Hello,
syzbot found the following issue on:
HEAD commit: d1cfde2d5d15 Linux 6.6.143
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=168c801c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=441765643cbfb8d
dashboard link: https://syzkaller.appspot.com/bug?extid=1e64bdbe1c18b03975c1
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4e37bcd98892/disk-d1cfde2d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/64b2ed856057/vmlinux-d1cfde2d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0a6949479d66/bzImage-d1cfde2d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1e64bd...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_extras drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2439 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x3c10/0x5c20 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2707
Write of size 1 at addr ffffc9000d62b000 by task vivid-000-vid-c/22365
CPU: 1 PID: 22365 Comm: vivid-000-vid-c Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<TASK>
dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xa8/0x210 mm/kasan/report.c:468
kasan_report+0x117/0x150 mm/kasan/report.c:581
tpg_fill_plane_extras drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2439 [inline]
tpg_fill_plane_buffer+0x3c10/0x5c20 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2707
vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:449 [inline]
vivid_thread_vid_cap_tick+0x1f71/0x5e10 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:605
vivid_thread_vid_cap+0x8d3/0x1140 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:743
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
</TASK>
The buggy address belongs to a 18-page vmalloc region starting at 0xffffc9000d619000 allocated at vb2_vmalloc_alloc+0xef/0x330 drivers/media/common/videobuf2/videobuf2-vmalloc.c:47
Memory state around the buggy address:
ffffc9000d62af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000d62af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000d62b000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc9000d62b080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9000d62b100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
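A worked check of the KASAN report above, added here as an example and not part of the syzbot message or of the kernel tree: it recomputes the bounds of the 18-page vmalloc region from the base address and page count quoted in the report, decodes the shadow bytes from the "Memory state" dump, and confirms that the 1-byte write lands at exactly the first byte past the end of the vb2 vmalloc buffer. The region base, page count, faulting address and shadow rows are copied from the report; the shadow-byte encodings (0x00 addressable, 0x01-0x07 partial, 0xF8 KASAN_VMALLOC_INVALID, and so on) and the shadow offset 0xdffffc0000000000 are the generic-KASAN values for x86_64 as defined in mm/kasan/kasan.h and the x86 Kconfig, and the helper names are this example's own.

```c
/*
 * Added example, not part of the syzbot report or of the kernel source.
 * Recompute the vmalloc region bounds and decode the generic-KASAN shadow
 * bytes quoted in the report. Constants marked "from report" are copied
 * verbatim from it; the poison values and shadow mapping are the x86_64
 * generic-KASAN ones (mm/kasan/kasan.h, CONFIG_KASAN_SHADOW_OFFSET).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE            4096ULL
#define KASAN_GRANULE_SIZE   8ULL                   /* one shadow byte per 8 bytes */
#define KASAN_SHADOW_OFFSET  0xdffffc0000000000ULL  /* x86_64 generic KASAN */

/* From report: "18-page vmalloc region starting at 0xffffc9000d619000". */
#define REPORT_REGION_BASE   0xffffc9000d619000ULL
#define REPORT_REGION_PAGES  18
/* From report: "Write of size 1 at addr ffffc9000d62b000". */
#define REPORT_BAD_ADDR      0xffffc9000d62b000ULL
#define REPORT_ACCESS_SIZE   1

/* Shadow rows copied from the "Memory state" dump: each shadow byte covers
 * one 8-byte granule, so a 16-byte row describes 128 bytes of memory. */
struct shadow_row { uint64_t base; uint8_t bytes[16]; };

static const struct shadow_row report_rows[] = {
    { 0xffffc9000d62af00ULL, { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                               0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } },
    { 0xffffc9000d62af80ULL, { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                               0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } },
    { 0xffffc9000d62b000ULL, { 0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,
                               0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8 } },
};
#define REPORT_ROWS (sizeof(report_rows) / sizeof(report_rows[0]))

/* First byte after an N-page vmalloc region starting at base. */
uint64_t region_end(uint64_t base, unsigned pages)
{
    return base + (uint64_t)pages * PAGE_SIZE;
}

/* Signed distance of addr from the region end: negative means the access
 * starts inside the buffer, 0 means it starts at the first byte past it. */
int64_t offset_from_end(uint64_t addr, uint64_t base, unsigned pages)
{
    return (int64_t)(addr - region_end(base, pages));
}

/* Does an access of `size` bytes at addr stay entirely inside the region? */
bool access_in_bounds(uint64_t addr, size_t size, uint64_t base, unsigned pages)
{
    return addr >= base && addr + size <= region_end(base, pages);
}

/* Generic KASAN shadow mapping: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> 3) + KASAN_SHADOW_OFFSET;
}

/* Decode a generic-KASAN shadow byte into the kernel's own name for it. */
const char *kasan_decode(uint8_t b)
{
    if (b == 0x00)               return "addressable (all 8 bytes)";
    if (b >= 0x01 && b <= 0x07)  return "partially addressable (first N bytes)";
    switch (b) {
    case 0xF8: return "KASAN_VMALLOC_INVALID";  /* unmapped/invalid vmap space */
    case 0xFB: return "KASAN_SLAB_FREE";
    case 0xFC: return "KASAN_SLAB_REDZONE";
    case 0xFE: return "KASAN_PAGE_REDZONE";
    case 0xFF: return "KASAN_PAGE_FREE";
    default:   return "other poison";
    }
}

/* Address of the first poisoned granule in the dumped rows (0 if none).
 * For a clean off-the-end access this should coincide with region_end(). */
uint64_t first_poisoned_addr(const struct shadow_row *rows, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < 16; j++)
            if (rows[i].bytes[j] != 0x00)
                return rows[i].base + j * KASAN_GRANULE_SIZE;
    return 0;
}

int main(void)
{
    uint64_t end = region_end(REPORT_REGION_BASE, REPORT_REGION_PAGES);
    uint64_t poisoned = first_poisoned_addr(report_rows, REPORT_ROWS);

    printf("vb2 vmalloc region: [0x%llx, 0x%llx), %u pages\n",
           (unsigned long long)REPORT_REGION_BASE, (unsigned long long)end,
           REPORT_REGION_PAGES);
    printf("write of %d byte(s) at 0x%llx: %lld byte(s) from region end, %s\n",
           REPORT_ACCESS_SIZE, (unsigned long long)REPORT_BAD_ADDR,
           (long long)offset_from_end(REPORT_BAD_ADDR, REPORT_REGION_BASE,
                                      REPORT_REGION_PAGES),
           access_in_bounds(REPORT_BAD_ADDR, REPORT_ACCESS_SIZE,
                            REPORT_REGION_BASE, REPORT_REGION_PAGES)
               ? "in bounds" : "OUT OF BOUNDS");
    printf("shadow byte for it lives at 0x%llx and decodes as %s\n",
           (unsigned long long)kasan_shadow_addr(REPORT_BAD_ADDR),
           kasan_decode(report_rows[2].bytes[0]));
    printf("shadow dump flips from 00 to f8 at 0x%llx (%s region end)\n",
           (unsigned long long)poisoned, poisoned == end ? "==" : "!=");
    return 0;
}
```

The point of the cross-check is that three independent numbers in the report agree: base plus 18 pages gives 0xffffc9000d62b000, the faulting address is 0xffffc9000d62b000, and the shadow dump turns from 00 to f8 (KASAN_VMALLOC_INVALID) at that same address. That is the signature of a plane-size computation in tpg_fill_plane_extras running exactly one byte past a correctly sized vb2 buffer, rather than a stale pointer or a buffer that was simply allocated too small; whatever the eventual fix, it should make the offset_from_end value negative for the last byte written.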