KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane

KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (2)
Status: upstream: reported C repro on 2021/09/05 20:22
Reported-by: syzbot+272ce7abd8e49c0ddf42@syzkaller.appspotmail.com
First crash: 49d, last: 2d05h

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: INFO: task hung in vivid_stop_generating_vid_cap (log)
Repro: C syz .config

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer				1	644d	644d	0/22	auto-closed as invalid on 2020/05/17 19:44
linux-4.19	BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2)	syz			4	2d17h	83d	0/1	upstream: reported syz repro on 2021/08/02 00:51

Sample crash report:

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
Write of size 128 at addr ffffc9000dbe2fe0 by task vivid-001-vid-c/14838

CPU: 0 PID: 14838 Comm: vivid-001-vid-c Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0xf/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:191 [inline]
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
 tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
 vivid_fillbuff+0x1ac1/0x3f00 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:469
 vivid_thread_vid_cap_tick+0x88b/0x2360 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:729
 vivid_thread_vid_cap+0x5d2/0xaf0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:868
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295


Memory state around the buggy address:
 ffffc9000dbe2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000dbe2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000dbe3000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9000dbe3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000dbe3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce	2021/10/04 23:43	upstream	f6274b06e326	d236a457	.config	log	report	syz	C

Crashes (3):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce	2021/09/04 23:21	upstream	f1583cb1be35	d236a457	.config	log	report	syz	C		KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce	2021/10/22 06:44	upstream	2f111a6fd5b5	55f90bc6	.config	log	report			info	KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce-root	2021/10/18 03:13	upstream	d999ade1cc86	0c5d9412	.config	log	report			info	KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer