syzbot

 sign-in | mailing list | source | docs
🐞 Open [1502]
Subsystems
🐞 Fixed [6668]
🐞 Invalid [17085]
Missing Backports [214]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4)

Status: upstream: reported on 2025/07/14 07:23
Subsystems: media
[Documentation on labels]
Reported-by: syzbot+dac8f5eaa46837e97b89@syzkaller.appspotmail.com
First crash: 105d, last: 1d08h
Discussions (4)
Title Replies (including bot) Last reply
[syzbot] Monthly media report (Sep 2025) 0 (1) 2025/09/26 05:14
[syzbot] Monthly media report (Aug 2025) 0 (1) 2025/08/26 07:14
[syzbot] Monthly media report (Jul 2025) 0 (1) 2025/07/26 20:43
[syzbot] [media?] KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4) 0 (1) 2025/07/14 07:23
Similar bugs (8)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer 23 3 129d 165d 0/3 auto-obsoleted due to no activity on 2025/09/22 17:26
upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (3) media 23 C 271 107d 461d 29/29 fixed on 2025/07/08 00:33
upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer media 23 1 2103d 2103d 0/29 auto-closed as invalid on 2020/05/17 19:44
linux-5.15 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer 23 1 916d 916d 0/3 auto-obsoleted due to no activity on 2023/08/17 04:37
upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (2) media 23 C inconclusive done 14 995d 1506d 22/29 fixed on 2023/02/24 13:51
linux-4.19 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) 8 syz error 8 1041d 1541d 0/1 upstream: reported syz repro on 2021/08/02 00:51
linux-4.14 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) 8 1 1375d 1375d 0/1 auto-closed as invalid on 2022/05/15 07:48
upstream BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) media 8 1 925d 921d 0/29 auto-obsoleted due to no activity on 2023/07/09 12:46

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1b76/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 2160 at addr ffffc9001c8957b0 by task vivid-000-vid-c/5034

CPU: 0 UID: 0 PID: 5034 Comm: vivid-000-vid-c Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
 tpg_fill_plane_buffer+0x1b76/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
 vivid_thread_vid_cap_tick+0xfff/0x5fd0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x8da/0x10d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to a vmalloc virtual mapping
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x1b pfn:0x68ab3
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 000000000000001b 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 5033, tgid 5032 (syz.1.15024), ts 729967973112, free_ts 729944698774
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 vm_area_alloc_pages mm/vmalloc.c:3647 [inline]
 __vmalloc_area_node mm/vmalloc.c:3724 [inline]
 __vmalloc_node_range_noprof+0x96c/0x12d0 mm/vmalloc.c:3897
 vmalloc_user_noprof+0xad/0xf0 mm/vmalloc.c:4050
 vb2_vmalloc_alloc+0xef/0x340 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x9c2/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0xc31/0x1420 drivers/media/common/videobuf2/videobuf2-core.c:964
 __vb2_init_fileio+0x318/0xff0 drivers/media/common/videobuf2/videobuf2-core.c:2895
 __vb2_perform_fileio+0x284/0x1600 drivers/media/common/videobuf2/videobuf2-core.c:3041
 vb2_fop_read+0x273/0x360 drivers/media/common/videobuf2/videobuf2-v4l2.c:1210
 v4l2_read+0x19c/0x2c0 drivers/media/v4l2-core/v4l2-dev.c:316
 vfs_read+0x200/0xa30 fs/read_write.c:570
 ksys_pread64 fs/read_write.c:763 [inline]
 __do_sys_pread64 fs/read_write.c:771 [inline]
 __se_sys_pread64 fs/read_write.c:768 [inline]
 __x64_sys_pread64+0x193/0x220 fs/read_write.c:768
page last free pid 15 tgid 15 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2906
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:290
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
 handle_softirqs+0x286/0x870 kernel/softirq.c:622
 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffffc9001c895f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9001c895f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9001c896000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9001c896080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9001c896100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (45):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/10/20 11:53 upstream 211ddde0823f 1c8c8cd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/10/10 21:17 upstream 8bd9238e511d ff1712fe .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/10/10 19:58 upstream 5472d60c129f ff1712fe .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/19 08:21 upstream cbf658dd0941 e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/16 17:57 upstream 46a51f4f5eda e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/07 10:17 upstream b236920731dd d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/31 04:04 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/31 03:53 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/26 08:18 upstream b6add54ba618 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/25 22:12 upstream b6add54ba618 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/11 02:44 upstream 8f5ae30d69d7 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/04 09:37 upstream 352af6a011d5 7368264b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/02 15:02 upstream a6923c06a3b2 7368264b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/31 09:02 upstream e8d780dcd957 f8f2b4da .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/30 12:17 upstream 4b290aae788e f8f2b4da .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/24 01:39 upstream 01a412d06bc5 0c1d6ded .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/16 04:00 upstream 155a3c003e55 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/09 05:53 upstream d006330be3f7 abade794 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/08 19:00 upstream d006330be3f7 abade794 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/23 06:55 upstream cec1e6e5d1ab 0ac7291c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/21 02:07 upstream 3b08f56fbbb9 67c37560 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/18 01:24 upstream e2291551827f 0d1223f1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/10/15 23:57 upstream 1f4a222b0e33 82df6b00 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/10/10 14:19 upstream 5472d60c129f ff1712fe .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/10/10 07:12 upstream 5472d60c129f ff1712fe .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/10/09 20:56 upstream ec714e371f22 7e2882b3 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/10/08 20:48 upstream cd5a0afbdf80 7e2882b3 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/27 16:38 upstream fec734e8d564 001c9061 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/19 08:52 upstream cbf658dd0941 e2beed91 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/19 05:37 upstream cbf658dd0941 e2beed91 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/02 05:53 upstream b320789d6883 807a3b61 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/01 23:28 upstream b320789d6883 807a3b61 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/31 12:56 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/30 03:02 upstream fb679c832b64 807a3b61 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/19 08:23 upstream be48bcf004f9 6e8d317a .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/10/06 16:18 upstream fd94619c4336 91305dbe .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/10/04 13:32 upstream 2ccb4d203fe4 49379ee0 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/12 15:13 upstream 320475fbd590 e2beed91 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/06 03:19 upstream c8ed9b5c02a5 d291dd2d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/08 11:08 upstream bec077162bd0 56444e07 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/30 06:56 upstream 4b290aae788e f8f2b4da .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/07/23 12:01 upstream 89be9a83ccf1 e1dd4f22 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/09/13 17:42 linux-next 590b221ed425 e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/16 11:55 linux-next 931e46dcbc7e 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2025/08/10 19:23 linux-next b1549501188c 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
* Struck through repros no longer work on HEAD.