syzbot


KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (2)

Status: fixed on 2023/02/24 13:51
Subsystems: media
Reported-by: syzbot+272ce7abd8e49c0ddf42@syzkaller.appspotmail.com
Fix commit: 94a7ad928346 media: vivid: fix compose size exceed boundary
First crash: 962d, last: 450d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: INFO: task hung in vivid_stop_generating_vid_cap (log)
Repro: C syz .config
Fix bisection: fixed by (bisect log) :
commit 94a7ad9283464b75b12516c5512541d467cefcf8
Author: Liu Shixin <liushixin2@huawei.com>
Date: Thu Oct 27 12:38:55 2022 +0000

  media: vivid: fix compose size exceed boundary

Discussions (1)
Title Replies (including bot) Last reply
[syzbot] KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (2) 0 (2) 2023/01/27 21:45
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer media 1 1558d 1558d 0/26 auto-closed as invalid on 2020/05/17 19:44
linux-5.15 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer 1 371d 371d 0/3 auto-obsoleted due to no activity on 2023/08/17 04:37
linux-4.19 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) syz error 8 496d 996d 0/1 upstream: reported syz repro on 2021/08/02 00:51
linux-4.14 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) 1 830d 830d 0/1 auto-closed as invalid on 2022/05/15 07:48
upstream BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) media 1 380d 376d 0/26 auto-obsoleted due to no activity on 2023/07/09 12:46
linux-4.19 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer 4 1441d 1714d 0/1 auto-closed as invalid on 2020/09/11 05:35
linux-4.14 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer 1 1546d 1546d 0/1 auto-closed as invalid on 2020/05/29 08:05
upstream BUG: unable to handle kernel paging request in tpg_fill_plane_buffer media ntfs3 syz done 17 1605d 1975d 0/26 auto-obsoleted due to no activity on 2022/12/18 03:07
Fix bisection attempts (9)
Created Duration User Patch Repo Result
2023/01/27 16:13 5h31m bisect fix upstream job log (1)
2022/11/21 00:59 22m bisect fix upstream job log (0) log
2022/07/26 05:41 21m bisect fix upstream job log (0) log
2022/06/26 02:24 20m bisect fix upstream job log (0) log
2022/05/24 04:44 20m bisect fix upstream job log (0) log
2022/01/25 07:52 21m bisect fix upstream job log (0) log
2021/12/26 07:16 20m bisect fix upstream job log (0) log
2021/11/26 04:06 21m bisect fix upstream job log (0) log
2021/10/04 23:21 21m bisect fix upstream job log (0) log

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
Write of size 128 at addr ffffc9000dbe2fe0 by task vivid-001-vid-c/14838

CPU: 0 PID: 14838 Comm: vivid-001-vid-c Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0xf/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:191 [inline]
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
 tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
 vivid_fillbuff+0x1ac1/0x3f00 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:469
 vivid_thread_vid_cap_tick+0x88b/0x2360 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:729
 vivid_thread_vid_cap+0x5d2/0xaf0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:868
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295


Memory state around the buggy address:
 ffffc9000dbe2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000dbe2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000dbe3000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9000dbe3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000dbe3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (14):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/09/04 23:21 upstream f1583cb1be35 d236a457 .config console log report syz C ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2022/10/21 11:22 upstream 6d36c728bc2e 63e790dd .config console log report info ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2022/08/24 23:36 upstream c40e8341e3b3 514514f6 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2022/04/07 20:33 upstream 3e732ebf7316 c6ff3e05 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2022/03/14 20:27 upstream 09688c0166e7 9e8eaa75 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2022/02/27 13:16 upstream 2293be58d6a1 45a13a73 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2022/02/15 14:13 upstream d567f5db412e 8b9ca619 .config console log report info ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2021/10/27 04:06 upstream 3906fe9bb7f1 d50eb50a .config console log report info ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2021/10/22 06:44 upstream 2f111a6fd5b5 55f90bc6 .config console log report info ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2021/10/18 03:13 upstream d999ade1cc86 0c5d9412 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2022/10/20 08:57 upstream aae703b02f92 b31320fc .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2022/10/09 04:36 upstream a6afa4199d3d aea5da89 .config console log report info ci-upstream-kasan-gce-386 KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2022/04/24 04:44 linux-next f1244c81da13 131df97d .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
2023/01/30 15:33 linux-next e2f86c02fdc9 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root BUG: unable to handle kernel paging request in tpg_fill_plane_buffer
* Struck through repros no longer work on HEAD.