| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [media?] KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4) | 0 (1) | 2025/07/14 07:23 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [media?] KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4) | 0 (1) | 2025/07/14 07:23 |
================================================================== BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1280 at addr ffffc90002ef4b40 by task vivid-000-vid-c/28328 CPU: 0 UID: 0 PID: 28328 Comm: vivid-000-vid-c Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x230 mm/kasan/report.c:480 kasan_report+0x118/0x150 mm/kasan/report.c:593 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline] tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vivid_thread_vid_cap_tick+0xfff/0x5fd0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vivid_thread_vid_cap+0x8da/0x10d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The buggy address ffffc90002ef4b40 belongs to a vmalloc virtual mapping The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803d08e000 pfn:0x3d08e flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: ffff88803d08e000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_ZERO|__GFP_NOWARN), pid 28309, tgid 28308 (syz.4.5269), ts 1694608710593, free_ts 1694285901007 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704 prep_new_page mm/page_alloc.c:1712 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419 alloc_frozen_pages_noprof mm/mempolicy.c:2490 [inline] alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2510 vm_area_alloc_pages mm/vmalloc.c:3642 [inline] __vmalloc_area_node mm/vmalloc.c:3720 [inline] __vmalloc_node_range_noprof+0x97d/0x12f0 mm/vmalloc.c:3893 vmalloc_user_noprof+0xad/0xf0 mm/vmalloc.c:4046 vb2_vmalloc_alloc+0xef/0x340 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline] __vb2_queue_alloc+0x9bf/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523 vb2_core_reqbufs+0xc31/0x1420 drivers/media/common/videobuf2/videobuf2-core.c:964 __vb2_init_fileio+0x318/0xff0 drivers/media/common/videobuf2/videobuf2-core.c:2895 __vb2_perform_fileio+0x284/0x1600 drivers/media/common/videobuf2/videobuf2-core.c:3041 vb2_fop_read+0x273/0x360 drivers/media/common/videobuf2/videobuf2-v4l2.c:1214 v4l2_read+0x19c/0x2c0 drivers/media/v4l2-core/v4l2-dev.c:316 do_loop_readv_writev fs/read_write.c:847 [inline] vfs_readv+0x5aa/0x850 fs/read_write.c:1020 do_preadv fs/read_write.c:1132 [inline] __do_sys_preadv fs/read_write.c:1179 [inline] __se_sys_preadv fs/read_write.c:1174 [inline] __x64_sys_preadv+0x197/0x2a0 fs/read_write.c:1174 page last free pid 5939 tgid 5939 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1248 [inline] __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706 vfree+0x25a/0x400 mm/vmalloc.c:3434 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3353 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffffc90002ef4f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc90002ef4f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc90002ef5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc90002ef5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90002ef5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/07/16 04:00 | upstream | 155a3c003e55 | 03fcfc4b | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer | ||
| 2025/07/09 05:53 | upstream | d006330be3f7 | abade794 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer | ||
| 2025/07/08 19:00 | upstream | d006330be3f7 | abade794 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer | ||
| 2025/07/18 01:24 | upstream | e2291551827f | 0d1223f1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer |