program: creat(&(0x7f0000000240)='./file0\x00', 0x0) r0 = openat$vicodec0(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) ioctl$VIDIOC_S_FMT(r0, 0xc0d05605, &(0x7f0000000100)={0xa, @pix_mp={0x1ff, 0x0, 0x34324d59, 0x8, 0x1, [{0x7, 0x48}, {0x7, 0x2}, {0x91a, 0x9}, {0x7fffffff, 0x1}, {0xa, 0x3}, {0x2, 0x2}, {0x7fffffff}, {0x10000008, 0x7}], 0x98, 0x8, 0x0, 0x2, 0x3}}) ioctl$VIDIOC_S_STD(r0, 0x40085618, &(0x7f0000000280)=0x8000) pipe2$9p(&(0x7f0000001900)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff}, 0x0) write$P9_RVERSION(r2, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15) r3 = dup(r2) write$FUSE_BMAP(r3, &(0x7f0000000100)={0x18}, 0x18) write$FUSE_NOTIFY_RETRIEVE(r3, &(0x7f00000000c0)={0x14c}, 0x137) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r3]) chmod(&(0x7f0000000140)='./file0\x00', 0x0) r4 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x181) r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0) ftruncate(r5, 0x80) sendfile(r4, r5, 0x0, 0x7ffff000) creat(&(0x7f0000000240)='./file0\x00', 0x0) (async) openat$vicodec0(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) (async) ioctl$VIDIOC_S_FMT(r0, 0xc0d05605, &(0x7f0000000100)={0xa, @pix_mp={0x1ff, 0x0, 0x34324d59, 0x8, 0x1, [{0x7, 0x48}, {0x7, 0x2}, {0x91a, 0x9}, {0x7fffffff, 0x1}, {0xa, 0x3}, {0x2, 0x2}, {0x7fffffff}, {0x10000008, 0x7}], 0x98, 0x8, 0x0, 0x2, 0x3}}) (async) ioctl$VIDIOC_S_STD(r0, 0x40085618, &(0x7f0000000280)=0x8000) (async) pipe2$9p(&(0x7f0000001900), 0x0) (async) write$P9_RVERSION(r2, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15) (async) dup(r2) (async) write$FUSE_BMAP(r3, &(0x7f0000000100)={0x18}, 0x18) (async) write$FUSE_NOTIFY_RETRIEVE(r3, &(0x7f00000000c0)={0x14c}, 0x137) (async) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 
0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r3]) (async) chmod(&(0x7f0000000140)='./file0\x00', 0x0) (async) open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x181) (async) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0) (async) ftruncate(r5, 0x80) (async) sendfile(r4, r5, 0x0, 0x7ffff000) (async) [ 126.165250][ T4667] Bluetooth: hci0: command tx timeout [ 126.324103][ T5329] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 126.328959][ T5329] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 126.332321][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-07644-gc2da8b3f914f #0 [ 126.336317][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 126.340313][ T5329] RIP: 0010:iter_file_splice_write+0xe07/0x1510 [ 126.343081][ T5329] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 8c 47 df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 7a 46 df ff 48 8b 44 24 20 48 8b [ 126.350503][ T5329] RSP: 0018:ffffc9000349f780 EFLAGS: 00010202 [ 126.352884][ T5329] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005 [ 126.355933][ T5329] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 7fffffffffffff94 [ 126.358861][ T5329] RBP: ffffc9000349fa30 R08: ffffffff8246da44 R09: 1ffff11008a3601b [ 126.361920][ T5329] R10: dffffc0000000000 R11: ffffffff82035df0 R12: ffff8880438d1838 [ 126.364943][ T5329] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff94 [ 126.367895][ T5329] FS: 00007ff7f8b2c6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 126.371327][ T5329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 126.373784][ T5329] CR2: 00007ff7f7f7d538 CR3: 0000000045c46000 CR4: 0000000000352ef0 [ 
126.376823][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 126.379920][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 126.382999][ T5329] Call Trace: [ 126.384341][ T5329] [ 126.385546][ T5329] ? __die_body+0x5f/0xb0 [ 126.387252][ T5329] ? die_addr+0xb0/0xe0 [ 126.388842][ T5329] ? exc_general_protection+0x3dd/0x5d0 [ 126.390998][ T5329] ? asm_exc_general_protection+0x26/0x30 [ 126.393029][ T5329] ? __pfx_zero_pipe_buf_release+0x10/0x10 [ 126.395129][ T5329] ? iter_file_splice_write+0xd84/0x1510 [ 126.397167][ T5329] ? iter_file_splice_write+0xe07/0x1510 [ 126.399314][ T5329] ? __pfx_iter_file_splice_write+0x10/0x10 [ 126.401514][ T5329] ? rcu_read_lock_any_held+0xb7/0x160 [ 126.403610][ T5329] ? __pfx_iter_file_splice_write+0x10/0x10 [ 126.405825][ T5329] direct_splice_actor+0x11b/0x220 [ 126.407740][ T5329] splice_direct_to_actor+0x586/0xc80 [ 126.409724][ T5329] ? __pfx_direct_splice_actor+0x10/0x10 [ 126.411856][ T5329] ? __pfx_splice_direct_to_actor+0x10/0x10 [ 126.414083][ T5329] ? __fget_files+0x2a/0x410 [ 126.415823][ T5329] ? __pfx_lock_release+0x10/0x10 [ 126.417700][ T5329] do_splice_direct+0x289/0x3e0 [ 126.419527][ T5329] ? __pfx_do_splice_direct+0x10/0x10 [ 126.421510][ T5329] ? __pfx_direct_file_splice_eof+0x10/0x10 [ 126.423755][ T5329] ? rw_verify_area+0x243/0x630 [ 126.425636][ T5329] do_sendfile+0x564/0x8a0 [ 126.427308][ T5329] ? __pfx_do_sendfile+0x10/0x10 [ 126.429178][ T5329] ? __rseq_handle_notify_resume+0x34d/0x14e0 [ 126.431609][ T5329] __se_sys_sendfile64+0x17c/0x1e0 [ 126.433663][ T5329] ? __pfx___se_sys_sendfile64+0x10/0x10 [ 126.435881][ T5329] ? do_syscall_64+0x100/0x230 [ 126.437738][ T5329] ? do_syscall_64+0xb6/0x230 [ 126.439527][ T5329] do_syscall_64+0xf3/0x230 [ 126.441314][ T5329] ? 
clear_bhb_loop+0x35/0x90 [ 126.443167][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 126.445432][ T5329] RIP: 0033:0x7ff7f7d8cd29 [ 126.447149][ T5329] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 126.454160][ T5329] RSP: 002b:00007ff7f8b2c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 126.457261][ T5329] RAX: ffffffffffffffda RBX: 00007ff7f7fa5fa0 RCX: 00007ff7f7d8cd29 [ 126.460213][ T5329] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 0000000000000008 [ 126.463145][ T5329] RBP: 00007ff7f7e0e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 126.466095][ T5329] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000 [ 126.469080][ T5329] R13: 0000000000000000 R14: 00007ff7f7fa5fa0 R15: 00007ffe669b8bd8 [ 126.471947][ T5329] [ 126.473141][ T5329] Modules linked in: [ 126.475174][ T5329] ---[ end trace 0000000000000000 ]--- [ 126.483837][ T5329] RIP: 0010:iter_file_splice_write+0xe07/0x1510 [ 126.486419][ T5329] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 8c 47 df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 7a 46 df ff 48 8b 44 24 20 48 8b [ 126.494290][ T5329] RSP: 0018:ffffc9000349f780 EFLAGS: 00010202 [ 126.496718][ T5329] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005 [ 126.500383][ T5329] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 7fffffffffffff94 [ 126.503557][ T5329] RBP: ffffc9000349fa30 R08: ffffffff8246da44 R09: 1ffff11008a3601b [ 126.506558][ T5329] R10: dffffc0000000000 R11: ffffffff82035df0 R12: ffff8880438d1838 [ 126.509932][ T5329] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff94 [ 126.512951][ T5329] FS: 00007ff7f8b2c6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 126.516375][ T5329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 126.518850][ T5329] 
CR2: 00007ff7f7f7d538 CR3: 0000000045c46000 CR4: 0000000000352ef0 [ 126.522571][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 126.525612][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 126.528707][ T5329] Kernel panic - not syncing: Fatal exception [ 126.531200][ T5329] Kernel Offset: disabled [ 126.532855][ T5329] Rebooting in 86400 seconds..