Avoid beyond bounds copy while caching ACL
[zen-stable.git] / drivers / media / video / gspca / sq905.c
blob2fe3c29bd6b79ca2f5707e9c78b65aad14f53d7f
1 /*
2 * SQ905 subdriver
4 * Copyright (C) 2008, 2009 Adam Baker and Theodore Kilgore
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 * History and Acknowledgments
24 * The original Linux driver for SQ905 based cameras was written by
25 * Marcell Lengyel and furter developed by many other contributors
26 * and is available from http://sourceforge.net/projects/sqcam/
28 * This driver takes advantage of the reverse engineering work done for
29 * that driver and for libgphoto2 but shares no code with them.
31 * This driver has used as a base the finepix driver and other gspca
32 * based drivers and may still contain code fragments taken from those
33 * drivers.
36 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
38 #define MODULE_NAME "sq905"
40 #include <linux/workqueue.h>
41 #include <linux/slab.h>
42 #include "gspca.h"
44 MODULE_AUTHOR("Adam Baker <linux@baker-net.org.uk>, "
45 "Theodore Kilgore <kilgota@auburn.edu>");
46 MODULE_DESCRIPTION("GSPCA/SQ905 USB Camera Driver");
47 MODULE_LICENSE("GPL");
49 /* Default timeouts, in ms */
50 #define SQ905_CMD_TIMEOUT 500
51 #define SQ905_DATA_TIMEOUT 1000
53 /* Maximum transfer size to use. */
54 #define SQ905_MAX_TRANSFER 0x8000
55 #define FRAME_HEADER_LEN 64
57 /* The known modes, or registers. These go in the "value" slot. */
59 /* 00 is "none" obviously */
61 #define SQ905_BULK_READ 0x03 /* precedes any bulk read */
62 #define SQ905_COMMAND 0x06 /* precedes the command codes below */
63 #define SQ905_PING 0x07 /* when reading an "idling" command */
64 #define SQ905_READ_DONE 0xc0 /* ack bulk read completed */
66 /* Any non-zero value in the bottom 2 bits of the 2nd byte of
67 * the ID appears to indicate the camera can do 640*480. If the
68 * LSB of that byte is set the image is just upside down, otherwise
69 * it is rotated 180 degrees. */
70 #define SQ905_HIRES_MASK 0x00000300
71 #define SQ905_ORIENTATION_MASK 0x00000100
73 /* Some command codes. These go in the "index" slot. */
75 #define SQ905_ID 0xf0 /* asks for model string */
76 #define SQ905_CONFIG 0x20 /* gets photo alloc. table, not used here */
77 #define SQ905_DATA 0x30 /* accesses photo data, not used here */
78 #define SQ905_CLEAR 0xa0 /* clear everything */
79 #define SQ905_CAPTURE_LOW 0x60 /* Starts capture at 160x120 */
80 #define SQ905_CAPTURE_MED 0x61 /* Starts capture at 320x240 */
81 #define SQ905_CAPTURE_HIGH 0x62 /* Starts capture at 640x480 (some cams only) */
82 /* note that the capture command also controls the output dimensions */
84 /* Structure to hold all of our device specific stuff */
85 struct sd {
86 struct gspca_dev gspca_dev; /* !! must be the first item */
89 * Driver stuff
91 struct work_struct work_struct;
92 struct workqueue_struct *work_thread;
95 static struct v4l2_pix_format sq905_mode[] = {
96 { 160, 120, V4L2_PIX_FMT_SBGGR8, V4L2_FIELD_NONE,
97 .bytesperline = 160,
98 .sizeimage = 160 * 120,
99 .colorspace = V4L2_COLORSPACE_SRGB,
100 .priv = 0},
101 { 320, 240, V4L2_PIX_FMT_SBGGR8, V4L2_FIELD_NONE,
102 .bytesperline = 320,
103 .sizeimage = 320 * 240,
104 .colorspace = V4L2_COLORSPACE_SRGB,
105 .priv = 0},
106 { 640, 480, V4L2_PIX_FMT_SBGGR8, V4L2_FIELD_NONE,
107 .bytesperline = 640,
108 .sizeimage = 640 * 480,
109 .colorspace = V4L2_COLORSPACE_SRGB,
110 .priv = 0}
114 * Send a command to the camera.
116 static int sq905_command(struct gspca_dev *gspca_dev, u16 index)
118 int ret;
120 gspca_dev->usb_buf[0] = '\0';
121 ret = usb_control_msg(gspca_dev->dev,
122 usb_sndctrlpipe(gspca_dev->dev, 0),
123 USB_REQ_SYNCH_FRAME, /* request */
124 USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
125 SQ905_COMMAND, index, gspca_dev->usb_buf, 1,
126 SQ905_CMD_TIMEOUT);
127 if (ret < 0) {
128 pr_err("%s: usb_control_msg failed (%d)\n", __func__, ret);
129 return ret;
132 ret = usb_control_msg(gspca_dev->dev,
133 usb_sndctrlpipe(gspca_dev->dev, 0),
134 USB_REQ_SYNCH_FRAME, /* request */
135 USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
136 SQ905_PING, 0, gspca_dev->usb_buf, 1,
137 SQ905_CMD_TIMEOUT);
138 if (ret < 0) {
139 pr_err("%s: usb_control_msg failed 2 (%d)\n", __func__, ret);
140 return ret;
143 return 0;
147 * Acknowledge the end of a frame - see warning on sq905_command.
149 static int sq905_ack_frame(struct gspca_dev *gspca_dev)
151 int ret;
153 gspca_dev->usb_buf[0] = '\0';
154 ret = usb_control_msg(gspca_dev->dev,
155 usb_sndctrlpipe(gspca_dev->dev, 0),
156 USB_REQ_SYNCH_FRAME, /* request */
157 USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
158 SQ905_READ_DONE, 0, gspca_dev->usb_buf, 1,
159 SQ905_CMD_TIMEOUT);
160 if (ret < 0) {
161 pr_err("%s: usb_control_msg failed (%d)\n", __func__, ret);
162 return ret;
165 return 0;
169 * request and read a block of data - see warning on sq905_command.
171 static int
172 sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock)
174 int ret;
175 int act_len;
177 gspca_dev->usb_buf[0] = '\0';
178 if (need_lock)
179 mutex_lock(&gspca_dev->usb_lock);
180 ret = usb_control_msg(gspca_dev->dev,
181 usb_sndctrlpipe(gspca_dev->dev, 0),
182 USB_REQ_SYNCH_FRAME, /* request */
183 USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
184 SQ905_BULK_READ, size, gspca_dev->usb_buf,
185 1, SQ905_CMD_TIMEOUT);
186 if (need_lock)
187 mutex_unlock(&gspca_dev->usb_lock);
188 if (ret < 0) {
189 pr_err("%s: usb_control_msg failed (%d)\n", __func__, ret);
190 return ret;
192 ret = usb_bulk_msg(gspca_dev->dev,
193 usb_rcvbulkpipe(gspca_dev->dev, 0x81),
194 data, size, &act_len, SQ905_DATA_TIMEOUT);
196 /* successful, it returns 0, otherwise negative */
197 if (ret < 0 || act_len != size) {
198 pr_err("bulk read fail (%d) len %d/%d\n", ret, act_len, size);
199 return -EIO;
201 return 0;
204 /* This function is called as a workqueue function and runs whenever the camera
205 * is streaming data. Because it is a workqueue function it is allowed to sleep
206 * so we can use synchronous USB calls. To avoid possible collisions with other
207 * threads attempting to use the camera's USB interface we take the gspca
208 * usb_lock when performing USB operations. In practice the only thing we need
209 * to protect against is the usb_set_interface call that gspca makes during
210 * stream_off as the camera doesn't provide any controls that the user could try
211 * to change.
213 static void sq905_dostream(struct work_struct *work)
215 struct sd *dev = container_of(work, struct sd, work_struct);
216 struct gspca_dev *gspca_dev = &dev->gspca_dev;
217 int bytes_left; /* bytes remaining in current frame. */
218 int data_len; /* size to use for the next read. */
219 int header_read; /* true if we have already read the frame header. */
220 int packet_type;
221 int frame_sz;
222 int ret;
223 u8 *data;
224 u8 *buffer;
226 buffer = kmalloc(SQ905_MAX_TRANSFER, GFP_KERNEL | GFP_DMA);
227 if (!buffer) {
228 pr_err("Couldn't allocate USB buffer\n");
229 goto quit_stream;
232 frame_sz = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].sizeimage
233 + FRAME_HEADER_LEN;
235 while (gspca_dev->present && gspca_dev->streaming) {
236 /* request some data and then read it until we have
237 * a complete frame. */
238 bytes_left = frame_sz;
239 header_read = 0;
241 /* Note we do not check for gspca_dev->streaming here, as
242 we must finish reading an entire frame, otherwise the
243 next time we stream we start reading in the middle of a
244 frame. */
245 while (bytes_left > 0 && gspca_dev->present) {
246 data_len = bytes_left > SQ905_MAX_TRANSFER ?
247 SQ905_MAX_TRANSFER : bytes_left;
248 ret = sq905_read_data(gspca_dev, buffer, data_len, 1);
249 if (ret < 0)
250 goto quit_stream;
251 PDEBUG(D_PACK,
252 "Got %d bytes out of %d for frame",
253 data_len, bytes_left);
254 bytes_left -= data_len;
255 data = buffer;
256 if (!header_read) {
257 packet_type = FIRST_PACKET;
258 /* The first 64 bytes of each frame are
259 * a header full of FF 00 bytes */
260 data += FRAME_HEADER_LEN;
261 data_len -= FRAME_HEADER_LEN;
262 header_read = 1;
263 } else if (bytes_left == 0) {
264 packet_type = LAST_PACKET;
265 } else {
266 packet_type = INTER_PACKET;
268 gspca_frame_add(gspca_dev, packet_type,
269 data, data_len);
270 /* If entire frame fits in one packet we still
271 need to add a LAST_PACKET */
272 if (packet_type == FIRST_PACKET &&
273 bytes_left == 0)
274 gspca_frame_add(gspca_dev, LAST_PACKET,
275 NULL, 0);
277 if (gspca_dev->present) {
278 /* acknowledge the frame */
279 mutex_lock(&gspca_dev->usb_lock);
280 ret = sq905_ack_frame(gspca_dev);
281 mutex_unlock(&gspca_dev->usb_lock);
282 if (ret < 0)
283 goto quit_stream;
286 quit_stream:
287 if (gspca_dev->present) {
288 mutex_lock(&gspca_dev->usb_lock);
289 sq905_command(gspca_dev, SQ905_CLEAR);
290 mutex_unlock(&gspca_dev->usb_lock);
292 kfree(buffer);
295 /* This function is called at probe time just before sd_init */
296 static int sd_config(struct gspca_dev *gspca_dev,
297 const struct usb_device_id *id)
299 struct cam *cam = &gspca_dev->cam;
300 struct sd *dev = (struct sd *) gspca_dev;
302 /* We don't use the buffer gspca allocates so make it small. */
303 cam->bulk = 1;
304 cam->bulk_size = 64;
306 INIT_WORK(&dev->work_struct, sq905_dostream);
308 return 0;
311 /* called on streamoff with alt==0 and on disconnect */
312 /* the usb_lock is held at entry - restore on exit */
313 static void sd_stop0(struct gspca_dev *gspca_dev)
315 struct sd *dev = (struct sd *) gspca_dev;
317 /* wait for the work queue to terminate */
318 mutex_unlock(&gspca_dev->usb_lock);
319 /* This waits for sq905_dostream to finish */
320 destroy_workqueue(dev->work_thread);
321 dev->work_thread = NULL;
322 mutex_lock(&gspca_dev->usb_lock);
325 /* this function is called at probe and resume time */
326 static int sd_init(struct gspca_dev *gspca_dev)
328 u32 ident;
329 int ret;
331 /* connect to the camera and read
332 * the model ID and process that and put it away.
334 ret = sq905_command(gspca_dev, SQ905_CLEAR);
335 if (ret < 0)
336 return ret;
337 ret = sq905_command(gspca_dev, SQ905_ID);
338 if (ret < 0)
339 return ret;
340 ret = sq905_read_data(gspca_dev, gspca_dev->usb_buf, 4, 0);
341 if (ret < 0)
342 return ret;
343 /* usb_buf is allocated with kmalloc so is aligned.
344 * Camera model number is the right way round if we assume this
345 * reverse engineered ID is supposed to be big endian. */
346 ident = be32_to_cpup((__be32 *)gspca_dev->usb_buf);
347 ret = sq905_command(gspca_dev, SQ905_CLEAR);
348 if (ret < 0)
349 return ret;
350 PDEBUG(D_CONF, "SQ905 camera ID %08x detected", ident);
351 gspca_dev->cam.cam_mode = sq905_mode;
352 gspca_dev->cam.nmodes = ARRAY_SIZE(sq905_mode);
353 if (!(ident & SQ905_HIRES_MASK))
354 gspca_dev->cam.nmodes--;
356 if (ident & SQ905_ORIENTATION_MASK)
357 gspca_dev->cam.input_flags = V4L2_IN_ST_VFLIP;
358 else
359 gspca_dev->cam.input_flags = V4L2_IN_ST_VFLIP |
360 V4L2_IN_ST_HFLIP;
361 return 0;
364 /* Set up for getting frames. */
365 static int sd_start(struct gspca_dev *gspca_dev)
367 struct sd *dev = (struct sd *) gspca_dev;
368 int ret;
370 /* "Open the shutter" and set size, to start capture */
371 switch (gspca_dev->curr_mode) {
372 default:
373 /* case 2: */
374 PDEBUG(D_STREAM, "Start streaming at high resolution");
375 ret = sq905_command(&dev->gspca_dev, SQ905_CAPTURE_HIGH);
376 break;
377 case 1:
378 PDEBUG(D_STREAM, "Start streaming at medium resolution");
379 ret = sq905_command(&dev->gspca_dev, SQ905_CAPTURE_MED);
380 break;
381 case 0:
382 PDEBUG(D_STREAM, "Start streaming at low resolution");
383 ret = sq905_command(&dev->gspca_dev, SQ905_CAPTURE_LOW);
386 if (ret < 0) {
387 PDEBUG(D_ERR, "Start streaming command failed");
388 return ret;
390 /* Start the workqueue function to do the streaming */
391 dev->work_thread = create_singlethread_workqueue(MODULE_NAME);
392 queue_work(dev->work_thread, &dev->work_struct);
394 return 0;
397 /* Table of supported USB devices */
398 static const struct usb_device_id device_table[] = {
399 {USB_DEVICE(0x2770, 0x9120)},
403 MODULE_DEVICE_TABLE(usb, device_table);
405 /* sub-driver description */
406 static const struct sd_desc sd_desc = {
407 .name = MODULE_NAME,
408 .config = sd_config,
409 .init = sd_init,
410 .start = sd_start,
411 .stop0 = sd_stop0,
414 /* -- device connect -- */
415 static int sd_probe(struct usb_interface *intf,
416 const struct usb_device_id *id)
418 return gspca_dev_probe(intf, id,
419 &sd_desc,
420 sizeof(struct sd),
421 THIS_MODULE);
424 static struct usb_driver sd_driver = {
425 .name = MODULE_NAME,
426 .id_table = device_table,
427 .probe = sd_probe,
428 .disconnect = gspca_disconnect,
429 #ifdef CONFIG_PM
430 .suspend = gspca_suspend,
431 .resume = gspca_resume,
432 #endif
435 module_usb_driver(sd_driver);