program:
# Open a virtual console. 0xc selects a character device and 0x4 / 0x1 are the
# major / minor numbers; the $tty1 variant name suggests /dev/tty1 (confirm
# against the syzkaller description). The descriptor is kept in r0.
r0 = syz_open_dev$tty1(0xc, 0x4, 0x1)
# The call that follows issues KDFONTOP (0x4b72) on r0. Its console_font_op
# starts with {0x0, 0x2, 0x8, 0x1, 0x200}: presumably op=KD_FONT_OP_SET,
# flags=0x2, width=8, height=1, charcount=512, then a pointer to the glyph
# data blob. NOTE(review): field order assumed from struct console_font_op.
ioctl$KDFONTOP_SET(r0, 0x4b72, &(0x7f0000000100)={0x0, 0x2, 0x8, 0x1, 0x200, &(0x7f0000000880)="1ae19337aa151f36ae49bb3f8cb95c5bf840d4f1e55efaaf098d47a70eb36a7309000000000000000f4743f490c585108c1331c7749299a25a705f5096cb268cbc6070d680e1be250700000000000000472471ff550c0010000007f3c7b61abe4162256004ea8ca5e5b5f379c6eb3257eda08f7e6959090000004d13184d382747e035b4722525e00ade86b4c6d1e157c75d15c1f961ebc0a64d7f2a73f8979fcecacaa64f9b9069ebcc1d5b471edbc4f6c7f1b98ae74e909aa6f25b7fa77bf9cd4ed36d5c53dc519d11c3cc1c22a3b86cf3c645413fcea0c99ded703699d2bb6a4a663b99b6069da5aaf64785a5887c31261d4b9e57ee07000000def6f255ca26108f11f02047d47f2d0fec30f7e92482f71496e184214a4e0c5fdc48b0af0c0478940016d8f0990a0e1090fd515380aae83c5eaeed338701574b64200a16ef2811fadcf1e0f49a514df529061e09ce45e3da03a03fe9b4a6bcfa7d04594e4f6d0714a2e14ea127ab37d64a5e0db630cd4f4a2e6c985a542ff20a9b2193f265f93a258a88dd6c9d6a926dd23d32425849c5d9210007660a617f22133b6cb5087f4c6057942aa18193172bd995fa70a1f949e496f2e2a3c175858575713be5ee3f7f4dcecc98123f9ded3afdebe13d79a7f7fcb2469ae0ac503111401612df7ee995f74fb97a63bf62d61f78c062f959119ab50c1f706a930121ebcd53ccb93d158186ed360750ca8e728150d988844b9a5cff46591ccaff4175b86ea6171b046b856168f403b5253a5cc393430a09a4489a0895571e597ac8846f945ffb372a88d3a2b463dc961416c80c55773f917020751ed51cfd73c1e06fbadd156d56bedc117af95d242d6d07002ce34dccd6005e944afa92b22ec9a698469c6edc06caa2cfcd61912607d459b4c28ebea9745bcd4697d75c9601fd333d3cd797963a3c71b7cc5fdc756da8d97207936e5f53b53b732533c2722e03002293517966611602f297de6ff5408777b7a93c45cee3ee5c5601a4e94266b295ea7a86812a7ab8896ec5ea1b12643e1844b185734528399e62bceb8700cc6cd491e4a4430d0a3ba329a5a2fa170fd0b1cc4ba8294de988cd35df2cd7344aa8a9f3432b96fb889c02f484f63520cc3466a3c2733d45f176931b2db18dba54991a9553cedb7f585786388d4042dbae1c95b769e3d4e036e8afea0a04c04f542b152ca1fd1f8efee60425c5a122fd1b90e98635284abd9f217d9e19cb2a64b354c9d79509cc47d7305114990148a7291cb0fe2d1c773a6664b66ae04aa62c534d072ae54c2ca0d5962cc58945d8924abfc4d5af922462507430d8f2c17479a667
8b0b3700000000000000000000000000000000000000000000f800"})
# Open a framebuffer device relative to AT_FDCWD (0xffffffffffffff9c == -100).
# The path string at 0x7f0000000040 is not spelled out in this program; the
# $fb1 variant presumably fixes it to /dev/fb1 (confirm). Descriptor kept in r1.
r1 = openat$fb1(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
# Raw Bluetooth HCI socket: 0x1f = AF_BLUETOOTH, 0x3 = SOCK_RAW,
# 0x1 = BTPROTO_HCI. Descriptor kept in r2.
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# HCIINQUIRY (0x800448f0) on the HCI socket. Presumably dev_id=3, flags=5,
# lap=27:25:14, length=0xfc, num_rsp=0xba (verify against struct
# hci_inquiry_req). No Bluetooth frame appears in the WARNING call trace,
# so this call does not look like part of the crashing path.
ioctl$HCIINQUIRY(r2, 0x800448f0, &(0x7f0000000240)={0x3, 0x5, "272514", 0xfc, 0xba})
# This is the request the crash trace belongs to: the faulting task is in an
# ioctl with RSI=0x4610, and the stack runs fbcon_set_con2fb_map_ioctl ->
# set_con2fb_map -> redraw_screen -> fbcon_switch -> fb_pan_display ->
# drm_atomic_commit -> vkms_get_vblank_timestamp, where the WARNING at
# drivers/gpu/drm/vkms/vkms_crtc.c:97 fires. {0x1} sets the first field of
# the argument (presumably fb_con2fbmap.console) to 1 and leaves the rest at
# the default. The log shows panic_on_warn set, so the WARN becomes a kernel
# panic; the visible impact is host availability, and the triggering task
# ran as UID 0.
ioctl$FBIOPUT_CON2FBMAP(r1, 0x4610, &(0x7f00000000c0)={0x1})
# Second pass: from here on the same six calls are repeated with the (async)
# flag. The results are not re-assigned, so the later calls keep using r0-r2
# from the first pass. (async) presumably lets the executor issue the next
# call without waiting for this one to finish, so the calls can overlap.
syz_open_dev$tty1(0xc, 0x4, 0x1) (async)
ioctl$KDFONTOP_SET(r0, 0x4b72, &(0x7f0000000100)={0x0, 0x2, 0x8, 0x1, 0x200, &(0x7f0000000880)="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"}) (async)
# Async repeat of the framebuffer open (AT_FDCWD = 0xffffffffffffff9c);
# the returned descriptor is discarded.
openat$fb1(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) (async)
# Async repeat of the raw HCI socket creation (AF_BLUETOOTH, SOCK_RAW,
# BTPROTO_HCI); the returned descriptor is discarded.
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
# Async repeat of HCIINQUIRY on r2, the socket from the first pass.
ioctl$HCIINQUIRY(r2, 0x800448f0, &(0x7f0000000240)={0x3, 0x5, "272514", 0xfc, 0xba}) (async)
# Async repeat of FBIOPUT_CON2FBMAP (0x4610) on r1. This is the request
# number seen in the crashing task's registers (RSI=0x4610), whose stack
# reaches the WARNING in vkms_get_vblank_timestamp via set_con2fb_map.
# NOTE(review): the log does not say whether the first or the async
# instance of this call is the one that hit the WARNING.
ioctl$FBIOPUT_CON2FBMAP(r1, 0x4610, &(0x7f00000000c0)={0x1}) (async)
[ 68.973746][ T4658] Bluetooth: hci0: command tx timeout
[ 69.122408][ T5312] ------------[ cut here ]------------
[ 69.122461][ T5312] WARNING: CPU: 0 PID: 5312 at drivers/gpu/drm/vkms/vkms_crtc.c:97 vkms_get_vblank_timestamp+0x137/0x160
[ 69.122649][ T5312] Modules linked in:
[ 69.122679][ T5312] CPU: 0 UID: 0 PID: 5312 Comm: syz.0.0 Not tainted 6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 PREEMPT(full)
[ 69.122692][ T5312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 69.122699][ T5312] RIP: 0010:vkms_get_vblank_timestamp+0x137/0x160
[ 69.122712][ T5312] Code: 42 80 3c 28 00 74 08 48 89 df e8 74 40 3d fc 4c 89 33 b0 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 9a 4a db fb 90 <0f> 0b 90 eb e3 44 89 e1 80 e1 07 38 c1 0f 8c ff fe ff ff 4c 89 e7
[ 69.122721][ T5312] RSP: 0018:ffffc9000f6af148 EFLAGS: 00010293
[ 69.122732][ T5312] RAX: ffffffff85e475b6 RBX: ffffc9000f6af2c0 RCX: ffff888000258000
[ 69.122741][ T5312] RDX: 0000000000000000 RSI: 000000100daac11d RDI: 000000100daac11d
[ 69.122748][ T5312] RBP: 1ffff92001ed5e58 R08: ffffc90001a41000 R09: 0000000000000000
[ 69.122756][ T5312] R10: ffffc90001a41000 R11: ffffffff85e47480 R12: 000000100daac11d
[ 69.122763][ T5312] R13: dffffc0000000000 R14: ffff88801f1f4028 R15: 000000100daac11d
[ 69.122771][ T5312] FS: 00007ff082c216c0(0000) GS:ffff88808d6cb000(0000) knlGS:0000000000000000
[ 69.122780][ T5312] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 69.122788][ T5312] CR2: 00007fffbab96d00 CR3: 0000000041b03000 CR4: 0000000000352ef0
[ 69.122818][ T5312] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 69.122827][ T5312] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 69.122834][ T5312] Call Trace:
[ 69.122839][ T5312]
[ 69.122845][ T5312] ? __pfx_vkms_get_vblank_timestamp+0x10/0x10
[ 69.122860][ T5312] drm_crtc_next_vblank_start+0x223/0x470
[ 69.122877][ T5312] ? __pfx_drm_crtc_next_vblank_start+0x10/0x10
[ 69.122891][ T5312] ? drm_gem_fb_vmap+0x230/0x8d0
[ 69.122908][ T5312] drm_atomic_helper_wait_for_fences+0x265/0x8c0
[ 69.122927][ T5312] ? __pfx_drm_atomic_helper_wait_for_fences+0x10/0x10
[ 69.122938][ T5312] ? drm_atomic_helper_prepare_planes+0x670/0xb60
[ 69.122957][ T5312] drm_atomic_helper_commit+0x5c7/0xb10
[ 69.122973][ T5312] ? __pfx_drm_atomic_helper_commit+0x10/0x10
[ 69.122985][ T5312] drm_atomic_commit+0x25f/0x2c0
[ 69.122999][ T5312] ? __pfx_drm_atomic_commit+0x10/0x10
[ 69.123009][ T5312] ? __pfx___drm_printfn_info+0x10/0x10
[ 69.123040][ T5312] drm_client_modeset_commit_atomic+0x620/0x760
[ 69.123063][ T5312] ? __pfx_drm_client_modeset_commit_atomic+0x10/0x10
[ 69.123090][ T5312] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 69.123160][ T5312] drm_client_modeset_commit_locked+0xcb/0x4d0
[ 69.123178][ T5312] drm_fb_helper_pan_display+0x3e7/0xbd0
[ 69.123200][ T5312] fb_pan_display+0x39b/0x680
[ 69.123213][ T5312] ? __pfx_drm_fb_helper_pan_display+0x10/0x10
[ 69.123229][ T5312] bit_update_start+0x4d/0x1e0
[ 69.123243][ T5312] fbcon_switch+0x1379/0x1fc0
[ 69.123359][ T5312] ? __pfx_fbcon_switch+0x10/0x10
[ 69.123392][ T5312] ? __pfx_hide_cursor+0x10/0x10
[ 69.123411][ T5312] ? is_console_locked+0x9/0x20
[ 69.123422][ T5312] ? set_origin+0x346/0x480
[ 69.123439][ T5312] redraw_screen+0x56a/0xe90
[ 69.123452][ T5312] ? fb_match_mode+0x5f9/0x730
[ 69.123468][ T5312] ? is_console_locked+0x9/0x20
[ 69.123479][ T5312] ? __pfx_redraw_screen+0x10/0x10
[ 69.123500][ T5312] set_con2fb_map+0xcab/0x1220
[ 69.123522][ T5312] fbcon_set_con2fb_map_ioctl+0x18a/0x1f0
[ 69.123534][ T5312] ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[ 69.123553][ T5312] do_fb_ioctl+0x3df/0x750
[ 69.123568][ T5312] ? __pfx_do_fb_ioctl+0x10/0x10
[ 69.123592][ T5312] ? __lock_acquire+0xaac/0xd20
[ 69.123617][ T5312] ? __fget_files+0x2a/0x420
[ 69.123634][ T5312] ? __fget_files+0x3a0/0x420
[ 69.123646][ T5312] ? __fget_files+0x2a/0x420
[ 69.123662][ T5312] ? bpf_lsm_file_ioctl+0x9/0x20
[ 69.123677][ T5312] ? __pfx_fb_ioctl+0x10/0x10
[ 69.123691][ T5312] __se_sys_ioctl+0xf9/0x170
[ 69.123705][ T5312] do_syscall_64+0xf6/0x210
[ 69.123719][ T5312] ? clear_bhb_loop+0x45/0xa0
[ 69.123733][ T5312] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.123743][ T5312] RIP: 0033:0x7ff081d8e969
[ 69.123755][ T5312] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 69.123764][ T5312] RSP: 002b:00007ff082c21038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.123777][ T5312] RAX: ffffffffffffffda RBX: 00007ff081fb5fa0 RCX: 00007ff081d8e969
[ 69.123786][ T5312] RDX: 00002000000000c0 RSI: 0000000000004610 RDI: 0000000000000004
[ 69.123794][ T5312] RBP: 00007ff081e10ab1 R08: 0000000000000000 R09: 0000000000000000
[ 69.123801][ T5312] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 69.123807][ T5312] R13: 0000000000000000 R14: 00007ff081fb5fa0 R15: 00007fffbab974b8
[ 69.123820][ T5312]
[ 69.123826][ T5312] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 69.123834][ T5312] CPU: 0 UID: 0 PID: 5312 Comm: syz.0.0 Not tainted 6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 PREEMPT(full)
[ 69.123845][ T5312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 69.123850][ T5312] Call Trace:
[ 69.123855][ T5312]
[ 69.123859][ T5312] dump_stack_lvl+0x99/0x250
[ 69.123875][ T5312] ? __asan_memcpy+0x40/0x70
[ 69.123885][ T5312] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.123898][ T5312] ? __pfx__printk+0x10/0x10
[ 69.123918][ T5312] panic+0x2db/0x790
[ 69.123934][ T5312] ? __pfx_panic+0x10/0x10
[ 69.123945][ T5312] ? show_trace_log_lvl+0x4fb/0x550
[ 69.123970][ T5312] __warn+0x31b/0x4b0
[ 69.123982][ T5312] ? vkms_get_vblank_timestamp+0x137/0x160
[ 69.123997][ T5312] ? vkms_get_vblank_timestamp+0x137/0x160
[ 69.124009][ T5312] report_bug+0x2be/0x4f0
[ 69.124020][ T5312] ? vkms_get_vblank_timestamp+0x137/0x160
[ 69.124032][ T5312] ? vkms_get_vblank_timestamp+0x137/0x160
[ 69.124044][ T5312] ? vkms_get_vblank_timestamp+0x139/0x160
[ 69.124055][ T5312] handle_bug+0x84/0x160
[ 69.124070][ T5312] exc_invalid_op+0x1a/0x50
[ 69.124083][ T5312] asm_exc_invalid_op+0x1a/0x20
[ 69.124093][ T5312] RIP: 0010:vkms_get_vblank_timestamp+0x137/0x160
[ 69.124105][ T5312] Code: 42 80 3c 28 00 74 08 48 89 df e8 74 40 3d fc 4c 89 33 b0 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 9a 4a db fb 90 <0f> 0b 90 eb e3 44 89 e1 80 e1 07 38 c1 0f 8c ff fe ff ff 4c 89 e7
[ 69.124113][ T5312] RSP: 0018:ffffc9000f6af148 EFLAGS: 00010293
[ 69.124122][ T5312] RAX: ffffffff85e475b6 RBX: ffffc9000f6af2c0 RCX: ffff888000258000
[ 69.124130][ T5312] RDX: 0000000000000000 RSI: 000000100daac11d RDI: 000000100daac11d
[ 69.124136][ T5312] RBP: 1ffff92001ed5e58 R08: ffffc90001a41000 R09: 0000000000000000
[ 69.124143][ T5312] R10: ffffc90001a41000 R11: ffffffff85e47480 R12: 000000100daac11d
[ 69.124150][ T5312] R13: dffffc0000000000 R14: ffff88801f1f4028 R15: 000000100daac11d
[ 69.124161][ T5312] ? __pfx_vkms_get_vblank_timestamp+0x10/0x10
[ 69.124174][ T5312] ? vkms_get_vblank_timestamp+0x136/0x160
[ 69.124190][ T5312] ? vkms_get_vblank_timestamp+0x136/0x160
[ 69.124200][ T5312] ? __pfx_vkms_get_vblank_timestamp+0x10/0x10
[ 69.124212][ T5312] drm_crtc_next_vblank_start+0x223/0x470
[ 69.124228][ T5312] ? __pfx_drm_crtc_next_vblank_start+0x10/0x10
[ 69.124241][ T5312] ? drm_gem_fb_vmap+0x230/0x8d0
[ 69.124256][ T5312] drm_atomic_helper_wait_for_fences+0x265/0x8c0
[ 69.124273][ T5312] ? __pfx_drm_atomic_helper_wait_for_fences+0x10/0x10
[ 69.124284][ T5312] ? drm_atomic_helper_prepare_planes+0x670/0xb60
[ 69.124302][ T5312] drm_atomic_helper_commit+0x5c7/0xb10
[ 69.124315][ T5312] ? __pfx_drm_atomic_helper_commit+0x10/0x10
[ 69.124326][ T5312] drm_atomic_commit+0x25f/0x2c0
[ 69.124340][ T5312] ? __pfx_drm_atomic_commit+0x10/0x10
[ 69.124350][ T5312] ? __pfx___drm_printfn_info+0x10/0x10
[ 69.124376][ T5312] drm_client_modeset_commit_atomic+0x620/0x760
[ 69.124392][ T5312] ? __pfx_drm_client_modeset_commit_atomic+0x10/0x10
[ 69.124408][ T5312] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 69.124420][ T5312] drm_client_modeset_commit_locked+0xcb/0x4d0
[ 69.124436][ T5312] drm_fb_helper_pan_display+0x3e7/0xbd0
[ 69.124456][ T5312] fb_pan_display+0x39b/0x680
[ 69.124468][ T5312] ? __pfx_drm_fb_helper_pan_display+0x10/0x10
[ 69.124483][ T5312] bit_update_start+0x4d/0x1e0
[ 69.124497][ T5312] fbcon_switch+0x1379/0x1fc0
[ 69.124528][ T5312] ? __pfx_fbcon_switch+0x10/0x10
[ 69.124547][ T5312] ? __pfx_hide_cursor+0x10/0x10
[ 69.124563][ T5312] ? is_console_locked+0x9/0x20
[ 69.124573][ T5312] ? set_origin+0x346/0x480
[ 69.124588][ T5312] redraw_screen+0x56a/0xe90
[ 69.124602][ T5312] ? fb_match_mode+0x5f9/0x730
[ 69.124615][ T5312] ? is_console_locked+0x9/0x20
[ 69.124626][ T5312] ? __pfx_redraw_screen+0x10/0x10
[ 69.124646][ T5312] set_con2fb_map+0xcab/0x1220
[ 69.124661][ T5312] fbcon_set_con2fb_map_ioctl+0x18a/0x1f0
[ 69.124671][ T5312] ? __pfx_fbcon_set_con2fb_map_ioctl+0x10/0x10
[ 69.124688][ T5312] do_fb_ioctl+0x3df/0x750
[ 69.124702][ T5312] ? __pfx_do_fb_ioctl+0x10/0x10
[ 69.124724][ T5312] ? __lock_acquire+0xaac/0xd20
[ 69.124749][ T5312] ? __fget_files+0x2a/0x420
[ 69.124764][ T5312] ? __fget_files+0x3a0/0x420
[ 69.124776][ T5312] ? __fget_files+0x2a/0x420
[ 69.124791][ T5312] ? bpf_lsm_file_ioctl+0x9/0x20
[ 69.124803][ T5312] ? __pfx_fb_ioctl+0x10/0x10
[ 69.124816][ T5312] __se_sys_ioctl+0xf9/0x170
[ 69.124829][ T5312] do_syscall_64+0xf6/0x210
[ 69.124842][ T5312] ? clear_bhb_loop+0x45/0xa0
[ 69.124885][ T5312] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.124896][ T5312] RIP: 0033:0x7ff081d8e969
[ 69.124905][ T5312] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 69.124913][ T5312] RSP: 002b:00007ff082c21038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.124924][ T5312] RAX: ffffffffffffffda RBX: 00007ff081fb5fa0 RCX: 00007ff081d8e969
[ 69.124931][ T5312] RDX: 00002000000000c0 RSI: 0000000000004610 RDI: 0000000000000004
[ 69.124938][ T5312] RBP: 00007ff081e10ab1 R08: 0000000000000000 R09: 0000000000000000
[ 69.124944][ T5312] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 69.124950][ T5312] R13: 0000000000000000 R14: 00007ff081fb5fa0 R15: 00007fffbab974b8
[ 69.124966][ T5312]
[ 69.125272][ T5312] Kernel Offset: disabled