program:
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1c, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r1 = syz_open_dev$video(&(0x7f0000000180), 0x485, 0x109202)
r2 = syz_open_dev$vbi(&(0x7f0000000040), 0x0, 0x2)
r3 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r4, 0xffffffffffffffff, &(0x7f0000fd7000/0x18000)=nil, &(0x7f00000000c0)=[@textreal={0x8, 0x0}], 0x1, 0x38, 0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000006c0)={0x9, 0x4, &(0x7f0000000400)=ANY=[], 0x0, 0x1ff, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @cgroup_sock=0xc, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
ioctl$KVM_SET_CPUID2(r5, 0x4048aecb, &(0x7f00000002c0)=ANY=[])
ioctl$KVM_GET_VCPU_EVENTS(r5, 0x4048aecb, &(0x7f0000000080))
ioctl$VIDIOC_S_INPUT(r2, 0xc0045627, &(0x7f00000001c0)=0x2)
r6 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r6, &(0x7f0000000280)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000540)={0x78, 0x2, 0x6, 0x401, 0x0, 0x0, {0xa, 0x0, 0x9}, [@IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_DATA={0x44, 0x7, 0x0, 0x1, [@IPSET_ATTR_TIMEOUT={0x8}, @IPSET_ATTR_MAXELEM={0x8}, @IPSET_ATTR_MAXELEM={0x8, 0x13, 0x1, 0x0, 0x800}, @IPSET_ATTR_PORT_TO={0x6, 0x5, 0x1, 0x0, 0x4e24}, @IPSET_ATTR_NETMASK={0x5, 0x14, 0x9}, @IPSET_ATTR_CADT_FLAGS={0x8, 0x8, 0x1, 0x0, 0x25}, @IPSET_ATTR_PROTO={0x5, 0x7, 0x5c}, @IPSET_ATTR_PORT_TO={0x6, 0x5, 0x1, 0x0, 0x4e21}]}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x1}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0xe}]}, 0x78}}, 0x40028040)
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_LIST(r7, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=ANY=[@ANYBLOB="24000000070605000000000000000000008b665586000100070000000800064000000006"], 0x24}}, 0x0)
r8 = syz_open_dev$vim2m(&(0x7f00000002c0), 0x2000000f5, 0x2)
r9 = syz_open_dev$dri(&(0x7f0000000000), 0x2, 0x0)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r9, 0xc04064a0, &(0x7f0000000300)={0x0, &(0x7f0000000240)=[<r10=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r9, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r10, <r11=>0x0})
ioctl$DRM_IOCTL_MODE_SETCRTC(r9, 0xc06864a2, &(0x7f00000007c0)={0x0, 0x0, r10, r11, 0x117, 0x9, 0x1, 0x2, {0x5, 0x4, 0x6, 0x4, 0xada3, 0x3b, 0x5, 0x0, 0x9, 0x6, 0xe, 0x1ff, 0xa3a, 0xad, "696e2f1e9009b37f550c69fa195512b14b0e43219fe7d84ed382ce66c0af80e7"}})
ioctl$vim2m_VIDIOC_S_CTRL(r8, 0xc008561c, &(0x7f0000000e80)={0xf0f020})
ioctl$VIDIOC_S_SELECTION(r1, 0xc040565f, &(0x7f0000000080)={0x9})
pread64(r8, &(0x7f0000000400)=""/137, 0x89, 0x1)
r12 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r12, 0x400448c8, &(0x7f0000000340)={r0, r0, 0x2002, 0x0, 0x0, 0x6, 0x4a, 0x15c2, 0x5887, 0x1ff, 0x0, 0x8, 'syz0\x00'})
mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xb)
ioctl$sock_bt_hidp_HIDPGETCONNLIST(r12, 0x800448d2, &(0x7f00000000c0)={0x0, 0x0})
socket$unix(0x1, 0x5, 0x0)

[   75.946080][ T4669] Bluetooth: hci0: command tx timeout
[   76.082267][ T5315] netlink: 16 bytes leftover after parsing attributes in process `syz.0.0'.
[   76.134760][ T5317] ==================================================================
[   76.138364][ T5317] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.142215][ T5317] Write of size 1440 at addr ffffc9000d2a7da0 by task vivid-000-vid-c/5317
[   76.146185][ T5317] 
[   76.147259][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: vivid-000-vid-c Not tainted 6.15.0-syzkaller-03589-gfeacb1774bd5 #0 PREEMPT(full) 
[   76.147273][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.147279][ T5317] Call Trace:
[   76.147286][ T5317]  <TASK>
[   76.147292][ T5317]  dump_stack_lvl+0x189/0x250
[   76.147310][ T5317]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.147323][ T5317]  ? __pfx__printk+0x10/0x10
[   76.147334][ T5317]  ? __pfx__printk+0x10/0x10
[   76.147342][ T5317]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   76.147355][ T5317]  ? __virt_addr_valid+0xdc/0x5c0
[   76.147364][ T5317]  print_report+0xd2/0x2b0
[   76.147376][ T5317]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.147388][ T5317]  kasan_report+0x118/0x150
[   76.147441][ T5317]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.147455][ T5317]  kasan_check_range+0x2b0/0x2c0
[   76.147467][ T5317]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.147479][ T5317]  __asan_memcpy+0x40/0x70
[   76.147490][ T5317]  tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.147518][ T5317]  vivid_thread_vid_cap_tick+0xfff/0x5fe0
[   76.147531][ T5317]  ? finish_task_switch+0x18b/0x950
[   76.147546][ T5317]  ? __schedule+0x1713/0x4d00
[   76.147560][ T5317]  ? ktime_get+0x3e/0x1f0
[   76.147575][ T5317]  ? __pfx_vivid_thread_vid_cap_tick+0x10/0x10
[   76.147593][ T5317]  vivid_thread_vid_cap+0x8d8/0x10d0
[   76.147610][ T5317]  ? __pfx_vivid_thread_vid_cap+0x10/0x10
[   76.147622][ T5317]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.147634][ T5317]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   76.147648][ T5317]  ? __kthread_parkme+0x7b/0x200
[   76.147661][ T5317]  ? __kthread_parkme+0x1a1/0x200
[   76.147675][ T5317]  kthread+0x70e/0x8a0
[   76.147685][ T5317]  ? __pfx_vivid_thread_vid_cap+0x10/0x10
[   76.147696][ T5317]  ? __pfx_kthread+0x10/0x10
[   76.147705][ T5317]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.147717][ T5317]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.147731][ T5317]  ? __pfx_kthread+0x10/0x10
[   76.147740][ T5317]  ret_from_fork+0x3fc/0x770
[   76.147753][ T5317]  ? __pfx_ret_from_fork+0x10/0x10
[   76.147766][ T5317]  ? __pfx_kthread+0x10/0x10
[   76.147775][ T5317]  ret_from_fork_asm+0x1a/0x30
[   76.147789][ T5317]  </TASK>
[   76.147793][ T5317] 
[   76.240803][ T5317] The buggy address belongs to the virtual mapping at
[   76.240803][ T5317]  [ffffc9000d291000, ffffc9000d2a9000) created by:
[   76.240803][ T5317]  vb2_vmalloc_alloc+0xef/0x340
[   76.248182][ T5317] 
[   76.249226][ T5317] The buggy address belongs to the physical page:
[   76.252036][ T5317] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888040abb000 pfn:0x40abb
[   76.256328][ T5317] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   76.259436][ T5317] raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
[   76.263017][ T5317] raw: ffff888040abb000 0000000000000000 00000001ffffffff 0000000000000000
[   76.266631][ T5317] page dumped because: kasan: bad access detected
[   76.269536][ T5317] page_owner tracks the page as allocated
[   76.271800][ T5317] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 5315, tgid 5314 (syz.0.0), ts 76089053262, free_ts 74069260785
[   76.279745][ T5317]  post_alloc_hook+0x240/0x2a0
[   76.281825][ T5317]  get_page_from_freelist+0x21ce/0x22b0
[   76.284062][ T5317]  __alloc_frozen_pages_noprof+0x181/0x370
[   76.286774][ T5317]  alloc_pages_mpol+0x232/0x4a0
[   76.289101][ T5317]  alloc_pages_noprof+0xa9/0x190
[   76.291380][ T5317]  __vmalloc_node_range_noprof+0x97d/0x1340
[   76.294079][ T5317]  vmalloc_user_noprof+0xad/0xf0
[   76.296306][ T5317]  vb2_vmalloc_alloc+0xef/0x340
[   76.298449][ T5317]  __vb2_queue_alloc+0x9c2/0x15a0
[   76.300513][ T5317]  vb2_core_reqbufs+0xc31/0x1420
[   76.302719][ T5317]  __vb2_init_fileio+0x318/0xff0
[   76.304886][ T5317]  __vb2_perform_fileio+0x284/0x1600
[   76.307169][ T5317]  vb2_fop_read+0x273/0x360
[   76.309121][ T5317]  v4l2_read+0x19c/0x2c0
[   76.310859][ T5317]  vfs_read+0x1fd/0x980
[   76.312673][ T5317]  __x64_sys_pread64+0x193/0x220
[   76.314918][ T5317] page last free pid 5298 tgid 5298 stack trace:
[   76.317513][ T5317]  __free_frozen_pages+0xc68/0xe50
[   76.319533][ T5317]  __slab_free+0x326/0x400
[   76.321290][ T5317]  qlist_free_all+0x97/0x140
[   76.323185][ T5317]  kasan_quarantine_reduce+0x148/0x160
[   76.325520][ T5317]  __kasan_slab_alloc+0x22/0x80
[   76.327660][ T5317]  __kmalloc_noprof+0x224/0x4f0
[   76.329780][ T5317]  ieee80211_register_hw+0x1ebd/0x4120
[   76.332232][ T5317]  mac80211_hwsim_new_radio+0x2f0e/0x5340
[   76.334639][ T5317]  hwsim_new_radio_nl+0xea4/0x1b10
[   76.336864][ T5317]  genl_family_rcv_msg_doit+0x215/0x300
[   76.339141][ T5317]  genl_rcv_msg+0x60e/0x790
[   76.341019][ T5317]  netlink_rcv_skb+0x21c/0x490
[   76.343074][ T5317]  genl_rcv+0x28/0x40
[   76.344915][ T5317]  netlink_unicast+0x758/0x8d0
[   76.347122][ T5317]  netlink_sendmsg+0x805/0xb30
[   76.349187][ T5317]  __sock_sendmsg+0x219/0x270
[   76.351211][ T5317] 
[   76.352295][ T5317] Memory state around the buggy address:
[   76.354984][ T5317]  ffffc9000d2a7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   76.358338][ T5317]  ffffc9000d2a7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   76.361920][ T5317] >ffffc9000d2a8000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   76.365411][ T5317]                    ^
[   76.367153][ T5317]  ffffc9000d2a8080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   76.370970][ T5317]  ffffc9000d2a8100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   76.374472][ T5317] ==================================================================
[   76.391189][ T1313] ieee802154 phy0 wpan0: encryption failed: -22
[   76.393617][ T1313] ieee802154 phy1 wpan1: encryption failed: -22
[   76.400666][ T5316] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[   76.487561][ T5317] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   76.490834][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: vivid-000-vid-c Not tainted 6.15.0-syzkaller-03589-gfeacb1774bd5 #0 PREEMPT(full) 
[   76.496743][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.501570][ T5317] Call Trace:
[   76.503133][ T5317]  <TASK>
[   76.504452][ T5317]  dump_stack_lvl+0x99/0x250
[   76.506562][ T5317]  ? __asan_memcpy+0x40/0x70
[   76.508706][ T5317]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.511128][ T5317]  ? __pfx__printk+0x10/0x10
[   76.513259][ T5317]  panic+0x2db/0x790
[   76.515006][ T5317]  ? __pfx_panic+0x10/0x10
[   76.516932][ T5317]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   76.519602][ T5317]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   76.522285][ T5317]  ? print_memory_metadata+0x314/0x400
[   76.524894][ T5317]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.527349][ T5317]  check_panic_on_warn+0x89/0xb0
[   76.529454][ T5317]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.531828][ T5317]  end_report+0x78/0x160
[   76.533641][ T5317]  kasan_report+0x129/0x150
[   76.535576][ T5317]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.537950][ T5317]  kasan_check_range+0x2b0/0x2c0
[   76.540117][ T5317]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.542370][ T5317]  __asan_memcpy+0x40/0x70
[   76.544172][ T5317]  tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.546482][ T5317]  vivid_thread_vid_cap_tick+0xfff/0x5fe0
[   76.548808][ T5317]  ? finish_task_switch+0x18b/0x950
[   76.551054][ T5317]  ? __schedule+0x1713/0x4d00
[   76.553000][ T5317]  ? ktime_get+0x3e/0x1f0
[   76.554800][ T5317]  ? __pfx_vivid_thread_vid_cap_tick+0x10/0x10
[   76.557341][ T5317]  vivid_thread_vid_cap+0x8d8/0x10d0
[   76.559600][ T5317]  ? __pfx_vivid_thread_vid_cap+0x10/0x10
[   76.561912][ T5317]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.564285][ T5317]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   76.567008][ T5317]  ? __kthread_parkme+0x7b/0x200
[   76.569148][ T5317]  ? __kthread_parkme+0x1a1/0x200
[   76.571266][ T5317]  kthread+0x70e/0x8a0
[   76.573051][ T5317]  ? __pfx_vivid_thread_vid_cap+0x10/0x10
[   76.575533][ T5317]  ? __pfx_kthread+0x10/0x10
[   76.577197][ T5317]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.579077][ T5317]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.581186][ T5317]  ? __pfx_kthread+0x10/0x10
[   76.582822][ T5317]  ret_from_fork+0x3fc/0x770
[   76.584688][ T5317]  ? __pfx_ret_from_fork+0x10/0x10
[   76.586913][ T5317]  ? __pfx_kthread+0x10/0x10
[   76.588930][ T5317]  ret_from_fork_asm+0x1a/0x30
[   76.591150][ T5317]  </TASK>
[   76.592851][ T5317] Kernel Offset: disabled
[   76.594748][ T5317] Rebooting in 86400 seconds..