==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2624 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x21d2/0x43c0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 5120 at addr ffffc90000b1e000 by task vivid-000-vid-c/21449

CPU: 0 UID: 0 PID: 21449 Comm: vivid-000-vid-c Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2624 [inline]
 tpg_fill_plane_buffer+0x21d2/0x43c0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff+0x8d2/0x4250 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470
 vivid_thread_vid_cap_tick+0x814/0x15d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x454/0xda0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x3c2/0x780 kernel/kthread.c:463
 ret_from_fork+0x56a/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to a 1-page vmalloc region starting at 0xffffc90000b1e000 allocated at vb2_vmalloc_alloc+0x135/0x3f0 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880645c7dc0 pfn:0x645c7
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff8880645c7dc0 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 21447, tgid 21446 (syz.2.4344), ts 1070830608077, free_ts 1070830582872
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
 __alloc_pages_noprof mm/page_alloc.c:5182 [inline]
 alloc_pages_bulk_noprof+0x71c/0x1410 mm/page_alloc.c:5102
 alloc_pages_bulk_mempolicy_noprof+0x244/0x1280 mm/mempolicy.c:2724
 vm_area_alloc_pages mm/vmalloc.c:3616 [inline]
 __vmalloc_area_node mm/vmalloc.c:3720 [inline]
 __vmalloc_node_range_noprof+0x526/0x14b0 mm/vmalloc.c:3893
 vmalloc_user_noprof+0x9e/0xe0 mm/vmalloc.c:4046
 vb2_vmalloc_alloc+0x135/0x3f0 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x8c9/0x1280 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xa90/0xfe0 drivers/media/common/videobuf2/videobuf2-core.c:964
 __vb2_init_fileio+0x3f1/0x1100 drivers/media/common/videobuf2/videobuf2-core.c:2895
 vb2_core_poll+0x5ec/0x700 drivers/media/common/videobuf2/videobuf2-core.c:2729
 vb2_poll+0x33/0x150 drivers/media/common/videobuf2/videobuf2-v4l2.c:979
 vb2_fop_poll+0x10f/0x2c0 drivers/media/common/videobuf2/videobuf2-v4l2.c:1244
 v4l2_poll+0x163/0x320 drivers/media/v4l2-core/v4l2-dev.c:350
 vfs_poll include/linux/poll.h:82 [inline]
 do_pollfd fs/select.c:870 [inline]
 do_poll fs/select.c:913 [inline]
 do_sys_poll+0x559/0xdf0 fs/select.c:1009
page last free pid 21447 tgid 21446 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
 __kasan_populate_vmalloc mm/kasan/shadow.c:401 [inline]
 kasan_populate_vmalloc+0x160/0x2d0 mm/kasan/shadow.c:435
 alloc_vmap_area+0x960/0x29c0 mm/vmalloc.c:2092
 __get_vm_area_node+0x1ca/0x330 mm/vmalloc.c:3187
 __vmalloc_node_range_noprof+0x271/0x14b0 mm/vmalloc.c:3853
 vmalloc_user_noprof+0x9e/0xe0 mm/vmalloc.c:4046
 vb2_vmalloc_alloc+0x135/0x3f0 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x8c9/0x1280 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xa90/0xfe0 drivers/media/common/videobuf2/videobuf2-core.c:964
 __vb2_init_fileio+0x3f1/0x1100 drivers/media/common/videobuf2/videobuf2-core.c:2895
 vb2_core_poll+0x5ec/0x700 drivers/media/common/videobuf2/videobuf2-core.c:2729
 vb2_poll+0x33/0x150 drivers/media/common/videobuf2/videobuf2-v4l2.c:979
 vb2_fop_poll+0x10f/0x2c0 drivers/media/common/videobuf2/videobuf2-v4l2.c:1244
 v4l2_poll+0x163/0x320 drivers/media/v4l2-core/v4l2-dev.c:350
 vfs_poll include/linux/poll.h:82 [inline]
 do_pollfd fs/select.c:870 [inline]
 do_poll fs/select.c:913 [inline]
 do_sys_poll+0x559/0xdf0 fs/select.c:1009
 __do_sys_poll fs/select.c:1074 [inline]
 __se_sys_poll fs/select.c:1062 [inline]
 __x64_sys_poll+0x1a6/0x450 fs/select.c:1062

Memory state around the buggy address:
 ffffc90000b1ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000b1ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000b1f000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90000b1f080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000b1f100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================