program:
creat(&(0x7f0000000240)='./file0\x00', 0x0)
pipe2$9p(&(0x7f0000001900)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r2])
chmod(&(0x7f0000000140)='./file0\x00', 0x0)
r3 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x181)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0)
ftruncate(r4, 0x80)
sendfile(r3, r4, 0x0, 0x7ffff000)

[   58.816555][ T5326] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
[   58.821285][ T5326] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[   58.824308][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.14.0-rc1-syzkaller-00020-g0de63bb7d919 #0
[   58.828028][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.831984][ T5326] RIP: 0010:iter_file_splice_write+0xe07/0x1510
[   58.834811][ T5326] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 ac 15 df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 9a 14 df ff 48 8b 44 24 20 48 8b
[   58.841708][ T5326] RSP: 0018:ffffc9000d4c7780 EFLAGS: 00010202
[   58.843840][ T5326] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   58.846826][ T5326] RDX: ffffc9000e31a000 RSI: 0000000000000000 RDI: 7fffffffffffff7f
[   58.849665][ T5326] RBP: ffffc9000d4c7a30 R08: ffffffff8246e164 R09: 1ffff11008aa901b
[   58.852725][ T5326] R10: dffffc0000000000 R11: ffffffff82036080 R12: ffff8880395f9038
[   58.855657][ T5326] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f
[   58.858467][ T5326] FS:  00007f61fc25f6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   58.861950][ T5326] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   58.864446][ T5326] CR2: 00007f61fc0dd9b8 CR3: 000000003efe8000 CR4: 0000000000352ef0
[   58.867458][ T5326] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   58.870346][ T5326] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   58.873236][ T5326] Call Trace:
[   58.874526][ T5326]  <TASK>
[   58.875597][ T5326]  ? __die_body+0x5f/0xb0
[   58.877245][ T5326]  ? die_addr+0xb0/0xe0
[   58.878781][ T5326]  ? exc_general_protection+0x3dd/0x5d0
[   58.880878][ T5326]  ? asm_exc_general_protection+0x26/0x30
[   58.883016][ T5326]  ? __pfx_zero_pipe_buf_release+0x10/0x10
[   58.885416][ T5326]  ? iter_file_splice_write+0xd84/0x1510
[   58.887593][ T5326]  ? iter_file_splice_write+0xe07/0x1510
[   58.889844][ T5326]  ? __pfx_iter_file_splice_write+0x10/0x10
[   58.892560][ T5326]  ? rcu_read_lock_any_held+0xb7/0x160
[   58.894823][ T5326]  ? __pfx_iter_file_splice_write+0x10/0x10
[   58.897093][ T5326]  direct_splice_actor+0x11b/0x220
[   58.899082][ T5326]  splice_direct_to_actor+0x586/0xc80
[   58.901092][ T5326]  ? __pfx_direct_splice_actor+0x10/0x10
[   58.903427][ T5326]  ? __pfx_splice_direct_to_actor+0x10/0x10
[   58.905734][ T5326]  ? __fget_files+0x2a/0x410
[   58.909574][ T5326]  ? __pfx_lock_release+0x10/0x10
[   58.911475][ T5326]  do_splice_direct+0x289/0x3e0
[   58.913247][ T5326]  ? __pfx_do_splice_direct+0x10/0x10
[   58.915042][ T5326]  ? __pfx_direct_file_splice_eof+0x10/0x10
[   58.917027][ T5326]  ? rw_verify_area+0x243/0x630
[   58.918644][ T5326]  do_sendfile+0x564/0x8a0
[   58.920074][ T5326]  ? __pfx_do_sendfile+0x10/0x10
[   58.921632][ T5326]  ? __rseq_handle_notify_resume+0x34d/0x14e0
[   58.923575][ T5326]  __se_sys_sendfile64+0x17c/0x1e0
[   58.925217][ T5326]  ? __pfx___se_sys_sendfile64+0x10/0x10
[   58.927128][ T5326]  ? do_syscall_64+0x100/0x230
[   58.928830][ T5326]  ? do_syscall_64+0xb6/0x230
[   58.930487][ T5326]  do_syscall_64+0xf3/0x230
[   58.932110][ T5326]  ? clear_bhb_loop+0x35/0x90
[   58.933880][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.936146][ T5326] RIP: 0033:0x7f61fb38cda9
[   58.937816][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   58.944742][ T5326] RSP: 002b:00007f61fc25f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   58.947874][ T5326] RAX: ffffffffffffffda RBX: 00007f61fb5a5fa0 RCX: 00007f61fb38cda9
[   58.950905][ T5326] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000007
[   58.953804][ T5326] RBP: 00007f61fb40e2a0 R08: 0000000000000000 R09: 0000000000000000
[   58.956864][ T5326] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
[   58.960013][ T5326] R13: 0000000000000000 R14: 00007f61fb5a5fa0 R15: 00007ffffb5bae78
[   58.962988][ T5326]  </TASK>
[   58.964127][ T5326] Modules linked in:
[   58.965953][ T5326] ---[ end trace 0000000000000000 ]---
[   58.973130][ T5326] RIP: 0010:iter_file_splice_write+0xe07/0x1510
[   58.975511][ T5326] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 ac 15 df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 9a 14 df ff 48 8b 44 24 20 48 8b
[   58.984392][ T5311] Bluetooth: hci0: command tx timeout
[   58.986663][ T5326] RSP: 0018:ffffc9000d4c7780 EFLAGS: 00010202
[   58.990058][ T5326] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   58.993220][ T5326] RDX: ffffc9000e31a000 RSI: 0000000000000000 RDI: 7fffffffffffff7f
[   58.995855][ T5326] RBP: ffffc9000d4c7a30 R08: ffffffff8246e164 R09: 1ffff11008aa901b
[   58.999250][ T5326] R10: dffffc0000000000 R11: ffffffff82036080 R12: ffff8880395f9038
[   59.002451][ T5326] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f
[   59.005474][ T5326] FS:  00007f61fc25f6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   59.009495][ T5326] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   59.012440][ T5326] CR2: 00007f61fb57d538 CR3: 000000003efe8000 CR4: 0000000000352ef0
[   59.015520][ T5326] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   59.018903][ T5326] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   59.022006][ T5326] Kernel panic - not syncing: Fatal exception
[   59.024507][ T5326] Kernel Offset: disabled
[   59.026137][ T5326] Rebooting in 86400 seconds..