program:
creat(&(0x7f0000000240)='./file0\x00', 0x148)
pipe2$9p(&(0x7f0000001900)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r2])
chmod(&(0x7f0000000340)='./file0\x00', 0x0)
r3 = open$dir(&(0x7f0000000180)='./file0\x00', 0x1, 0x0)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0)
ftruncate(r4, 0x57)
sendfile(r3, r4, 0x0, 0x7ffff000)

[   58.804476][ T4670] Bluetooth: hci0: command tx timeout
[   58.874037][ T5321] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
[   58.878402][ T5321] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[   58.881462][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.14.0-syzkaller-09584-g7d06015d936c #0 PREEMPT(full) 
[   58.885282][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.889220][ T5321] RIP: 0010:iter_file_splice_write+0xe1f/0x1530
[   58.891849][ T5321] Code: 80 3c 06 00 74 08 4c 89 ff e8 ed 9f de ff 49 c7 07 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 80 3c 38 00 44 8b b4 24 b0 00 00 00 74 08 48 89 df e8 ca 9e de
[   58.899649][ T5321] RSP: 0018:ffffc9000d4977a0 EFLAGS: 00010202
[   58.901986][ T5321] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   58.905205][ T5321] RDX: ffff88804317b034 RSI: 0000000000000000 RDI: 7fffffffffffffa8
[   58.908354][ T5321] RBP: ffffc9000d497a30 R08: ffffffff824d33b4 R09: 1ffff11008b1c01b
[   58.911540][ T5321] R10: dffffc0000000000 R11: ffffffff8208aeb0 R12: 0000000000000000
[   58.914530][ T5321] R13: 7fffffffffffffa8 R14: 1ffff1100862f607 R15: dffffc0000000000
[   58.917616][ T5321] FS:  00007ff254e186c0(0000) GS:ffff88808c5b9000(0000) knlGS:0000000000000000
[   58.921093][ T5321] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   58.923687][ T5321] CR2: 00007ff254cdd9b8 CR3: 00000000433d8000 CR4: 0000000000352ef0
[   58.926879][ T5321] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   58.930102][ T5321] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   58.933371][ T5321] Call Trace:
[   58.934650][ T5321]  <TASK>
[   58.935826][ T5321]  ? __die_body+0x5f/0xb0
[   58.937642][ T5321]  ? die_addr+0xab/0xd0
[   58.939416][ T5321]  ? exc_general_protection+0x3e6/0x5d0
[   58.941958][ T5321]  ? asm_exc_general_protection+0x26/0x30
[   58.944475][ T5321]  ? __pfx_zero_pipe_buf_release+0x10/0x10
[   58.946789][ T5321]  ? iter_file_splice_write+0xd94/0x1530
[   58.949069][ T5321]  ? iter_file_splice_write+0xe1f/0x1530
[   58.951108][ T5321]  ? __pfx_iter_file_splice_write+0x10/0x10
[   58.953281][ T5321]  ? rcu_read_lock_any_held+0xbb/0x160
[   58.955555][ T5321]  ? __pfx_iter_file_splice_write+0x10/0x10
[   58.957884][ T5321]  direct_splice_actor+0x11b/0x220
[   58.959994][ T5321]  splice_direct_to_actor+0x595/0xc90
[   58.962011][ T5321]  ? __pfx_direct_splice_actor+0x10/0x10
[   58.964192][ T5321]  ? __pfx_splice_direct_to_actor+0x10/0x10
[   58.966633][ T5321]  do_splice_direct+0x281/0x3d0
[   58.968584][ T5321]  ? __pfx_do_splice_direct+0x10/0x10
[   58.970672][ T5321]  ? __pfx_direct_file_splice_eof+0x10/0x10
[   58.972718][ T5321]  ? rw_verify_area+0x246/0x630
[   58.974578][ T5321]  do_sendfile+0x582/0x8c0
[   58.976350][ T5321]  ? __pfx_do_sendfile+0x10/0x10
[   58.978190][ T5321]  ? __rseq_handle_notify_resume+0x3c8/0x15d0
[   58.980613][ T5321]  __se_sys_sendfile64+0x17e/0x1e0
[   58.982604][ T5321]  ? __pfx___se_sys_sendfile64+0x10/0x10
[   58.984814][ T5321]  ? do_syscall_64+0xb6/0x230
[   58.986783][ T5321]  do_syscall_64+0xf3/0x230
[   58.988650][ T5321]  ? clear_bhb_loop+0x45/0xa0
[   58.990466][ T5321]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.992758][ T5321] RIP: 0033:0x7ff253f8d169
[   58.994508][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   59.001980][ T5321] RSP: 002b:00007ff254e18038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   59.005205][ T5321] RAX: ffffffffffffffda RBX: 00007ff2541a5fa0 RCX: 00007ff253f8d169
[   59.008187][ T5321] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000007
[   59.011414][ T5321] RBP: 00007ff25400e2a0 R08: 0000000000000000 R09: 0000000000000000
[   59.014529][ T5321] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
[   59.017770][ T5321] R13: 0000000000000000 R14: 00007ff2541a5fa0 R15: 00007ffd312fd838
[   59.020835][ T5321]  </TASK>
[   59.022045][ T5321] Modules linked in:
[   59.023992][ T5321] ---[ end trace 0000000000000000 ]---
[   59.031755][ T5321] RIP: 0010:iter_file_splice_write+0xe1f/0x1530
[   59.034348][ T5321] Code: 80 3c 06 00 74 08 4c 89 ff e8 ed 9f de ff 49 c7 07 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 80 3c 38 00 44 8b b4 24 b0 00 00 00 74 08 48 89 df e8 ca 9e de
[   59.042934][ T5321] RSP: 0018:ffffc9000d4977a0 EFLAGS: 00010202
[   59.045350][ T5321] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[   59.048820][ T5321] RDX: ffff88804317b034 RSI: 0000000000000000 RDI: 7fffffffffffffa8
[   59.052690][ T5321] RBP: ffffc9000d497a30 R08: ffffffff824d33b4 R09: 1ffff11008b1c01b
[   59.055983][ T5321] R10: dffffc0000000000 R11: ffffffff8208aeb0 R12: 0000000000000000
[   59.059568][ T5321] R13: 7fffffffffffffa8 R14: 1ffff1100862f607 R15: dffffc0000000000
[   59.062550][ T5321] FS:  00007ff254e186c0(0000) GS:ffff88808c5b9000(0000) knlGS:0000000000000000
[   59.068712][ T5321] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   59.071532][ T5321] CR2: 00007ff25417d538 CR3: 00000000433d8000 CR4: 0000000000352ef0
[   59.074742][ T5321] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   59.079418][ T5321] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   59.082647][ T5321] Kernel panic - not syncing: Fatal exception
[   59.085457][ T5321] Kernel Offset: disabled
[   59.087235][ T5321] Rebooting in 86400 seconds..