[thirdparty/kernel/stable-queue.git] / releases / 4.4.181 / media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch

From dad7e270ba712ba1c99cd2d91018af6044447a06 Mon Sep 17 00:00:00 2001
From: Alexander Potapenko <glider@google.com>
Date: Thu, 4 Apr 2019 10:56:46 -0400
Subject: media: vivid: use vfree() instead of kfree() for dev->bitmap_cap

From: Alexander Potapenko <glider@google.com>

commit dad7e270ba712ba1c99cd2d91018af6044447a06 upstream.

syzkaller reported crashes on kfree() called from
vivid_vid_cap_s_selection(). This looks like a simple typo, as
dev->bitmap_cap is allocated with vzalloc() throughout the file.

Fixes: ef834f7836ec0 ("[media] vivid: add the video capture and output
parts")

Signed-off-by: Alexander Potapenko <glider@google.com>
Reported-by: Syzbot <syzbot+6c0effb5877f6b0344e2@syzkaller.appspotmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/vivid/vivid-vid-cap.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/platform/vivid/vivid-vid-cap.c
+++ b/drivers/media/platform/vivid/vivid-vid-cap.c
@@ -993,7 +993,7 @@ int vivid_vid_cap_s_selection(struct fil
 		rect_map_inside(&s->r, &dev->fmt_cap_rect);
 		if (dev->bitmap_cap && (compose->width != s->r.width ||
 					compose->height != s->r.height)) {
-			kfree(dev->bitmap_cap);
+			vfree(dev->bitmap_cap);
 			dev->bitmap_cap = NULL;
 		}
 		*compose = s->r;
Commit	Line	Data
a39f296c GKH	1	From dad7e270ba712ba1c99cd2d91018af6044447a06 Mon Sep 17 00:00:00 2001
	2	From: Alexander Potapenko <glider@google.com>
	3	Date: Thu, 4 Apr 2019 10:56:46 -0400
	4	Subject: media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
	5
	6	From: Alexander Potapenko <glider@google.com>
	7
	8	commit dad7e270ba712ba1c99cd2d91018af6044447a06 upstream.
	9
	10	syzkaller reported crashes on kfree() called from
	11	vivid_vid_cap_s_selection(). This looks like a simple typo, as
	12	dev->bitmap_cap is allocated with vzalloc() throughout the file.
	13
	14	Fixes: ef834f7836ec0 ("[media] vivid: add the video capture and output
	15	parts")
	16
	17	Signed-off-by: Alexander Potapenko <glider@google.com>
	18	Reported-by: Syzbot <syzbot+6c0effb5877f6b0344e2@syzkaller.appspotmail.com>
	19	Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
	20	Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
	21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	22
	23	---
	24	drivers/media/platform/vivid/vivid-vid-cap.c \| 2 +-
	25	1 file changed, 1 insertion(+), 1 deletion(-)
	26
	27	--- a/drivers/media/platform/vivid/vivid-vid-cap.c
	28	+++ b/drivers/media/platform/vivid/vivid-vid-cap.c
	29	@@ -993,7 +993,7 @@ int vivid_vid_cap_s_selection(struct fil
	30	rect_map_inside(&s->r, &dev->fmt_cap_rect);
	31	if (dev->bitmap_cap && (compose->width != s->r.width \|\|
	32	compose->height != s->r.height)) {
	33	- kfree(dev->bitmap_cap);
	34	+ vfree(dev->bitmap_cap);
	35	dev->bitmap_cap = NULL;
	36	}
	37	*compose = s->r;