program:
r0 = syz_open_dev$swradio(&(0x7f0000000380), 0x1, 0x2)
r1 = syz_open_dev$video(&(0x7f0000000000), 0x485, 0x0)
r2 = syz_open_dev$vbi(&(0x7f0000000040), 0x0, 0x2)
ioctl$VIDIOC_S_INPUT(r2, 0xc0045627, &(0x7f00000001c0)=0x2)
r3 = syz_open_dev$vim2m(&(0x7f00000002c0), 0x2000000f5, 0x2)
ioctl$vim2m_VIDIOC_S_CTRL(r3, 0xc008561c, &(0x7f0000000e80)={0xf0f020})
ioctl$VIDIOC_S_SELECTION(r1, 0xc040565f, &(0x7f0000000080)={0x9})
r4 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0)
lseek(r4, 0x1, 0x0)
getdents(r4, &(0x7f0000000200)=""/76, 0x4c)
read(r1, &(0x7f0000000000)=""/180, 0xb4)
ioctl$VIDIOC_SUBSCRIBE_EVENT(r0, 0x4020565a, &(0x7f0000000400)={0x5, 0x89})
close(r0)

[   75.575999][ T4659] Bluetooth: hci0: command tx timeout
[   75.718818][ T5318] ==================================================================
[   75.722954][ T5318] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1b76/0x5ec0
[   75.728490][ T5318] Write of size 1440 at addr ffffc9000d537da0 by task vivid-000-vid-c/5318
[   75.731716][ T5318] 
[   75.732614][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: vivid-000-vid-c Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) 
[   75.732628][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.732635][ T5318] Call Trace:
[   75.732642][ T5318]  <TASK>
[   75.732648][ T5318]  dump_stack_lvl+0x189/0x250
[   75.732667][ T5318]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.732681][ T5318]  ? __pfx__printk+0x10/0x10
[   75.732690][ T5318]  ? __pfx__printk+0x10/0x10
[   75.732699][ T5318]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   75.732712][ T5318]  ? __virt_addr_valid+0xc3/0x540
[   75.732725][ T5318]  print_report+0xb4/0x290
[   75.732737][ T5318]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   75.732750][ T5318]  kasan_report+0x118/0x150
[   75.732801][ T5318]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   75.732816][ T5318]  kasan_check_range+0x29a/0x2b0
[   75.732828][ T5318]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   75.732836][ T5318]  __asan_memcpy+0x40/0x70
[   75.732843][ T5318]  tpg_fill_plane_buffer+0x1b76/0x5ec0
[   75.732862][ T5318]  vivid_thread_vid_cap_tick+0xfff/0x5fe0
[   75.732870][ T5318]  ? finish_task_switch+0x18b/0x950
[   75.732884][ T5318]  ? __schedule+0x1700/0x4cd0
[   75.732895][ T5318]  ? __lock_acquire+0xaac/0xd20
[   75.732909][ T5318]  ? ktime_get+0x3e/0x1f0
[   75.732922][ T5318]  ? __pfx_vivid_thread_vid_cap_tick+0x10/0x10
[   75.732941][ T5318]  vivid_thread_vid_cap+0x8d8/0x10d0
[   75.732958][ T5318]  ? __pfx_vivid_thread_vid_cap+0x10/0x10
[   75.732970][ T5318]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   75.732979][ T5318]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   75.732987][ T5318]  ? __kthread_parkme+0x7b/0x200
[   75.732994][ T5318]  ? __kthread_parkme+0x1a1/0x200
[   75.733001][ T5318]  kthread+0x70e/0x8a0
[   75.733009][ T5318]  ? __pfx_vivid_thread_vid_cap+0x10/0x10
[   75.733016][ T5318]  ? __pfx_kthread+0x10/0x10
[   75.733024][ T5318]  ? __pfx_kthread+0x10/0x10
[   75.733031][ T5318]  ? _raw_spin_unlock_irq+0x23/0x50
[   75.733038][ T5318]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.733046][ T5318]  ? __pfx_kthread+0x10/0x10
[   75.733055][ T5318]  ret_from_fork+0x4b/0x80
[   75.733065][ T5318]  ? __pfx_kthread+0x10/0x10
[   75.733075][ T5318]  ret_from_fork_asm+0x1a/0x30
[   75.733088][ T5318]  </TASK>
[   75.733091][ T5318] 
[   75.821884][ T5318] The buggy address belongs to the virtual mapping at
[   75.821884][ T5318]  [ffffc9000d521000, ffffc9000d539000) created by:
[   75.821884][ T5318]  vb2_vmalloc_alloc+0xef/0x340
[   75.829231][ T5318] 
[   75.830256][ T5318] The buggy address belongs to the physical page:
[   75.832949][ T5318] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888042f733c0 pfn:0x42f73
[   75.836804][ T5318] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   75.839700][ T5318] raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
[   75.843493][ T5318] raw: ffff888042f733c0 0000000000000000 00000001ffffffff 0000000000000000
[   75.847077][ T5318] page dumped because: kasan: bad access detected
[   75.849502][ T5318] page_owner tracks the page as allocated
[   75.851822][ T5318] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 5316, tgid 5315 (syz.0.0), ts 75644846198, free_ts 73749767929
[   75.859186][ T5318]  post_alloc_hook+0x1d8/0x230
[   75.861127][ T5318]  get_page_from_freelist+0x21ce/0x22b0
[   75.863261][ T5318]  __alloc_frozen_pages_noprof+0x181/0x370
[   75.865581][ T5318]  alloc_pages_mpol+0x232/0x4a0
[   75.867664][ T5318]  alloc_pages_noprof+0xa9/0x190
[   75.869692][ T5318]  __vmalloc_node_range_noprof+0x8fe/0x12c0
[   75.872006][ T5318]  vmalloc_user_noprof+0x74/0x80
[   75.874045][ T5318]  vb2_vmalloc_alloc+0xef/0x340
[   75.876112][ T5318]  __vb2_queue_alloc+0x9bf/0x15a0
[   75.878234][ T5318]  vb2_core_reqbufs+0xc31/0x1420
[   75.880218][ T5318]  __vb2_init_fileio+0x318/0xff0
[   75.882196][ T5318]  __vb2_perform_fileio+0x284/0x1600
[   75.884403][ T5318]  vb2_fop_read+0x273/0x360
[   75.886207][ T5318]  v4l2_read+0x199/0x2c0
[   75.887864][ T5318]  vfs_read+0x1fd/0x980
[   75.889557][ T5318]  ksys_read+0x145/0x250
[   75.891221][ T5318] page last free pid 15 tgid 15 stack trace:
[   75.893690][ T5318]  __free_frozen_pages+0xb0e/0xcd0
[   75.895801][ T5318]  rcu_core+0xca8/0x1710
[   75.897444][ T5318]  handle_softirqs+0x286/0x870
[   75.899356][ T5318]  run_ksoftirqd+0x9b/0x100
[   75.901344][ T5318]  smpboot_thread_fn+0x542/0xa60
[   75.903488][ T5318]  kthread+0x70e/0x8a0
[   75.905184][ T5318]  ret_from_fork+0x4b/0x80
[   75.907072][ T5318]  ret_from_fork_asm+0x1a/0x30
[   75.909111][ T5318] 
[   75.910101][ T5318] Memory state around the buggy address:
[   75.912452][ T5318]  ffffc9000d537f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   75.915812][ T5318]  ffffc9000d537f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   75.918992][ T5318] >ffffc9000d538000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   75.922127][ T5318]                    ^
[   75.923848][ T5318]  ffffc9000d538080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   75.927300][ T5318]  ffffc9000d538100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   75.930703][ T5318] ==================================================================
[   75.944999][ T5318] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   75.948140][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: vivid-000-vid-c Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) 
[   75.953393][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.957780][ T5318] Call Trace:
[   75.959164][ T5318]  <TASK>
[   75.960273][ T5318]  dump_stack_lvl+0x99/0x250
[   75.962117][ T5318]  ? __asan_memcpy+0x40/0x70
[   75.963964][ T5318]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.965918][ T5318]  ? __pfx__printk+0x10/0x10
[   75.967792][ T5318]  panic+0x2db/0x790
[   75.969384][ T5318]  ? __pfx_panic+0x10/0x10
[   75.971167][ T5318]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   75.973480][ T5318]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   75.976146][ T5318]  ? print_memory_metadata+0x314/0x400
[   75.978453][ T5318]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   75.980861][ T5318]  check_panic_on_warn+0x89/0xb0
[   75.982978][ T5318]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   75.985385][ T5318]  end_report+0x78/0x160
[   75.987232][ T5318]  kasan_report+0x129/0x150
[   75.989160][ T5318]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   75.991596][ T5318]  kasan_check_range+0x29a/0x2b0
[   75.993725][ T5318]  ? tpg_fill_plane_buffer+0x1b76/0x5ec0
[   75.996172][ T5318]  __asan_memcpy+0x40/0x70
[   75.998191][ T5318]  tpg_fill_plane_buffer+0x1b76/0x5ec0
[   76.000644][ T5318]  vivid_thread_vid_cap_tick+0xfff/0x5fe0
[   76.003168][ T5318]  ? finish_task_switch+0x18b/0x950
[   76.005512][ T5318]  ? __schedule+0x1700/0x4cd0
[   76.007676][ T5318]  ? __lock_acquire+0xaac/0xd20
[   76.009865][ T5318]  ? ktime_get+0x3e/0x1f0
[   76.011769][ T5318]  ? __pfx_vivid_thread_vid_cap_tick+0x10/0x10
[   76.014542][ T5318]  vivid_thread_vid_cap+0x8d8/0x10d0
[   76.016911][ T5318]  ? __pfx_vivid_thread_vid_cap+0x10/0x10
[   76.019502][ T5318]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.022208][ T5318]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   76.025107][ T5318]  ? __kthread_parkme+0x7b/0x200
[   76.027435][ T5318]  ? __kthread_parkme+0x1a1/0x200
[   76.029721][ T5318]  kthread+0x70e/0x8a0
[   76.031601][ T5318]  ? __pfx_vivid_thread_vid_cap+0x10/0x10
[   76.034218][ T5318]  ? __pfx_kthread+0x10/0x10
[   76.036124][ T5318]  ? __pfx_kthread+0x10/0x10
[   76.038125][ T5318]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.040453][ T5318]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.042733][ T5318]  ? __pfx_kthread+0x10/0x10
[   76.044758][ T5318]  ret_from_fork+0x4b/0x80
[   76.046657][ T5318]  ? __pfx_kthread+0x10/0x10
[   76.048682][ T5318]  ret_from_fork_asm+0x1a/0x30
[   76.050795][ T5318]  </TASK>
[   76.052468][ T5318] Kernel Offset: disabled
[   76.054471][ T5318] Rebooting in 86400 seconds..