syzbot

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2624 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x209a/0x4160 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 1280 at addr ffffc90004807b40 by task vivid-000-vid-c/12458

CPU: 1 UID: 0 PID: 12458 Comm: vivid-000-vid-c Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x156/0x4c9 mm/kasan/report.c:482
 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2624 [inline]
 tpg_fill_plane_buffer+0x209a/0x4160 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff+0x95d/0x3ed0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470
 vivid_thread_vid_cap_tick+0x81b/0x1470 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x454/0xd70 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to a 3-page vmalloc region starting at 0xffffc90004805000 allocated at vb2_vmalloc_alloc+0x135/0x410 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x253 pfn:0xa77f0
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000253 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 12457, tgid 12456 (syz.0.1666), ts 625271069818, free_ts 625271048055
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_mempolicy_noprof+0x250/0x1270 mm/mempolicy.c:2792
 vm_area_alloc_pages mm/vmalloc.c:3706 [inline]
 __vmalloc_area_node mm/vmalloc.c:3876 [inline]
 __vmalloc_node_range_noprof+0x54b/0x1530 mm/vmalloc.c:4064
 vmalloc_user_noprof+0x9e/0xe0 mm/vmalloc.c:4218
 vb2_vmalloc_alloc+0x135/0x410 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x8d5/0x1160 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0x899/0xf30 drivers/media/common/videobuf2/videobuf2-core.c:958
 __vb2_init_fileio+0x32d/0x1000 drivers/media/common/videobuf2/videobuf2-core.c:2879
 vb2_core_poll+0x611/0x740 drivers/media/common/videobuf2/videobuf2-core.c:2713
 vb2_poll+0x4b/0xe0 drivers/media/common/videobuf2/videobuf2-v4l2.c:979
 vb2_fop_poll+0x10e/0x350 drivers/media/common/videobuf2/videobuf2-v4l2.c:1245
 v4l2_poll+0x15f/0x220 drivers/media/v4l2-core/v4l2-dev.c:350
 vfs_poll include/linux/poll.h:82 [inline]
 do_pollfd fs/select.c:866 [inline]
 do_poll fs/select.c:909 [inline]
 do_sys_poll+0x6e5/0xeb0 fs/select.c:1004
page last free pid 12457 tgid 12456 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __kasan_populate_vmalloc_do mm/kasan/shadow.c:393 [inline]
 __kasan_populate_vmalloc+0x1ea/0x210 mm/kasan/shadow.c:424
 kasan_populate_vmalloc include/linux/kasan.h:580 [inline]
 alloc_vmap_area+0x95d/0x2bd0 mm/vmalloc.c:2129
 __get_vm_area_node+0x1ca/0x330 mm/vmalloc.c:3232
 __vmalloc_node_range_noprof+0x213/0x1530 mm/vmalloc.c:4024
 vmalloc_user_noprof+0x9e/0xe0 mm/vmalloc.c:4218
 vb2_vmalloc_alloc+0x135/0x410 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline]
 __vb2_queue_alloc+0x8d5/0x1160 drivers/media/common/videobuf2/videobuf2-core.c:523
 vb2_core_reqbufs+0x899/0xf30 drivers/media/common/videobuf2/videobuf2-core.c:958
 __vb2_init_fileio+0x32d/0x1000 drivers/media/common/videobuf2/videobuf2-core.c:2879
 vb2_core_poll+0x611/0x740 drivers/media/common/videobuf2/videobuf2-core.c:2713
 vb2_poll+0x4b/0xe0 drivers/media/common/videobuf2/videobuf2-v4l2.c:979
 vb2_fop_poll+0x10e/0x350 drivers/media/common/videobuf2/videobuf2-v4l2.c:1245
 v4l2_poll+0x15f/0x220 drivers/media/v4l2-core/v4l2-dev.c:350
 vfs_poll include/linux/poll.h:82 [inline]
 do_pollfd fs/select.c:866 [inline]
 do_poll fs/select.c:909 [inline]
 do_sys_poll+0x6e5/0xeb0 fs/select.c:1004
 __do_sys_ppoll fs/select.c:1106 [inline]
 __se_sys_ppoll fs/select.c:1086 [inline]
 __x64_sys_ppoll+0x2b5/0x350 fs/select.c:1086

Memory state around the buggy address:
 ffffc90004807f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004807f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90004808000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004808080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004808100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================