program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
set_mempolicy(0x1, 0x0, 0x32)
bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000400)={r0, 0x20, &(0x7f00000003c0)={&(0x7f0000000240)=""/169, 0xa9, <r1=>0x0, &(0x7f0000000300)=""/159, 0x9f}}, 0x10)
r2 = creat(&(0x7f0000000240)='./file0\x00', 0x0)
pipe2$9p(&(0x7f0000001900)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff}, 0x0)
r5 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
getsockopt$inet6_int(r5, 0x29, 0x3e, 0x0, &(0x7f00000000c0))
write$P9_RVERSION(r4, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15)
r6 = dup(r4)
r7 = syz_open_procfs(0x0, &(0x7f0000000000)='timerslack_ns\x00')
getsockname$packet(r2, &(0x7f0000000440)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f0000000480)=0x14)
copy_file_range(r7, &(0x7f0000000040)=0xfffffffffffff3e1, r7, 0x0, 0xf3e1, 0x0)
write$FUSE_BMAP(r6, &(0x7f0000000100)={0x18}, 0x18)
write$FUSE_NOTIFY_RETRIEVE(r6, &(0x7f00000000c0)={0x14c}, 0x137)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r6])
chmod(&(0x7f0000000140)='./file0\x00', 0x0)
r8 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x181)
r9 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0)
ftruncate(r9, 0x80)
sendfile(r8, r9, 0x0, 0x7ffff000)
bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0x8, 0x5, &(0x7f0000000540)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, [@map_val={0x18, 0x5, 0x2, 0x0, r9, 0x0, 0x0, 0x0, 0x2aa5}]}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @cgroup_skb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000006c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="600000001000410400"/20, @ANYRES32=0x0, @ANYBLOB="bd4dda1ae61868171c785691a070532780c76facc89e659441b5c58dd8c07b1fb5c976a608b1a9a1561e6782f33148711fdbf319b0d3dcab5a1f0dfaafe497bae33889976abddef0a2e06c9ff539c18a7b8e5232f0fa35588ec71b45560c3524d669acf2f2a3480196135fe539cb1402a3f9252a3d8bf36e834003583653c90068ad99c3f503a903e6cd05ecaff3493ba0374cd5dae44d02da9d46d0c8747ef3328b6dd633d2559449f622ec277bf3f8aaefb9ab2c20164369d1ba488edccbc8281703b1aac2e2d3ecaa595d94d999a8d8592cf90c6b0794d7d3811b9b4c7949e997b8b7a7"], 0x6c}, 0x1, 0x0, 0x0, 0x4000000}, 0x2404c844)
r10 = socket(0x10, 0x3, 0x0)
sendmmsg$alg(r10, &(0x7f0000000140), 0x4924b68, 0x0)

[   66.177628][ T4662] Bluetooth: hci0: command tx timeout
[   66.301416][ T5313] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
[   66.306419][ T5313] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[   66.309334][ T5313] CPU: 0 UID: 0 PID: 5313 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-08291-g805ba04cb7cc #0
[   66.312652][ T5313] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   66.316327][ T5313] RIP: 0010:iter_file_splice_write+0xe07/0x1510
[   66.318868][ T5313] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 0c 1e df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 fa 1c df ff 48 8b 44 24 20 48 8b
[   66.325903][ T5313] RSP: 0018:ffffc9000d4a7780 EFLAGS: 00010202
[   66.328199][ T5313] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   66.330676][ T5313] RDX: ffffc9000e702000 RSI: 0000000000000000 RDI: 7fffffffffffff7f
[   66.333406][ T5313] RBP: ffffc9000d4a7a30 R08: ffffffff8246e424 R09: 1ffff1100255501b
[   66.336141][ T5313] R10: dffffc0000000000 R11: ffffffff82036da0 R12: ffff888036f9d038
[   66.338755][ T5313] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f
[   66.341507][ T5313] FS:  00007f8ce2e886c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   66.344756][ T5313] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   66.347062][ T5313] CR2: 000055c5f3e83e78 CR3: 000000004321e000 CR4: 0000000000352ef0
[   66.350038][ T5313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   66.352851][ T5313] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   66.355783][ T5313] Call Trace:
[   66.357108][ T5313]  <TASK>
[   66.358252][ T5313]  ? __die_body+0x5f/0xb0
[   66.359883][ T5313]  ? die_addr+0xb0/0xe0
[   66.361561][ T5313]  ? exc_general_protection+0x3dd/0x5d0
[   66.363802][ T5313]  ? asm_exc_general_protection+0x26/0x30
[   66.365941][ T5313]  ? __pfx_zero_pipe_buf_release+0x10/0x10
[   66.368229][ T5313]  ? iter_file_splice_write+0xd84/0x1510
[   66.370349][ T5313]  ? iter_file_splice_write+0xe07/0x1510
[   66.372451][ T5313]  ? __pfx_iter_file_splice_write+0x10/0x10
[   66.374733][ T5313]  ? rcu_read_lock_any_held+0xb7/0x160
[   66.376923][ T5313]  ? __pfx_iter_file_splice_write+0x10/0x10
[   66.379242][ T5313]  direct_splice_actor+0x11b/0x220
[   66.381381][ T5313]  splice_direct_to_actor+0x586/0xc80
[   66.383513][ T5313]  ? __pfx_direct_splice_actor+0x10/0x10
[   66.385574][ T5313]  ? __pfx_splice_direct_to_actor+0x10/0x10
[   66.387677][ T5313]  ? __fget_files+0x2a/0x410
[   66.389427][ T5313]  ? __pfx_lock_release+0x10/0x10
[   66.391381][ T5313]  do_splice_direct+0x289/0x3e0
[   66.393169][ T5313]  ? __pfx_do_splice_direct+0x10/0x10
[   66.395385][ T5313]  ? __pfx_direct_file_splice_eof+0x10/0x10
[   66.397813][ T5313]  ? rw_verify_area+0x243/0x630
[   66.400001][ T5313]  do_sendfile+0x564/0x8a0
[   66.402054][ T5313]  ? __pfx_do_sendfile+0x10/0x10
[   66.403926][ T5313]  ? __rseq_handle_notify_resume+0x34d/0x14e0
[   66.406182][ T5313]  __se_sys_sendfile64+0x17c/0x1e0
[   66.408040][ T5313]  ? __pfx___se_sys_sendfile64+0x10/0x10
[   66.410141][ T5313]  ? do_syscall_64+0x100/0x230
[   66.411976][ T5313]  ? do_syscall_64+0xb6/0x230
[   66.413745][ T5313]  do_syscall_64+0xf3/0x230
[   66.415389][ T5313]  ? clear_bhb_loop+0x35/0x90
[   66.417055][ T5313]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   66.419438][ T5313] RIP: 0033:0x7f8ce1f8cda9
[   66.421279][ T5313] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   66.428229][ T5313] RSP: 002b:00007f8ce2e88038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   66.431362][ T5313] RAX: ffffffffffffffda RBX: 00007f8ce21a5fa0 RCX: 00007f8ce1f8cda9
[   66.434425][ T5313] RDX: 0000000000000000 RSI: 000000000000000b RDI: 000000000000000a
[   66.437633][ T5313] RBP: 00007f8ce200e2a0 R08: 0000000000000000 R09: 0000000000000000
[   66.440533][ T5313] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
[   66.443512][ T5313] R13: 0000000000000000 R14: 00007f8ce21a5fa0 R15: 00007ffd3eba8168
[   66.446363][ T5313]  </TASK>
[   66.447482][ T5313] Modules linked in:
[   66.449335][ T5313] ---[ end trace 0000000000000000 ]---
[   66.456942][ T5314] netlink: 64 bytes leftover after parsing attributes in process `syz.0.0'.
[   66.460864][ T5314] netlink: 64 bytes leftover after parsing attributes in process `syz.0.0'.
[   66.464210][ T5313] RIP: 0010:iter_file_splice_write+0xe07/0x1510
[   66.466568][ T5313] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 0c 1e df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 fa 1c df ff 48 8b 44 24 20 48 8b
[   66.474894][ T5313] RSP: 0018:ffffc9000d4a7780 EFLAGS: 00010202
[   66.477499][ T5313] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   66.480507][ T5313] RDX: ffffc9000e702000 RSI: 0000000000000000 RDI: 7fffffffffffff7f
[   66.483406][ T5313] RBP: ffffc9000d4a7a30 R08: ffffffff8246e424 R09: 1ffff1100255501b
[   66.486273][ T5313] R10: dffffc0000000000 R11: ffffffff82036da0 R12: ffff888036f9d038
[   66.489882][ T5313] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f
[   66.492873][ T5313] FS:  00007f8ce2e886c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   66.496322][ T5313] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   66.499002][ T5313] CR2: 0000000500000008 CR3: 000000004321e000 CR4: 0000000000352ef0
[   66.502068][ T5313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   66.504938][ T5313] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   66.508457][ T5313] Kernel panic - not syncing: Fatal exception
[   66.510975][ T5313] Kernel Offset: disabled
[   66.512754][ T5313] Rebooting in 86400 seconds..