program:
creat(&(0x7f0000000240)='./file0\x00', 0x10)
pipe2$9p(&(0x7f0000001900)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18)
r3 = syz_open_dev$dri(&(0x7f0000000340), 0x2, 0xc8d03)
ioctl$DRM_IOCTL_SYNCOBJ_QUERY(r3, 0xc01864cb, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x1fffffff})
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r2])
r4 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_buf(r4, 0x0, 0x8008000000010, &(0x7f0000000000)="170000000200010000ffbe8c5ee17688a20033000202000aff3f000057fce46d0a00d65ad90200bb6a880000d6c8db0000dba67e06020000e28900000a00df01800a000000fc0607bdff59100ac45761547ae81f009cee4a5acb3da400001fb700674f00c88ebbf9315033bf79ac2dfc060115003901000000000000ea000000000000000062068f5ee50ce5af9b1c568311ffff02ff030000ba000840024f0298e9e90539062a80e605007f71174aa951f3c63e5a1b47b6", 0xb8)
chmod(&(0x7f0000000340)='./file0\x00', 0x0)
r5 = open$dir(&(0x7f0000000180)='./file0\x00', 0x1, 0x0)
read$FUSE(r2, &(0x7f0000001940)={0x2020, 0x0, <r6=>0x0}, 0x2020)
write$FUSE_DIRENT(r2, &(0x7f0000000540)=ANY=[@ANYBLOB="d0dab299786c20c1e9000000daffffff", @ANYRES64=r6, @ANYBLOB="04000000000000007f000000000000001700000005000000626c6b696f2e6266712e696f5f776169745f74696d650000060000000000000001000000000000000300000009000000397000000000000003000000000000000800000000000000020000005800000025260000000000000400000000000000080000000000000017000000ac000000626c6b696f2e6266712e696f5f776169745f74696d6500000000000000000000fbffffffffffffff04000000060000002f2e5c8f00000000"], 0xd0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0x7, &(0x7f0000000140)={0x1, 0x6, 0x7782, 0x5}, 0x10)
r7 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0)
ftruncate(r7, 0x57)
sendfile(r5, r7, 0x0, 0x7ffff000)
creat(&(0x7f0000000240)='./file0\x00', 0x10) (async)
pipe2$9p(&(0x7f0000001900), 0x0) (async)
write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15) (async)
dup(r1) (async)
write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18) (async)
syz_open_dev$dri(&(0x7f0000000340), 0x2, 0xc8d03) (async)
ioctl$DRM_IOCTL_SYNCOBJ_QUERY(r3, 0xc01864cb, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x1fffffff}) (async)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137) (async)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) (async)
socket$inet_icmp_raw(0x2, 0x3, 0x1) (async)
setsockopt$inet_buf(r4, 0x0, 0x8008000000010, &(0x7f0000000000)="170000000200010000ffbe8c5ee17688a20033000202000aff3f000057fce46d0a00d65ad90200bb6a880000d6c8db0000dba67e06020000e28900000a00df01800a000000fc0607bdff59100ac45761547ae81f009cee4a5acb3da400001fb700674f00c88ebbf9315033bf79ac2dfc060115003901000000000000ea000000000000000062068f5ee50ce5af9b1c568311ffff02ff030000ba000840024f0298e9e90539062a80e605007f71174aa951f3c63e5a1b47b6", 0xb8) (async)
chmod(&(0x7f0000000340)='./file0\x00', 0x0) (async)
open$dir(&(0x7f0000000180)='./file0\x00', 0x1, 0x0) (async)
read$FUSE(r2, &(0x7f0000001940)={0x2020}, 0x2020) (async)
write$FUSE_DIRENT(r2, &(0x7f0000000540)=ANY=[@ANYBLOB="d0dab299786c20c1e9000000daffffff", @ANYRES64=r6, @ANYBLOB="04000000000000007f000000000000001700000005000000626c6b696f2e6266712e696f5f776169745f74696d650000060000000000000001000000000000000300000009000000397000000000000003000000000000000800000000000000020000005800000025260000000000000400000000000000080000000000000017000000ac000000626c6b696f2e6266712e696f5f776169745f74696d6500000000000000000000fbffffffffffffff04000000060000002f2e5c8f00000000"], 0xd0) (async)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0x7, &(0x7f0000000140)={0x1, 0x6, 0x7782, 0x5}, 0x10) (async)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0) (async)
ftruncate(r7, 0x57) (async)
sendfile(r5, r7, 0x0, 0x7ffff000) (async)

[   78.026140][ T4675] Bluetooth: hci0: command tx timeout
[   78.029728][ T1313] ieee802154 phy0 wpan0: encryption failed: -22
[   78.032413][ T1313] ieee802154 phy1 wpan1: encryption failed: -22
[   78.177699][ T5329] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
[   78.182524][ T5329] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[   78.185660][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.15.0-rc2-syzkaller-00278-gfc96b232f8e7 #0 PREEMPT(full) 
[   78.190008][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   78.194038][ T5329] RIP: 0010:iter_file_splice_write+0xe1f/0x1530
[   78.196493][ T5329] Code: 80 3c 06 00 74 08 4c 89 ff e8 fd 42 de ff 49 c7 07 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 80 3c 38 00 44 8b b4 24 b0 00 00 00 74 08 48 89 df e8 da 41 de
[   78.204014][ T5329] RSP: 0018:ffffc9000d4e77a0 EFLAGS: 00010202
[   78.206462][ T5329] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   78.209441][ T5329] RDX: ffff888012ed1834 RSI: 0000000000000000 RDI: 7fffffffffffffa8
[   78.212608][ T5329] RBP: ffffc9000d4e7a30 R08: ffffffff824eb734 R09: 1ffff11008aa101b
[   78.215746][ T5329] R10: dffffc0000000000 R11: ffffffff8208c050 R12: 0000000000000000
[   78.218898][ T5329] R13: 7fffffffffffffa8 R14: 1ffff110025da307 R15: dffffc0000000000
[   78.223393][ T5329] FS:  00007ffb429ea6c0(0000) GS:ffff88808c59a000(0000) knlGS:0000000000000000
[   78.226803][ T5329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   78.229395][ T5329] CR2: 00007ffb41d83170 CR3: 00000000442be000 CR4: 0000000000352ef0
[   78.232608][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   78.235683][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   78.238581][ T5329] Call Trace:
[   78.239886][ T5329]  <TASK>
[   78.241064][ T5329]  ? __pfx_iter_file_splice_write+0x10/0x10
[   78.243395][ T5329]  ? rcu_read_lock_any_held+0xbb/0x160
[   78.245480][ T5329]  ? __pfx_iter_file_splice_write+0x10/0x10
[   78.247702][ T5329]  direct_splice_actor+0x11b/0x220
[   78.249690][ T5329]  splice_direct_to_actor+0x595/0xc90
[   78.251782][ T5329]  ? __pfx_direct_splice_actor+0x10/0x10
[   78.254003][ T5329]  ? __pfx_splice_direct_to_actor+0x10/0x10
[   78.256384][ T5329]  do_splice_direct+0x281/0x3d0
[   78.258226][ T5329]  ? __pfx_do_splice_direct+0x10/0x10
[   78.260267][ T5329]  ? __pfx_direct_file_splice_eof+0x10/0x10
[   78.262615][ T5329]  ? rw_verify_area+0x246/0x630
[   78.264527][ T5329]  do_sendfile+0x582/0x8c0
[   78.266299][ T5329]  ? __pfx_do_sendfile+0x10/0x10
[   78.268104][ T5329]  ? __rseq_handle_notify_resume+0x3c8/0x15d0
[   78.270325][ T5329]  __se_sys_sendfile64+0x17e/0x1e0
[   78.272245][ T5329]  ? __pfx___se_sys_sendfile64+0x10/0x10
[   78.274346][ T5329]  ? do_syscall_64+0xb6/0x210
[   78.276198][ T5329]  do_syscall_64+0xf3/0x210
[   78.278065][ T5329]  ? clear_bhb_loop+0x45/0xa0
[   78.279925][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   78.282343][ T5329] RIP: 0033:0x7ffb41b8e169
[   78.284180][ T5329] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   78.291633][ T5329] RSP: 002b:00007ffb429ea038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   78.294823][ T5329] RAX: ffffffffffffffda RBX: 00007ffb41db5fa0 RCX: 00007ffb41b8e169
[   78.297917][ T5329] RDX: 0000000000000000 RSI: 000000000000000a RDI: 0000000000000009
[   78.300991][ T5329] RBP: 00007ffb41c10a68 R08: 0000000000000000 R09: 0000000000000000
[   78.303994][ T5329] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
[   78.307091][ T5329] R13: 0000000000000000 R14: 00007ffb41db5fa0 R15: 00007ffc035ad988
[   78.310071][ T5329]  </TASK>
[   78.311375][ T5329] Modules linked in:
[   78.314392][ T5329] ---[ end trace 0000000000000000 ]---
[   78.332648][ T5329] RIP: 0010:iter_file_splice_write+0xe1f/0x1530
[   78.335093][ T5329] Code: 80 3c 06 00 74 08 4c 89 ff e8 fd 42 de ff 49 c7 07 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 80 3c 38 00 44 8b b4 24 b0 00 00 00 74 08 48 89 df e8 da 41 de
[   78.343335][ T5329] RSP: 0018:ffffc9000d4e77a0 EFLAGS: 00010202
[   78.345693][ T5329] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   78.349520][ T5329] RDX: ffff888012ed1834 RSI: 0000000000000000 RDI: 7fffffffffffffa8
[   78.352593][ T5329] RBP: ffffc9000d4e7a30 R08: ffffffff824eb734 R09: 1ffff11008aa101b
[   78.356713][ T5329] R10: dffffc0000000000 R11: ffffffff8208c050 R12: 0000000000000000
[   78.359871][ T5329] R13: 7fffffffffffffa8 R14: 1ffff110025da307 R15: dffffc0000000000
[   78.362969][ T5329] FS:  00007ffb429ea6c0(0000) GS:ffff88808c59a000(0000) knlGS:0000000000000000
[   78.367016][ T5329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   78.369480][ T5329] CR2: 00007ffc035acfc0 CR3: 00000000442be000 CR4: 0000000000352ef0
[   78.372496][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   78.375521][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   78.379397][ T5329] Kernel panic - not syncing: Fatal exception
[   78.382177][ T5329] Kernel Offset: disabled
[   78.383852][ T5329] Rebooting in 86400 seconds..