program:
creat(&(0x7f0000000240)='./file0\x00', 0x0)
pipe2$9p(&(0x7f0000001900)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15)
syz_mount_image$hfs(&(0x7f0000000080), &(0x7f0000000100)='./file0\x00', 0x3000080, &(0x7f0000000280)=ANY=[], 0x1, 0x2e0, &(0x7f0000000880)="$eJzs3c1qE10cx/HfmSRt+jT0mb48POCyWtCN1LoRNymSixAXojYRiqGiraBurOJKRPfuvQVvQXCjeAO6cuUFRBBGzpnJa+cljUmmod8PGCYz85/zP5m38x+wIwCn1rXat/eXf9h/RiqoIL26KnmSylJR0n/6v/xo72D3oNmop2ynFTg2yiiMNEdW2tlrxMWWFUVEfPutqErvPExGEATb3yXt550IcuXO/hieNB+dnW55eeqZpXs+YtzhmPOYNaallh5rKe88AAD5iu7/XnSfr0Tjd8+TNqLb/om8/4+qlXcCExekLu25/7sqKzB2//7rFnXrPVfC2eVeu0ocpuXSwPc5hUdW3wDTZFWVLhdv4e5us3Fx536z7umFqpGe1dbcZz08dNsysl2PqU1TDNF3Ez+iXHR9KNk+bCXkvzpiiyMzn8wXc9P4eqd6Z/xXDIzdTW5P+QN7Ksx/M3mLrpe+XUvRZaNarXp9qyy7Rs5ELUQyelmOr0jUPqKW1f+AwM/K00WtDESFvbuUEbUaRm0v9EVttb8lRK31tWV70zmak9ubNPPGXDfr+qkPqvWM/z2b34ZSz8zuWWM2wluB+8XD/szFN1d02/SP3DkOdaPSP6fzK84npf4r/Zp2OqX8Js9Swl7rjq5oaf/J03uFZrPx0E7cjpl4UOnMKb2UYtc55kT7JPqb7XjqztFhd9G8wgeRR6JKY2j0uBMXxrpBe/3IXNmeZVPp4FiOhFmdqH2ewoFkL5I59nSc1yicVN2dnrnqx6kkhGlz466w/uupVzbdYM9++Cnj9MwBWbTFwI6xOxVQuS9+xU39E1vBJT1uWEyu4Iatuc6el851Zv0OMqoRP8pzNgRpQz/L1PRVt3j+DwAAAAAAAAAAAAAAAAAAMGum8d8J8u4jAAAAAAAAAAAAAAAAAAAAAACzrvP+X7Xf/6vh3v87+Je/C+EbXsby/t+3e+L9v8Dk/QkAAP//TN6FzA==")
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='cpuacct.usage_sys\x00', 0x275a, 0x0)
syncfs(r2)
r3 = dup(r1)
write$FUSE_BMAP(r3, &(0x7f0000000100)={0x18}, 0x18)
write$FUSE_NOTIFY_RETRIEVE(r3, &(0x7f00000000c0)={0x14c}, 0x137)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r3])
openat$dma_heap(0xffffffffffffff9c, &(0x7f0000000180), 0x80, 0x0)
chmod(&(0x7f0000000140)='./file0\x00', 0x0)
r4 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x181)
r5 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000200)=ANY=[@ANYBLOB="120100000000001055091472000000000001090224d697e24243f72e5be8000100000000090400000303000000092100000001220500090581030000000000"], 0x0)
syz_usb_control_io(r5, 0x0, 0x0)
syz_usb_control_io$hid(r5, &(0x7f0000000340)={0xffffffffffffffcc, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x22, 0x5, {[@main=@item_4={0x3, 0x0, 0x8, "ff00"}]}}, 0x0}, 0x0)
r6 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
sendmsg$netlink(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000040)={0x1c, 0x14, 0x1, 0x800000, 0x0, "", [@nested={0x4}, @nested={0x8, 0x2, 0x0, 0x1, [@generic="ecc032c4"]}]}, 0x1c}], 0x1}, 0x0)
r7 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0)
ioctl$sock_SIOCGIFVLAN_SET_VLAN_INGRESS_PRIORITY_CMD(r3, 0x8982, &(0x7f00000002c0)={0x2, 'bridge_slave_0\x00', {0x101}, 0x2})
ftruncate(r7, 0x80)
sendfile(r4, r7, 0x0, 0x7ffff000)

[   70.578613][ T5310] Bluetooth: hci0: command tx timeout
[   70.654362][ T5324] loop0: detected capacity change from 0 to 64
[   70.997628][    T9] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[   71.140619][ T1309] ieee802154 phy0 wpan0: encryption failed: -22
[   71.143717][ T1309] ieee802154 phy1 wpan1: encryption failed: -22
[   71.149729][    T9] usb 5-1: Using ep0 maxpacket: 16
[   71.156977][    T9] usb 5-1: config index 0 descriptor too short (expected 54820, got 36)
[   71.161831][    T9] usb 5-1: config 226 has too many interfaces: 151, using maximum allowed: 32
[   71.165314][    T9] usb 5-1: config 226 has an invalid descriptor of length 46, skipping remainder of the config
[   71.170938][    T9] usb 5-1: config 226 has 0 interfaces, different from the descriptor's value: 151
[   71.174451][    T9] usb 5-1: New USB device found, idVendor=0955, idProduct=7214, bcdDevice= 0.00
[   71.179240][    T9] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   71.396171][ T5324] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
[   71.400802][ T5324] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[   71.403791][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0
[   71.407309][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   71.411295][ T5324] RIP: 0010:iter_file_splice_write+0xe07/0x1510
[   71.413834][ T5324] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 5c 17 df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 4a 16 df ff 48 8b 44 24 20 48 8b
[   71.420891][ T5324] RSP: 0018:ffffc9000d397780 EFLAGS: 00010202
[   71.423264][ T5324] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   71.426123][ T5324] RDX: ffffc9000e3aa000 RSI: 0000000000000000 RDI: 7fffffffffffff7f
[   71.428944][ T5324] RBP: ffffc9000d397a30 R08: ffffffff8246eae4 R09: 1ffff11008aa901b
[   71.431758][ T5324] R10: dffffc0000000000 R11: ffffffff82036da0 R12: ffff888052a12838
[   71.434758][ T5324] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f
[   71.437883][ T5324] FS:  00007fbee060a6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   71.441249][ T5324] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   71.443595][ T5324] CR2: 0000703900000000 CR3: 000000003309a000 CR4: 0000000000352ef0
[   71.446371][ T5324] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   71.449376][ T5324] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   71.452249][ T5324] Call Trace:
[   71.453607][ T5324]  <TASK>
[   71.454820][ T5324]  ? __die_body+0x5f/0xb0
[   71.456503][ T5324]  ? die_addr+0xb0/0xe0
[   71.458072][ T5324]  ? exc_general_protection+0x3dd/0x5d0
[   71.460168][ T5324]  ? asm_exc_general_protection+0x26/0x30
[   71.462398][ T5324]  ? __pfx_zero_pipe_buf_release+0x10/0x10
[   71.464704][ T5324]  ? iter_file_splice_write+0xd84/0x1510
[   71.467021][ T5324]  ? iter_file_splice_write+0xe07/0x1510
[   71.469100][ T5324]  ? __pfx_iter_file_splice_write+0x10/0x10
[   71.471198][ T5324]  ? rcu_read_lock_any_held+0xb7/0x160
[   71.473115][ T5324]  ? __pfx_iter_file_splice_write+0x10/0x10
[   71.475367][ T5324]  direct_splice_actor+0x11b/0x220
[   71.477368][ T5324]  splice_direct_to_actor+0x586/0xc80
[   71.479309][ T5324]  ? __pfx_direct_splice_actor+0x10/0x10
[   71.481295][ T5324]  ? __pfx_splice_direct_to_actor+0x10/0x10
[   71.483384][ T5324]  ? __fget_files+0x2a/0x410
[   71.484941][ T5324]  ? __pfx_lock_release+0x10/0x10
[   71.486683][ T5324]  do_splice_direct+0x289/0x3e0
[   71.488411][ T5324]  ? __pfx_do_splice_direct+0x10/0x10
[   71.490289][ T5324]  ? __pfx_direct_file_splice_eof+0x10/0x10
[   71.492384][ T5324]  ? rw_verify_area+0x243/0x630
[   71.494284][ T5324]  do_sendfile+0x564/0x8a0
[   71.496102][ T5324]  ? __pfx_do_sendfile+0x10/0x10
[   71.498037][ T5324]  ? __rseq_handle_notify_resume+0x34d/0x14e0
[   71.500404][ T5324]  __se_sys_sendfile64+0x17c/0x1e0
[   71.502380][ T5324]  ? __pfx___se_sys_sendfile64+0x10/0x10
[   71.504650][ T5324]  ? do_syscall_64+0x100/0x230
[   71.506506][ T5324]  ? do_syscall_64+0xb6/0x230
[   71.508419][ T5324]  do_syscall_64+0xf3/0x230
[   71.510179][ T5324]  ? clear_bhb_loop+0x35/0x90
[   71.512023][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   71.514371][ T5324] RIP: 0033:0x7fbedf78cda9
[   71.516167][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   71.523344][ T5324] RSP: 002b:00007fbee060a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   71.526308][ T5324] RAX: ffffffffffffffda RBX: 00007fbedf9a5fa0 RCX: 00007fbedf78cda9
[   71.529188][ T5324] RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000009
[   71.532032][ T5324] RBP: 00007fbedf80e2a0 R08: 0000000000000000 R09: 0000000000000000
[   71.534844][ T5324] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
[   71.537738][ T5324] R13: 0000000000000000 R14: 00007fbedf9a5fa0 R15: 00007fff79b0a828
[   71.540739][ T5324]  </TASK>
[   71.541829][ T5324] Modules linked in:
[   71.543945][ T5324] ---[ end trace 0000000000000000 ]---
[   71.551475][ T5324] RIP: 0010:iter_file_splice_write+0xe07/0x1510
[   71.553969][ T5324] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 5c 17 df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 4a 16 df ff 48 8b 44 24 20 48 8b
[   71.561312][ T5324] RSP: 0018:ffffc9000d397780 EFLAGS: 00010202
[   71.563726][ T5324] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   71.566679][ T5324] RDX: ffffc9000e3aa000 RSI: 0000000000000000 RDI: 7fffffffffffff7f
[   71.569612][ T5324] RBP: ffffc9000d397a30 R08: ffffffff8246eae4 R09: 1ffff11008aa901b
[   71.572337][ T5324] R10: dffffc0000000000 R11: ffffffff82036da0 R12: ffff888052a12838
[   71.575285][ T5324] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f
[   71.579110][ T5324] FS:  00007fbee060a6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   71.582540][ T5324] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   71.585078][ T5324] CR2: 0000703900000000 CR3: 000000003309a000 CR4: 0000000000352ef0
[   71.589094][ T5324] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   71.592182][ T5324] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   71.595309][ T5324] Kernel panic - not syncing: Fatal exception
[   71.598030][ T5324] Kernel Offset: disabled
[   71.599733][ T5324] Rebooting in 86400 seconds..