==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2582 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x133e/0x3df0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2670
Write of size 360 at addr ffffc9000ef31ea0 by task vivid-000-vid-c/14901

CPU: 0 PID: 14901 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1-syzkaller-00025-gaae703b02f92 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:395
 kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2582 [inline]
 tpg_fill_plane_buffer+0x133e/0x3df0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2670
 vivid_fillbuff+0x1ac1/0x3ea0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470
 vivid_thread_vid_cap_tick+0x800/0x2200 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:729
 vivid_thread_vid_cap+0x62d/0xc00 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:872
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the virtual mapping at
 [ffffc9000ef31000, ffffc9000ef33000) created by:
 vb2_vmalloc_alloc+0x11e/0x3f0 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47

The buggy address belongs to the physical page:
page:ffffea0001abfe80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6affa
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 14900, tgid 14882 (syz-executor.1), ts 633150070969, free_ts 633148387301
 prep_new_page mm/page_alloc.c:2538 [inline]
 get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4287
 __alloc_pages_slowpath.constprop.0+0x36b/0x23d0 mm/page_alloc.c:5088
 __alloc_pages+0x4a6/0x5a0 mm/page_alloc.c:5567
 __alloc_pages_bulk+0xa02/0x15b0 mm/page_alloc.c:5502
 alloc_pages_bulk_array_mempolicy+0x1b3/0x360 mm/mempolicy.c:2375
 vm_area_alloc_pages mm/vmalloc.c:2947 [inline]
 __vmalloc_area_node mm/vmalloc.c:3043 [inline]
 __vmalloc_node_range+0x576/0x13a0 mm/vmalloc.c:3213
 vmalloc_user+0x67/0x80 mm/vmalloc.c:3367
 vb2_vmalloc_alloc+0x11e/0x3f0 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:233 [inline]
 __vb2_queue_alloc+0x60b/0x1180 drivers/media/common/videobuf2/videobuf2-core.c:444
 vb2_core_reqbufs+0x7e5/0xd70 drivers/media/common/videobuf2/videobuf2-core.c:838
 __vb2_init_fileio+0x33d/0xd00 drivers/media/common/videobuf2/videobuf2-core.c:2636
 __vb2_perform_fileio+0xc36/0x1210 drivers/media/common/videobuf2/videobuf2-core.c:2761
 vb2_fop_read+0x207/0x3f0 drivers/media/common/videobuf2/videobuf2-v4l2.c:1174
 v4l2_read+0x21c/0x2b0 drivers/media/v4l2-core/v4l2-dev.c:314
 vfs_read+0x257/0x930 fs/read_write.c:468
 ksys_read+0x127/0x250 fs/read_write.c:613
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1458 [inline]
 free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1508
 free_unref_page_prepare mm/page_alloc.c:3386 [inline]
 free_unref_page+0x19/0x4d0 mm/page_alloc.c:3482
 mm_free_pgd kernel/fork.c:734 [inline]
 __mmdrop+0xd1/0x400 kernel/fork.c:785
 mmdrop include/linux/sched/mm.h:50 [inline]
 mmdrop_sched include/linux/sched/mm.h:78 [inline]
 finish_task_switch.isra.0+0x6d8/0xc80 kernel/sched/core.c:5095
 schedule_tail+0xa/0xd0 kernel/sched/core.c:5126
 ret_from_fork+0x8/0x30 arch/x86/entry/entry_64.S:291

Memory state around the buggy address:
 ffffc9000ef31f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000ef31f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000ef32000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9000ef32080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000ef32100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================