vt: NULL dereference in vt_do_kdsk_ioctl()
1 /*
2  * This module exports the functions:
3  *
4  *     'int set_selection(struct tiocl_selection __user *, struct tty_struct *)'
5  *     'void clear_selection(void)'
6  *     'int paste_selection(struct tty_struct *)'
7  *     'int sel_loadlut(char __user *)'
8  *
9  * Now that /dev/vcs exists, most of this can disappear again.
10  */
11
12 #include <linux/module.h>
13 #include <linux/tty.h>
14 #include <linux/sched.h>
15 #include <linux/mm.h>
16 #include <linux/slab.h>
17 #include <linux/types.h>
18
19 #include <asm/uaccess.h>
20
21 #include <linux/kbd_kern.h>
22 #include <linux/vt_kern.h>
23 #include <linux/consolemap.h>
24 #include <linux/selection.h>
25 #include <linux/tiocl.h>
26 #include <linux/console.h>
27
/*
 * Deliberately not the <ctype.h> definition: 011-015 on the screen are
 * not spaces, so only a literal blank counts as one here.
 */
#define isspace(c)	(' ' == (c))

extern void poke_blanked_console(void);

/* FIXME: all this needs locking */
/*
 * Selection state, shared file-wide by set_selection(), clear_selection()
 * and paste_selection().
 *
 * NOTE(review): sel_buffer is replaced (kfree() of the old buffer) in
 * set_selection(), while paste_selection() reads it and is documented in
 * this file as being called without locks. Treat every access to these
 * variables as unsynchronised until the FIXME above is resolved.
 */
struct vc_data *sel_cons;		/* must not be deallocated */
static volatile int sel_start = -1;	/* cleared by clear_selection */
static int sel_end;
static int use_unicode;
/* Use a dynamic buffer, instead of static (Dec 1994) */
static char *sel_buffer;
static int sel_buffer_lth;
42
43 /* clear_selection, highlight and highlight_pointer can be called
44    from interrupt (via scrollback/front) */
45
/*
 * Toggle reverse video on characters s..e of the console that holds the
 * selection (sel_cons).
 */
static inline void highlight(const int s, const int e)
{
	/*
	 * Positions in this file advance in steps of 2, so e - s + 2 makes
	 * the span handed to invert_screen() include the cell at e itself.
	 */
	const int span = e - s + 2;

	invert_screen(sel_cons, s, span, 1);
}
51
/*
 * Show the pointer at screen position 'where' using the complementary
 * color. Callers in this file pass -1 to hide the pointer again.
 */
static inline void highlight_pointer(const int where)
{
	struct vc_data *cons = sel_cons;

	complement_pos(cons, where);
}
57
/*
 * Return the character shown at screen position n of the selection
 * console: the glyph is read with screen_glyph() and mapped back through
 * inverse_translate(), honouring the current use_unicode setting.
 *
 * NOTE(review): n is not range-checked here; callers are expected to pass
 * positions already clamped to the screen (see set_selection()).
 */
static u16 sel_pos(int n)
{
	const int glyph = screen_glyph(sel_cons, n);

	return inverse_translate(sel_cons, glyph, use_unicode);
}
64
/**
 *	clear_selection		-	remove current selection
 *
 *	Hide the pointer and, if a selection is active, remove its highlight
 *	from the console holding the selection and mark the selection as
 *	empty (sel_start == -1). The caller must hold the console lock.
 */
void clear_selection(void)
{
	highlight_pointer(-1); /* hide the pointer */

	/* nothing selected: only the pointer had to go */
	if (sel_start == -1)
		return;

	/* inverting the same span a second time restores the original video */
	highlight(sel_start, sel_end);
	sel_start = -1;
}
79
/*
 * User settable table: what characters are to be considered alphabetic?
 * 256 bits, one per character code 0..255, packed 32 to a word.
 * Locked by the console lock.
 */
static u32 inwordLut[8]={
  0x00000000, /* control chars     */
  0x03FF0000, /* digits            */
  0x87FFFFFE, /* uppercase and '_' */
  0x07FFFFFE, /* lowercase         */
  0x00000000,
  0x00000000,
  0xFF7FFFFF, /* latin-1 accented letters, not multiplication sign */
  0xFF7FFFFF  /* latin-1 accented letters, not division sign */
};

/*
 * Return 1 if c counts as part of a word, 0 otherwise. Codes above 0xff
 * always count; testing them first also keeps the table index (c >> 5)
 * within the 8 words of inwordLut.
 */
static inline int inword(const u16 c) {
	if (c > 0xff)
		return 1;

	return (inwordLut[c >> 5] >> (c & 0x1F)) & 1;
}
98
/**
 *	sel_loadlut		-	load the LUT table
 *	@p: user table
 *
 *	Load the 32-byte word-character table from user space. The caller must
 *	hold the console lock. The data is first copied into a temporary so a
 *	fault part-way through the copy cannot leave inwordLut half-updated.
 *
 *	Returns 0 on success or -EFAULT if the user buffer cannot be read.
 */
int sel_loadlut(char __user *p)
{
	u32 tmplut[8];
	/* table starts 4 bytes into the user buffer - presumably after a
	   header supplied by the caller; confirm against the ioctl path */
	const u32 __user *src = (u32 __user *)(p + 4);

	if (copy_from_user(tmplut, src, sizeof(tmplut)) != 0)
		return -EFAULT;

	memcpy(inwordLut, tmplut, sizeof(tmplut));
	return 0;
}
114
/*
 * Does screen address p correspond to a character at the LH/RH edge of
 * the screen? size_row is the length of one row in the same units as p;
 * each character occupies 2 of them, hence the p + 2 for the right edge.
 */
static inline int atedge(const int p, int size_row)
{
	/* left edge: first cell of a row */
	if (p % size_row == 0)
		return 1;

	/* right edge: last cell of a row */
	return (p + 2) % size_row == 0;
}
120
/*
 * Constrain v such that v <= u: returns u when v exceeds it, v otherwise.
 * set_selection() relies on this to clamp user-supplied coordinates to
 * the screen size.
 */
static inline unsigned short limit(const unsigned short v, const unsigned short u)
{
	if (v > u)
		return u;

	return v;
}
126
/*
 * Store the char in UTF8 at p and return the number of bytes used (1-3).
 *
 * There is no bounds check: the caller must guarantee that up to 3 bytes
 * are writable at p (set_selection() sizes its buffer with a multiplier
 * of 3 for this reason).
 */
static int store_utf8(u16 c, char *p)
{
	char *out = p;

	if (c < 0x80) {
		/*  0******* */
		*out++ = c;
	} else if (c < 0x800) {
		/* 110***** 10****** */
		*out++ = 0xc0 | (c >> 6);
		*out++ = 0x80 | (c & 0x3f);
	} else {
		/* 1110**** 10****** 10****** */
		*out++ = 0xe0 | (c >> 12);
		*out++ = 0x80 | ((c >> 6) & 0x3f);
		*out++ = 0x80 | (c & 0x3f);
	}

	return out - p;
}
147
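/**
 *	set_selection		-	set the current selection.
 *	@sel: user selection info
 *	@tty: the console tty
 *
 *	Invoked by the ioctl handler for the vt layer.
 *
 *	Reads the selection corners and mode from user space, clamps the
 *	corners to the foreground console, updates the on-screen highlight
 *	and copies the selected text into a freshly allocated sel_buffer.
 *
 *	Returns 0 on success, -EFAULT if the user structure cannot be read,
 *	-EINVAL for an unknown selection mode and -ENOMEM if the new buffer
 *	cannot be allocated.
 *
 *	The entire selection process is managed under the console_lock. It's
 *	a lot under the lock but it's hardly a performance path.
 */
int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
{
	struct vc_data *vc = vc_cons[fg_console].d;
	int sel_mode, new_sel_start, new_sel_end, spc;
	unsigned short xs, ys, xe, ye;
	char *bp, *obp;
	int i, ps, pe, multiplier;
	u16 c;
	int mode;

	poke_blanked_console();

	if (!access_ok(VERIFY_READ, sel, sizeof(*sel)))
		return -EFAULT;
	/*
	 * access_ok() only validates the address range; every individual
	 * fetch can still fault, so do not go on with values that were
	 * never read from the caller.
	 */
	if (__get_user(xs, &sel->xs) ||
	    __get_user(ys, &sel->ys) ||
	    __get_user(xe, &sel->xe) ||
	    __get_user(ye, &sel->ye) ||
	    __get_user(sel_mode, &sel->sel_mode))
		return -EFAULT;

	/*
	 * The coordinates are untrusted. After the decrement a user value
	 * of 0 wraps to 0xffff (unsigned short); limit() then clamps every
	 * coordinate to the console size, which is what keeps ps and pe
	 * inside the screen for all the sel_pos()/highlight() calls below.
	 */
	xs--; ys--; xe--; ye--;
	xs = limit(xs, vc->vc_cols - 1);
	ys = limit(ys, vc->vc_rows - 1);
	xe = limit(xe, vc->vc_cols - 1);
	ye = limit(ye, vc->vc_rows - 1);
	ps = ys * vc->vc_size_row + (xs << 1);
	pe = ye * vc->vc_size_row + (xe << 1);

	if (sel_mode == TIOCL_SELCLEAR) {
		/* useful for screendump without selection highlights */
		clear_selection();
		return 0;
	}

	if (mouse_reporting() && (sel_mode & TIOCL_SELMOUSEREPORT)) {
		mouse_report(tty, sel_mode & TIOCL_SELBUTTONMASK, xs, ys);
		return 0;
	}

	if (ps > pe) {	/* make sel_start <= sel_end */
		int tmp = ps;
		ps = pe;
		pe = tmp;
	}

	/* the selection follows the foreground console */
	if (sel_cons != vc_cons[fg_console].d) {
		clear_selection();
		sel_cons = vc_cons[fg_console].d;
	}
	mode = vt_do_kdgkbmode(fg_console);
	use_unicode = (mode == K_UNICODE);

	switch (sel_mode) {
	case TIOCL_SELCHAR:	/* character-by-character selection */
		new_sel_start = ps;
		new_sel_end = pe;
		break;
	case TIOCL_SELWORD:	/* word-by-word selection */
		/* grow left until the character class changes or the row starts */
		spc = isspace(sel_pos(ps));
		for (new_sel_start = ps; ; ps -= 2) {
			if ((spc && !isspace(sel_pos(ps))) ||
			    (!spc && !inword(sel_pos(ps))))
				break;
			new_sel_start = ps;
			if (!(ps % vc->vc_size_row))
				break;
		}
		/* grow right until the character class changes or the row ends */
		spc = isspace(sel_pos(pe));
		for (new_sel_end = pe; ; pe += 2) {
			if ((spc && !isspace(sel_pos(pe))) ||
			    (!spc && !inword(sel_pos(pe))))
				break;
			new_sel_end = pe;
			if (!((pe + 2) % vc->vc_size_row))
				break;
		}
		break;
	case TIOCL_SELLINE:	/* line-by-line selection */
		new_sel_start = ps - ps % vc->vc_size_row;
		new_sel_end = pe + vc->vc_size_row
			    - pe % vc->vc_size_row - 2;
		break;
	case TIOCL_SELPOINTER:
		highlight_pointer(pe);
		return 0;
	default:
		return -EINVAL;
	}

	/* remove the pointer */
	highlight_pointer(-1);

	/* select to end of line if on trailing space */
	if (new_sel_end > new_sel_start &&
		!atedge(new_sel_end, vc->vc_size_row) &&
		isspace(sel_pos(new_sel_end))) {
		for (pe = new_sel_end + 2; ; pe += 2)
			if (!isspace(sel_pos(pe)) ||
			    atedge(pe, vc->vc_size_row))
				break;
		if (isspace(sel_pos(pe)))
			new_sel_end = pe;
	}

	/* only re-invert the part of the screen whose state changes */
	if (sel_start == -1) {	/* no current selection */
		highlight(new_sel_start, new_sel_end);
	} else if (new_sel_start == sel_start) {
		if (new_sel_end == sel_end)	/* no action required */
			return 0;
		else if (new_sel_end > sel_end)	/* extend to right */
			highlight(sel_end + 2, new_sel_end);
		else				/* contract from right */
			highlight(new_sel_end + 2, sel_end);
	} else if (new_sel_end == sel_end) {
		if (new_sel_start < sel_start)	/* extend to left */
			highlight(new_sel_start, sel_start - 2);
		else				/* contract from left */
			highlight(sel_start, new_sel_start - 2);
	} else {	/* some other case; start selection from scratch */
		clear_selection();
		highlight(new_sel_start, new_sel_end);
	}
	sel_start = new_sel_start;
	sel_end = new_sel_end;

	/* Allocate a new buffer before freeing the old one ... */
	multiplier = use_unicode ? 3 : 1;  /* chars can take up to 3 bytes */
	bp = kmalloc(((sel_end-sel_start)/2+1)*multiplier, GFP_KERNEL);
	if (!bp) {
		printk(KERN_WARNING "selection: kmalloc() failed\n");
		clear_selection();
		return -ENOMEM;
	}
	/*
	 * NOTE(review): paste_selection() reads sel_buffer and is documented
	 * in this file as running without locks, so a paste in progress can
	 * still be using the buffer released here. Swapping the pointer is
	 * only safe once both paths share a lock.
	 */
	kfree(sel_buffer);
	sel_buffer = bp;

	obp = bp;	/* obp: position just past the last non-blank character */
	for (i = sel_start; i <= sel_end; i += 2) {
		c = sel_pos(i);
		if (use_unicode)
			bp += store_utf8(c, bp);
		else
			*bp++ = c;
		if (!isspace(c))
			obp = bp;
		if (! ((i + 2) % vc->vc_size_row)) {
			/* strip trailing blanks from line and add newline,
			   unless non-space at end of line. */
			if (obp != bp) {
				bp = obp;
				*bp++ = '\r';
			}
			obp = bp;
		}
	}
	sel_buffer_lth = bp - sel_buffer;
	return 0;
}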
328
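/* Insert the contents of the selection buffer into the
 * queue of the tty associated with the current console.
 * Invoked by ioctl().
 *
 * Returns 0 when the loop ends normally, or -EINTR if a signal arrives
 * while the tty is throttled.
 *
 * Locking: called without locks. Calls the ldisc wrongly with
 * unsafe methods,
 *
 * NOTE(review): sel_buffer and sel_buffer_lth are read here with no lock
 * held, while set_selection() frees and replaces sel_buffer. A selection
 * change during a paste can therefore leave this loop reading freed
 * memory; closing that window needs a lock shared by both functions.
 */
int paste_selection(struct tty_struct *tty)
{
	struct vc_data *vc = tty->driver_data;
	int	pasted = 0;
	int	ret = 0;
	unsigned int count;
	struct	tty_ldisc *ld;
	DECLARE_WAITQUEUE(wait, current);

	console_lock();
	poke_blanked_console();
	console_unlock();

	/* FIXME: wtf is this supposed to achieve ? */
	ld = tty_ldisc_ref(tty);
	if (!ld)
		ld = tty_ldisc_ref_wait(tty);

	/* FIXME: this is completely unsafe */
	add_wait_queue(&vc->paste_wait, &wait);
	while (sel_buffer && sel_buffer_lth > pasted) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (test_bit(TTY_THROTTLED, &tty->flags)) {
			/*
			 * With a signal pending, schedule() does not sleep in
			 * TASK_INTERRUPTIBLE, so this loop would spin for as
			 * long as the tty stays throttled. Give up instead so
			 * the signal can be delivered.
			 */
			if (signal_pending(current)) {
				ret = -EINTR;
				break;
			}
			schedule();
			continue;
		}
		count = sel_buffer_lth - pasted;
		count = min(count, tty->receive_room);
		/*
		 * Go through the ldisc we hold a reference on rather than
		 * re-reading tty->ldisc, which that reference does not pin.
		 */
		ld->ops->receive_buf(tty, sel_buffer + pasted,
								NULL, count);
		pasted += count;
	}
	remove_wait_queue(&vc->paste_wait, &wait);
	__set_current_state(TASK_RUNNING);

	tty_ldisc_deref(ld);
	return ret;
}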