syzbot


KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer

Status: upstream: reported on 2026/06/24 12:36
Reported-by: syzbot+1e64bdbe1c18b03975c1@syzkaller.appspotmail.com
First crash: 4d01h, last: 4d01h
Similar bugs (9)
| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| linux-6.1 | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer | 21 | | | | 3 | 378d | 414d | 0/3 | auto-obsoleted due to no activity on 2025/09/22 17:26 |
| upstream | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4) prio:normal media | 21 | | | | 219 | 5d03h | 349d | 27/29 | upstream: reported on 2025/07/14 07:23 |
| upstream | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (3) media | 21 | C | | | 271 | 357d | 711d | 29/29 | fixed on 2025/07/08 00:33 |
| upstream | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer media | 21 | | | | 1 | 2352d | 2352d | 0/29 | auto-closed as invalid on 2020/05/17 19:44 |
| linux-5.15 | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer | 21 | | | | 1 | 1166d | 1166d | 0/3 | auto-obsoleted due to no activity on 2023/08/17 04:37 |
| upstream | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (2) media | 21 | C | inconclusive | done | 14 | 1244d | 1756d | 22/29 | fixed on 2023/02/24 13:51 |
| linux-4.19 | BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) | 8 | syz | error | | 8 | 1290d | 1791d | 0/1 | upstream: reported syz repro on 2021/08/02 00:51 |
| linux-4.14 | BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) | 8 | | | | 1 | 1625d | 1625d | 0/1 | auto-closed as invalid on 2022/05/15 07:48 |
| upstream | BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) media | 8 | | | | 1 | 1175d | 1171d | 0/29 | auto-obsoleted due to no activity on 2023/07/09 12:46 |

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_extras drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2439 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x3c10/0x5c20 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2707
Write of size 1 at addr ffffc9000d62b000 by task vivid-000-vid-c/22365

CPU: 1 PID: 22365 Comm: vivid-000-vid-c Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xa8/0x210 mm/kasan/report.c:468
 kasan_report+0x117/0x150 mm/kasan/report.c:581
 tpg_fill_plane_extras drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2439 [inline]
 tpg_fill_plane_buffer+0x3c10/0x5c20 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2707
 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:449 [inline]
 vivid_thread_vid_cap_tick+0x1f71/0x5e10 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:605
 vivid_thread_vid_cap+0x8d3/0x1140 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:743
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>

The buggy address belongs to a 18-page vmalloc region starting at 0xffffc9000d619000 allocated at vb2_vmalloc_alloc+0xef/0x330 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
Memory state around the buggy address:
 ffffc9000d62af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000d62af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000d62b000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9000d62b080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000d62b100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (1):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/06/24 12:36 | linux-6.6.y | d1cfde2d5d15 | 302586aa | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer |
* Struck through repros no longer work on HEAD.