program:
creat(&(0x7f0000000240)='./file0\x00', 0x0)
pipe2$9p(&(0x7f0000001900)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137)
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000040)={'lo\x00', <r5=>0x0})
sendmsg$nl_route_sched(r3, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)=@newqdisc={0x44, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_hfsc={{0x9}, {0x14, 0x2, @TCA_HFSC_USC={0x10}}}]}, 0x44}}, 0x0)
r6 = socket(0x2a, 0x2, 0x0)
getsockname$packet(r6, &(0x7f0000000200)={0x11, 0x0, <r7=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14)
sendmsg$nl_route_sched(r6, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000180)=@gettclass={0x24, 0x2a, 0x20, 0x70bd27, 0x25dfdbff, {0x0, 0x0, 0x0, r5, {0x7ff8, 0xe}, {0xd, 0xb}, {0xb, 0x10}}}, 0x24}, 0x1, 0x0, 0x0, 0x810}, 0x0)
sendmsg$IPCTNL_MSG_CT_NEW(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000000c0)={0x0}}, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@newtfilter={0x34, 0x2c, 0xd27, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r7, {0xe}, {}, {0x8, 0xffff}}, [@filter_kind_options=@f_flower={{0xb}, {0x4}}]}, 0x34}}, 0x4000)
r8 = socket$netlink(0x10, 0x3, 0x0)
sendmmsg(r8, &(0x7f00000002c0), 0x40000000000009f, 0x0)
r9 = socket$kcm(0xa, 0x3, 0x3a)
sendmsg$kcm(r9, &(0x7f0000000080)={&(0x7f0000000000)=@l2tp6={0xa, 0x0, 0x0, @loopback={0x0, 0xac14140c}, 0x60ea}, 0x80, &(0x7f00000013c0)=[{&(0x7f00000000c0)="fcf47e6bb4", 0x5}], 0x1, 0x0, 0x0, 0x900}, 0x0)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040), 0x0, &(0x7f0000000180)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[], [], 0x6b}})
chmod(&(0x7f0000000140)='./file0\x00', 0x0)
r10 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x0)
r11 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.throttle.io_serviced\x00', 0x275a, 0x0)
ftruncate(r11, 0x5)
sendfile(r10, r11, 0x0, 0x7ffff000)

[   94.482416][ T5313] Bluetooth: hci0: command tx timeout
[   94.684021][ T5335] Zero length message leads to an empty skb
[   94.716840][ T5335] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
[   94.722246][ T5335] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[   94.725979][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted 6.16.0-syzkaller-04055-g14bed9bc81ba #0 PREEMPT(full) 
[   94.730798][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   94.734894][ T5335] RIP: 0010:iter_file_splice_write+0xa9b/0x1000
[   94.738620][ T5335] Code: 00 74 08 4c 89 f7 e8 f4 81 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 c1 81 e0 ff 4c 8b
[   94.747325][ T5335] RSP: 0018:ffffc9000d577820 EFLAGS: 00010202
[   94.750000][ T5335] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888000752440
[   94.753456][ T5335] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7ffffffffffffffa
[   94.756952][ T5335] RBP: ffffc9000d577a30 R08: ffff8880442d00df R09: 1ffff1100885a01b
[   94.760493][ T5335] R10: dffffc0000000000 R11: ffffffff820189f0 R12: dffffc0000000000
[   94.764089][ T5335] R13: 7ffffffffffffffa R14: dffffc0000000000 R15: ffff8880536db828
[   94.767772][ T5335] FS:  00007ff2d2f156c0(0000) GS:ffff88808d27b000(0000) knlGS:0000000000000000
[   94.771652][ T5335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   94.774482][ T5335] CR2: 00007ff2d2eed9b8 CR3: 0000000044794000 CR4: 0000000000352ef0
[   94.778039][ T5335] Call Trace:
[   94.779502][ T5335]  <TASK>
[   94.780853][ T5335]  ? __pfx_iter_file_splice_write+0x10/0x10
[   94.783707][ T5335]  ? rcu_read_lock_any_held+0xb3/0x120
[   94.786301][ T5335]  ? __pfx_iter_file_splice_write+0x10/0x10
[   94.788964][ T5335]  direct_splice_actor+0xfe/0x160
[   94.791218][ T5335]  splice_direct_to_actor+0x5a8/0xcc0
[   94.793713][ T5335]  ? __pfx_direct_splice_actor+0x10/0x10
[   94.796190][ T5335]  ? __pfx_splice_direct_to_actor+0x10/0x10
[   94.798882][ T5335]  ? __pfx_aa_file_perm+0x10/0x10
[   94.801083][ T5335]  do_splice_direct+0x181/0x270
[   94.803221][ T5335]  ? __pfx_do_splice_direct+0x10/0x10
[   94.805403][ T5335]  ? __pfx_direct_file_splice_eof+0x10/0x10
[   94.807976][ T5335]  ? rw_verify_area+0x258/0x650
[   94.810082][ T5335]  do_sendfile+0x4da/0x7e0
[   94.812066][ T5335]  ? __pfx_do_sendfile+0x10/0x10
[   94.814222][ T5335]  ? rcu_is_watching+0x15/0xb0
[   94.816210][ T5335]  ? __rseq_handle_notify_resume+0x37e/0x11f0
[   94.818769][ T5335]  __se_sys_sendfile64+0x13e/0x190
[   94.820951][ T5335]  ? __pfx___se_sys_sendfile64+0x10/0x10
[   94.823444][ T5335]  ? rcu_is_watching+0x15/0xb0
[   94.825645][ T5335]  ? do_syscall_64+0xbe/0x3b0
[   94.827870][ T5335]  do_syscall_64+0xfa/0x3b0
[   94.829906][ T5335]  ? lockdep_hardirqs_on+0x9c/0x150
[   94.832233][ T5335]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   94.834824][ T5335]  ? clear_bhb_loop+0x60/0xb0
[   94.837324][ T5335]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   94.839892][ T5335] RIP: 0033:0x7ff2d218e9a9
[   94.841787][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   94.849941][ T5335] RSP: 002b:00007ff2d2f15038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   94.853549][ T5335] RAX: ffffffffffffffda RBX: 00007ff2d23b5fa0 RCX: 00007ff2d218e9a9
[   94.856821][ T5335] RDX: 0000000000000000 RSI: 000000000000000d RDI: 000000000000000c
[   94.860150][ T5335] RBP: 00007ff2d2210d69 R08: 0000000000000000 R09: 0000000000000000
[   94.863474][ T5335] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
[   94.866890][ T5335] R13: 0000000000000000 R14: 00007ff2d23b5fa0 R15: 00007ffe31043578
[   94.870316][ T5335]  </TASK>
[   94.871733][ T5335] Modules linked in:
[   94.873945][ T5335] ---[ end trace 0000000000000000 ]---
[   94.881375][ T5335] RIP: 0010:iter_file_splice_write+0xa9b/0x1000
[   94.884238][ T5335] Code: 00 74 08 4c 89 f7 e8 f4 81 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 c1 81 e0 ff 4c 8b
[   94.894294][ T5335] RSP: 0018:ffffc9000d577820 EFLAGS: 00010202
[   94.897073][ T5335] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888000752440
[   94.902135][ T5335] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7ffffffffffffffa
[   94.906340][ T5335] RBP: ffffc9000d577a30 R08: ffff8880442d00df R09: 1ffff1100885a01b
[   94.910114][ T5335] R10: dffffc0000000000 R11: ffffffff820189f0 R12: dffffc0000000000
[   94.914378][ T5335] R13: 7ffffffffffffffa R14: dffffc0000000000 R15: ffff8880536db828
[   94.918236][ T5335] FS:  00007ff2d2f156c0(0000) GS:ffff88808d27b000(0000) knlGS:0000000000000000
[   94.922314][ T5335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   94.925277][ T5335] CR2: 00007ff2d2387538 CR3: 0000000044794000 CR4: 0000000000352ef0
[   94.928986][ T5335] Kernel panic - not syncing: Fatal exception
[   94.932103][ T5335] Kernel Offset: disabled
[   94.934233][ T5335] Rebooting in 86400 seconds..