bisecting fixing commit since f1583cb1be35c23df60b1c39e3e7e6704d749d0b
building syzkaller on d236a457274375e5273ac4e958722659929c469f
testing commit f1583cb1be35c23df60b1c39e3e7e6704d749d0b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b5d030fad2b29b4cea2b7dfdb28a2032f387540eab76a89a135b4e04cc8968fe
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
testing current HEAD 438645193e59e91761ccb3fa55f6ce70b615ff93
testing commit 438645193e59e91761ccb3fa55f6ce70b615ff93
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4d1b8b799bc3e24a31aaa69c2de45515e1243d3277a5636d73d7451e855b1804
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
revisions tested: 2, total time: 20m50.802845758s (build: 13m13.98235347s, test: 6m58.555350257s)
the crash still happens on HEAD
commit msg: Merge tag 'pinctrl-v5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
crash: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0xca9/0x42a0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
Write of size 640 at addr ffffc900037b7fe0 by task vivid-001-vid-c/4324

CPU: 0 PID: 4324 Comm: vivid-001-vid-c Not tainted 5.16.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:225 [inline]
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
 tpg_fill_plane_buffer+0xca9/0x42a0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
 vivid_fillbuff+0x1821/0x4530 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:469
 vivid_thread_vid_cap_tick+0xadd/0x1f90 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:729
 vivid_thread_vid_cap+0x4f3/0xa40 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:868
 kthread+0x3ab/0x480 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffffc900037b7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900037b7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900037b8000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc900037b8080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc900037b8100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================