program:
r0 = memfd_create(&(0x7f0000000280)='\x00\x00\x00\x00\x00\x00z\x9b\xb6\xe8t;\xfc\x02\x00\x00\x009\xa0\x8b\x14d\xa2\xa1\xa8!\xe8\xd1\xa0\x8a\xce0\x1c\xb7\xf1\xccm\xce\xd4\xdb\x89\xe5\x8f\xe2\xb6\xd6\x9cF\xbd\xff\x14\x05\x00\x00\x00\x00\x00\x00\x00\xf3\xdc\x91\'\x06\\8\r\xfc\xeeG\xbe\x90C\x1c)5\x98\xa3\xfa\a\xf9\x98\xbb}\xeb\x86P=\xe51\x9d,\xb7\xe6_M\xbe\x19\xea#\xff[\xd1\xc3\x9a\xa3\x1b\xf9\xe9\x1d \xce1\xc9\x9f\xb0\x14\xc2\xeb\xf9\xceE\xad\xa4\x92\f\xef\x87g\xb6\xabW\xac\rP\xf42\xb7\xc8\xaajn\xd7\n\r\x802\xd7\x1b$\x95tO*\xf4\xae\xb8\xb8m\xbf\r\xd5\xbf*\xfd\xc7\x85\x1b\x8b\xe5\x97j`c\xe0\x88?\xda\x8a#t>r\xae\xe8\xc9)', 0x0)
creat(&(0x7f0000000240)='./file0\x00', 0x0)
pipe2$9p(&(0x7f0000001900)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r2, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15)
r3 = dup(r2)
write$FUSE_BMAP(r3, &(0x7f0000000100)={0x18}, 0x18)
write$FUSE_NOTIFY_RETRIEVE(r3, &(0x7f00000000c0)={0x14c}, 0x137)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0xf, 0x3, &(0x7f0000000500)=ANY=[@ANYBLOB="1800000000000000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @cgroup_device, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x3, @void, @value}, 0x94)
r5 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./cgroup\x00', 0x0, 0x0)
bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000100)={r4, r5, 0x6, 0x0, @void}, 0x10)
r6 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./cgroup\x00', 0x0, 0x0)
bpf$BPF_PROG_QUERY(0x10, &(0x7f00000002c0)={@cgroup=r6, 0x6, 0x1, 0x0, &(0x7f000001f380)=[0x0], 0x1, 0x0, 0x0, 0x0, 0x0}, 0x40)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r3])
r7 = socket$nl_generic(0x10, 0x3, 0x10)
setsockopt$netlink_NETLINK_ADD_MEMBERSHIP(r7, 0x10e, 0xb, &(0x7f0000000000)=0x5, 0x4)
r8 = socket$inet6(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000040)={'sit0\x00', <r9=>0x0})
ioctl$sock_inet6_SIOCSIFDSTADDR(r8, 0x8918, &(0x7f0000000080)={@mcast2, 0x2f, r9})
syz_genetlink_get_family_id$nl80211(&(0x7f0000000180), r7)
chmod(&(0x7f0000000140)='./file0\x00', 0x0)
r10 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x181)
r11 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0)
setsockopt$inet_icmp_ICMP_FILTER(r11, 0x1, 0x1, &(0x7f0000000040)={0x5}, 0x4)
ftruncate(r11, 0x80)
sendfile(r10, r11, 0x0, 0x7ffff000)
r12 = openat$apparmor_thread_exec(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
write$apparmor_exec(r12, &(0x7f00000001c0)={'exec ', ':\x00~\x14-\x90\x14\x05\x00\x8fQhj\x1b\x04\xe5\x8d\xa1\xc2\xaa-\xc7gD#\x03\x1c\xee\xaa\xdd\x80\x9e/\x19{S\x15\xfe\xbaO\xae\xa1z,\xde-\x8fKN\x86g\x9b\xe4\xfe\xae/\x90\xd8^O\x86\x81\x84\xabq\xeb\x8b;F\xe9\xee\xc8\xd1\xb4Q\x05\x14\xe7\xa9c(0D7[\xccB\xe1Y\x99\x05\xae\xba\x00\xc4\b1\x84\xd6\b\xb0\xf0\x9a\x98\x85;\xffUq9:\xaf\xa2\x83\x88d\xc0\xe5\xcfF\x144}\x02\xb9\xb1\x85\x7fx\xe6\'\x8c\x898\'ej\xde;+\n1\xd4\x15\xf9Q\xacw\xcfS\xed\x80\fkt\xed\xdb|\x10\xbd\xbe\xf1\x94\x99\xe1?\x10\xda\xc7\xed['}, 0xb0)
execveat(r0, &(0x7f0000000000)='\x00', 0x0, 0x0, 0x1000)

[   70.251028][ T5308] Bluetooth: hci0: command tx timeout
[   70.341300][ T5324] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
[   70.346006][ T5324] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[   70.349111][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-09485-g72deda0abee6 #0
[   70.352705][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   70.356582][ T5324] RIP: 0010:iter_file_splice_write+0xe07/0x1510
[   70.359005][ T5324] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 cc 1c df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 ba 1b df ff 48 8b 44 24 20 48 8b
[   70.365998][ T5324] RSP: 0018:ffffc9000d457780 EFLAGS: 00010202
[   70.368245][ T5324] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   70.371058][ T5324] RDX: ffffc9000e6b2000 RSI: 0000000000000000 RDI: 7fffffffffffff7f
[   70.373819][ T5324] RBP: ffffc9000d457a30 R08: ffffffff8246e544 R09: 1ffff110089b501b
[   70.376626][ T5324] R10: dffffc0000000000 R11: ffffffff82036d70 R12: ffff888034ef9838
[   70.379593][ T5324] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f
[   70.382407][ T5324] FS:  00007fa304bc16c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   70.385524][ T5324] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   70.387941][ T5324] CR2: 00007fa303f7d538 CR3: 000000003cbd2000 CR4: 0000000000352ef0
[   70.390915][ T5324] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   70.393978][ T5324] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   70.397372][ T5324] Call Trace:
[   70.398630][ T5324]  <TASK>
[   70.399697][ T5324]  ? __die_body+0x5f/0xb0
[   70.401296][ T5324]  ? die_addr+0xb0/0xe0
[   70.402791][ T5324]  ? exc_general_protection+0x3dd/0x5d0
[   70.406655][ T5324]  ? asm_exc_general_protection+0x26/0x30
[   70.408910][ T5324]  ? __pfx_zero_pipe_buf_release+0x10/0x10
[   70.411033][ T5324]  ? iter_file_splice_write+0xd84/0x1510
[   70.412976][ T5324]  ? iter_file_splice_write+0xe07/0x1510
[   70.415003][ T5324]  ? __pfx_iter_file_splice_write+0x10/0x10
[   70.416982][ T5324]  ? rcu_read_lock_any_held+0xb7/0x160
[   70.419046][ T5324]  ? __pfx_iter_file_splice_write+0x10/0x10
[   70.421215][ T5324]  direct_splice_actor+0x11b/0x220
[   70.423113][ T5324]  splice_direct_to_actor+0x586/0xc80
[   70.425098][ T5324]  ? __pfx_direct_splice_actor+0x10/0x10
[   70.427336][ T5324]  ? __pfx_splice_direct_to_actor+0x10/0x10
[   70.429734][ T5324]  ? __fget_files+0x2a/0x410
[   70.431422][ T5324]  ? __pfx_lock_release+0x10/0x10
[   70.433423][ T5324]  do_splice_direct+0x289/0x3e0
[   70.435275][ T5324]  ? __pfx_do_splice_direct+0x10/0x10
[   70.437401][ T5324]  ? __pfx_direct_file_splice_eof+0x10/0x10
[   70.439563][ T5324]  ? rw_verify_area+0x243/0x630
[   70.441521][ T5324]  do_sendfile+0x564/0x8a0
[   70.443256][ T5324]  ? __pfx_do_sendfile+0x10/0x10
[   70.445085][ T5324]  ? __rseq_handle_notify_resume+0x34d/0x14e0
[   70.447243][ T5324]  __se_sys_sendfile64+0x17c/0x1e0
[   70.449129][ T5324]  ? __pfx___se_sys_sendfile64+0x10/0x10
[   70.451239][ T5324]  ? do_syscall_64+0x100/0x230
[   70.453307][ T5324]  ? do_syscall_64+0xb6/0x230
[   70.455107][ T5324]  do_syscall_64+0xf3/0x230
[   70.456768][ T5324]  ? clear_bhb_loop+0x35/0x90
[   70.458570][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.460781][ T5324] RIP: 0033:0x7fa303d8cda9
[   70.462543][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   70.469320][ T5324] RSP: 002b:00007fa304bc1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   70.472513][ T5324] RAX: ffffffffffffffda RBX: 00007fa303fa5fa0 RCX: 00007fa303d8cda9
[   70.475512][ T5324] RDX: 0000000000000000 RSI: 000000000000000d RDI: 000000000000000c
[   70.478468][ T5324] RBP: 00007fa303e0e2a0 R08: 0000000000000000 R09: 0000000000000000
[   70.481372][ T5324] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
[   70.484304][ T5324] R13: 0000000000000000 R14: 00007fa303fa5fa0 R15: 00007fffbee49c28
[   70.487366][ T5324]  </TASK>
[   70.488491][ T5324] Modules linked in:
[   70.490571][ T5324] ---[ end trace 0000000000000000 ]---
[   70.499503][ T5325] process 'syz.0.0' launched '/dev/fd/3' with NULL argv: empty string added
[   70.503704][ T5324] RIP: 0010:iter_file_splice_write+0xe07/0x1510
[   70.506174][ T5324] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 cc 1c df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 ba 1b df ff 48 8b 44 24 20 48 8b
[   70.514060][ T5324] RSP: 0018:ffffc9000d457780 EFLAGS: 00010202
[   70.516413][ T5324] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   70.520329][ T5324] RDX: ffffc9000e6b2000 RSI: 0000000000000000 RDI: 7fffffffffffff7f
[   70.523414][ T5324] RBP: ffffc9000d457a30 R08: ffffffff8246e544 R09: 1ffff110089b501b
[   70.526516][ T5324] R10: dffffc0000000000 R11: ffffffff82036d70 R12: ffff888034ef9838
[   70.530346][ T5324] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f
[   70.533536][ T5324] FS:  00007fa304bc16c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   70.536849][ T5324] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   70.539562][ T5324] CR2: 00007fa304b9ffe0 CR3: 000000003cbd2000 CR4: 0000000000352ef0
[   70.542585][ T5324] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   70.545515][ T5324] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   70.549172][ T5324] Kernel panic - not syncing: Fatal exception
[   70.551566][ T5324] Kernel Offset: disabled
[   70.553261][ T5324] Rebooting in 86400 seconds..