syzbot

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2617 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1fed/0x43c0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 2880 at addr ffffc900040bf500 by task vivid-000-vid-c/9512

CPU: 1 UID: 0 PID: 9512 Comm: vivid-000-vid-c Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:194 [inline]
 kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200
 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2617 [inline]
 tpg_fill_plane_buffer+0x1fed/0x43c0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff+0x8d2/0x4250 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470
 vivid_thread_vid_cap_tick+0x814/0x15d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x454/0xda0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>

The buggy address belongs to a vmalloc virtual mapping
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807a3c8c40 pfn:0x50366
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88807a3c8c40 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 9507, tgid 9505 (syz.0.18574), ts 1923718114417, free_ts 1923717996897
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1af/0x220 mm/page_alloc.c:1846
 prep_new_page mm/page_alloc.c:1854 [inline]
 get_page_from_freelist+0xd0b/0x31a0 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x25f/0x2430 mm/page_alloc.c:5210
 __alloc_pages_noprof mm/page_alloc.c:5244 [inline]
 alloc_pages_bulk_noprof+0x77a/0x1410 mm/page_alloc.c:5164
 alloc_pages_bulk_mempolicy_noprof+0x244/0x12a0 mm/mempolicy.c:2794
 vm_area_alloc_pages mm/vmalloc.c:3693 [inline]
 __vmalloc_area_node mm/vmalloc.c:3863 [inline]
 __vmalloc_node_range_noprof+0xb98/0x16b0 mm/vmalloc.c:4051
 vmalloc_user_noprof+0x9e/0xe0 mm/vmalloc.c:4205
 vb2_vmalloc_alloc+0x135/0x410 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x8c9/0x1280 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xa90/0xfe0 drivers/media/common/videobuf2/videobuf2-core.c:964
 __vb2_init_fileio+0x3f1/0x1100 drivers/media/common/videobuf2/videobuf2-core.c:2895
 vb2_core_poll+0x5ec/0x700 drivers/media/common/videobuf2/videobuf2-core.c:2729
 vb2_poll+0x4b/0xe0 drivers/media/common/videobuf2/videobuf2-v4l2.c:979
 vb2_fop_poll+0x10f/0x2c0 drivers/media/common/videobuf2/videobuf2-v4l2.c:1245
 v4l2_poll+0x163/0x320 drivers/media/v4l2-core/v4l2-dev.c:350
 vfs_poll include/linux/poll.h:82 [inline]
 do_pollfd fs/select.c:866 [inline]
 do_poll fs/select.c:909 [inline]
 do_sys_poll+0x55c/0xdf0 fs/select.c:1005
page last free pid 9507 tgid 9505 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7df/0x1170 mm/page_alloc.c:2943
 __kasan_populate_vmalloc_do mm/kasan/shadow.c:393 [inline]
 __kasan_populate_vmalloc+0x149/0x220 mm/kasan/shadow.c:424
 kasan_populate_vmalloc include/linux/kasan.h:579 [inline]
 alloc_vmap_area+0x98d/0x2a50 mm/vmalloc.c:2124
 __get_vm_area_node+0x1ca/0x330 mm/vmalloc.c:3219
 __vmalloc_node_range_noprof+0x247/0x16b0 mm/vmalloc.c:4011
 vmalloc_user_noprof+0x9e/0xe0 mm/vmalloc.c:4205
 vb2_vmalloc_alloc+0x135/0x410 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x8c9/0x1280 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xa90/0xfe0 drivers/media/common/videobuf2/videobuf2-core.c:964
 __vb2_init_fileio+0x3f1/0x1100 drivers/media/common/videobuf2/videobuf2-core.c:2895
 vb2_core_poll+0x5ec/0x700 drivers/media/common/videobuf2/videobuf2-core.c:2729
 vb2_poll+0x4b/0xe0 drivers/media/common/videobuf2/videobuf2-v4l2.c:979
 vb2_fop_poll+0x10f/0x2c0 drivers/media/common/videobuf2/videobuf2-v4l2.c:1245
 v4l2_poll+0x163/0x320 drivers/media/v4l2-core/v4l2-dev.c:350
 vfs_poll include/linux/poll.h:82 [inline]
 do_pollfd fs/select.c:866 [inline]
 do_poll fs/select.c:909 [inline]
 do_sys_poll+0x55c/0xdf0 fs/select.c:1005
 __do_sys_ppoll fs/select.c:1111 [inline]
 __se_sys_ppoll fs/select.c:1091 [inline]
 __x64_sys_ppoll+0x254/0x2d0 fs/select.c:1091

Memory state around the buggy address:
 ffffc900040bff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900040bff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900040c0000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc900040c0080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc900040c0100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================