program:
r0 = openat$fb1(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$FBIOPUT_CON2FBMAP(r0, 0x4610, &(0x7f00000000c0)={0x1}) (fail_nth: 21)

[   89.094283][ T4525] Bluetooth: hci0: command tx timeout
[   90.126707][ T5106] FAULT_INJECTION: forcing a failure.
[   90.126707][ T5106] name fail_page_alloc, interval 1, probability 0, space 0, times 1
[   90.126736][ T5106] CPU: 0 UID: 0 PID: 5106 Comm: syz.0.0 Not tainted 6.11.0-rc3-syzkaller-00221-g670c12ce09a8 #0
[   90.126752][ T5106] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   90.126761][ T5106] Call Trace:
[   90.126767][ T5106]  <TASK>
[   90.126773][ T5106]  dump_stack_lvl+0x241/0x360
[   90.126869][ T5106]  ? __pfx_dump_stack_lvl+0x10/0x10
[   90.126881][ T5106]  ? __pfx__printk+0x10/0x10
[   90.126899][ T5106]  ? kasan_save_free_info+0x40/0x50
[   90.126913][ T5106]  ? __kasan_slab_free+0x37/0x60
[   90.126933][ T5106]  should_fail_ex+0x3b0/0x4e0
[   90.126976][ T5106]  prepare_alloc_pages+0x1da/0x5d0
[   90.126999][ T5106]  __alloc_pages_noprof+0x166/0x6c0
[   90.127015][ T5106]  ? __pfx___alloc_pages_noprof+0x10/0x10
[   90.127027][ T5106]  ? fb_set_var+0x3db/0xf10
[   90.127037][ T5106]  ? drm_modeset_acquire_fini+0x1b/0x170
[   90.127056][ T5106]  ___kmalloc_large_node+0x8b/0x1d0
[   90.127072][ T5106]  __kmalloc_large_node_noprof+0x1a/0x80
[   90.127086][ T5106]  ? vc_do_resize+0x31b/0x17f0
[   90.127101][ T5106]  __kmalloc_noprof+0x2ae/0x400
[   90.127118][ T5106]  vc_do_resize+0x31b/0x17f0
[   90.127145][ T5106]  ? __mutex_unlock_slowpath+0x21d/0x750
[   90.127161][ T5106]  ? __pfx_vc_do_resize+0x10/0x10
[   90.127178][ T5106]  ? fb_match_mode+0x5b0/0x6f0
[   90.127195][ T5106]  ? fbcon_set_disp+0x76c/0x11d0
[   90.127209][ T5106]  ? fb_get_color_depth+0x159/0x280
[   90.127226][ T5106]  fbcon_set_disp+0xac9/0x11d0
[   90.127239][ T5106]  ? __pfx_drm_fb_helper_set_par+0x10/0x10
[   90.127249][ T5106]  set_con2fb_map+0xa6c/0x10a0
[   90.127261][ T5106]  fbcon_set_con2fb_map_ioctl+0x207/0x320
[   90.127271][ T5106]  ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[   90.127280][ T5106]  ? tomoyo_path_number_perm+0x71a/0x880
[   90.127291][ T5106]  do_fb_ioctl+0x38f/0x7b0
[   90.127299][ T5106]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[   90.127307][ T5106]  ? __pfx_do_fb_ioctl+0x10/0x10
[   90.127326][ T5106]  ? __fget_files+0x29/0x470
[   90.127340][ T5106]  ? bpf_lsm_file_ioctl+0x9/0x10
[   90.127350][ T5106]  ? security_file_ioctl+0x87/0xb0
[   90.127362][ T5106]  ? __pfx_fb_ioctl+0x10/0x10
[   90.127374][ T5106]  __se_sys_ioctl+0xfc/0x170
[   90.127390][ T5106]  do_syscall_64+0xf3/0x230
[   90.127403][ T5106]  ? clear_bhb_loop+0x35/0x90
[   90.127419][ T5106]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   90.127432][ T5106] RIP: 0033:0x7f76311799b9
[   90.127444][ T5106] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   90.127455][ T5106] RSP: 002b:00007f7631f9d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   90.127471][ T5106] RAX: ffffffffffffffda RBX: 00007f7631315f80 RCX: 00007f76311799b9
[   90.127503][ T5106] RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000003
[   90.127513][ T5106] RBP: 00007f7631f9d090 R08: 0000000000000000 R09: 0000000000000000
[   90.127521][ T5106] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   90.127528][ T5106] R13: 0000000000000000 R14: 00007f7631315f80 R15: 00007ffcf9b0e3e8
[   90.127546][ T5106]  </TASK>
[   90.151616][ T5106] ==================================================================
[   90.151626][ T5106] BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1ec6/0x2b00
[   90.151639][ T5106] Write of size 4 at addr ffffc90001c19000 by task syz.0.0/5106
[   90.151646][ T5106] 
[   90.151649][ T5106] CPU: 0 UID: 0 PID: 5106 Comm: syz.0.0 Not tainted 6.11.0-rc3-syzkaller-00221-g670c12ce09a8 #0
[   90.151658][ T5106] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   90.151662][ T5106] Call Trace:
[   90.151666][ T5106]  <TASK>
[   90.151669][ T5106]  dump_stack_lvl+0x241/0x360
[   90.151679][ T5106]  ? __pfx_dump_stack_lvl+0x10/0x10
[   90.151685][ T5106]  ? __pfx__printk+0x10/0x10
[   90.151695][ T5106]  ? _printk+0xd5/0x120
[   90.151704][ T5106]  print_report+0x169/0x550
[   90.151715][ T5106]  ? mark_lock+0x9a/0x350
[   90.151724][ T5106]  ? __virt_addr_valid+0xbd/0x530
[   90.151731][ T5106]  ? sys_imageblit+0x1ec6/0x2b00
[   90.151738][ T5106]  kasan_report+0x143/0x180
[   90.151747][ T5106]  ? sys_imageblit+0x1ec6/0x2b00
[   90.151755][ T5106]  sys_imageblit+0x1ec6/0x2b00
[   90.151764][ T5106]  ? queue_work_on+0x269/0x380
[   90.151773][ T5106]  ? __pfx_sys_imageblit+0x10/0x10
[   90.151782][ T5106]  drm_fbdev_shmem_defio_imageblit+0x2e/0x100
[   90.151791][ T5106]  bit_putcs+0x18ba/0x1db0
[   90.151805][ T5106]  ? __pfx_bit_putcs+0x10/0x10
[   90.151814][ T5106]  ? irqentry_exit+0x63/0x90
[   90.151829][ T5106]  ? lockdep_hardirqs_on+0x99/0x150
[   90.151840][ T5106]  ? fb_get_color_depth+0x159/0x280
[   90.151856][ T5106]  fbcon_putcs+0x255/0x390
[   90.151872][ T5106]  ? __pfx_bit_putcs+0x10/0x10
[   90.151886][ T5106]  do_update_region+0x396/0x450
[   90.151904][ T5106]  redraw_screen+0x902/0xe90
[   90.151916][ T5106]  ? fb_match_mode+0x5b0/0x6f0
[   90.151932][ T5106]  ? con_is_visible+0x77/0x150
[   90.151945][ T5106]  ? __pfx_redraw_screen+0x10/0x10
[   90.151958][ T5106]  ? fbcon_set_disp+0xada/0x11d0
[   90.151974][ T5106]  ? __pfx_drm_fb_helper_set_par+0x10/0x10
[   90.151991][ T5106]  set_con2fb_map+0xa6c/0x10a0
[   90.152006][ T5106]  fbcon_set_con2fb_map_ioctl+0x207/0x320
[   90.152021][ T5106]  ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[   90.152036][ T5106]  ? tomoyo_path_number_perm+0x71a/0x880
[   90.152051][ T5106]  do_fb_ioctl+0x38f/0x7b0
[   90.152063][ T5106]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[   90.152075][ T5106]  ? __pfx_do_fb_ioctl+0x10/0x10
[   90.152096][ T5106]  ? __fget_files+0x29/0x470
[   90.152115][ T5106]  ? bpf_lsm_file_ioctl+0x9/0x10
[   90.152131][ T5106]  ? security_file_ioctl+0x87/0xb0
[   90.152144][ T5106]  ? __pfx_fb_ioctl+0x10/0x10
[   90.152155][ T5106]  __se_sys_ioctl+0xfc/0x170
[   90.152170][ T5106]  do_syscall_64+0xf3/0x230
[   90.152181][ T5106]  ? clear_bhb_loop+0x35/0x90
[   90.152196][ T5106]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   90.152210][ T5106] RIP: 0033:0x7f76311799b9
[   90.152221][ T5106] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   90.152231][ T5106] RSP: 002b:00007f7631f9d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   90.152246][ T5106] RAX: ffffffffffffffda RBX: 00007f7631315f80 RCX: 00007f76311799b9
[   90.152255][ T5106] RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000003
[   90.152263][ T5106] RBP: 00007f7631f9d090 R08: 0000000000000000 R09: 0000000000000000
[   90.152271][ T5106] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   90.152278][ T5106] R13: 0000000000000000 R14: 00007f7631315f80 R15: 00007ffcf9b0e3e8
[   90.152292][ T5106]  </TASK>
[   90.152296][ T5106] 
[   90.152301][ T5106] The buggy address belongs to the virtual mapping at
[   90.152301][ T5106]  [ffffc90001919000, ffffc90001c1a000) created by:
[   90.152301][ T5106]  drm_gem_shmem_vmap+0x3ac/0x630
[   90.152322][ T5106] 
[   90.152326][ T5106] Memory state around the buggy address:
[   90.152332][ T5106]  ffffc90001c18f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   90.152340][ T5106]  ffffc90001c18f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   90.152347][ T5106] >ffffc90001c19000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   90.152353][ T5106]                    ^
[   90.152359][ T5106]  ffffc90001c19080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   90.152366][ T5106]  ffffc90001c19100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   90.152371][ T5106] ==================================================================
[   90.152379][ T5106] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   90.152385][ T5106] CPU: 0 UID: 0 PID: 5106 Comm: syz.0.0 Not tainted 6.11.0-rc3-syzkaller-00221-g670c12ce09a8 #0
[   90.152398][ T5106] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   90.152404][ T5106] Call Trace:
[   90.152409][ T5106]  <TASK>
[   90.152414][ T5106]  dump_stack_lvl+0x241/0x360
[   90.152427][ T5106]  ? __pfx_dump_stack_lvl+0x10/0x10
[   90.152438][ T5106]  ? __pfx__printk+0x10/0x10
[   90.152453][ T5106]  ? rcu_is_watching+0x15/0xb0
[   90.152469][ T5106]  ? lock_release+0xbf/0xa30
[   90.152485][ T5106]  ? vscnprintf+0x5d/0x90
[   90.152499][ T5106]  panic+0x349/0x860
[   90.152515][ T5106]  ? check_panic_on_warn+0x21/0xb0
[   90.152527][ T5106]  ? __pfx_panic+0x10/0x10
[   90.152564][ T5106]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   90.152583][ T5106]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   90.152598][ T5106]  ? print_report+0x502/0x550
[   90.152616][ T5106]  check_panic_on_warn+0x86/0xb0
[   90.152628][ T5106]  ? sys_imageblit+0x1ec6/0x2b00
[   90.152640][ T5106]  end_report+0x77/0x160
[   90.152655][ T5106]  kasan_report+0x154/0x180
[   90.152672][ T5106]  ? sys_imageblit+0x1ec6/0x2b00
[   90.152687][ T5106]  sys_imageblit+0x1ec6/0x2b00
[   90.152703][ T5106]  ? queue_work_on+0x269/0x380
[   90.152719][ T5106]  ? __pfx_sys_imageblit+0x10/0x10
[   90.152735][ T5106]  drm_fbdev_shmem_defio_imageblit+0x2e/0x100
[   90.152750][ T5106]  bit_putcs+0x18ba/0x1db0
[   90.152779][ T5106]  ? __pfx_bit_putcs+0x10/0x10
[   90.152795][ T5106]  ? irqentry_exit+0x63/0x90
[   90.152811][ T5106]  ? lockdep_hardirqs_on+0x99/0x150
[   90.152831][ T5106]  ? fb_get_color_depth+0x159/0x280
[   90.152848][ T5106]  fbcon_putcs+0x255/0x390
[   90.152862][ T5106]  ? __pfx_bit_putcs+0x10/0x10
[   90.152877][ T5106]  do_update_region+0x396/0x450
[   90.152895][ T5106]  redraw_screen+0x902/0xe90
[   90.152908][ T5106]  ? fb_match_mode+0x5b0/0x6f0
[   90.152925][ T5106]  ? con_is_visible+0x77/0x150
[   90.152938][ T5106]  ? __pfx_redraw_screen+0x10/0x10
[   90.152950][ T5106]  ? fbcon_set_disp+0xada/0x11d0
[   90.152965][ T5106]  ? __pfx_drm_fb_helper_set_par+0x10/0x10
[   90.152982][ T5106]  set_con2fb_map+0xa6c/0x10a0
[   90.152999][ T5106]  fbcon_set_con2fb_map_ioctl+0x207/0x320
[   90.153014][ T5106]  ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[   90.153029][ T5106]  ? tomoyo_path_number_perm+0x71a/0x880
[   90.153044][ T5106]  do_fb_ioctl+0x38f/0x7b0
[   90.153055][ T5106]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[   90.153067][ T5106]  ? __pfx_do_fb_ioctl+0x10/0x10
[   90.153092][ T5106]  ? __fget_files+0x29/0x470
[   90.153112][ T5106]  ? bpf_lsm_file_ioctl+0x9/0x10
[   90.153128][ T5106]  ? security_file_ioctl+0x87/0xb0
[   90.153139][ T5106]  ? __pfx_fb_ioctl+0x10/0x10
[   90.153151][ T5106]  __se_sys_ioctl+0xfc/0x170
[   90.153165][ T5106]  do_syscall_64+0xf3/0x230
[   90.153177][ T5106]  ? clear_bhb_loop+0x35/0x90
[   90.153191][ T5106]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   90.153204][ T5106] RIP: 0033:0x7f76311799b9
[   90.153213][ T5106] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   90.153223][ T5106] RSP: 002b:00007f7631f9d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   90.153235][ T5106] RAX: ffffffffffffffda RBX: 00007f7631315f80 RCX: 00007f76311799b9
[   90.153242][ T5106] RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000003
[   90.153250][ T5106] RBP: 00007f7631f9d090 R08: 0000000000000000 R09: 0000000000000000
[   90.153258][ T5106] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   90.153265][ T5106] R13: 0000000000000000 R14: 00007f7631315f80 R15: 00007ffcf9b0e3e8
[   90.153279][ T5106]  </TASK>
[   90.153536][ T5106] Kernel Offset: disabled