program: creat(&(0x7f0000000240)='./file0\x00', 0x0) pipe2$9p(&(0x7f0000001900)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15) r2 = dup(r1) write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18) write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040), 0x0, &(0x7f0000000180)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[], [], 0x6b}}) chmod(&(0x7f0000000140)='./file0\x00', 0x0) r3 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x0) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.throttle.io_serviced\x00', 0x275a, 0x0) ftruncate(r4, 0x5) sendfile(r3, r4, 0x0, 0x7ffff000) [ 75.632616][ T5311] Bluetooth: hci0: command tx timeout [ 75.724087][ T5330] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI [ 75.729255][ T5330] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 75.732840][ T5330] CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Not tainted 6.16.0-syzkaller-10499-g89748acdf226 #0 PREEMPT(full) [ 75.738353][ T5330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.743345][ T5330] RIP: 0010:iter_file_splice_write+0xa9b/0x1000 [ 75.746238][ T5330] Code: 00 74 08 4c 89 f7 e8 f4 33 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 c1 33 e0 ff 4c 8b [ 75.755130][ T5330] RSP: 0018:ffffc9000f4f7820 EFLAGS: 00010202 [ 75.758217][ T5330] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff88803ecf2440 [ 75.762067][ T5330] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7ffffffffffffffa [ 75.765502][ T5330] RBP: ffffc9000f4f7a30 R08: ffff888043a280df R09: 1ffff1100874501b [ 75.768838][ T5330] R10: dffffc0000000000 R11: ffffffff820280c0 R12: dffffc0000000000 [ 75.772131][ T5330] R13: 7ffffffffffffffa R14: dffffc0000000000 R15: ffff888043e1b028 [ 75.775632][ T5330] FS: 00007fe465dc56c0(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 [ 75.779984][ T5330] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.782713][ T5330] CR2: 00007ffc8633ff32 CR3: 000000003397d000 CR4: 0000000000352ef0 [ 75.786088][ T5330] Call Trace: [ 75.787774][ T5330] [ 75.789358][ T5330] ? __pfx_iter_file_splice_write+0x10/0x10 [ 75.792452][ T5330] ? rcu_read_lock_any_held+0xb3/0x120 [ 75.794569][ T5330] ? __pfx_iter_file_splice_write+0x10/0x10 [ 75.797283][ T5330] direct_splice_actor+0x101/0x160 [ 75.799566][ T5330] splice_direct_to_actor+0x5a5/0xcc0 [ 75.802093][ T5330] ? __pfx_direct_splice_actor+0x10/0x10 [ 75.805301][ T5330] ? __pfx_splice_direct_to_actor+0x10/0x10 [ 75.808456][ T5330] ? __pfx_aa_file_perm+0x10/0x10 [ 75.810523][ T5330] do_splice_direct+0x181/0x270 [ 75.812740][ T5330] ? __pfx_do_splice_direct+0x10/0x10 [ 75.815243][ T5330] ? __pfx_direct_file_splice_eof+0x10/0x10 [ 75.817798][ T5330] ? rw_verify_area+0x255/0x4d0 [ 75.820011][ T5330] do_sendfile+0x4da/0x7e0 [ 75.821898][ T5330] ? __pfx_do_sendfile+0x10/0x10 [ 75.823970][ T5330] ? rcu_is_watching+0x15/0xb0 [ 75.826178][ T5330] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 75.829282][ T5330] __se_sys_sendfile64+0x13e/0x190 [ 75.831575][ T5330] ? __pfx___se_sys_sendfile64+0x10/0x10 [ 75.834570][ T5330] ? rcu_is_watching+0x15/0xb0 [ 75.837278][ T5330] ? do_syscall_64+0xbe/0x3b0 [ 75.839985][ T5330] do_syscall_64+0xfa/0x3b0 [ 75.842538][ T5330] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.845081][ T5330] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.848150][ T5330] ? clear_bhb_loop+0x60/0xb0 [ 75.850307][ T5330] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.853196][ T5330] RIP: 0033:0x7fe464f8eb69 [ 75.855674][ T5330] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.864280][ T5330] RSP: 002b:00007fe465dc5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 75.868355][ T5330] RAX: ffffffffffffffda RBX: 00007fe4651b5fa0 RCX: 00007fe464f8eb69 [ 75.872526][ T5330] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000007 [ 75.876405][ T5330] RBP: 00007fe465011df1 R08: 0000000000000000 R09: 0000000000000000 [ 75.879796][ T5330] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000 [ 75.883259][ T5330] R13: 0000000000000000 R14: 00007fe4651b5fa0 R15: 00007fff746dee38 [ 75.887230][ T5330] [ 75.888803][ T5330] Modules linked in: [ 75.891686][ T5330] ---[ end trace 0000000000000000 ]--- [ 75.922266][ T5330] RIP: 0010:iter_file_splice_write+0xa9b/0x1000 [ 75.926231][ T5330] Code: 00 74 08 4c 89 f7 e8 f4 33 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 c1 33 e0 ff 4c 8b [ 75.937135][ T5330] RSP: 0018:ffffc9000f4f7820 EFLAGS: 00010202 [ 75.939786][ T5330] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff88803ecf2440 [ 75.944521][ T5330] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7ffffffffffffffa [ 75.948113][ T5330] RBP: ffffc9000f4f7a30 R08: ffff888043a280df R09: 1ffff1100874501b [ 75.951429][ T5330] R10: dffffc0000000000 R11: ffffffff820280c0 R12: dffffc0000000000 [ 75.955881][ T5330] R13: 7ffffffffffffffa R14: dffffc0000000000 R15: ffff888043e1b028 [ 75.959735][ T5330] FS: 00007fe465dc56c0(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 [ 75.964794][ T5330] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.967928][ T5330] CR2: 00007fe465188558 CR3: 000000003397d000 CR4: 0000000000352ef0 [ 75.973088][ T5330] Kernel panic - not syncing: Fatal exception [ 75.976404][ T5330] Kernel Offset: disabled [ 75.978603][ T5330] Rebooting in 86400 seconds..