program:
r0 = openat$fb1(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$FBIOPUT_CON2FBMAP(r0, 0x4610, &(0x7f0000000140)={0x19})
ioctl$FBIOPUT_CON2FBMAP(r0, 0x4610, &(0x7f00000000c0)={0x1}) (fail_nth: 4)

[   89.818049][ T5101] Bluetooth: hci0: command tx timeout
[   90.875838][ T5116] FAULT_INJECTION: forcing a failure.
[   90.875838][ T5116] name fail_page_alloc, interval 1, probability 0, space 0, times 1
[   90.875863][ T5116] CPU: 0 UID: 0 PID: 5116 Comm: syz.0.0 Not tainted 6.11.0-rc6-syzkaller-00048-gc7fb1692dc01 #0
[   90.875880][ T5116] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   90.875888][ T5116] Call Trace:
[   90.875895][ T5116]  <TASK>
[   90.875902][ T5116]  dump_stack_lvl+0x241/0x360
[   90.876024][ T5116]  ? __pfx_dump_stack_lvl+0x10/0x10
[   90.876039][ T5116]  ? __pfx__printk+0x10/0x10
[   90.876062][ T5116]  should_fail_ex+0x3b0/0x4e0
[   90.876110][ T5116]  prepare_alloc_pages+0x1da/0x5d0
[   90.876137][ T5116]  __alloc_pages_noprof+0x166/0x6c0
[   90.876159][ T5116]  ? __pfx___alloc_pages_noprof+0x10/0x10
[   90.876183][ T5116]  ? fb_set_var+0x3db/0xf10
[   90.876206][ T5116]  ___kmalloc_large_node+0x8b/0x1d0
[   90.876225][ T5116]  __kmalloc_large_node_noprof+0x1a/0x80
[   90.876242][ T5116]  ? vc_do_resize+0x31b/0x17f0
[   90.876257][ T5116]  __kmalloc_noprof+0x2ae/0x400
[   90.876276][ T5116]  vc_do_resize+0x31b/0x17f0
[   90.876290][ T5116]  ? mark_lock+0x9a/0x350
[   90.876329][ T5116]  ? __pfx_vc_do_resize+0x10/0x10
[   90.876346][ T5116]  ? fb_match_mode+0x5b0/0x6f0
[   90.876363][ T5116]  ? fbcon_set_disp+0x76c/0x11d0
[   90.876379][ T5116]  ? fb_get_color_depth+0x159/0x280
[   90.876397][ T5116]  fbcon_set_disp+0xac9/0x11d0
[   90.876419][ T5116]  ? is_console_locked+0x9/0x20
[   90.876436][ T5116]  ? __pfx_drm_fb_helper_set_par+0x10/0x10
[   90.876454][ T5116]  set_con2fb_map+0xa6c/0x10a0
[   90.876477][ T5116]  fbcon_set_con2fb_map_ioctl+0x207/0x320
[   90.876495][ T5116]  ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[   90.876513][ T5116]  ? tomoyo_path_number_perm+0x71a/0x880
[   90.876538][ T5116]  do_fb_ioctl+0x38f/0x7b0
[   90.876556][ T5116]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[   90.876576][ T5116]  ? __pfx_do_fb_ioctl+0x10/0x10
[   90.876622][ T5116]  ? __fget_files+0x29/0x470
[   90.876648][ T5116]  ? bpf_lsm_file_ioctl+0x9/0x10
[   90.876666][ T5116]  ? security_file_ioctl+0x87/0xb0
[   90.876685][ T5116]  ? __pfx_fb_ioctl+0x10/0x10
[   90.876705][ T5116]  __se_sys_ioctl+0xfc/0x170
[   90.876722][ T5116]  do_syscall_64+0xf3/0x230
[   90.876737][ T5116]  ? clear_bhb_loop+0x35/0x90
[   90.876757][ T5116]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   90.876774][ T5116] RIP: 0033:0x7f3d02b7cef9
[   90.876787][ T5116] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   90.876799][ T5116] RSP: 002b:00007f3d03952038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   90.876817][ T5116] RAX: ffffffffffffffda RBX: 00007f3d02d35f80 RCX: 00007f3d02b7cef9
[   90.876827][ T5116] RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000003
[   90.876837][ T5116] RBP: 00007f3d03952090 R08: 0000000000000000 R09: 0000000000000000
[   90.876846][ T5116] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   90.876855][ T5116] R13: 0000000000000000 R14: 00007f3d02d35f80 R15: 00007ffcb3f857b8
[   90.876876][ T5116]  </TASK>
[   90.903765][ T5116] ==================================================================
[   90.903781][ T5116] BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1ec6/0x2b00
[   90.903808][ T5116] Write of size 4 at addr ffffc90001cb1000 by task syz.0.0/5116
[   90.903819][ T5116] 
[   90.903824][ T5116] CPU: 0 UID: 0 PID: 5116 Comm: syz.0.0 Not tainted 6.11.0-rc6-syzkaller-00048-gc7fb1692dc01 #0
[   90.903839][ T5116] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   90.903847][ T5116] Call Trace:
[   90.903854][ T5116]  <TASK>
[   90.903861][ T5116]  dump_stack_lvl+0x241/0x360
[   90.903877][ T5116]  ? __pfx_dump_stack_lvl+0x10/0x10
[   90.903892][ T5116]  ? __pfx__printk+0x10/0x10
[   90.903906][ T5116]  ? _printk+0xd5/0x120
[   90.903920][ T5116]  print_report+0x169/0x550
[   90.903939][ T5116]  ? __virt_addr_valid+0xbd/0x530
[   90.903954][ T5116]  ? sys_imageblit+0x1ec6/0x2b00
[   90.903972][ T5116]  kasan_report+0x143/0x180
[   90.903990][ T5116]  ? sys_imageblit+0x1ec6/0x2b00
[   90.904011][ T5116]  sys_imageblit+0x1ec6/0x2b00
[   90.904035][ T5116]  ? __pfx_sys_imageblit+0x10/0x10
[   90.904052][ T5116]  ? queue_work_on+0x25f/0x380
[   90.904072][ T5116]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   90.904089][ T5116]  drm_fbdev_shmem_defio_imageblit+0x2e/0x100
[   90.904110][ T5116]  bit_putcs+0x18ba/0x1db0
[   90.904138][ T5116]  ? __pfx_bit_putcs+0x10/0x10
[   90.904157][ T5116]  ? fb_set_cmap+0x6fb/0x880
[   90.904173][ T5116]  ? fb_get_color_depth+0x159/0x280
[   90.904190][ T5116]  fbcon_putcs+0x255/0x390
[   90.904224][ T5116]  ? __pfx_bit_putcs+0x10/0x10
[   90.904241][ T5116]  do_update_region+0x396/0x450
[   90.904258][ T5116]  redraw_screen+0x902/0xe90
[   90.904272][ T5116]  ? fb_match_mode+0x5b0/0x6f0
[   90.904289][ T5116]  ? con_is_visible+0x77/0x150
[   90.904303][ T5116]  ? __pfx_redraw_screen+0x10/0x10
[   90.904317][ T5116]  ? fbcon_set_disp+0xada/0x11d0
[   90.904332][ T5116]  ? is_console_locked+0x9/0x20
[   90.904346][ T5116]  ? __pfx_drm_fb_helper_set_par+0x10/0x10
[   90.904363][ T5116]  set_con2fb_map+0xa6c/0x10a0
[   90.904380][ T5116]  fbcon_set_con2fb_map_ioctl+0x207/0x320
[   90.904396][ T5116]  ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[   90.904418][ T5116]  ? tomoyo_path_number_perm+0x71a/0x880
[   90.904439][ T5116]  do_fb_ioctl+0x38f/0x7b0
[   90.904456][ T5116]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[   90.904475][ T5116]  ? __pfx_do_fb_ioctl+0x10/0x10
[   90.904503][ T5116]  ? __fget_files+0x29/0x470
[   90.904523][ T5116]  ? bpf_lsm_file_ioctl+0x9/0x10
[   90.904541][ T5116]  ? security_file_ioctl+0x87/0xb0
[   90.904559][ T5116]  ? __pfx_fb_ioctl+0x10/0x10
[   90.904577][ T5116]  __se_sys_ioctl+0xfc/0x170
[   90.904592][ T5116]  do_syscall_64+0xf3/0x230
[   90.904605][ T5116]  ? clear_bhb_loop+0x35/0x90
[   90.904622][ T5116]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   90.904638][ T5116] RIP: 0033:0x7f3d02b7cef9
[   90.904650][ T5116] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   90.904660][ T5116] RSP: 002b:00007f3d03952038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   90.904676][ T5116] RAX: ffffffffffffffda RBX: 00007f3d02d35f80 RCX: 00007f3d02b7cef9
[   90.904687][ T5116] RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000003
[   90.904696][ T5116] RBP: 00007f3d03952090 R08: 0000000000000000 R09: 0000000000000000
[   90.904705][ T5116] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   90.904713][ T5116] R13: 0000000000000000 R14: 00007f3d02d35f80 R15: 00007ffcb3f857b8
[   90.904728][ T5116]  </TASK>
[   90.904733][ T5116] 
[   90.904794][ T5116] The buggy address belongs to the virtual mapping at
[   90.904794][ T5116]  [ffffc900019b1000, ffffc90001cb2000) created by:
[   90.904794][ T5116]  drm_gem_shmem_vmap+0x3ac/0x630
[   90.904817][ T5116] 
[   90.904821][ T5116] Memory state around the buggy address:
[   90.904828][ T5116]  ffffc90001cb0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   90.904837][ T5116]  ffffc90001cb0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   90.904845][ T5116] >ffffc90001cb1000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   90.904851][ T5116]                    ^
[   90.904858][ T5116]  ffffc90001cb1080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   90.904866][ T5116]  ffffc90001cb1100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   90.904872][ T5116] ==================================================================
[   90.905800][ T5116] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   90.905811][ T5116] CPU: 0 UID: 0 PID: 5116 Comm: syz.0.0 Not tainted 6.11.0-rc6-syzkaller-00048-gc7fb1692dc01 #0
[   90.905826][ T5116] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   90.905833][ T5116] Call Trace:
[   90.905839][ T5116]  <TASK>
[   90.905844][ T5116]  dump_stack_lvl+0x241/0x360
[   90.905862][ T5116]  ? __pfx_dump_stack_lvl+0x10/0x10
[   90.905876][ T5116]  ? __pfx__printk+0x10/0x10
[   90.905888][ T5116]  ? preempt_schedule+0xe1/0xf0
[   90.905902][ T5116]  ? vscnprintf+0x5d/0x90
[   90.905919][ T5116]  panic+0x349/0x860
[   90.905931][ T5116]  ? check_panic_on_warn+0x21/0xb0
[   90.905946][ T5116]  ? __pfx_panic+0x10/0x10
[   90.905960][ T5116]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   90.905979][ T5116]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   90.905997][ T5116]  ? print_report+0x502/0x550
[   90.906017][ T5116]  check_panic_on_warn+0x86/0xb0
[   90.906030][ T5116]  ? sys_imageblit+0x1ec6/0x2b00
[   90.906049][ T5116]  end_report+0x77/0x160
[   90.906067][ T5116]  kasan_report+0x154/0x180
[   90.906085][ T5116]  ? sys_imageblit+0x1ec6/0x2b00
[   90.906106][ T5116]  sys_imageblit+0x1ec6/0x2b00
[   90.906129][ T5116]  ? __pfx_sys_imageblit+0x10/0x10
[   90.906147][ T5116]  ? queue_work_on+0x25f/0x380
[   90.906166][ T5116]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   90.906182][ T5116]  drm_fbdev_shmem_defio_imageblit+0x2e/0x100
[   90.906203][ T5116]  bit_putcs+0x18ba/0x1db0
[   90.906230][ T5116]  ? __pfx_bit_putcs+0x10/0x10
[   90.906248][ T5116]  ? fb_set_cmap+0x6fb/0x880
[   90.906263][ T5116]  ? fb_get_color_depth+0x159/0x280
[   90.906279][ T5116]  fbcon_putcs+0x255/0x390
[   90.906294][ T5116]  ? __pfx_bit_putcs+0x10/0x10
[   90.906310][ T5116]  do_update_region+0x396/0x450
[   90.906329][ T5116]  redraw_screen+0x902/0xe90
[   90.906342][ T5116]  ? fb_match_mode+0x5b0/0x6f0
[   90.906359][ T5116]  ? con_is_visible+0x77/0x150
[   90.906373][ T5116]  ? __pfx_redraw_screen+0x10/0x10
[   90.906386][ T5116]  ? fbcon_set_disp+0xada/0x11d0
[   90.906407][ T5116]  ? is_console_locked+0x9/0x20
[   90.906421][ T5116]  ? __pfx_drm_fb_helper_set_par+0x10/0x10
[   90.906437][ T5116]  set_con2fb_map+0xa6c/0x10a0
[   90.906454][ T5116]  fbcon_set_con2fb_map_ioctl+0x207/0x320
[   90.906469][ T5116]  ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[   90.906484][ T5116]  ? tomoyo_path_number_perm+0x71a/0x880
[   90.906507][ T5116]  do_fb_ioctl+0x38f/0x7b0
[   90.906524][ T5116]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[   90.906542][ T5116]  ? __pfx_do_fb_ioctl+0x10/0x10
[   90.906575][ T5116]  ? __fget_files+0x29/0x470
[   90.906596][ T5116]  ? bpf_lsm_file_ioctl+0x9/0x10
[   90.906614][ T5116]  ? security_file_ioctl+0x87/0xb0
[   90.906632][ T5116]  ? __pfx_fb_ioctl+0x10/0x10
[   90.906650][ T5116]  __se_sys_ioctl+0xfc/0x170
[   90.906665][ T5116]  do_syscall_64+0xf3/0x230
[   90.906678][ T5116]  ? clear_bhb_loop+0x35/0x90
[   90.906723][ T5116]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   90.906740][ T5116] RIP: 0033:0x7f3d02b7cef9
[   90.906752][ T5116] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   90.906762][ T5116] RSP: 002b:00007f3d03952038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   90.906776][ T5116] RAX: ffffffffffffffda RBX: 00007f3d02d35f80 RCX: 00007f3d02b7cef9
[   90.906785][ T5116] RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000003
[   90.906794][ T5116] RBP: 00007f3d03952090 R08: 0000000000000000 R09: 0000000000000000
[   90.906803][ T5116] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   90.906811][ T5116] R13: 0000000000000000 R14: 00007f3d02d35f80 R15: 00007ffcb3f857b8
[   90.906825][ T5116]  </TASK>
[   90.907084][ T5116] Kernel Offset: disabled