From: Arjan van de Ven Patch below fixes a thinko in the frame buffer drivers; the code does cursor.image.data = kmalloc(size, GFP_KERNEL); .... cursor.mask = kmalloc(size, GFP_KERNEL); .... if (copy_from_user(&cursor.image.data, sprite->image.data, size) || copy_from_user(cursor.mask, sprite->mask, size)) { .... where it's clear that the & in the first copy_from_user is utterly bogus since the destination is the content of the newly allocated buffer, and not the pointer to it as the code does. --- 25-akpm/drivers/video/fbmem.c | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) diff -puN drivers/video/fbmem.c~framebuffer-bugfix drivers/video/fbmem.c --- 25/drivers/video/fbmem.c~framebuffer-bugfix 2004-04-09 21:05:10.150488400 -0700 +++ 25-akpm/drivers/video/fbmem.c 2004-04-09 21:05:10.169485512 -0700 @@ -911,7 +911,7 @@ fb_cursor(struct fb_info *info, struct f return -ENOMEM; } - if (copy_from_user(&cursor.image.data, sprite->image.data, size) || + if (copy_from_user(cursor.image.data, sprite->image.data, size) || copy_from_user(cursor.mask, sprite->mask, size)) { kfree(cursor.image.data); kfree(cursor.mask); _
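Review bot: the changelog undersells the removed `&` on the first `copy_from_user` line by calling it a thinko; it should state the impact. With `&cursor.image.data` as the destination, `size` bytes of user-supplied data were written over the pointer field itself and, whenever `size` exceeds the width of a pointer, over whatever follows it in `cursor`, so this was a user-controlled memory overwrite rather than only a wrong destination. The kmalloc'd buffer was also never filled and its address was lost, and the `kfree(cursor.image.data)` in the failure branch shown in the context lines would have been handed whatever bytes had been copied in. The one-character fix is correct as written. Two follow-ups worth making: say in the description that the bug is reachable from user space through `fb_cursor()` so it gets picked up for backports, and confirm that `size`, whose computation is not visible in this hunk, is bounded before it reaches `kmalloc(size, GFP_KERNEL)` and both copies.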