program: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r1 = creat(&(0x7f0000000240)='./file0\x00', 0x0) pipe2$9p(&(0x7f0000001900)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RVERSION(r3, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15) r4 = dup(r3) write$FUSE_BMAP(r4, &(0x7f0000000100)={0x18}, 0x18) write$FUSE_NOTIFY_RETRIEVE(r4, &(0x7f00000000c0)={0x14c}, 0x137) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) chmod(&(0x7f0000000140)='./file0\x00', 0x0) r5 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x181) r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0) ftruncate(r6, 0x80) r7 = socket$nl_generic(0x10, 0x3, 0x10) r8 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000580), 0xffffffffffffffff) sendmsg$TIPC_NL_MEDIA_GET(r7, &(0x7f0000000880)={0x0, 0x0, &(0x7f0000000840)={&(0x7f0000000580)={0x20, r8, 0x1, 0x0, 0x0, {}, [@TIPC_NLA_MEDIA={0xc, 0x5, 0x0, 0x1, [@TIPC_NLA_MEDIA_NAME={0x7, 0x1, 'ib\x00'}]}]}, 0x20}}, 0x0) sendmsg$TIPC_NL_PEER_REMOVE(r1, &(0x7f00000001c0)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x100000}, 0xc, &(0x7f0000000180)={&(0x7f00000002c0)={0xd4, r8, 0x400, 0x70bd26, 0x25dfdbfb, {}, [@TIPC_NLA_MON={0x44, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x8}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x3}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x2}, @TIPC_NLA_MON_REF={0x8, 0x2, 0xd4}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x80000}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x4}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0xfff}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8, 0x1, 0x4}]}, @TIPC_NLA_NET={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x3}]}, @TIPC_NLA_SOCK={0x14, 0x2, 0x0, 0x1, [@TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x8}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}]}, @TIPC_NLA_MON={0x14, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8, 0x2, 0x1}, @TIPC_NLA_MON_REF={0x8, 0x2, 0x9}]}, @TIPC_NLA_NODE={0x48, 0x6, 0x0, 0x1, [@TIPC_NLA_NODE_KEY={0x42, 0x4, {'gcm(aes)\x00', 0x1a, "b21f9ad8d0c9da8f84ade7257923dafc18c9df8219d9c8937d73"}}]}]}, 0xd4}, 0x1, 0x0, 0x0, 0x40}, 0x8840) sendfile(r5, r6, 0x0, 0x7ffff000) bind$bt_hci(r0, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) write(r0, &(0x7f0000000000)="2e00000001000a", 0x7) [ 58.733252][ T5320] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 58.738144][ T5320] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 58.741367][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0 [ 58.745183][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.749198][ T5320] RIP: 0010:iter_file_splice_write+0xe07/0x1510 [ 58.751447][ T5320] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 5c 17 df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 4a 16 df ff 48 8b 44 24 20 48 8b [ 58.758221][ T5320] RSP: 0018:ffffc9000d587780 EFLAGS: 00010202 [ 58.760477][ T5320] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005 [ 58.763334][ T5320] RDX: ffffc9000e3f2000 RSI: 0000000000000000 RDI: 7fffffffffffff7f [ 58.766254][ T5320] RBP: ffffc9000d587a30 R08: ffffffff8246eae4 R09: 1ffff11008c2601b [ 58.769119][ T5320] R10: dffffc0000000000 R11: ffffffff82036da0 R12: ffff888040db9838 [ 58.771949][ T5320] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f [ 58.774921][ T5320] FS: 00007fba959dd6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 58.778212][ T5320] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 58.780746][ T5320] CR2: 00007fba94b72b40 CR3: 0000000036c6a000 CR4: 0000000000352ef0 [ 58.783803][ T5320] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 58.786866][ T5320] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 58.789954][ T5320] Call Trace: [ 58.791264][ T5320] [ 58.792435][ T5320] ? __die_body+0x5f/0xb0 [ 58.794148][ T5320] ? die_addr+0xb0/0xe0 [ 58.795866][ T5320] ? exc_general_protection+0x3dd/0x5d0 [ 58.798019][ T5320] ? asm_exc_general_protection+0x26/0x30 [ 58.800187][ T5320] ? __pfx_zero_pipe_buf_release+0x10/0x10 [ 58.802473][ T5320] ? iter_file_splice_write+0xd84/0x1510 [ 58.804613][ T5320] ? iter_file_splice_write+0xe07/0x1510 [ 58.806691][ T5320] ? __pfx_iter_file_splice_write+0x10/0x10 [ 58.808939][ T5320] ? rcu_read_lock_any_held+0xb7/0x160 [ 58.811092][ T5320] ? __pfx_iter_file_splice_write+0x10/0x10 [ 58.813348][ T5320] direct_splice_actor+0x11b/0x220 [ 58.815329][ T5320] splice_direct_to_actor+0x586/0xc80 [ 58.817455][ T5320] ? __pfx_direct_splice_actor+0x10/0x10 [ 58.819630][ T5320] ? __pfx_splice_direct_to_actor+0x10/0x10 [ 58.821914][ T5320] ? __fget_files+0x2a/0x410 [ 58.823711][ T5320] ? __pfx_lock_release+0x10/0x10 [ 58.825623][ T5320] do_splice_direct+0x289/0x3e0 [ 58.827556][ T5320] ? __pfx_do_splice_direct+0x10/0x10 [ 58.829616][ T5320] ? __pfx_direct_file_splice_eof+0x10/0x10 [ 58.831929][ T5320] ? rw_verify_area+0x243/0x630 [ 58.833823][ T5320] do_sendfile+0x564/0x8a0 [ 58.835569][ T5320] ? __pfx_do_sendfile+0x10/0x10 [ 58.837463][ T5320] ? __rseq_handle_notify_resume+0x34d/0x14e0 [ 58.839624][ T5320] __se_sys_sendfile64+0x17c/0x1e0 [ 58.841410][ T5320] ? __pfx___se_sys_sendfile64+0x10/0x10 [ 58.843387][ T5320] ? do_syscall_64+0x100/0x230 [ 58.845032][ T5320] ? do_syscall_64+0xb6/0x230 [ 58.846739][ T5320] do_syscall_64+0xf3/0x230 [ 58.848376][ T5320] ? clear_bhb_loop+0x35/0x90 [ 58.850175][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.852468][ T5320] RIP: 0033:0x7fba94b8cda9 [ 58.854201][ T5320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 58.861361][ T5320] RSP: 002b:00007fba959dd038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 58.864461][ T5320] RAX: ffffffffffffffda RBX: 00007fba94da5fa0 RCX: 00007fba94b8cda9 [ 58.867476][ T5320] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 0000000000000008 [ 58.870392][ T5320] RBP: 00007fba94c0e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 58.873287][ T5320] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000 [ 58.876250][ T5320] R13: 0000000000000000 R14: 00007fba94da5fa0 R15: 00007ffdb828f398 [ 58.879166][ T5320] [ 58.880387][ T5320] Modules linked in: [ 58.882284][ T5320] ---[ end trace 0000000000000000 ]--- [ 58.889065][ T5321] Bluetooth: MGMT ver 1.23 [ 58.891074][ T5320] RIP: 0010:iter_file_splice_write+0xe07/0x1510 [ 58.893444][ T5320] Code: 00 00 fc ff df 41 80 3c 06 00 49 89 c6 74 08 4c 89 e7 e8 5c 17 df ff 49 c7 04 24 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 4a 16 df ff 48 8b 44 24 20 48 8b [ 58.901342][ T5305] Bluetooth: hci0: command tx timeout [ 58.903373][ T5320] RSP: 0018:ffffc9000d587780 EFLAGS: 00010202 [ 58.906409][ T5320] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005 [ 58.909514][ T5320] RDX: ffffc9000e3f2000 RSI: 0000000000000000 RDI: 7fffffffffffff7f [ 58.912511][ T5320] RBP: ffffc9000d587a30 R08: ffffffff8246eae4 R09: 1ffff11008c2601b [ 58.916100][ T5320] R10: dffffc0000000000 R11: ffffffff82036da0 R12: ffff888040db9838 [ 58.919103][ T5320] R13: 0000000000000000 R14: dffffc0000000000 R15: 7fffffffffffff7f [ 58.921919][ T5320] FS: 00007fba959dd6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 58.925519][ T5320] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 58.928087][ T5320] CR2: 00007fba959bbfe0 CR3: 0000000036c6a000 CR4: 0000000000352ef0 [ 58.931240][ T5320] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 58.934194][ T5320] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 58.937832][ T5320] Kernel panic - not syncing: Fatal exception [ 58.940385][ T5320] Kernel Offset: disabled [ 58.942064][ T5320] Rebooting in 86400 seconds..