When vivid is unloaded it used vfree to free dev->bitmap_out, but it was actually allocated using kmalloc. Use vzalloc instead, conform what vivid-vid-cap.c does.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Reviewed-by: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
---
drivers/media/platform/vivid/vivid-vid-out.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/media/platform/vivid/vivid-vid-out.c b/drivers/media/platform/vivid/vivid-vid-out.c
index e61b91b414f9..9350ca65dd91 100644
--- a/drivers/media/platform/vivid/vivid-vid-out.c
+++ b/drivers/media/platform/vivid/vivid-vid-out.c
@@ -798,7 +798,7 @@ int vivid_vid_out_s_selection(struct file *file, void *fh, struct v4l2_selection
 s->r.height *= factor;
 if (dev->bitmap_out && (compose->width != s->r.width ||
 compose->height != s->r.height)) {
- kfree(dev->bitmap_out);
+ vfree(dev->bitmap_out);
 dev->bitmap_out = NULL;
 }
 *compose = s->r;
@@ -941,15 +941,19 @@ int vidioc_s_fmt_vid_out_overlay(struct file *file, void *priv,
 return ret;
 if (win->bitmap) {
- new_bitmap = memdup_user(win->bitmap, bitmap_size);
+ new_bitmap = vzalloc(bitmap_size);
- if (IS_ERR(new_bitmap))
- return PTR_ERR(new_bitmap);
+ if (!new_bitmap)
+ return -ENOMEM;
+ if (copy_from_user(new_bitmap, win->bitmap, bitmap_size)) {
+ vfree(new_bitmap);
+ return -EFAULT;
+ }
 }
 dev->overlay_out_top = win->w.top;
 dev->overlay_out_left = win->w.left;
- kfree(dev->bitmap_out);
+ vfree(dev->bitmap_out);
 dev->bitmap_out = new_bitmap;
 dev->clipcount_out = win->clipcount;
 if (dev->clipcount_out)
--
2.20.1
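Review bot: In the second hunk (vidioc_s_fmt_vid_out_overlay) the buffer is zeroed by `vzalloc(bitmap_size)` and then overwritten in full by `copy_from_user()`, with the failure path freeing it, so the zeroing does no work; `vmalloc(bitmap_size)` would be enough unless matching vivid-vid-cap.c is the only goal. `bitmap_size` is computed outside the hunk, so two things cannot be checked from here: if it can ever be 0, `vzalloc(0)` should return NULL and the ioctl would now fail with -ENOMEM where `memdup_user()` did not, and because vmalloc lifts the practical kmalloc size ceiling it is worth confirming the value is already bounded by the compose rectangle. A short comment at the allocation, e.g. `/* bitmap_out is vmalloc'ed: every release must use vfree() */`, would help keep the allocator/free pairing from drifting apart again. The function body starts and ends outside the hunk.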