When vivid is unloaded, it used vfree to free dev->bitmap_out,
but the buffer was actually allocated using kmalloc. Use vzalloc
instead, in line with what vivid-vid-cap.c does.

Signed-off-by: Hans Verkuil <hverkuil-ci...@xs4all.nl>
---
 drivers/media/platform/vivid/vivid-vid-out.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/media/platform/vivid/vivid-vid-out.c 
b/drivers/media/platform/vivid/vivid-vid-out.c
index e61b91b414f9..9350ca65dd91 100644
--- a/drivers/media/platform/vivid/vivid-vid-out.c
+++ b/drivers/media/platform/vivid/vivid-vid-out.c
@@ -798,7 +798,7 @@ int vivid_vid_out_s_selection(struct file *file, void *fh, 
struct v4l2_selection
                s->r.height *= factor;
                if (dev->bitmap_out && (compose->width != s->r.width ||
                                        compose->height != s->r.height)) {
-                       kfree(dev->bitmap_out);
+                       vfree(dev->bitmap_out);
                        dev->bitmap_out = NULL;
                }
                *compose = s->r;
@@ -941,15 +941,19 @@ int vidioc_s_fmt_vid_out_overlay(struct file *file, void 
*priv,
                return ret;
 
        if (win->bitmap) {
-               new_bitmap = memdup_user(win->bitmap, bitmap_size);
+               new_bitmap = vzalloc(bitmap_size);
 
-               if (IS_ERR(new_bitmap))
-                       return PTR_ERR(new_bitmap);
+               if (!new_bitmap)
+                       return -ENOMEM;
+               if (copy_from_user(new_bitmap, win->bitmap, bitmap_size)) {
+                       vfree(new_bitmap);
+                       return -EFAULT;
+               }
        }
 
        dev->overlay_out_top = win->w.top;
        dev->overlay_out_left = win->w.left;
-       kfree(dev->bitmap_out);
+       vfree(dev->bitmap_out);
        dev->bitmap_out = new_bitmap;
        dev->clipcount_out = win->clipcount;
        if (dev->clipcount_out)
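Review bot: With `new_bitmap = vzalloc(bitmap_size);` a zero `bitmap_size` would, as far as I can tell, now fail with -ENOMEM, whereas memdup_user would have returned a zero-size allocation. `bitmap_size` is computed outside this hunk, so please confirm it cannot be 0 (and is bounded) when `win->bitmap` is set. The allocation and both frees in this patch are now vmalloc/vfree, but any `kfree(dev->bitmap_out)` left elsewhere in the driver would reintroduce the allocator mismatch the commit fixes. A comment above the allocation such as `/* vmalloc-backed: every free of dev->bitmap_out must use vfree() */` would keep that pairing visible. The body of vidioc_s_fmt_vid_out_overlay starts and ends outside the hunk.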
-- 
2.20.1
