program: creat(&(0x7f0000000240)='./file0\x00', 0x148) pipe2$9p(&(0x7f0000001900)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15) r2 = dup(r1) write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18) write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f00000004c0), 0x10400, &(0x7f0000000700)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) chmod(&(0x7f0000000340)='./file0\x00', 0x0) r3 = open$dir(&(0x7f0000000180)='./file0\x00', 0x1, 0x0) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0) write$tcp_mem(r2, &(0x7f0000000040)={0x8, 0x20, 0xfffffffffffffbcb, 0x20, 0xd572}, 0x48) ftruncate(r4, 0x57) sendfile(r3, r4, 0x0, 0x7ffff000) [ 87.399355][ T45] Bluetooth: hci0: command tx timeout [ 87.403587][ T10] cfg80211: failed to load regulatory.db [ 87.511694][ T5321] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI [ 87.517110][ T5321] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 87.520501][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-01599-gddddf9d64f73 #0 PREEMPT(full) [ 87.525295][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 87.529881][ T5321] RIP: 0010:iter_file_splice_write+0xa9b/0x1000 [ 87.532997][ T5321] Code: 00 74 08 4c 89 f7 e8 d4 a2 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 a1 a2 e0 ff 4c 8b [ 87.541215][ T5321] RSP: 0018:ffffc9000d46f840 EFLAGS: 00010202 [ 87.543801][ T5321] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888000a4c880 [ 87.547551][ T5321] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7fffffffffffffa8 [ 87.550951][ T5321] RBP: ffffc9000d46fa50 R08: ffff8880528200df R09: 1ffff1100a50401b [ 87.554536][ T5321] R10: dffffc0000000000 R11: ffffffff82009170 R12: dffffc0000000000 [ 87.558185][ T5321] R13: 7fffffffffffffa8 R14: dffffc0000000000 R15: ffff88803ffcc828 [ 87.561613][ T5321] FS: 00007fa4d81636c0(0000) GS:ffff88808d6b1000(0000) knlGS:0000000000000000 [ 87.565396][ T5321] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 87.568203][ T5321] CR2: 00007fa43f9a1796 CR3: 0000000043049000 CR4: 0000000000352ef0 [ 87.571724][ T5321] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 87.575301][ T5321] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 87.578682][ T5321] Call Trace: [ 87.580137][ T5321] [ 87.581742][ T5321] ? __pfx_iter_file_splice_write+0x10/0x10 [ 87.584705][ T5321] ? rcu_read_lock_any_held+0xb3/0x120 [ 87.587479][ T5321] ? __pfx_iter_file_splice_write+0x10/0x10 [ 87.590220][ T5321] direct_splice_actor+0xfe/0x160 [ 87.592549][ T5321] splice_direct_to_actor+0x5a8/0xcc0 [ 87.594957][ T5321] ? __pfx_direct_splice_actor+0x10/0x10 [ 87.597458][ T5321] ? __pfx_splice_direct_to_actor+0x10/0x10 [ 87.600107][ T5321] ? __pfx_aa_file_perm+0x10/0x10 [ 87.602433][ T5321] do_splice_direct+0x181/0x270 [ 87.604669][ T5321] ? __pfx_do_splice_direct+0x10/0x10 [ 87.606970][ T5321] ? __pfx_direct_file_splice_eof+0x10/0x10 [ 87.609505][ T5321] ? rw_verify_area+0x258/0x650 [ 87.611780][ T5321] do_sendfile+0x4da/0x7e0 [ 87.613931][ T5321] ? __pfx_do_sendfile+0x10/0x10 [ 87.616190][ T5321] ? rcu_is_watching+0x15/0xb0 [ 87.618454][ T5321] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 87.621077][ T5321] __se_sys_sendfile64+0x13e/0x190 [ 87.623284][ T5321] ? rcu_is_watching+0x15/0xb0 [ 87.625332][ T5321] ? __pfx___se_sys_sendfile64+0x10/0x10 [ 87.627753][ T5321] ? do_syscall_64+0xba/0x210 [ 87.630116][ T5321] do_syscall_64+0xf6/0x210 [ 87.632332][ T5321] ? clear_bhb_loop+0x60/0xb0 [ 87.634527][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.637220][ T5321] RIP: 0033:0x7fa4d738e969 [ 87.639160][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 87.647369][ T5321] RSP: 002b:00007fa4d8163038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 87.650882][ T5321] RAX: ffffffffffffffda RBX: 00007fa4d75b5fa0 RCX: 00007fa4d738e969 [ 87.654218][ T5321] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000007 [ 87.657875][ T5321] RBP: 00007fa4d7410ab1 R08: 0000000000000000 R09: 0000000000000000 [ 87.661532][ T5321] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000 [ 87.664926][ T5321] R13: 0000000000000000 R14: 00007fa4d75b5fa0 R15: 00007fffcb5c63e8 [ 87.668270][ T5321] [ 87.669777][ T5321] Modules linked in: [ 87.672300][ T5321] ---[ end trace 0000000000000000 ]--- [ 87.688102][ T5321] RIP: 0010:iter_file_splice_write+0xa9b/0x1000 [ 87.691728][ T5321] Code: 00 74 08 4c 89 f7 e8 d4 a2 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 a1 a2 e0 ff 4c 8b [ 87.701141][ T5321] RSP: 0018:ffffc9000d46f840 EFLAGS: 00010202 [ 87.704085][ T5321] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888000a4c880 [ 87.708137][ T5321] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7fffffffffffffa8 [ 87.712543][ T5321] RBP: ffffc9000d46fa50 R08: ffff8880528200df R09: 1ffff1100a50401b [ 87.715975][ T5321] R10: dffffc0000000000 R11: ffffffff82009170 R12: dffffc0000000000 [ 87.720064][ T5321] R13: 7fffffffffffffa8 R14: dffffc0000000000 R15: ffff88803ffcc828 [ 87.724055][ T5321] FS: 00007fa4d81636c0(0000) GS:ffff88808d6b1000(0000) knlGS:0000000000000000 [ 87.728013][ T5321] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 87.731753][ T5321] CR2: 00007fa4d7584538 CR3: 0000000043049000 CR4: 0000000000352ef0 [ 87.735930][ T5321] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 87.740852][ T5321] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 87.744394][ T5321] Kernel panic - not syncing: Fatal exception [ 87.747448][ T5321] Kernel Offset: disabled [ 87.749392][ T5321] Rebooting in 86400 seconds..