Title | Replies (including bot) | Last reply |
---|---|---|
[syzbot] [media?] KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4) | 0 (1) | 2025/07/14 07:23 |
```text
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 1280 at addr ffffc90005531b40 by task vivid-000-vid-c/15810

CPU: 0 UID: 0 PID: 15810 Comm: vivid-000-vid-c Not tainted 6.16.0-rc7-syzkaller-00018-g01a412d06bc5 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
 tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
 vivid_thread_vid_cap_tick+0xfff/0x5fd0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x8da/0x10d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address ffffc90005531b40 belongs to a vmalloc virtual mapping
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804dfef000 pfn:0x4dfef
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88804dfef000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 15808, tgid 15807 (syz.0.2831), ts 781182113015, free_ts 781182004816
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_frozen_pages_noprof mm/mempolicy.c:2490 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2510
 vm_area_alloc_pages mm/vmalloc.c:3642 [inline]
 __vmalloc_area_node mm/vmalloc.c:3720 [inline]
 __vmalloc_node_range_noprof+0x97d/0x12f0 mm/vmalloc.c:3893
 vmalloc_user_noprof+0xad/0xf0 mm/vmalloc.c:4046
 vb2_vmalloc_alloc+0xef/0x340 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x9c2/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xc31/0x1420 drivers/media/common/videobuf2/videobuf2-core.c:964
 vb2_ioctl_reqbufs+0x4c0/0x830 drivers/media/common/videobuf2/videobuf2-v4l2.c:1035
 __video_do_ioctl+0xc98/0xdb0 drivers/media/v4l2-core/v4l2-ioctl.c:3132
 video_usercopy+0x871/0x14f0 drivers/media/v4l2-core/v4l2-ioctl.c:3473
 v4l2_ioctl+0x18d/0x1e0 drivers/media/v4l2-core/v4l2-dev.c:366
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
page last free pid 15808 tgid 15807 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 ___free_pages_bulk mm/kasan/shadow.c:332 [inline]
 __kasan_populate_vmalloc mm/kasan/shadow.c:375 [inline]
 kasan_populate_vmalloc+0x118/0x1a0 mm/kasan/shadow.c:417
 alloc_vmap_area+0xd51/0x1490 mm/vmalloc.c:2092
 __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3187
 __vmalloc_node_range_noprof+0x301/0x12f0 mm/vmalloc.c:3853
 vmalloc_user_noprof+0xad/0xf0 mm/vmalloc.c:4046
 vb2_vmalloc_alloc+0xef/0x340 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x9c2/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xc31/0x1420 drivers/media/common/videobuf2/videobuf2-core.c:964
 vb2_ioctl_reqbufs+0x4c0/0x830 drivers/media/common/videobuf2/videobuf2-v4l2.c:1035
 __video_do_ioctl+0xc98/0xdb0 drivers/media/v4l2-core/v4l2-ioctl.c:3132
 video_usercopy+0x871/0x14f0 drivers/media/v4l2-core/v4l2-ioctl.c:3473
 v4l2_ioctl+0x18d/0x1e0 drivers/media/v4l2-core/v4l2-dev.c:366
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc90005531f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90005531f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90005532000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90005532080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90005532100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
```
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2025/07/24 01:39 | upstream | 01a412d06bc5 | 0c1d6ded | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer |
2025/07/16 04:00 | upstream | 155a3c003e55 | 03fcfc4b | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer |
2025/07/09 05:53 | upstream | d006330be3f7 | abade794 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer |
2025/07/08 19:00 | upstream | d006330be3f7 | abade794 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer |
2025/07/18 01:24 | upstream | e2291551827f | 0d1223f1 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer |
2025/07/23 12:01 | upstream | 89be9a83ccf1 | e1dd4f22 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer |