program:
creat(&(0x7f0000000240)='./file0\x00', 0x148)
pipe2$9p(&(0x7f0000001900)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r2])
chmod(&(0x7f0000000340)='./file0\x00', 0x0)
r3 = open$dir(&(0x7f0000000180)='./file0\x00', 0x1, 0x0)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0)
ftruncate(r4, 0x57)
sendfile(r3, r4, 0x0, 0x7ffff000)

[ 74.720158][ T4675] Bluetooth: hci0: command tx timeout
[ 74.784097][ T5329] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
[ 74.788447][ T5329] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[ 74.791525][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.15.0-rc3-syzkaller-00008-ga33b5a08cbbd #0 PREEMPT(full)
[ 74.795894][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 74.799859][ T5329] RIP: 0010:iter_file_splice_write+0xe1f/0x1530
[ 74.802350][ T5329] Code: 80 3c 06 00 74 08 4c 89 ff e8 ed 3d de ff 49 c7 07 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 80 3c 38 00 44 8b b4 24 b0 00 00 00 74 08 48 89 df e8 ca 3c de
[ 74.809379][ T5329] RSP: 0018:ffffc9000d64f7a0 EFLAGS: 00010202
[ 74.811650][ T5329] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[ 74.814574][ T5329] RDX: ffff88804421c034 RSI: 0000000000000000 RDI: 7fffffffffffffa8
[ 74.817591][ T5329] RBP: ffffc9000d64fa30 R08: ffffffff824eb994 R09: 1ffff110089ba01b
[ 74.820454][ T5329] R10: dffffc0000000000 R11: ffffffff8208c140 R12: 0000000000000000
[ 74.823377][ T5329] R13: 7fffffffffffffa8 R14: 1ffff11008843807 R15: dffffc0000000000
[ 74.826285][ T5329] FS: 00007fb6e61146c0(0000) GS:ffff88808c59a000(0000) knlGS:0000000000000000
[ 74.829567][ T5329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.831863][ T5329] CR2: 0000564fe16323a0 CR3: 0000000033f8c000 CR4: 0000000000352ef0
[ 74.834940][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 74.837882][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 74.840803][ T5329] Call Trace:
[ 74.842046][ T5329]
[ 74.843183][ T5329] ? __pfx_iter_file_splice_write+0x10/0x10
[ 74.845439][ T5329] ? rcu_read_lock_any_held+0xbb/0x160
[ 74.847502][ T5329] ? __pfx_iter_file_splice_write+0x10/0x10
[ 74.849681][ T5329] direct_splice_actor+0x11b/0x220
[ 74.851611][ T5329] splice_direct_to_actor+0x595/0xc90
[ 74.853577][ T5329] ? __pfx_direct_splice_actor+0x10/0x10
[ 74.855668][ T5329] ? __pfx_splice_direct_to_actor+0x10/0x10
[ 74.857898][ T5329] do_splice_direct+0x281/0x3d0
[ 74.859683][ T5329] ? __pfx_do_splice_direct+0x10/0x10
[ 74.861613][ T5329] ? __pfx_direct_file_splice_eof+0x10/0x10
[ 74.863796][ T5329] ? rw_verify_area+0x246/0x630
[ 74.865570][ T5329] do_sendfile+0x582/0x8c0
[ 74.867192][ T5329] ? __pfx_do_sendfile+0x10/0x10
[ 74.869030][ T5329] ? __rseq_handle_notify_resume+0x3c8/0x15d0
[ 74.871221][ T5329] __se_sys_sendfile64+0x17e/0x1e0
[ 74.873209][ T5329] ? __pfx___se_sys_sendfile64+0x10/0x10
[ 74.875242][ T5329] ? do_syscall_64+0xb6/0x210
[ 74.876991][ T5329] do_syscall_64+0xf3/0x210
[ 74.878650][ T5329] ? clear_bhb_loop+0x45/0xa0
[ 74.880396][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.882563][ T5329] RIP: 0033:0x7fb6e538e169
[ 74.884317][ T5329] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 74.891470][ T5329] RSP: 002b:00007fb6e6114038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 74.894534][ T5329] RAX: ffffffffffffffda RBX: 00007fb6e55b5fa0 RCX: 00007fb6e538e169
[ 74.897516][ T5329] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000007
[ 74.900421][ T5329] RBP: 00007fb6e5410a68 R08: 0000000000000000 R09: 0000000000000000
[ 74.903288][ T5329] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
[ 74.906243][ T5329] R13: 0000000000000000 R14: 00007fb6e55b5fa0 R15: 00007ffddfbb2b08
[ 74.909200][ T5329]
[ 74.910354][ T5329] Modules linked in:
[ 74.912132][ T5329] ---[ end trace 0000000000000000 ]---
[ 74.928171][ T5329] RIP: 0010:iter_file_splice_write+0xe1f/0x1530
[ 74.931118][ T5329] Code: 80 3c 06 00 74 08 4c 89 ff e8 ed 3d de ff 49 c7 07 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 80 3c 38 00 44 8b b4 24 b0 00 00 00 74 08 48 89 df e8 ca 3c de
[ 74.938429][ T5329] RSP: 0018:ffffc9000d64f7a0 EFLAGS: 00010202
[ 74.941794][ T5329] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000005
[ 74.944869][ T5329] RDX: ffff88804421c034 RSI: 0000000000000000 RDI: 7fffffffffffffa8
[ 74.947904][ T5329] RBP: ffffc9000d64fa30 R08: ffffffff824eb994 R09: 1ffff110089ba01b
[ 74.952193][ T5329] R10: dffffc0000000000 R11: ffffffff8208c140 R12: 0000000000000000
[ 74.955198][ T5329] R13: 7fffffffffffffa8 R14: 1ffff11008843807 R15: dffffc0000000000
[ 74.958243][ T5329] FS: 00007fb6e61146c0(0000) GS:ffff88808c59a000(0000) knlGS:0000000000000000
[ 74.961886][ T5329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.964475][ T5329] CR2: 00007fb6e5584538 CR3: 0000000033f8c000 CR4: 0000000000352ef0
[ 74.967478][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 74.971094][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 74.974260][ T5329] Kernel panic - not syncing: Fatal exception
[ 74.976815][ T5329] Kernel Offset: disabled
[ 74.978413][ T5329] Rebooting in 86400 seconds..