program:
openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
r0 = syz_open_dev$usbfs(&(0x7f0000000480), 0xb, 0x141341)
ioctl$USBDEVFS_IOCTL(r0, 0xc0105512, &(0x7f0000000200))
ioctl$USBDEVFS_IOCTL(r0, 0xc0105512, &(0x7f0000000000)=@usbdevfs_driver={0x0, 0x7, 0x0})
creat(&(0x7f0000000240)='./file0\x00', 0x0)
pipe2$9p(&(0x7f0000001900)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r2, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15)
r3 = dup(r2)
write$FUSE_BMAP(r3, &(0x7f0000000100)={0x18}, 0x18)
write$FUSE_NOTIFY_RETRIEVE(r3, &(0x7f00000000c0)={0x14c}, 0x137)
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040), 0x0, &(0x7f0000000180)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[], [], 0x6b}})
chmod(&(0x7f0000000140)='./file0\x00', 0x0)
r4 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x0)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.throttle.io_serviced\x00', 0x275a, 0x0)
ftruncate(r5, 0x5)
sendfile(r4, r5, 0x0, 0x7ffff000)

[ 85.200167][ T5335] Bluetooth: hci0: command tx timeout
[ 85.235769][ T5360] usb 1-1: USB disconnect, device number 2
[ 85.334864][ T5360] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
[ 85.339659][ T5360] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[ 85.342987][ T5360] CPU: 0 UID: 0 PID: 5360 Comm: syz.0.0 Not tainted 6.16.0-syzkaller-12016-gbec077162bd0 #0 PREEMPT(full)
[ 85.346834][ T5360] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.350432][ T5360] RIP: 0010:iter_file_splice_write+0xa9b/0x1000
[ 85.352600][ T5360] Code: 00 74 08 4c 89 f7 e8 d4 29 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 a1 29 e0 ff 4c 8b
[ 85.359137][ T5360] RSP: 0018:ffffc9000d387820 EFLAGS: 00010202
[ 85.361353][ T5360] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888000eba440
[ 85.364273][ T5360] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7ffffffffffffffa
[ 85.367202][ T5360] RBP: ffffc9000d387a30 R08: ffff8880444280df R09: 1ffff1100888501b
[ 85.370013][ T5360] R10: dffffc0000000000 R11: ffffffff8202d150 R12: dffffc0000000000
[ 85.372726][ T5360] R13: 7ffffffffffffffa R14: dffffc0000000000 R15: ffff88801146e828
[ 85.375447][ T5360] FS: 00007fc1f51436c0(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
[ 85.378523][ T5360] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.380736][ T5360] CR2: 00007fc1f50ed9b8 CR3: 00000000430f3000 CR4: 0000000000352ef0
[ 85.383447][ T5360] Call Trace:
[ 85.384609][ T5360]
[ 85.385865][ T5360] ? __pfx_iter_file_splice_write+0x10/0x10
[ 85.388275][ T5360] ? rcu_read_lock_any_held+0xb3/0x120
[ 85.390513][ T5360] ? __pfx_iter_file_splice_write+0x10/0x10
[ 85.392617][ T5360] direct_splice_actor+0xfe/0x160
[ 85.394357][ T5360] splice_direct_to_actor+0x5a8/0xcc0
[ 85.396228][ T5360] ? __pfx_direct_splice_actor+0x10/0x10
[ 85.398151][ T5360] ? __pfx_splice_direct_to_actor+0x10/0x10
[ 85.400092][ T5360] do_splice_direct+0x181/0x270
[ 85.401729][ T5360] ? __pfx_do_splice_direct+0x10/0x10
[ 85.403540][ T5360] ? __pfx_direct_file_splice_eof+0x10/0x10
[ 85.405539][ T5360] ? rw_verify_area+0x255/0x4d0
[ 85.407446][ T5360] do_sendfile+0x4da/0x7e0
[ 85.409053][ T5360] ? __pfx_do_sendfile+0x10/0x10
[ 85.410767][ T5360] ? rcu_is_watching+0x15/0xb0
[ 85.412400][ T5360] ? __rseq_handle_notify_resume+0x37e/0x11f0
[ 85.414488][ T5360] __se_sys_sendfile64+0x13e/0x190
[ 85.416279][ T5360] ? __pfx___se_sys_sendfile64+0x10/0x10
[ 85.418236][ T5360] ? rcu_is_watching+0x15/0xb0
[ 85.419877][ T5360] ? do_syscall_64+0xbe/0x3b0
[ 85.421535][ T5360] do_syscall_64+0xfa/0x3b0
[ 85.423091][ T5360] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.425073][ T5360] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.427488][ T5360] ? clear_bhb_loop+0x60/0xb0
[ 85.429216][ T5360] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.431449][ T5360] RIP: 0033:0x7fc1f438ebe9
[ 85.433160][ T5360] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 85.440492][ T5360] RSP: 002b:00007fc1f5143038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 85.443714][ T5360] RAX: ffffffffffffffda RBX: 00007fc1f45b5fa0 RCX: 00007fc1f438ebe9
[ 85.446891][ T5360] RDX: 0000000000000000 RSI: 000000000000000a RDI: 0000000000000009
[ 85.450160][ T5360] RBP: 00007fc1f4411e19 R08: 0000000000000000 R09: 0000000000000000
[ 85.453212][ T5360] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
[ 85.455935][ T5360] R13: 00007fc1f45b6038 R14: 00007fc1f45b5fa0 R15: 00007ffc6ee930b8
[ 85.458804][ T5360]
[ 85.459849][ T5360] Modules linked in:
[ 85.461544][ T5360] ---[ end trace 0000000000000000 ]---
[ 85.467127][ T5360] RIP: 0010:iter_file_splice_write+0xa9b/0x1000
[ 85.469561][ T5360] Code: 00 74 08 4c 89 f7 e8 d4 29 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 a1 29 e0 ff 4c 8b
[ 85.475938][ T5360] RSP: 0018:ffffc9000d387820 EFLAGS: 00010202
[ 85.478073][ T5360] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888000eba440
[ 85.481166][ T5360] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7ffffffffffffffa
[ 85.483916][ T5360] RBP: ffffc9000d387a30 R08: ffff8880444280df R09: 1ffff1100888501b
[ 85.486686][ T5360] R10: dffffc0000000000 R11: ffffffff8202d150 R12: dffffc0000000000
[ 85.489656][ T5360] R13: 7ffffffffffffffa R14: dffffc0000000000 R15: ffff88801146e828
[ 85.492395][ T5360] FS: 00007fc1f51436c0(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
[ 85.495624][ T5360] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.497941][ T5360] CR2: 00007fc1f50ed9b8 CR3: 00000000430f3000 CR4: 0000000000352ef0
[ 85.501170][ T5360] Kernel panic - not syncing: Fatal exception
[ 85.503541][ T5360] Kernel Offset: disabled
[ 85.504980][ T5360] Rebooting in 86400 seconds..