==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x159c/0x4cdc drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 1440 at addr ffff80009ef1fda0 by task vivid-000-vid-c/8015

CPU: 1 UID: 0 PID: 8015 Comm: vivid-000-vid-c Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 __asan_memcpy+0x54/0x84 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
 tpg_fill_plane_buffer+0x159c/0x4cdc drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
 vivid_thread_vid_cap_tick+0xcdc/0x4c9c drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x688/0xd98 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

The buggy address belongs to the virtual mapping at
 [ffff80009ef09000, ffff80009ef21000) created by:
 vb2_vmalloc_alloc+0xf8/0x2d4 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000d41d0dc0 pfn:0x1141d0
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff0000d41d0dc0 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80009ef1ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff80009ef1ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff80009ef1ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80009ef20000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffff80009ef20080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffff80009ef20100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
Unable to handle kernel paging request at virtual address ffff80009ef20340
KASAN: probably user-memory-access in range [0x00000004f7901a00-0x00000004f7901a07]
Mem abort info:
  ESR = 0x0000000096000047
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x07: level 3 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000047, ISS2 = 0x00000000
  CM = 0, WnR = 1, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000002079fa000
[ffff80009ef20340] pgd=0000000000000000, p4d=1000000210124003, pud=1000000210125003, pmd=10000001098b0403, pte=0000000000000000
Internal error: Oops: 0000000096000047 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 8015 Comm: vivid-000-vid-c Tainted: G B 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: a0400005 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __pi_memcpy_generic+0x128/0x22c arch/arm64/lib/memcpy.S:161
lr : __asan_memcpy+0x68/0x84 mm/kasan/shadow.c:109
sp : ffff80009f757420
x29: ffff80009f757420 x28: ffff8000a2bc9000 x27: 0000000000000042
x26: 0000000000000009 x25: ffff80009ef20340 x24: ffff8000a2bc9000
x23: 0000000000000000 x22: ffff80008706c0bc x21: ffff80009ef20340
x20: ffff8000a2bc9000 x19: 00000000000005a0 x18: 1fffe0003386aa76
x17: 0000000000000000 x16: ffff80008adbe9e4 x15: ffff700013de4068
x14: 0000000000000000 x13: 80b380b380b380b3 x12: 80b380b380b380b3
x11: ffff700013de4068 x10: dfff800000000000 x9 : ffff800096fd6780
x8 : 0000000000000001 x7 : 80b380b380b380b3 x6 : 80b380b380b380b3
x5 : ffff80009ef208e0 x4 : ffff8000a2bc95a0 x3 : ffff80009ef20340
x2 : 00000000000005a0 x1 : ffff8000a2bc9000 x0 : ffff80009ef20340
Call trace:
 __pi_memcpy_generic+0x128/0x22c arch/arm64/lib/memcpy.S:160 (P)
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline]
 tpg_fill_plane_buffer+0x159c/0x4cdc drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
 vivid_thread_vid_cap_tick+0xcdc/0x4c9c drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x688/0xd98 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   927cec03    and     x3, x0, #0xfffffffffffffff0
   4:   cb0e0021    sub     x1, x1, x14
   8:   8b0e0042    add     x2, x2, x14
   c:   a9411c26    ldp     x6, x7, [x1, #16]
* 10:   a900340c    stp     x12, x13, [x0]   <-- trapping instruction