| User: | Jiri Slaby |
| Error type: | Invalid Pointer Dereference |
| Error type description: | A pointer which is invalid is being dereferenced |
| File location: | drivers/media/video/gspca/mars.c |
| Line in file: | 256 |
| Project: | Linux Kernel |
| Project version: | 2.6.28 |
| Tools: |
Stanse
(1.2)
Smatch (1.59) |
| Entered: | 2011-11-07 22:22:22 UTC |
1/* 2 * Mars-Semi MR97311A library 3 * Copyright (C) 2005 <bradlch@hotmail.com> 4 * 5 * V4L2 by Jean-Francois Moine <http://moinejf.free.fr> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 */ 21 22#define MODULE_NAME "mars" 23 24#include "gspca.h" 25#include "jpeg.h" 26 27MODULE_AUTHOR("Michel Xhaard <mxhaard@users.sourceforge.net>"); 28MODULE_DESCRIPTION("GSPCA/Mars USB Camera Driver"); 29MODULE_LICENSE("GPL"); 30 31/* specific webcam descriptor */ 32struct sd { 33 struct gspca_dev gspca_dev; /* !! must be the first item */ 34 35 char qindex; 36}; 37 38/* V4L2 controls supported by the driver */ 39static struct ctrl sd_ctrls[] = { 40}; 41 42static struct v4l2_pix_format vga_mode[] = { 43 {320, 240, V4L2_PIX_FMT_JPEG, V4L2_FIELD_NONE, 44 .bytesperline = 320, 45 .sizeimage = 320 * 240 * 3 / 8 + 589, 46 .colorspace = V4L2_COLORSPACE_JPEG, 47 .priv = 2}, 48 {640, 480, V4L2_PIX_FMT_JPEG, V4L2_FIELD_NONE, 49 .bytesperline = 640, 50 .sizeimage = 640 * 480 * 3 / 8 + 590, 51 .colorspace = V4L2_COLORSPACE_JPEG, 52 .priv = 1}, 53}; 54 55/* MI Register table //elvis */ 56enum { 57 REG_HW_MI_0, 58 REG_HW_MI_1, 59 REG_HW_MI_2, 60 REG_HW_MI_3, 61 REG_HW_MI_4, 62 REG_HW_MI_5, 63 REG_HW_MI_6, 64 REG_HW_MI_7, 65 REG_HW_MI_9 = 0x09, 66 REG_HW_MI_B = 0x0B, 67 REG_HW_MI_C, 68 REG_HW_MI_D, 69 REG_HW_MI_1E = 0x1E, 70 REG_HW_MI_20 = 0x20, 71 REG_HW_MI_2B = 0x2B, 72 REG_HW_MI_2C, 73 REG_HW_MI_2D, 74 REG_HW_MI_2E, 75 REG_HW_MI_35 = 0x35, 76 REG_HW_MI_5F = 0x5f, 77 REG_HW_MI_60, 78 REG_HW_MI_61, 79 REG_HW_MI_62, 80 REG_HW_MI_63, 81 REG_HW_MI_64, 82 REG_HW_MI_F1 = 0xf1, 83 ATTR_TOTAL_MI_REG = 0xf2 84}; 85 86/* the bytes to write are in gspca_dev->usb_buf */ 87static int reg_w(struct gspca_dev *gspca_dev, 88 __u16 index, int len) 89{ 90 int rc; 91 92 rc = usb_control_msg(gspca_dev->dev, 93 usb_sndbulkpipe(gspca_dev->dev, 4), 94 0x12, 95 0xc8, /* ?? */ 96 0, /* value */ 97 index, gspca_dev->usb_buf, len, 500); 98 if (rc < 0) 99 PDEBUG(D_ERR, "reg write [%02x] error %d", index, rc); 100 return rc; 101} 102 103static void bulk_w(struct gspca_dev *gspca_dev, 104 __u16 *pch, 105 __u16 Address) 106{ 107 gspca_dev->usb_buf[0] = 0x1f; 108 gspca_dev->usb_buf[1] = 0; /* control byte */ 109 gspca_dev->usb_buf[2] = Address; 110 gspca_dev->usb_buf[3] = *pch >> 8; /* high byte */ 111 gspca_dev->usb_buf[4] = *pch; /* low byte */ 112 113 reg_w(gspca_dev, Address, 5); 114} 115 116/* this function is called at probe time */ 117static int sd_config(struct gspca_dev *gspca_dev, 118 const struct usb_device_id *id) 119{ 120 struct sd *sd = (struct sd *) gspca_dev; 121 struct cam *cam; 122 123 cam = &gspca_dev->cam; 124 cam->epaddr = 0x01; 125 cam->cam_mode = vga_mode; 126 cam->nmodes = sizeof vga_mode / sizeof vga_mode[0]; 127 sd->qindex = 1; /* set the quantization table */ 128 return 0; 129} 130 131/* this function is called at probe and resume time */ 132static int sd_init(struct gspca_dev *gspca_dev) 133{ 134 return 0; 135} 136 137static int sd_start(struct gspca_dev *gspca_dev) 138{ 139 int err_code; 140 __u8 *data; 141 __u16 *MI_buf; 142 int h_size, v_size; 143 int intpipe; 144 145 PDEBUG(D_STREAM, "camera start, iface %d, alt 8", gspca_dev->iface); 146 err_code = usb_set_interface(gspca_dev->dev, gspca_dev->iface, 8); 147 if (err_code < 0) { 148 PDEBUG(D_ERR|D_STREAM, "Set packet size: set interface error"); 149 return err_code; 150 } 151 152 data = gspca_dev->usb_buf; 153 data[0] = 0x01; /* address */ 154 data[1] = 0x01; 155 156 err_code = reg_w(gspca_dev, data[0], 2); 157 if (err_code < 0) 158 return err_code; 159 160 /* 161 Initialize the MR97113 chip register 162 */ 163 data[0] = 0x00; /* address */ 164 data[1] = 0x0c | 0x01; /* reg 0 */ 165 data[2] = 0x01; /* reg 1 */ 166 h_size = gspca_dev->width; 167 v_size = gspca_dev->height; 168 data[3] = h_size / 8; /* h_size , reg 2 */ 169 data[4] = v_size / 8; /* v_size , reg 3 */ 170 data[5] = 0x30; /* reg 4, MI, PAS5101 : 171 * 0x30 for 24mhz , 0x28 for 12mhz */ 172 data[6] = 4; /* reg 5, H start */ 173 data[7] = 0xc0; /* reg 6, gamma 1.5 */ 174 data[8] = 3; /* reg 7, V start */ 175/* if (h_size == 320 ) */ 176/* data[9]= 0x56; * reg 8, 24MHz, 2:1 scale down */ 177/* else */ 178 data[9] = 0x52; /* reg 8, 24MHz, no scale down */ 179 data[10] = 0x5d; /* reg 9, I2C device address 180 * [for PAS5101 (0x40)] [for MI (0x5d)] */ 181 182 err_code = reg_w(gspca_dev, data[0], 11); 183 if (err_code < 0) 184 return err_code; 185 186 data[0] = 0x23; /* address */ 187 data[1] = 0x09; /* reg 35, append frame header */ 188 189 err_code = reg_w(gspca_dev, data[0], 2); 190 if (err_code < 0) 191 return err_code; 192 193 data[0] = 0x3c; /* address */ 194/* if (gspca_dev->width == 1280) */ 195/* data[1] = 200; * reg 60, pc-cam frame size 196 * (unit: 4KB) 800KB */ 197/* else */ 198 data[1] = 50; /* 50 reg 60, pc-cam frame size 199 * (unit: 4KB) 200KB */ 200 err_code = reg_w(gspca_dev, data[0], 2); 201 if (err_code < 0) 202 return err_code; 203 204 if (0) { /* fixed dark-gain */ 205 data[1] = 0; /* reg 94, Y Gain (1.75) */ 206 data[2] = 0; /* reg 95, UV Gain (1.75) */ 207 data[3] = 0x3f; /* reg 96, Y Gain/UV Gain/disable 208 * auto dark-gain */ 209 data[4] = 0; /* reg 97, set fixed dark level */ 210 data[5] = 0; /* reg 98, don't care */ 211 } else { /* auto dark-gain */ 212 data[1] = 0; /* reg 94, Y Gain (auto) */ 213 data[2] = 0; /* reg 95, UV Gain (1.75) */ 214 data[3] = 0x78; /* reg 96, Y Gain/UV Gain/disable 215 * auto dark-gain */ 216 switch (gspca_dev->width) { 217/* case 1280: */ 218/* data[4] = 154; 219 * reg 97, %3 shadow point (unit: 256 pixel) */ 220/* data[5] = 51; 221 * reg 98, %1 highlight point 222 * (uint: 256 pixel) */ 223/* break; */ 224 default: 225/* case 640: */ 226 data[4] = 36; /* reg 97, %3 shadow point 227 * (unit: 256 pixel) */ 228 data[5] = 12; /* reg 98, %1 highlight point 229 * (uint: 256 pixel) */ 230 break; 231 case 320: 232 data[4] = 9; /* reg 97, %3 shadow point 233 * (unit: 256 pixel) */ 234 data[5] = 3; /* reg 98, %1 highlight point 235 * (uint: 256 pixel) */ 236 break; 237 } 238 } 239 /* auto dark-gain */ 240 data[0] = 0x5e; /* address */ 241 242 err_code = reg_w(gspca_dev, data[0], 6); 243 if (err_code < 0) 244 return err_code; 245 246 data[0] = 0x67; 247 data[1] = 0x13; /* reg 103, first pixel B, disable sharpness */ 248 err_code = reg_w(gspca_dev, data[0], 2); 249 if (err_code < 0) 250 return err_code; 251 252 /* 253 * initialize the value of MI sensor... 254 */ 255 MI_buf = kzalloc(ATTR_TOTAL_MI_REG * sizeof *MI_buf, GFP_KERNEL); 256 MI_buf[REG_HW_MI_1] = 0x000a; 257 MI_buf[REG_HW_MI_2] = 0x000c; 258 MI_buf[REG_HW_MI_3] = 0x0405; 259 MI_buf[REG_HW_MI_4] = 0x0507; 260 /* mi_Attr_Reg_[REG_HW_MI_5] = 0x01ff;//13 */ 261 MI_buf[REG_HW_MI_5] = 0x0013; /* 13 */ 262 MI_buf[REG_HW_MI_6] = 0x001f; /* vertical blanking */ 263 /* mi_Attr_Reg_[REG_HW_MI_6] = 0x0400; // vertical blanking */ 264 MI_buf[REG_HW_MI_7] = 0x0002; 265 /* mi_Attr_Reg_[REG_HW_MI_9] = 0x015f; */ 266 /* mi_Attr_Reg_[REG_HW_MI_9] = 0x030f; */ 267 MI_buf[REG_HW_MI_9] = 0x0374; 268 MI_buf[REG_HW_MI_B] = 0x0000; 269 MI_buf[REG_HW_MI_C] = 0x0000; 270 MI_buf[REG_HW_MI_D] = 0x0000; 271 MI_buf[REG_HW_MI_1E] = 0x8000; 272/* mi_Attr_Reg_[REG_HW_MI_20] = 0x1104; */ 273 MI_buf[REG_HW_MI_20] = 0x1104; /* 0x111c; */ 274 MI_buf[REG_HW_MI_2B] = 0x0008; 275/* mi_Attr_Reg_[REG_HW_MI_2C] = 0x000f; */ 276 MI_buf[REG_HW_MI_2C] = 0x001f; /* lita suggest */ 277 MI_buf[REG_HW_MI_2D] = 0x0008; 278 MI_buf[REG_HW_MI_2E] = 0x0008; 279 MI_buf[REG_HW_MI_35] = 0x0051; 280 MI_buf[REG_HW_MI_5F] = 0x0904; /* fail to write */ 281 MI_buf[REG_HW_MI_60] = 0x0000; 282 MI_buf[REG_HW_MI_61] = 0x0000; 283 MI_buf[REG_HW_MI_62] = 0x0498; 284 MI_buf[REG_HW_MI_63] = 0x0000; 285 MI_buf[REG_HW_MI_64] = 0x0000; 286 MI_buf[REG_HW_MI_F1] = 0x0001; 287 /* changing while setting up the different value of dx/dy */ 288 289 if (gspca_dev->width != 1280) { 290 MI_buf[0x01] = 0x010a; 291 MI_buf[0x02] = 0x014c; 292 MI_buf[0x03] = 0x01e5; 293 MI_buf[0x04] = 0x0287; 294 } 295 MI_buf[0x20] = 0x1104; 296 297 bulk_w(gspca_dev, MI_buf + 1, 1); 298 bulk_w(gspca_dev, MI_buf + 2, 2); 299 bulk_w(gspca_dev, MI_buf + 3, 3); 300 bulk_w(gspca_dev, MI_buf + 4, 4); 301 bulk_w(gspca_dev, MI_buf + 5, 5); 302 bulk_w(gspca_dev, MI_buf + 6, 6); 303 bulk_w(gspca_dev, MI_buf + 7, 7); 304 bulk_w(gspca_dev, MI_buf + 9, 9); 305 bulk_w(gspca_dev, MI_buf + 0x0b, 0x0b); 306 bulk_w(gspca_dev, MI_buf + 0x0c, 0x0c); 307 bulk_w(gspca_dev, MI_buf + 0x0d, 0x0d); 308 bulk_w(gspca_dev, MI_buf + 0x1e, 0x1e); 309 bulk_w(gspca_dev, MI_buf + 0x20, 0x20); 310 bulk_w(gspca_dev, MI_buf + 0x2b, 0x2b); 311 bulk_w(gspca_dev, MI_buf + 0x2c, 0x2c); 312 bulk_w(gspca_dev, MI_buf + 0x2d, 0x2d); 313 bulk_w(gspca_dev, MI_buf + 0x2e, 0x2e); 314 bulk_w(gspca_dev, MI_buf + 0x35, 0x35); 315 bulk_w(gspca_dev, MI_buf + 0x5f, 0x5f); 316 bulk_w(gspca_dev, MI_buf + 0x60, 0x60); 317 bulk_w(gspca_dev, MI_buf + 0x61, 0x61); 318 bulk_w(gspca_dev, MI_buf + 0x62, 0x62); 319 bulk_w(gspca_dev, MI_buf + 0x63, 0x63); 320 bulk_w(gspca_dev, MI_buf + 0x64, 0x64); 321 bulk_w(gspca_dev, MI_buf + 0xf1, 0xf1); 322 kfree(MI_buf); 323 324 intpipe = usb_sndintpipe(gspca_dev->dev, 0); 325 err_code = usb_clear_halt(gspca_dev->dev, intpipe); 326 327 data[0] = 0x00; 328 data[1] = 0x4d; /* ISOC transfering enable... */ 329 reg_w(gspca_dev, data[0], 2); 330 return err_code; 331} 332 333static void sd_stopN(struct gspca_dev *gspca_dev) 334{ 335 int result; 336 337 gspca_dev->usb_buf[0] = 1; 338 gspca_dev->usb_buf[1] = 0; 339 result = reg_w(gspca_dev, gspca_dev->usb_buf[0], 2); 340 if (result < 0) 341 PDEBUG(D_ERR, "Camera Stop failed"); 342} 343 344static void sd_pkt_scan(struct gspca_dev *gspca_dev, 345 struct gspca_frame *frame, /* target */ 346 __u8 *data, /* isoc packet */ 347 int len) /* iso packet length */ 348{ 349 struct sd *sd = (struct sd *) gspca_dev; 350 int p; 351 352 if (len < 6) { 353/* gspca_dev->last_packet_type = DISCARD_PACKET; */ 354 return; 355 } 356 for (p = 0; p < len - 6; p++) { 357 if (data[0 + p] == 0xff 358 && data[1 + p] == 0xff 359 && data[2 + p] == 0x00 360 && data[3 + p] == 0xff 361 && data[4 + p] == 0x96) { 362 if (data[5 + p] == 0x64 363 || data[5 + p] == 0x65 364 || data[5 + p] == 0x66 365 || data[5 + p] == 0x67) { 366 PDEBUG(D_PACK, "sof offset: %d leng: %d", 367 p, len); 368 frame = gspca_frame_add(gspca_dev, LAST_PACKET, 369 frame, data, 0); 370 371 /* put the JPEG header */ 372 jpeg_put_header(gspca_dev, frame, 373 sd->qindex, 0x21); 374 data += 16; 375 len -= 16; 376 break; 377 } 378 } 379 } 380 gspca_frame_add(gspca_dev, INTER_PACKET, frame, data, len); 381} 382 383/* sub-driver description */ 384static const struct sd_desc sd_desc = { 385 .name = MODULE_NAME, 386 .ctrls = sd_ctrls, 387 .nctrls = ARRAY_SIZE(sd_ctrls), 388 .config = sd_config, 389 .init = sd_init, 390 .start = sd_start, 391 .stopN = sd_stopN, 392 .pkt_scan = sd_pkt_scan, 393}; 394 395/* -- module initialisation -- */ 396static const __devinitdata struct usb_device_id device_table[] = { 397 {USB_DEVICE(0x093a, 0x050f)}, 398 {} 399}; 400MODULE_DEVICE_TABLE(usb, device_table); 401 402/* -- device connect -- */ 403static int sd_probe(struct usb_interface *intf, 404 const struct usb_device_id *id) 405{ 406 return gspca_dev_probe(intf, id, &sd_desc, sizeof(struct sd), 407 THIS_MODULE); 408} 409 410static struct usb_driver sd_driver = { 411 .name = MODULE_NAME, 412 .id_table = device_table, 413 .probe = sd_probe, 414 .disconnect = gspca_disconnect, 415#ifdef CONFIG_PM 416 .suspend = gspca_suspend, 417 .resume = gspca_resume, 418#endif 419}; 420 421/* -- module insert / remove -- */ 422static int __init sd_mod_init(void) 423{ 424 if (usb_register(&sd_driver) < 0) 425 return -1; 426 PDEBUG(D_PROBE, "registered"); 427 return 0; 428} 429static void __exit sd_mod_exit(void) 430{ 431 usb_deregister(&sd_driver); 432 PDEBUG(D_PROBE, "deregistered"); 433} 434 435module_init(sd_mod_init); 436module_exit(sd_mod_exit);