alloc_pages_current+0x173/0x350 mm/mempolicy.c:2080 alloc_pages include/linux/gfp.h:509 [inline] pte_alloc_one+0x1b/0x1a0 arch/x86/mm/pgtable.c:35 __pte_alloc+0x2a/0x350 mm/memory.c:406 copy_pte_range mm/memory.c:830 [inline] copy_pmd_range mm/memory.c:906 [inline] copy_pud_range mm/memory.c:940 [inline] copy_p4d_range mm/memory.c:962 [inline] copy_page_range+0x2017/0x2ee0 mm/memory.c:1024 ================================================================== BUG: KASAN: global-out-of-bounds in tpg_print_str_4+0xbc9/0xd70 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1820 Read of size 1 at addr ffffffff88632c50 by task vivid-000-vid-c/31572 dup_mmap kernel/fork.c:585 [inline] dup_mm kernel/fork.c:1318 [inline] copy_mm kernel/fork.c:1373 [inline] copy_process+0x45e9/0x87a0 kernel/fork.c:1917 _do_fork+0x1cb/0x11d0 kernel/fork.c:2216 __do_compat_sys_x86_clone arch/x86/ia32/sys_ia32.c:240 [inline] __se_compat_sys_x86_clone arch/x86/ia32/sys_ia32.c:236 [inline] __ia32_compat_sys_x86_clone+0xbc/0x140 arch/x86/ia32/sys_ia32.c:236 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline] do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7f49a29 Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:000000000845fd70 EFLAGS: 00000246 ORIG_RAX: 0000000000000078 RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000974c968 RBP: 000000000845fdc8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 CPU: 0 PID: 31572 Comm: vivid-000-vid-c Not tainted 4.20.0-rc4+ #255 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x244/0x39d lib/dump_stack.c:113 print_address_description.cold.7+0x58/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412 Task in /syz2 killed as a result of limit of /syz2 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430 tpg_print_str_4+0xbc9/0xd70 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1820 memory: usage 307200kB, limit 307200kB, failcnt 170 tpg_gen_text+0x4ba/0x540 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1874 memory+swap: usage 0kB, limit 9007199254740988kB, failcnt 0 vivid_fillbuff+0x3ff7/0x68e0 drivers/media/platform/vivid/vivid-kthread-cap.c:532 kmem: usage 0kB, limit 9007199254740988kB, failcnt 0 Memory cgroup stats for /syz2: cache:16496KB rss:262264KB rss_huge:247808KB shmem:16404KB mapped_file:0KB dirty:132KB writeback:0KB swap:0KB inactive_anon:16396KB active_anon:262344KB inactive_file:4KB active_file:0KB unevictable:0KB Memory cgroup out of memory: Kill process 5572 (syz-executor2) score 1106 or sacrifice child Killed process 5572 (syz-executor2) total-vm:70648kB, anon-rss:2216kB, file-rss:33460kB, shmem-rss:0kB vivid_thread_vid_cap_tick drivers/media/platform/vivid/vivid-kthread-cap.c:709 [inline] vivid_thread_vid_cap+0xbc1/0x2650 drivers/media/platform/vivid/vivid-kthread-cap.c:813 kthread+0x35a/0x440 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 The buggy address belongs to the variable: font_vga_8x16+0x50/0x60 Memory state around the buggy address: ffffffff88632b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff88632b80: 00 00 00 00 fa fa fa fa 00 fa fa fa fa fa fa fa >ffffffff88632c00: 00 00 00 00 00 fa fa fa fa fa fa fa 00 00 00 00 ^ ffffffff88632c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff88632d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== syz-executor1 invoked oom-killer: gfp_mask=0x6000c0(GFP_KERNEL), nodemask=(null), order=0, oom_score_adj=1000 syz-executor1 cpuset=syz1 mems_allowed=0 CPU: 0 PID: 31588 Comm: syz-executor1 Tainted: G B 4.20.0-rc4+ #255 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x244/0x39d lib/dump_stack.c:113 dump_header+0x27b/0xf72 mm/oom_kill.c:441 oom_kill_process.cold.27+0x10/0x903 mm/oom_kill.c:953 out_of_memory+0xa84/0x1430 mm/oom_kill.c:1120 mem_cgroup_out_of_memory+0x15e/0x210 mm/memcontrol.c:1386 mem_cgroup_oom mm/memcontrol.c:1703 [inline] try_charge+0xda9/0x1700 mm/memcontrol.c:2260 mem_cgroup_try_charge+0x627/0xe20 mm/memcontrol.c:5890 mem_cgroup_try_charge_delay+0x1d/0xa0 mm/memcontrol.c:5905 do_anonymous_page mm/memory.c:2932 [inline] handle_pte_fault mm/memory.c:3763 [inline] __handle_mm_fault+0x284e/0x5be0 mm/memory.c:3889 handle_mm_fault+0x54f/0xc70 mm/memory.c:3926 do_user_addr_fault arch/x86/mm/fault.c:1423 [inline] __do_page_fault+0x5e8/0xe60 arch/x86/mm/fault.c:1489 do_page_fault+0xf2/0x7e0 arch/x86/mm/fault.c:1520 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1139 RIP: 0023:0x804f8cc Code: 64 89 42 24 8b 44 24 30 89 42 28 31 c0 8b 94 c4 20 01 00 00 89 94 81 8c af 14 08 83 c0 01 83 f8 09 75 ea 89 d8 e8 e4 b1 ff ff <83> 05 04 00 35 08 01 80 7c 24 5e 00 74 0b f6 44 24 04 01 0f 84 4f RSP: 002b:000000000845fc40 EFLAGS: 00010206 RAX: 0000000000000001 RBX: 000000000814af68 RCX: 0000000000000081 RDX: 000000000804f1cc RSI: 0000000000000000 RDI: 0000000000000000 RBP: 000000000814af6c R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Task in /syz1 killed as a result of limit of /syz1 memory: usage 307200kB, limit 307200kB, failcnt 576 memory+swap: usage 0kB, limit 9007199254740988kB, failcnt 0 kmem: usage 0kB, limit 9007199254740988kB, failcnt 0 Memory cgroup stats for /syz1: cache:16KB rss:270060KB rss_huge:249856KB shmem:16KB mapped_file:0KB dirty:0KB writeback:0KB swap:0KB inactive_anon:4KB active_anon:270088KB inactive_file:0KB active_file:0KB unevictable:0KB Memory cgroup out of memory: Kill process 31558 (syz-executor1) score 1106 or sacrifice child Killed process 31558 (syz-executor1) total-vm:70252kB, anon-rss:2212kB, file-rss:33464kB, shmem-rss:0kB