syzbot

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 2560 at addr ffffc90004336620 by task vivid-000-vid-c/7790

CPU: 0 UID: 0 PID: 7790 Comm: vivid-000-vid-c Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/27/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
 tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
 vivid_thread_vid_cap_tick+0x1021/0x5fd0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x909/0x1190 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to a 6-page vmalloc region starting at 0xffffc90004331000 allocated at vb2_vmalloc_alloc+0xef/0x360 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x9e0a3
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
raw: ffffffffffffffff 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 7789, tgid 7788 (syz.5.9709), ts 1732842868988, free_ts 1732729904013
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2484
 alloc_frozen_pages_noprof mm/mempolicy.c:2555 [inline]
 alloc_pages_noprof+0xa8/0x190 mm/mempolicy.c:2575
 vm_area_alloc_pages mm/vmalloc.c:3662 [inline]
 __vmalloc_area_node mm/vmalloc.c:3876 [inline]
 __vmalloc_node_range_noprof+0x79b/0x1730 mm/vmalloc.c:4064
 vmalloc_user_noprof+0xad/0xe0 mm/vmalloc.c:4218
 vb2_vmalloc_alloc+0xef/0x360 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x9c5/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xc1f/0x1410 drivers/media/common/videobuf2/videobuf2-core.c:958
 __vb2_init_fileio+0x318/0xff0 drivers/media/common/videobuf2/videobuf2-core.c:2879
 __vb2_perform_fileio+0x282/0x1620 drivers/media/common/videobuf2/videobuf2-core.c:3025
 vb2_fop_read+0x273/0x360 drivers/media/common/videobuf2/videobuf2-v4l2.c:1215
 v4l2_read+0x19c/0x2c0 drivers/media/v4l2-core/v4l2-dev.c:316
 loop_rw_iter+0x42c/0x680 include/linux/uio.h:-1
 io_iter_do_read io_uring/rw.c:837 [inline]
 __io_read+0x134b/0x1520 io_uring/rw.c:951
page last free pid 7759 tgid 7756 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 mm_free_pgd kernel/fork.c:585 [inline]
 __mmdrop+0xb5/0x750 kernel/fork.c:727
 exit_mm+0x168/0x220 kernel/exit.c:581
 do_exit+0x6a2/0x23c0 kernel/exit.c:964
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1118
 get_signal+0x1284/0x1330 kernel/signal.c:3034
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc90004336f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004336f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90004337000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004337080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004337100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================