================================================================== BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1280 at addr ffffc90003a6bb40 by task vivid-000-vid-c/15544 CPU: 0 UID: 0 PID: 15544 Comm: vivid-000-vid-c Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:-1 [inline] tpg_fill_plane_buffer+0x1b9b/0x5ec0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vivid_thread_vid_cap_tick+0x1035/0x6040 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vivid_thread_vid_cap+0x909/0x1190 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x388/0x470 kernel/kthread.c:467 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to a 3-page vmalloc region starting at 0xffffc90003a69000 allocated at vb2_vmalloc_alloc+0xef/0x360 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xabcc7 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_ZERO|__GFP_NOWARN), pid 15540, tgid 15538 (syz.2.2679), ts 809846144583, free_ts 809846081794 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x231/0x280 mm/page_alloc.c:1888 prep_new_page mm/page_alloc.c:1896 [inline] get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3961 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5249 __alloc_pages_noprof mm/page_alloc.c:5283 [inline] alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5203 alloc_pages_bulk_mempolicy_noprof+0x34e/0x1680 mm/mempolicy.c:2793 vm_area_alloc_pages mm/vmalloc.c:3706 [inline] __vmalloc_area_node mm/vmalloc.c:3876 [inline] __vmalloc_node_range_noprof+0xa32/0x1730 mm/vmalloc.c:4064 vmalloc_user_noprof+0xad/0xe0 mm/vmalloc.c:4218 vb2_vmalloc_alloc+0xef/0x360 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline] __vb2_queue_alloc+0x9c5/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523 vb2_core_reqbufs+0xc1f/0x1410 drivers/media/common/videobuf2/videobuf2-core.c:958 __vb2_init_fileio+0x318/0xff0 drivers/media/common/videobuf2/videobuf2-core.c:2879 __vb2_perform_fileio+0x282/0x1620 drivers/media/common/videobuf2/videobuf2-core.c:3025 vb2_fop_read+0x273/0x360 drivers/media/common/videobuf2/videobuf2-v4l2.c:1215 v4l2_read+0x19c/0x2c0 drivers/media/v4l2-core/v4l2-dev.c:316 loop_rw_iter+0x425/0x660 include/linux/uio.h:-1 io_iter_do_read io_uring/rw.c:836 [inline] __io_read+0x134b/0x1520 io_uring/rw.c:950 page last free pid 15540 tgid 15538 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1432 [inline] __free_frozen_pages+0xc00/0xd90 mm/page_alloc.c:2977 __kasan_populate_vmalloc_do mm/kasan/shadow.c:393 [inline] __kasan_populate_vmalloc+0x1b2/0x1d0 mm/kasan/shadow.c:424 kasan_populate_vmalloc include/linux/kasan.h:580 [inline] alloc_vmap_area+0xd73/0x14b0 mm/vmalloc.c:2129 __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3232 __vmalloc_node_range_noprof+0x372/0x1730 mm/vmalloc.c:4024 vmalloc_user_noprof+0xad/0xe0 mm/vmalloc.c:4218 vb2_vmalloc_alloc+0xef/0x360 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:242 [inline] __vb2_queue_alloc+0x9c5/0x15a0 drivers/media/common/videobuf2/videobuf2-core.c:523 vb2_core_reqbufs+0xc1f/0x1410 drivers/media/common/videobuf2/videobuf2-core.c:958 __vb2_init_fileio+0x318/0xff0 drivers/media/common/videobuf2/videobuf2-core.c:2879 __vb2_perform_fileio+0x282/0x1620 drivers/media/common/videobuf2/videobuf2-core.c:3025 vb2_fop_read+0x273/0x360 drivers/media/common/videobuf2/videobuf2-v4l2.c:1215 v4l2_read+0x19c/0x2c0 drivers/media/v4l2-core/v4l2-dev.c:316 loop_rw_iter+0x425/0x660 include/linux/uio.h:-1 io_iter_do_read io_uring/rw.c:836 [inline] __io_read+0x134b/0x1520 io_uring/rw.c:950 io_read+0x4a/0x1c0 io_uring/rw.c:1030 Memory state around the buggy address: ffffc90003a6bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc90003a6bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc90003a6c000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc90003a6c080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90003a6c100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ==================================================================