program:
# syzkaller reproducer, one syscall per line: rN names the result of an earlier call,
# &(0x7f00000000xx) is a pointer into the executor's shared input region, and
# "(fail_nth: N)" asks the kernel fault-injection framework to fail the N-th
# injection point reached inside that one call.
#
# Sequence: open tty1, install a console font, open /dev/fb1, then remap console 1
# onto that framebuffer while a single allocation inside the remap is forced to fail.
r0 = syz_open_dev$tty1(0xc, 0x4, 0x1)
# KDFONTOP (0x4b72) with a console_font_op whose fields, in declaration order, are
# op=0x0 (the $SET variant), flags=0x0, width=0x8, height=0x1, charcount=0x200, data.
# Note the 1-row-high font: presumably this is what drives the later vc resize.
# The font bitmap at 0x7f0000000880 is redacted in this copy of the report.
ioctl$KDFONTOP_SET(r0, 0x4b72, &(0x7f0000000100)={0x0, 0x0, 0x8, 0x1, 0x200, &(0x7f0000000880)="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"})
# openat relative to AT_FDCWD (0xffffffffffffff9c); the path string stored at
# 0x7f0000000040 is not shown in this excerpt, the $fb1 variant implies /dev/fb1.
r1 = openat$fb1(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
# FBIOPUT_CON2FBMAP (0x4610) with {console=0x1}: map console 1 to fd r1.
# With fail_nth: 23 the log below first shows fail_page_alloc hitting the kmalloc in
# vc_do_resize (fbcon_set_disp <- set_con2fb_map), and then, still inside the same
# set_con2fb_map call, a KASAN vmalloc-out-of-bounds write in sys_imageblit reached
# through redraw_screen -> fbcon_putcs. That ordering is consistent with the resize
# failure not stopping the remap, so the redraw runs against the old console
# geometry while the new framebuffer is already in place -- an inference from the
# trace, not something this report proves on its own.
ioctl$FBIOPUT_CON2FBMAP(r1, 0x4610, &(0x7f00000000c0)={0x1}) (fail_nth: 23)
[ 70.132471][ T4666] Bluetooth: hci0: command tx timeout
[ 70.278319][ T5320] FAULT_INJECTION: forcing a failure.
[ 70.278319][ T5320] name fail_page_alloc, interval 1, probability 0, space 0, times 1
[ 70.278349][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-05182-ge0b1f5914274 #0
[ 70.278361][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 70.278367][ T5320] Call Trace:
[ 70.278372][ T5320]
[ 70.278377][ T5320] dump_stack_lvl+0x241/0x360
[ 70.278483][ T5320] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.278492][ T5320] ? __pfx__printk+0x10/0x10
[ 70.278503][ T5320] should_fail_ex+0x3b0/0x4e0
[ 70.278538][ T5320] prepare_alloc_pages+0x1da/0x5b0
[ 70.278555][ T5320] __alloc_pages_noprof+0x16f/0x710
[ 70.278568][ T5320] ? __pfx___alloc_pages_noprof+0x10/0x10
[ 70.278586][ T5320] ? fb_set_var+0x3db/0xf10
[ 70.278603][ T5320] ___kmalloc_large_node+0x8b/0x1d0
[ 70.278621][ T5320] __kmalloc_large_node_noprof+0x1a/0x80
[ 70.278639][ T5320] __kmalloc_noprof+0x339/0x4c0
[ 70.278652][ T5320] ? vc_do_resize+0x31b/0x17f0
[ 70.278671][ T5320] vc_do_resize+0x31b/0x17f0
[ 70.278691][ T5320] ? __mutex_unlock_slowpath+0x227/0x800
[ 70.278734][ T5320] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 70.278748][ T5320] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 70.278759][ T5320] ? __pfx_vc_do_resize+0x10/0x10
[ 70.278774][ T5320] ? fb_match_mode+0x5b0/0x6f0
[ 70.278788][ T5320] ? fb_get_color_depth+0x159/0x280
[ 70.278798][ T5320] fbcon_set_disp+0xac9/0x11d0
[ 70.278812][ T5320] ? __pfx_drm_fb_helper_set_par+0x10/0x10
[ 70.278828][ T5320] set_con2fb_map+0xb34/0x11e0
[ 70.278850][ T5320] fbcon_set_con2fb_map_ioctl+0x207/0x320
[ 70.278861][ T5320] ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[ 70.278872][ T5320] ? tomoyo_path_number_perm+0x6f9/0x860
[ 70.278887][ T5320] ? __lock_acquire+0x1397/0x2100
[ 70.278903][ T5320] do_fb_ioctl+0x38f/0x7b0
[ 70.278917][ T5320] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 70.278951][ T5320] ? __pfx_do_fb_ioctl+0x10/0x10
[ 70.278974][ T5320] ? __fget_files+0x2a/0x410
[ 70.278989][ T5320] ? __fget_files+0x2a/0x410
[ 70.279005][ T5320] ? __pfx_fb_ioctl+0x10/0x10
[ 70.279019][ T5320] __se_sys_ioctl+0xf5/0x170
[ 70.279032][ T5320] do_syscall_64+0xf3/0x230
[ 70.279043][ T5320] ? clear_bhb_loop+0x35/0x90
[ 70.279057][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.279068][ T5320] RIP: 0033:0x7f9e5238cd29
[ 70.279078][ T5320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 70.279086][ T5320] RSP: 002b:00007f9e53105038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.279099][ T5320] RAX: ffffffffffffffda RBX: 00007f9e525a5fa0 RCX: 00007f9e5238cd29
[ 70.279106][ T5320] RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000004
[ 70.279113][ T5320] RBP: 00007f9e53105090 R08: 0000000000000000 R09: 0000000000000000
[ 70.279119][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[ 70.279125][ T5320] R13: 0000000000000000 R14: 00007f9e525a5fa0 R15: 00007fff37da6758
[ 70.279141][ T5320]
[ 70.314912][ T5320] ==================================================================
[ 70.314926][ T5320] BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1ec6/0x2b00
[ 70.314948][ T5320] Write of size 4 at addr ffffc90001e79000 by task syz.0.0/5320
[ 70.314958][ T5320]
[ 70.314963][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-05182-ge0b1f5914274 #0
[ 70.314973][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 70.314979][ T5320] Call Trace:
[ 70.314984][ T5320]
[ 70.314988][ T5320] dump_stack_lvl+0x241/0x360
[ 70.315006][ T5320] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.315020][ T5320] ? __pfx__printk+0x10/0x10
[ 70.315038][ T5320] ? _printk+0xd5/0x120
[ 70.315051][ T5320] print_report+0x169/0x550
[ 70.315065][ T5320] ? __virt_addr_valid+0xbd/0x530
[ 70.315078][ T5320] ? sys_imageblit+0x1ec6/0x2b00
[ 70.315113][ T5320] kasan_report+0x143/0x180
[ 70.315126][ T5320] ? sys_imageblit+0x1ec6/0x2b00
[ 70.315140][ T5320] sys_imageblit+0x1ec6/0x2b00
[ 70.315157][ T5320] ? __pfx_sys_imageblit+0x10/0x10
[ 70.315169][ T5320] ? queue_work_on+0x25f/0x380
[ 70.315184][ T5320] drm_fbdev_shmem_defio_imageblit+0x2e/0x100
[ 70.315201][ T5320] bit_putcs+0x18ba/0x1db0
[ 70.315216][ T5320] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 70.315228][ T5320] ? trace_irq_disable+0x2c/0x120
[ 70.315240][ T5320] ? __pfx_bit_putcs+0x10/0x10
[ 70.315253][ T5320] ? __sanitizer_cov_trace_switch+0xe/0x120
[ 70.315264][ T5320] ? fb_get_color_depth+0x159/0x280
[ 70.315276][ T5320] fbcon_putcs+0x2e0/0x450
[ 70.315286][ T5320] ? __pfx_bit_putcs+0x10/0x10
[ 70.315295][ T5320] do_update_region+0x396/0x450
[ 70.315309][ T5320] redraw_screen+0x902/0xe90
[ 70.315321][ T5320] ? fb_match_mode+0x5b0/0x6f0
[ 70.315333][ T5320] ? __pfx_redraw_screen+0x10/0x10
[ 70.315346][ T5320] ? __pfx_drm_fb_helper_set_par+0x10/0x10
[ 70.315361][ T5320] set_con2fb_map+0xb34/0x11e0
[ 70.315377][ T5320] fbcon_set_con2fb_map_ioctl+0x207/0x320
[ 70.315388][ T5320] ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[ 70.315399][ T5320] ? tomoyo_path_number_perm+0x6f9/0x860
[ 70.315414][ T5320] ? __lock_acquire+0x1397/0x2100
[ 70.315425][ T5320] do_fb_ioctl+0x38f/0x7b0
[ 70.315437][ T5320] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 70.315451][ T5320] ? __pfx_do_fb_ioctl+0x10/0x10
[ 70.315471][ T5320] ? __fget_files+0x2a/0x410
[ 70.315493][ T5320] ? __fget_files+0x2a/0x410
[ 70.315506][ T5320] ? __pfx_fb_ioctl+0x10/0x10
[ 70.315518][ T5320] __se_sys_ioctl+0xf5/0x170
[ 70.315529][ T5320] do_syscall_64+0xf3/0x230
[ 70.315540][ T5320] ? clear_bhb_loop+0x35/0x90
[ 70.315553][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.315563][ T5320] RIP: 0033:0x7f9e5238cd29
[ 70.315572][ T5320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 70.315581][ T5320] RSP: 002b:00007f9e53105038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.315594][ T5320] RAX: ffffffffffffffda RBX: 00007f9e525a5fa0 RCX: 00007f9e5238cd29
[ 70.315601][ T5320] RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000004
[ 70.315608][ T5320] RBP: 00007f9e53105090 R08: 0000000000000000 R09: 0000000000000000
[ 70.315614][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[ 70.315619][ T5320] R13: 0000000000000000 R14: 00007f9e525a5fa0 R15: 00007fff37da6758
[ 70.315630][ T5320]
[ 70.315636][ T5320]
[ 70.315642][ T5320] The buggy address belongs to the virtual mapping at
[ 70.315642][ T5320] [ffffc90001b79000, ffffc90001e7a000) created by:
[ 70.315642][ T5320] drm_gem_shmem_vmap+0x3ac/0x630
[ 70.315659][ T5320]
[ 70.315663][ T5320] Memory state around the buggy address:
[ 70.315670][ T5320] ffffc90001e78f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.315677][ T5320] ffffc90001e78f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.315683][ T5320] >ffffc90001e79000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 70.315688][ T5320] ^
[ 70.315694][ T5320] ffffc90001e79080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 70.315700][ T5320] ffffc90001e79100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 70.315705][ T5320] ==================================================================
[ 70.315814][ T5320] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 70.315822][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-05182-ge0b1f5914274 #0
[ 70.315831][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 70.315838][ T5320] Call Trace:
[ 70.315842][ T5320]
[ 70.315847][ T5320] dump_stack_lvl+0x241/0x360
[ 70.315865][ T5320] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.315878][ T5320] ? __pfx__printk+0x10/0x10
[ 70.315891][ T5320] ? preempt_schedule+0xe1/0xf0
[ 70.315907][ T5320] ? vscnprintf+0x5d/0x90
[ 70.315920][ T5320] panic+0x349/0x880
[ 70.315933][ T5320] ? check_panic_on_warn+0x21/0xb0
[ 70.315945][ T5320] ? __pfx_panic+0x10/0x10
[ 70.315959][ T5320] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 70.315974][ T5320] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 70.315987][ T5320] ? print_report+0x502/0x550
[ 70.316000][ T5320] check_panic_on_warn+0x86/0xb0
[ 70.316011][ T5320] ? sys_imageblit+0x1ec6/0x2b00
[ 70.316026][ T5320] end_report+0x77/0x160
[ 70.316037][ T5320] kasan_report+0x154/0x180
[ 70.316054][ T5320] ? sys_imageblit+0x1ec6/0x2b00
[ 70.316069][ T5320] sys_imageblit+0x1ec6/0x2b00
[ 70.316085][ T5320] ? __pfx_sys_imageblit+0x10/0x10
[ 70.316098][ T5320] ? queue_work_on+0x25f/0x380
[ 70.316112][ T5320] drm_fbdev_shmem_defio_imageblit+0x2e/0x100
[ 70.316126][ T5320] bit_putcs+0x18ba/0x1db0
[ 70.316139][ T5320] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 70.316150][ T5320] ? trace_irq_disable+0x2c/0x120
[ 70.316164][ T5320] ? __pfx_bit_putcs+0x10/0x10
[ 70.316176][ T5320] ? __sanitizer_cov_trace_switch+0xe/0x120
[ 70.316187][ T5320] ? fb_get_color_depth+0x159/0x280
[ 70.316199][ T5320] fbcon_putcs+0x2e0/0x450
[ 70.316211][ T5320] ? __pfx_bit_putcs+0x10/0x10
[ 70.316222][ T5320] do_update_region+0x396/0x450
[ 70.316236][ T5320] redraw_screen+0x902/0xe90
[ 70.316247][ T5320] ? fb_match_mode+0x5b0/0x6f0
[ 70.316260][ T5320] ? __pfx_redraw_screen+0x10/0x10
[ 70.316274][ T5320] ? __pfx_drm_fb_helper_set_par+0x10/0x10
[ 70.316290][ T5320] set_con2fb_map+0xb34/0x11e0
[ 70.316306][ T5320] fbcon_set_con2fb_map_ioctl+0x207/0x320
[ 70.316317][ T5320] ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[ 70.316328][ T5320] ? tomoyo_path_number_perm+0x6f9/0x860
[ 70.316342][ T5320] ? __lock_acquire+0x1397/0x2100
[ 70.316355][ T5320] do_fb_ioctl+0x38f/0x7b0
[ 70.316368][ T5320] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 70.316382][ T5320] ? __pfx_do_fb_ioctl+0x10/0x10
[ 70.316401][ T5320] ? __fget_files+0x2a/0x410
[ 70.316415][ T5320] ? __fget_files+0x2a/0x410
[ 70.316427][ T5320] ? __pfx_fb_ioctl+0x10/0x10
[ 70.316440][ T5320] __se_sys_ioctl+0xf5/0x170
[ 70.316451][ T5320] do_syscall_64+0xf3/0x230
[ 70.316462][ T5320] ? clear_bhb_loop+0x35/0x90
[ 70.316475][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.316493][ T5320] RIP: 0033:0x7f9e5238cd29
[ 70.316503][ T5320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 70.316511][ T5320] RSP: 002b:00007f9e53105038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.316521][ T5320] RAX: ffffffffffffffda RBX: 00007f9e525a5fa0 RCX: 00007f9e5238cd29
[ 70.316529][ T5320] RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000004
[ 70.316536][ T5320] RBP: 00007f9e53105090 R08: 0000000000000000 R09: 0000000000000000
[ 70.316542][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[ 70.316548][ T5320] R13: 0000000000000000 R14: 00007f9e525a5fa0 R15: 00007fff37da6758
[ 70.316559][ T5320]
[ 70.316845][ T5320] Kernel Offset: disabled