syzbot


KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4)

Status: upstream: reported on 2025/07/14 07:23
Subsystems: media
[Documentation on labels]
Reported-by: syzbot+dac8f5eaa46837e97b89@syzkaller.appspotmail.com
First crash: 17d, last: 2d03h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [media?] KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4) 0 (1) 2025/07/14 07:23
Similar bugs (8)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer 23 3 41d 77d 0/3 upstream: reported on 2025/05/09 16:36
upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (3) media 23 C 271 19d 373d 29/29 fixed on 2025/07/08 00:33
upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer media 23 1 2015d 2015d 0/29 auto-closed as invalid on 2020/05/17 19:44
linux-5.15 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer 23 1 829d 829d 0/3 auto-obsoleted due to no activity on 2023/08/17 04:37
upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (2) media 23 C inconclusive done 14 907d 1419d 22/29 fixed on 2023/02/24 13:51
linux-4.19 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) 8 syz error 8 953d 1454d 0/1 upstream: reported syz repro on 2021/08/02 00:51
linux-4.14 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) 8 1 1287d 1287d 0/1 auto-closed as invalid on 2022/05/15 07:48
upstream BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) media 8 1 837d 833d 0/29 auto-obsoleted due to no activity on 2023/07/09 12:46

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 1280 at addr ffffc90005531b40 by task vivid-000-vid-c/15810

CPU: 0 UID: 0 PID: 15810 Comm: vivid-000-vid-c Not tainted 6.16.0-rc7-syzkaller-00018-g01a412d06bc5 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
 tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
 vivid_thread_vid_cap_tick+0xfff/0x5fd0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x8da/0x10d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address ffffc90005531b40 belongs to a vmalloc virtual mapping
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804dfef000 pfn:0x4dfef
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88804dfef000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 15808, tgid 15807 (syz.0.2831), ts 781182113015, free_ts 781182004816
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_frozen_pages_noprof mm/mempolicy.c:2490 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2510
 vm_area_alloc_pages mm/vmalloc.c:3642 [inline]
 __vmalloc_area_node mm/vmalloc.c:3720 [inline]
 __vmalloc_node_range_noprof+0x97d/0x12f0 mm/vmalloc.c:3893
 vmalloc_user_noprof+0xad/0xf0 mm/vmalloc.c:4046
 vb2_vmalloc_alloc+0xef/0x340 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x9c2/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xc31/0x1420 drivers/media/common/videobuf2/videobuf2-core.c:964
 vb2_ioctl_reqbufs+0x4c0/0x830 drivers/media/common/videobuf2/videobuf2-v4l2.c:1035
 __video_do_ioctl+0xc98/0xdb0 drivers/media/v4l2-core/v4l2-ioctl.c:3132
 video_usercopy+0x871/0x14f0 drivers/media/v4l2-core/v4l2-ioctl.c:3473
 v4l2_ioctl+0x18d/0x1e0 drivers/media/v4l2-core/v4l2-dev.c:366
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
page last free pid 15808 tgid 15807 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 ___free_pages_bulk mm/kasan/shadow.c:332 [inline]
 __kasan_populate_vmalloc mm/kasan/shadow.c:375 [inline]
 kasan_populate_vmalloc+0x118/0x1a0 mm/kasan/shadow.c:417
 alloc_vmap_area+0xd51/0x1490 mm/vmalloc.c:2092
 __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3187
 __vmalloc_node_range_noprof+0x301/0x12f0 mm/vmalloc.c:3853
 vmalloc_user_noprof+0xad/0xf0 mm/vmalloc.c:4046
 vb2_vmalloc_alloc+0xef/0x340 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x9c2/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xc31/0x1420 drivers/media/common/videobuf2/videobuf2-core.c:964
 vb2_ioctl_reqbufs+0x4c0/0x830 drivers/media/common/videobuf2/videobuf2-v4l2.c:1035
 __video_do_ioctl+0xc98/0xdb0 drivers/media/v4l2-core/v4l2-ioctl.c:3132
 video_usercopy+0x871/0x14f0 drivers/media/v4l2-core/v4l2-ioctl.c:3473
 v4l2_ioctl+0x18d/0x1e0 drivers/media/v4l2-core/v4l2-dev.c:366
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc90005531f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90005531f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90005532000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90005532080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90005532100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/07/24 01:39 upstream 01a412d06bc5 0c1d6ded .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/16 04:00 upstream 155a3c003e55 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/09 05:53 upstream d006330be3f7 abade794 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/08 19:00 upstream d006330be3f7 abade794 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/18 01:24 upstream e2291551827f 0d1223f1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/23 12:01 upstream 89be9a83ccf1 e1dd4f22 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
* Struck through repros no longer work on HEAD.