syzbot

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 2560 at addr ffffc900040b6620 by task vivid-000-vid-c/31784

CPU: 1 UID: 0 PID: 31784 Comm: vivid-000-vid-c Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
 tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
 vivid_thread_vid_cap_tick+0xfff/0x5fd0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x8da/0x10d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>

The buggy address belongs to a 6-page vmalloc region starting at 0xffffc900040b1000 allocated at vb2_vmalloc_alloc+0xef/0x360 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x1cac3
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
raw: ffffffffffffffff 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x1029c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO|__GFP_HARDWALL), pid 31783, tgid 31782 (syz.9.6359), ts 1865999256697, free_ts 1865475382937
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
 prep_new_page mm/page_alloc.c:1854 [inline]
 get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
 alloc_frozen_pages_noprof mm/mempolicy.c:2557 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2577
 vm_area_alloc_pages mm/vmalloc.c:3649 [inline]
 __vmalloc_area_node mm/vmalloc.c:3863 [inline]
 __vmalloc_node_range_noprof+0x795/0x16a0 mm/vmalloc.c:4051
 vmalloc_user_noprof+0xad/0xf0 mm/vmalloc.c:4205
 vb2_vmalloc_alloc+0xef/0x360 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x9c2/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xc31/0x1420 drivers/media/common/videobuf2/videobuf2-core.c:964
 __vb2_init_fileio+0x318/0xff0 drivers/media/common/videobuf2/videobuf2-core.c:2895
 __vb2_perform_fileio+0x284/0x1600 drivers/media/common/videobuf2/videobuf2-core.c:3041
 vb2_fop_read+0x273/0x360 drivers/media/common/videobuf2/videobuf2-v4l2.c:1215
 v4l2_read+0x19c/0x2c0 drivers/media/v4l2-core/v4l2-dev.c:316
 vfs_read+0x200/0xa30 fs/read_write.c:570
 ksys_pread64 fs/read_write.c:763 [inline]
 __do_sys_pread64 fs/read_write.c:771 [inline]
 __se_sys_pread64 fs/read_write.c:768 [inline]
 __x64_sys_pread64+0x193/0x220 fs/read_write.c:768
page last free pid 5814 tgid 5814 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
 __slab_free+0x2ce/0x320 mm/slub.c:6004
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:349
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_noprof+0x37d/0x710 mm/slub.c:5270
 new_handle fs/jbd2/transaction.c:457 [inline]
 jbd2__journal_start+0x146/0x5b0 fs/jbd2/transaction.c:484
 __ext4_journal_start_sb+0x203/0x580 fs/ext4/ext4_jbd2.c:114
 __ext4_journal_start fs/ext4/ext4_jbd2.h:242 [inline]
 ext4_dirty_inode+0x93/0x110 fs/ext4/inode.c:6499
 __mark_inode_dirty+0x390/0x1330 fs/fs-writeback.c:2587
 generic_update_time fs/inode.c:2155 [inline]
 inode_update_time fs/inode.c:2168 [inline]
 file_update_time_flags+0x43c/0x4e0 fs/inode.c:2395
 ext4_page_mkwrite+0x20e/0x1190 fs/ext4/inode.c:6668
 do_page_mkwrite+0x14d/0x310 mm/memory.c:3528
 wp_page_shared mm/memory.c:3929 [inline]
 do_wp_page+0x2676/0x5810 mm/memory.c:4148
 handle_pte_fault mm/memory.c:6289 [inline]
 __handle_mm_fault mm/memory.c:6411 [inline]
 handle_mm_fault+0x14c5/0x32b0 mm/memory.c:6580
 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336

Memory state around the buggy address:
 ffffc900040b6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900040b6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900040b7000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc900040b7080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc900040b7100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================