joydev_0x_read(struct joydev_client *client,
341 			      struct input_dev *input,
342 			      char __user *buf)
343 {
344 	struct joydev *joydev = client->joydev;
345 	struct JS_DATA_TYPE data;
346 	int i;
347 
348 	spin_lock_irq(&input->event_lock);
349 
350 	/*
351 	 * Get device state
352 	 */
353 	for (data.buttons = i = 0; i < 32 && i < joydev->nkey; i++)
354 		data.buttons |=
355 			test_bit(joydev->keypam[i], input->key) ? (1 << i) : 0;
356 	data.x = (joydev->abs[0] / 256 + 128) >> joydev->glue.JS_CORR.x;
357 	data.y = (joydev->abs[1] / 256 + 128) >> joydev->glue.JS_CORR.y;
358 
359 	/*
360 	 * Reset reader's event queue
361 	 */
362 	spin_lock(&client->buffer_lock);
363 	client->startup = 0;
364 	client->tail = client->head;
365 	spin_unlock(&client->buffer_lock);
366 
367 	spin_unlock_irq(&input->event_lock);
368 
369 	if (copy_to_user(buf, &data, sizeof(struct JS_DATA_TYPE)))
370 		return -EFAULT;
371 
372 	return sizeof(struct JS_DATA_TYPE);
373 }
374 
joydev_data_pending(struct joydev_client * client)375 static inline int joydev_data_pending(struct joydev_client *client)
376 {
377 	struct joydev *joydev = client->joydev;
378 
379 	return client->startup < joydev->nabs + joydev->nkey ||
380 		client->head != client->tail;
381 }
382 
joydev_read(struct file * file,char __user * buf,size_t count,loff_t * ppos)383 static ssize_t joydev_read(struct file *file, char __user *buf,
384 			   size_t count, loff_t *ppos)
385 {
386 	struct joydev_client *client = file->private_data;
387 	struct joydev *joydev = client->joydev;
388 	struct input_dev *input = joydev->handle.dev;
389 	struct js_event event;
390 	int retval;
391 
392 	if (!joydev->exist)
393 		return -ENODEV;
394 
395 	if (count < sizeof(struct js_event))
396 		return -EINVAL;
397 
398 	if (count == sizeof(struct JS_DATA_TYPE))
399 		return joydev_0x_read(client, input, buf);
400 
401 	if (!joydev_data_pending(client) && (file->f_flags & O_NONBLOCK))
402 		return -EAGAIN;
403 
404 	retval = wait_event_interruptible(joydev->wait,
405 			!joydev->exist || joydev_data_pending(client));
406 	if (retval)
407 		return retval;
408 
409 	if (!joydev->exist)
410 		return -ENODEV;
411 
412 	while (retval + sizeof(struct js_event) <= count &&
413 	       joydev_generate_startup_event(client, input, &event)) {
414 
415 		if (copy_to_user(buf + retval, &event, sizeof(struct js_event)))
416 			return -EFAULT;
417 
418 		retval += sizeof(struct js_event);
419 	}
420 
421 	while (retval + sizeof(struct js_event) <= count &&
422 	       joydev_fetch_next_event(client, &event)) {
423 
424 		if (copy_to_user(buf + retval, &event, sizeof(struct js_event)))
425 			return -EFAULT;
426 
427 		retval += sizeof(struct js_event);
428 	}
429 
430 	return retval;
431 }
432 
433 /* No kernel lock - fine */
joydev_poll(struct file * file,poll_table * wait)434 static __poll_t joydev_poll(struct file *file, poll_table *wait)
435 {
436 	struct joydev_client *client = file->private_data;
437 	struct joydev *joydev = client->joydev;
438 
439 	poll_wait(file, &joydev->wait, wait);
440 	return (joydev_data_pending(client) ? (EPOLLIN | EPOLLRDNORM) : 0) |
441 		(joydev->exist ?  0 : (EPOLLHUP | EPOLLERR));
442 }
443 
joydev_handle_JSIOCSAXMAP(struct joydev * joydev,void __user * argp,size_t len)444 static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev,
445 				     void __user *argp, size_t len)
446 {
447 	__u8 *abspam;
448 	int i;
449 	int retval = 0;
450 
451 	len = min(len, sizeof(joydev->abspam));
452 
453 	/* Validate the map. */
454 	abspam = memdup_user(argp, len);
455 	if (IS_ERR(abspam))
456 		return PTR_ERR(abspam);
457 
458 	for (i = 0; i < len && i < joydev->nabs; i++) {
459 		if (abspam[i] > ABS_MAX) {
460 			retval = -EINVAL;
461 			goto out;
462 		}
463 	}
464 
465 	memcpy(joydev->abspam, abspam, len);
466 
467 	for (i = 0; i < joydev->nabs; i++)
468 		joydev->absmap[joydev->abspam[i]] = i;
469 
470  out:
471 	kfree(abspam);
472 	return retval;
473 }
474 
joydev_handle_JSIOCSBTNMAP(struct joydev * joydev,void __user * argp,size_t len)475 static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,
476 				      void __user *argp, size_t len)
477 {
478 	__u16 *keypam;
479 	int i;
480 	int retval = 0;
481 
482 	if (len % sizeof(*keypam))
483 		return -EINVAL;
484 
485 	len = min(len, sizeof(joydev->keypam));
486 
487 	/* Validate the map. */
488 	keypam = memdup_user(argp, len);
489 	if (IS_ERR(keypam))
490 		return PTR_ERR(keypam);
491 
492 	for (i = 0; i < (len / 2) && i < joydev->nkey; i++) {
493 		if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {
494 			retval = -EINVAL;
495 			goto out;
496 		}
497 	}
498 
499 	memcpy(joydev->keypam, keypam, len);
500 
501 	for (i = 0; i < joydev->nkey; i++)
502 		joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
503 
504  out:
505 	kfree(keypam);
506 	return retval;
507 }
508 
509 
joydev_ioctl_common(struct joydev * joydev,unsigned int cmd,void __user * argp)510 static int joydev_ioctl_common(struct joydev *joydev,
511 				unsigned int cmd, void __user *argp)
512 {
513 	struct input_dev *dev = joydev->handle.dev;
514 	size_t len;
515 	int i;
516 	const char *name;
517 
518 	/* Process fixed-sized commands. */
519 	switch (cmd) {
520 
521 	case JS_SET_CAL:
522 		return copy_from_user(&joydev->glue.JS_CORR, argp,
523 				sizeof(joydev->glue.JS_CORR)) ? -EFAULT : 0;
524 
525 	case JS_GET_CAL:
526 		return copy_to_user(argp, &joydev->glue.JS_CORR,
527 				sizeof(joydev->glue.JS_CORR)) ? -EFAULT : 0;
528 
529 	case JS_SET_TIMEOUT:
530 		return get_user(joydev->glue.JS_TIMEOUT, (s32 __user *) argp);
531 
532 	case JS_GET_TIMEOUT:
533 		return put_user(joydev->glue.JS_TIMEOUT, (s32 __user *) argp);
534 
535 	case JSIOCGVERSION:
536 		return put_user(JS_VERSION, (__u32 __user *) argp);
537 
538 	case JSIOCGAXES:
539 		return put_user(joydev->nabs, (__u8 __user *) argp);
540 
541 	case JSIOCGBUTTONS:
542 		return put_user(joydev->nkey, (__u8 __user *) argp);
543 
544 	case JSIOCSCORR:
545 		if (copy_from_user(joydev->corr, argp,
546 			      sizeof(joydev->corr[0]) * joydev->nabs))
547 			return -EFAULT;
548 
549 		for (i = 0; i < joydev->nabs; i++) {
550 			int val = input_abs_get_val(dev, joydev->abspam[i]);
551 			joydev->abs[i] = joydev_correct(val, &joydev->corr[i]);
552 		}
553 		return 0;
554 
555 	case JSIOCGCORR:
556 		return copy_to_user(argp, joydev->corr,
557 			sizeof(joydev->corr[0]) * joydev->nabs) ? -EFAULT : 0;
558 
559 	}
560 
561 	/*
562 	 * Process variable-sized commands (the axis and button map commands
563 	 * are considered variable-sized to decouple them from the values of
564 	 * ABS_MAX and KEY_MAX).
565 	 */
566 	switch (cmd & ~IOCSIZE_MASK) {
567 
568 	case (JSIOCSAXMAP & ~IOCSIZE_MASK):
569 		return joydev_handle_JSIOCSAXMAP(joydev, argp, _IOC_SIZE(cmd));
570 
571 	case (JSIOCGAXMAP & ~IOCSIZE_MASK):
572 		len = min_t(size_t, _IOC_SIZE(cmd), sizeof(joydev->abspam));
573 		return copy_to_user(argp, joydev->abspam, len) ? -EFAULT : len;
574 
575 	case (JSIOCSBTNMAP & ~IOCSIZE_MASK):
576 		return joydev_handle_JSIOCSBTNMAP(joydev, argp, _IOC_SIZE(cmd));
577 
578 	case (JSIOCGBTNMAP & ~IOCSIZE_MASK):
579 		len = min_t(size_t, _IOC_SIZE(cmd), sizeof(joydev->keypam));
580 		return copy_to_user(argp, joydev->keypam, len) ? -EFAULT : len;
581 
582 	case JSIOCGNAME(0):
583 		name = dev->name;
584 		if (!name)
585 			return 0;
586 
587 		len = min_t(size_t, _IOC_SIZE(cmd), strlen(name) + 1);
588 		return copy_to_user(argp, name, len) ? -EFAULT : len;
589 	}
590 
591 	return -EINVAL;
592 }
593 
594 #ifdef CONFIG_COMPAT
joydev_compat_ioctl(struct file * file,unsigned int cmd,unsigned long arg)595 static long joydev_compat_ioctl(struct file *file,
596 				unsigned int cmd, unsigned long arg)
597 {
598 	struct joydev_client *client = file->private_data;
599 	struct joydev *joydev = client->joydev;
600 	void __user *argp = (void __user *)arg;
601 	s32 tmp32;
602 	struct JS_DATA_SAVE_TYPE_32 ds32;
603 	int retval;
604 
605 	retval = mutex_lock_interruptible(&joydev->mutex);
606 	if (retval)
607 		return retval;
608 
609 	if (!joydev->exist) {
610 		retval = -ENODEV;
611 		goto out;
612 	}
613 
614 	switch (cmd) {
615 
616 	case JS_SET_TIMELIMIT:
617 		retval = get_user(tmp32, (s32 __user *) arg);
618 		if (retval == 0)
619 			joydev->glue.JS_TIMELIMIT = tmp32;
620 		break;
621 
622 	case JS_GET_TIMELIMIT:
623 		tmp32 = joydev->glue.JS_TIMELIMIT;
624 		retval = put_user(tmp32, (s32 __user *) arg);
625 		break;
626 
627 	case JS_SET_ALL:
628 		retval = copy_from_user(&ds32, argp,
629 					sizeof(ds32)) ? -EFAULT : 0;
630 		if (retval == 0) {
631 			joydev->glue.JS_TIMEOUT    = ds32.JS_TIMEOUT;
632 			joydev->glue.BUSY          = ds32.BUSY;
633 			joydev->glue.JS_EXPIRETIME = ds32.JS_EXPIRETIME;
634 			joydev->glue.JS_TIMELIMIT  = ds32.JS_TIMELIMIT;
635 			joydev->glue.JS_SAVE       = ds32.JS_SAVE;
636 			joydev->glue.JS_CORR       = ds32.JS_CORR;
637 		}
638 		break;
639 
640 	case JS_GET_ALL:
641 		ds32.JS_TIMEOUT    = joydev->glue.JS_TIMEOUT;
642 		ds32.BUSY          = joydev->glue.BUSY;
643 		ds32.JS_EXPIRETIME = joydev->glue.JS_EXPIRETIME;
644 		ds32.JS_TIMELIMIT  = joydev->glue.JS_TIMELIMIT;
645 		ds32.JS_SAVE       = joydev->glue.JS_SAVE;
646 		ds32.JS_CORR       = joydev->glue.JS_CORR;
647 
648 		retval = copy_to_user(argp, &ds32, sizeof(ds32)) ? -EFAULT : 0;
649 		break;
650 
651 	default:
652 		retval = joydev_ioctl_common(joydev, cmd, argp);
653 		break;
654 	}
655 
656  out:
657 	mutex_unlock(&joydev->mutex);
658 	return retval;
659 }
660 #endif /* CONFIG_COMPAT */
661 
joydev_ioctl(struct file * file,unsigned int cmd,unsigned long arg)662 static long joydev_ioctl(struct file *file,
663 			 unsigned int cmd, unsigned long arg)
664 {
665 	struct joydev_client *client = file->private_data;
666 	struct joydev *joydev = client->joydev;
667 	void __user *argp = (void __user *)arg;
668 	int retval;
669 
670 	retval = mutex_lock_interruptible(&joydev->mutex);
671 	if (retval)
672 		return retval;
673 
674 	if (!joydev->exist) {
675 		retval = -ENODEV;
676 		goto out;
677 	}
678 
679 	switch (cmd) {
680 
681 	case JS_SET_TIMELIMIT:
682 		retval = get_user(joydev->glue.JS_TIMELIMIT,
683 				  (long __user *) arg);
684 		break;
685 
686 	case JS_GET_TIMELIMIT:
687 		retval = put_user(joydev->glue.JS_TIMELIMIT,
688 				  (long __user *) arg);
689 		break;
690 
691 	case JS_SET_ALL:
692 		retval = copy_from_user(&joydev->glue, argp,
693 					sizeof(joydev->glue)) ? -EFAULT : 0;
694 		break;
695 
696 	case JS_GET_ALL:
697 		retval = copy_to_user(argp, &joydev->glue,
698 				      sizeof(joydev->glue)) ? -EFAULT : 0;
699 		break;
700 
701 	default:
702 		retval = joydev_ioctl_common(joydev, cmd, argp);
703 		break;
704 	}
705  out:
706 	mutex_unlock(&joydev->mutex);
707 	return retval;
708 }
709 
710 static const struct file_operations joydev_fops = {
711 	.owner		= THIS_MODULE,
712 	.read		= joydev_read,
713 	.poll		= joydev_poll,
714 	.open		= joydev_open,
715 	.release	= joydev_release,
716 	.unlocked_ioctl	= joydev_ioctl,
717 #ifdef CONFIG_COMPAT
718 	.compat_ioctl	= joydev_compat_ioctl,
719 #endif
720 	.fasync		= joydev_fasync,
721 	.llseek		= no_llseek,
722 };
723 
724 /*
725  * Mark device non-existent. This disables writes, ioctls and
726  * prevents new users from opening the device. Already posted
727  * blocking reads will stay, however new ones will fail.
728  */
joydev_mark_dead(struct joydev * joydev)729 static void joydev_mark_dead(struct joydev *joydev)
730 {
731 	mutex_lock(&joydev->mutex);
732 	joydev->exist = false;
733 	mutex_unlock(&joydev->mutex);
734 }
735 
joydev_cleanup(struct joydev * joydev)736 static void joydev_cleanup(struct joydev *joydev)
737 {
738 	struct input_handle *handle = &joydev->handle;
739 
740 	joydev_mark_dead(joydev);
741 	joydev_hangup(joydev);
742 
743 	/* joydev is marked dead so no one else accesses joydev->open */
744 	if (joydev->open)
745 		input_close_device(handle);
746 }
747 
748 /*
749  * These codes are copied from hid-ids.h, unfortunately there is no common
750  * usb_ids/bt_ids.h header.
751  */
752 #define USB_VENDOR_ID_SONY			0x054c
753 #define USB_DEVICE_ID_SONY_PS3_CONTROLLER		0x0268
754 #define USB_DEVICE_ID_SONY_PS4_CONTROLLER		0x05c4
755 #define USB_DEVICE_ID_SONY_PS4_CONTROLLER_2		0x09cc
756 #define USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE	0x0ba0
757 
758 #define USB_VENDOR_ID_THQ			0x20d6
759 #define USB_DEVICE_ID_THQ_PS3_UDRAW			0xcb17
760 
761 #define USB_VENDOR_ID_NINTENDO		0x057e
762 #define USB_DEVICE_ID_NINTENDO_JOYCONL	0x2006
763 #define USB_DEVICE_ID_NINTENDO_JOYCONR	0x2007
764 #define USB_DEVICE_ID_NINTENDO_PROCON	0x2009
765 #define USB_DEVICE_ID_NINTENDO_CHRGGRIP	0x200E
766 
767 #define ACCEL_DEV(vnd, prd)						\
768 	{								\
769 		.flags = INPUT_DEVICE_ID_MATCH_VENDOR |			\
770 				INPUT_DEVICE_ID_MATCH_PRODUCT |		\
771 				INPUT_DEVICE_ID_MATCH_PROPBIT,		\
772 		.vendor = (vnd),					\
773 		.product = (prd),					\
774 		.propbit = { BIT_MASK(INPUT_PROP_ACCELEROMETER) },	\
775 	}
776 
777 static const struct input_device_id joydev_blacklist[] = {
778 	/* Avoid touchpads and touchscreens */
779 	{
780 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
781 				INPUT_DEVICE_ID_MATCH_KEYBIT,
782 		.evbit = { BIT_MASK(EV_KEY) },
783 		.keybit = { [BIT_WORD(BTN_TOUCH)] = BIT_MASK(BTN_TOUCH) },
784 	},
785 	/* Avoid tablets, digitisers and similar devices */
786 	{
787 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
788 				INPUT_DEVICE_ID_MATCH_KEYBIT,
789 		.evbit = { BIT_MASK(EV_KEY) },
790 		.keybit = { [BIT_WORD(BTN_DIGI)] = BIT_MASK(BTN_DIGI) },
791 	},
792 	/* Disable accelerometers on composite devices */
793 	ACCEL_DEV(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS3_CONTROLLER),
794 	ACCEL_DEV(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER),
795 	ACCEL_DEV(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2),
796 	ACCEL_DEV(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE),
797 	ACCEL_DEV(USB_VENDOR_ID_THQ, USB_DEVICE_ID_THQ_PS3_UDRAW),
798 	ACCEL_DEV(USB_VENDOR_ID_NINTENDO, USB_DEVICE_ID_NINTENDO_PROCON),
799 	ACCEL_DEV(USB_VENDOR_ID_NINTENDO, USB_DEVICE_ID_NINTENDO_CHRGGRIP),
800 	ACCEL_DEV(USB_VENDOR_ID_NINTENDO, USB_DEVICE_ID_NINTENDO_JOYCONL),
801 	ACCEL_DEV(USB_VENDOR_ID_NINTENDO, USB_DEVICE_ID_NINTENDO_JOYCONR),
802 	{ /* sentinel */ }
803 };
804 
joydev_dev_is_blacklisted(struct input_dev * dev)805 static bool joydev_dev_is_blacklisted(struct input_dev *dev)
806 {
807 	const struct input_device_id *id;
808 
809 	for (id = joydev_blacklist; id->flags; id++) {
810 		if (input_match_device_id(dev, id)) {
811 			dev_dbg(&dev->dev,
812 				"joydev: blacklisting '%s'\n", dev->name);
813 			return true;
814 		}
815 	}
816 
817 	return false;
818 }
819 
joydev_dev_is_absolute_mouse(struct input_dev * dev)820 static bool joydev_dev_is_absolute_mouse(struct input_dev *dev)
821 {
822 	DECLARE_BITMAP(jd_scratch, KEY_CNT);
823 	bool ev_match = false;
824 
825 	BUILD_BUG_ON(ABS_CNT > KEY_CNT || EV_CNT > KEY_CNT);
826 
827 	/*
828 	 * Virtualization (VMware, etc) and remote management (HP
829 	 * ILO2) solutions use absolute coordinates for their virtual
830 	 * pointing devices so that there is one-to-one relationship
831 	 * between pointer position on the host screen and virtual
832 	 * guest screen, and so their mice use ABS_X, ABS_Y and 3
833 	 * primary button events. This clashes with what joydev
834 	 * considers to be joysticks (a device with at minimum ABS_X
835 	 * axis).
836 	 *
837 	 * Here we are trying to separate absolute mice from
838 	 * joysticks. A device is, for joystick detection purposes,
839 	 * considered to be an absolute mouse if the following is
840 	 * true:
841 	 *
842 	 * 1) Event types are exactly
843 	 *      EV_ABS, EV_KEY and EV_SYN
844 	 *    or
845 	 *      EV_ABS, EV_KEY, EV_SYN and EV_MSC
846 	 *    or
847 	 *      EV_ABS, EV_KEY, EV_SYN, EV_MSC and EV_REL.
848 	 * 2) Absolute events are exactly ABS_X and ABS_Y.
849 	 * 3) Keys are exactly BTN_LEFT, BTN_RIGHT and BTN_MIDDLE.
850 	 * 4) Device is not on "Amiga" bus.
851 	 */
852 
853 	bitmap_zero(jd_scratch, EV_CNT);
854 	/* VMware VMMouse, HP ILO2 */
855 	__set_bit(EV_ABS, jd_scratch);
856 	__set_bit(EV_KEY, jd_scratch);
857 	__set_bit(EV_SYN, jd_scratch);
858 	if (bitmap_equal(jd_scratch, dev->evbit, EV_CNT))
859 		ev_match = true;
860 
861 	/* HP ILO2, AMI BMC firmware */
862 	__set_bit(EV_MSC, jd_scratch);
863 	if (bitmap_equal(jd_scratch, dev->evbit, EV_CNT))
864 		ev_match = true;
865 
866 	/* VMware Virtual USB Mouse, QEMU USB Tablet, ATEN BMC firmware */
867 	__set_bit(EV_REL, jd_scratch);
868 	if (bitmap_equal(jd_scratch, dev->evbit, EV_CNT))
869 		ev_match = true;
870 
871 	if (!ev_match)
872 		return false;
873 
874 	bitmap_zero(jd_scratch, ABS_CNT);
875 	__set_bit(ABS_X, jd_scratch);
876 	__set_bit(ABS_Y, jd_scratch);
877 	if (!bitmap_equal(dev->absbit, jd_scratch, ABS_CNT))
878 		return false;
879 
880 	bitmap_zero(jd_scratch, KEY_CNT);
881 	__set_bit(BTN_LEFT, jd_scratch);
882 	__set_bit(BTN_RIGHT, jd_scratch);
883 	__set_bit(BTN_MIDDLE, jd_scratch);
884 
885 	if (!bitmap_equal(dev->keybit, jd_scratch, KEY_CNT))
886 		return false;
887 
888 	/*
889 	 * Amiga joystick (amijoy) historically uses left/middle/right
890 	 * button events.
891 	 */
892 	if (dev->id.bustype == BUS_AMIGA)
893 		return false;
894 
895 	return true;
896 }
897 
joydev_match(struct input_handler * handler,struct input_dev * dev)898 static bool joydev_match(struct input_handler *handler, struct input_dev *dev)
899 {
900 	/* Disable blacklisted devices */
901 	if (joydev_dev_is_blacklisted(dev))
902 		return false;
903 
904 	/* Avoid absolute mice */
905 	if (joydev_dev_is_absolute_mouse(dev))
906 		return false;
907 
908 	return true;
909 }
910 
joydev_connect(struct input_handler * handler,struct input_dev * dev,const struct input_device_id * id)911 static int joydev_connect(struct input_handler *handler, struct input_dev *dev,
912 			  const struct input_device_id *id)
913 {
914 	struct joydev *joydev;
915 	int i, j, t, minor, dev_no;
916 	int error;
917 
918 	minor = input_get_new_minor(JOYDEV_MINOR_BASE, JOYDEV_MINORS, true);
919 	if (minor < 0) {
920 		error = minor;
921 		pr_err("failed to reserve new minor: %d\n", error);
922 		return error;
923 	}
924 
925 	joydev = kzalloc(sizeof(struct joydev), GFP_KERNEL);
926 	if (!joydev) {
927 		error = -ENOMEM;
928 		goto err_free_minor;
929 	}
930 
931 	INIT_LIST_HEAD(&joydev->client_list);
932 	spin_lock_init(&joydev->client_lock);
933 	mutex_init(&joydev->mutex);
934 	init_waitqueue_head(&joydev->wait);
935 	joydev->exist = true;
936 
937 	dev_no = minor;
938 	/* Normalize device number if it falls into legacy range */
939 	if (dev_no < JOYDEV_MINOR_BASE + JOYDEV_MINORS)
940 		dev_no -= JOYDEV_MINOR_BASE;
941 	dev_set_name(&joydev->dev, "js%d", dev_no);
942 
943 	joydev->handle.dev = input_get_device(dev);
944 	joydev->handle.name = dev_name(&joydev->dev);
945 	joydev->handle.handler = handler;
946 	joydev->handle.private = joydev;
947 
948 	for_each_set_bit(i, dev->absbit, ABS_CNT) {
949 		joydev->absmap[i] = joydev->nabs;
950 		joydev->abspam[joydev->nabs] = i;
951 		joydev->nabs++;
952 	}
953 
954 	for (i = BTN_JOYSTICK - BTN_MISC; i < KEY_MAX - BTN_MISC + 1; i++)
955 		if (test_bit(i + BTN_MISC, dev->keybit)) {
956 			joydev->keymap[i] = joydev->nkey;
957 			joydev->keypam[joydev->nkey] = i + BTN_MISC;
958 			joydev->nkey++;
959 		}
960 
961 	for (i = 0; i < BTN_JOYSTICK - BTN_MISC; i++)
962 		if (test_bit(i + BTN_MISC, dev->keybit)) {
963 			joydev->keymap[i] = joydev->nkey;
964 			joydev->keypam[joydev->nkey] = i + BTN_MISC;
965 			joydev->nkey++;
966 		}
967 
968 	for (i = 0; i < joydev->nabs; i++) {
969 		j = joydev->abspam[i];
970 		if (input_abs_get_max(dev, j) == input_abs_get_min(dev, j)) {
971 			joydev->corr[i].type = JS_CORR_NONE;
972 			continue;
973 		}
974 		joydev->corr[i].type = JS_CORR_BROKEN;
975 		joydev->corr[i].prec = input_abs_get_fuzz(dev, j);
976 
977 		t = (input_abs_get_max(dev, j) + input_abs_get_min(dev, j)) / 2;
978 		joydev->corr[i].coef[0] = t - input_abs_get_flat(dev, j);
979 		joydev->corr[i].coef[1] = t + input_abs_get_flat(dev, j);
980 
981 		t = (input_abs_get_max(dev, j) - input_abs_get_min(dev, j)) / 2
982 			- 2 * input_abs_get_flat(dev, j);
983 		if (t) {
984 			joydev->corr[i].coef[2] = (1 << 29) / t;
985 			joydev->corr[i].coef[3] = (1 << 29) / t;
986 		}
987 	}
988 
989 	joydev->dev.devt = MKDEV(INPUT_MAJOR, minor);
990 	joydev->dev.class = &input_class;
991 	joydev->dev.parent = &dev->dev;
992 	joydev->dev.release = joydev_free;
993 	device_initialize(&joydev->dev);
994 
995 	error = input_register_handle(&joydev->handle);
996 	if (error)
997 		goto err_free_joydev;
998 
999 	cdev_init(&joydev->cdev, &joydev_fops);
1000 
1001 	error = cdev_device_add(&joydev->cdev, &joydev->dev);
1002 	if (error)
1003 		goto err_cleanup_joydev;
1004 
1005 	return 0;
1006 
1007  err_cleanup_joydev:
1008 	joydev_cleanup(joydev);
1009 	input_unregister_handle(&joydev->handle);
1010  err_free_joydev:
1011 	put_device(&joydev->dev);
1012  err_free_minor:
1013 	input_free_minor(minor);
1014 	return error;
1015 }
1016 
joydev_disconnect(struct input_handle * handle)1017 static void joydev_disconnect(struct input_handle *handle)
1018 {
1019 	struct joydev *joydev = handle->private;
1020 
1021 	cdev_device_del(&joydev->cdev, &joydev->dev);
1022 	joydev_cleanup(joydev);
1023 	input_free_minor(MINOR(joydev->dev.devt));
1024 	input_unregister_handle(handle);
1025 	put_device(&joydev->dev);
1026 }
1027 
1028 static const struct input_device_id joydev_ids[] = {
1029 	{
1030 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
1031 				INPUT_DEVICE_ID_MATCH_ABSBIT,
1032 		.evbit = { BIT_MASK(EV_ABS) },
1033 		.absbit = { BIT_MASK(ABS_X) },
1034 	},
1035 	{
1036 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
1037 				INPUT_DEVICE_ID_MATCH_ABSBIT,
1038 		.evbit = { BIT_MASK(EV_ABS) },
1039 		.absbit = { BIT_MASK(ABS_Z) },
1040 	},
1041 	{
1042 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
1043 				INPUT_DEVICE_ID_MATCH_ABSBIT,
1044 		.evbit = { BIT_MASK(EV_ABS) },
1045 		.absbit = { BIT_MASK(ABS_WHEEL) },
1046 	},
1047 	{
1048 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
1049 				INPUT_DEVICE_ID_MATCH_ABSBIT,
1050 		.evbit = { BIT_MASK(EV_ABS) },
1051 		.absbit = { BIT_MASK(ABS_THROTTLE) },
1052 	},
1053 	{
1054 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
1055 				INPUT_DEVICE_ID_MATCH_KEYBIT,
1056 		.evbit = { BIT_MASK(EV_KEY) },
1057 		.keybit = {[BIT_WORD(BTN_JOYSTICK)] = BIT_MASK(BTN_JOYSTICK) },
1058 	},
1059 	{
1060 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
1061 				INPUT_DEVICE_ID_MATCH_KEYBIT,
1062 		.evbit = { BIT_MASK(EV_KEY) },
1063 		.keybit = { [BIT_WORD(BTN_GAMEPAD)] = BIT_MASK(BTN_GAMEPAD) },
1064 	},
1065 	{
1066 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
1067 				INPUT_DEVICE_ID_MATCH_KEYBIT,
1068 		.evbit = { BIT_MASK(EV_KEY) },
1069 		.keybit = { [BIT_WORD(BTN_TRIGGER_HAPPY)] = BIT_MASK(BTN_TRIGGER_HAPPY) },
1070 	},
1071 	{ }	/* Terminating entry */
1072 };
1073 
1074 MODULE_DEVICE_TABLE(input, joydev_ids);
1075 
1076 static struct input_handler joydev_handler = {
1077 	.event		= joydev_event,
1078 	.match		= joydev_match,
1079 	.connect	= joydev_connect,
1080 	.disconnect	= joydev_disconnect,
1081 	.legacy_minors	= true,
1082 	.minor		= JOYDEV_MINOR_BASE,
1083 	.name		= "joydev",
1084 	.id_table	= joydev_ids,
1085 };
1086 
joydev_init(void)1087 static int __init joydev_init(void)
1088 {
1089 	return input_register_handler(&joydev_handler);
1090 }
1091 
joydev_exit(void)1092 static void __exit joydev_exit(void)
1093 {
1094 	input_unregister_handler(&joydev_handler);
1095 }
1096 
1097 module_init(joydev_init);
1098 module_exit(joydev_exit);
1099