program: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x3, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r3, 0xae60) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x200) ioctl$KVM_SET_LAPIC(r4, 0x4400ae8f, &(0x7f0000000380)={"f9bef8d1aaeadafa287efdb9450ae3e2d260489591c42ab93a0c7bca18e9a19fa8e6cd61e9f62f91123f1311f81f85b4044554cb6e3ca1b6d1fc011bd71bdda82f37ccfa5b87dd5dcd311dbbb67f240dc02c53b7eabf3651660ce801e3878538da8bb24e1dbc480dae36207bf6b7b946c7a8ec08468f9a75ec797b8c11807655272833a7c70ccfc9a8259e7a148eca4d16b6ff519973a20b65f91a7261cdd2440a5a0566d843fa334b0280f0aacc3b417322b9b56098dd842c44139da4bd1e2212a40ba043bd72b995b172b26b71d434e9f3bf74b4ed480b264e0e9d6f628732534db36bfb92ee6419fb244db44abf0cd9357755ce9c4c9a584e5eb89ffd10c8a6c3c6115265f25f798570751917cd7cfc2ca71729e268c3b30c05b3dfdb18cbbfd3036a889f5fefb0f9d56bf970bdbf2524f8e435b721c809e73a5fdafbf1594088ad1974908bf5fc752d564c1a4989a7d1e59564567d9b437442c5c1cfec93526395d18b1ecb18dedd713ced403a00a2cd27b2dc857808287ea88157b3c19075eb33f7cc60a6161a88ad37fb04d0ce0fda24176406391a5ac521299143bdf59a474a17272105e55e9870cec2942a6705993e821e54441c877a64450e739b1321ad17e1ed552e65654bbfcc8ebd1d64fc4e888609a90410f780fe5031c27737f2de05a7ddf00129eb746a2e990438d9bf6a3211779707d615d79111b3fe71c26433482306ce7563c11cdf6f8da283ae147311465af80ba5350e6d65438cd5a20ec155d78227e5336d504f8f1145f4b942180f7ba6e5c9a070d4e31289d4845229780e53713090e782a75b32729c10da28c1f2702dad57a37416fc138040064347a0a290803f51a619402d88d0a4b2bef39bf92696b6d7052459a78a258edfe2e66f2e10a80b168b483c90a1a1dd67c6d6c9b7a2336d1678131ca38552d9acff05dcd57f9f4164064b7781d8a8b5507e21edfe35d65d726bf24799535648cd04f3b7e85c3f6762f353a8f65afdc7ba63bc0eb65d7188cb1adee1d8d14c0413458d2ff65093d972ac3696fa12defc0f8dedf2309e1b80fc672205e6ccfc6b494233c4d00b5471cb52d896c73cddee40e5e51ee8a9bbe453a1a7d5b9832cacc5965220145504ccb2a157a7c1d9d718c0bf96cd350ac5ca330c827bedbff299774707f5840a0d954ae39c9421975d48e05d87a1ceddefbecae936e15ffb308364b69eefd345d6200cd128e48c162a4ebd026fefb7cc73e80204b21ff30d63e8707292f60682c6f6a587fff9c5a0fae24e0406df5363c7c9d31f72829b6a9d9237a84e83e22c33bf6313ee4072f09f9c6254d0eb7239d51cdda77b8e3d42a89449a3e1b6be8953a27651486383879490486fd11b6ac4e1b86f8a71fc294e0ebf572f4ef00582be189ee5a38c18d4d51cd3221fb1475a56cdf3cc7258bf8c559bf1a9"}) ioctl$KVM_SET_GSI_ROUTING(r1, 0x4008ae6a, &(0x7f0000000080)={0x5, 0x0, [{0x80, 0x6, 0x1, 0x0, @irqchip={0xffff, 0x6}}, {0xd, 0x3, 0x1, 0x0, @sint={0x5, 0xfffffbff}}, {0x7, 0x5, 0x0, 0x0, @irqchip={0x80000000, 0xf}}, {0xfffffff7, 0x5, 0x0, 0x0, @sint={0x10, 0xd43}}, {0x8, 0x4, 0x1, 0x0, @irqchip={0xfffffff7, 0x1e}}]}) ioctl$KVM_SET_IRQCHIP(r3, 0x8208ae63, &(0x7f0000000780)={0x2, 0x0, @ioapic={0x10000, 0xffffffff, 0x4, 0xefffffff, 0x0, [{0x2, 0x8, 0xfc, '\x00', 0x3}, {0xbe, 0x9, 0xfc, '\x00', 0x7d}, {0xbc, 0x81, 0x4, '\x00', 0x1}, {0x11, 0xb, 0x0, '\x00', 0xea}, {0x3}, {0x0, 0x0, 0x4, '\x00', 0x2}, {0x1f, 0x1, 0x6}, {0xfd, 0x0, 0x0, '\x00', 0x2}, {0x0, 0xf, 0xd7, '\x00', 0xfc}, {0xa8, 0x6, 0x0, '\x00', 0x11}, {0x7}, {0x1, 0x9, 0x42, '\x00', 0x3c}, {0x0, 0x0, 0x2, '\x00', 0x1}, {0x6, 0x0, 0x6}, {0xc2, 0x0, 0x0, '\x00', 0x8}, {0x1, 0x7f, 0x80}, {0x3, 0x0, 0x0, '\x00', 0x80}, {0x0, 0x2, 0x5, '\x00', 0x10}, {0x48, 0x4, 0xd, '\x00', 0xfd}, {0x8, 0xf, 0x3}, {0x0, 0xf, 0x7, '\x00', 0x35}, {0x6, 0x9, 0x0, '\x00', 0x5}, {0x2, 0x2, 0x9}, {0x8, 0xff, 0x7, '\x00', 0x7}]}}) ioctl$KVM_CAP_HALT_POLL(r1, 0x4068aea3, &(0x7f00000002c0)={0xb6, 0x0, 0x20000000000000}) creat(&(0x7f0000000240)='./file0\x00', 0x0) pipe2$9p(&(0x7f0000001900)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RVERSION(r6, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15) r7 = dup(r6) write$FUSE_BMAP(r7, &(0x7f0000000100)={0x18}, 0x18) write$FUSE_NOTIFY_RETRIEVE(r7, &(0x7f00000000c0)={0x14c}, 0x137) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040), 0x0, &(0x7f0000000180)={'trans=fd,', {'rfdno', 0x3d, r5}, 0x2c, {'wfdno', 0x3d, r7}, 0x2c, {[], [], 0x6b}}) chmod(&(0x7f0000000140)='./file0\x00', 0x0) r8 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x0) r9 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.throttle.io_serviced\x00', 0x275a, 0x0) ftruncate(r9, 0x5) sendfile(r8, r9, 0x0, 0x7ffff000) bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0x6, 0x13, &(0x7f0000000240)=@framed={{0x18, 0x2}, [@printk={@p, {0x3, 0x3, 0x3, 0xa, 0xa}, {0x5, 0x1, 0xb, 0x1, 0xa, 0x6}, {0x7, 0x0, 0x4}, {}, {}, {0x85, 0x0, 0x0, 0x5}}, @printk={@lx, {0x3, 0x3, 0x6, 0xa, 0x1, 0xfff8, 0x51}, {0x5}}]}, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) [ 75.323542][ T5310] Bluetooth: hci0: command tx timeout [ 75.426531][ T5330] kvm: Disabled LAPIC found during irq injection [ 75.446939][ T5330] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI [ 75.452383][ T5330] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 75.456212][ T5330] CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Not tainted 6.16.0-syzkaller-02094-g86aa72182095 #0 PREEMPT(full) [ 75.462154][ T5330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.467404][ T5330] RIP: 0010:iter_file_splice_write+0xa9b/0x1000 [ 75.470263][ T5330] Code: 00 74 08 4c 89 f7 e8 f4 81 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 c1 81 e0 ff 4c 8b [ 75.479083][ T5330] RSP: 0018:ffffc9000d4d7820 EFLAGS: 00010202 [ 75.482662][ T5330] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff8880339b4880 [ 75.487104][ T5330] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7ffffffffffffffa [ 75.491422][ T5330] RBP: ffffc9000d4d7a30 R08: ffff888043b100df R09: 1ffff1100876201b [ 75.495434][ T5330] R10: dffffc0000000000 R11: ffffffff820133f0 R12: dffffc0000000000 [ 75.499024][ T5330] R13: 7ffffffffffffffa R14: dffffc0000000000 R15: ffff8880337c4028 [ 75.502450][ T5330] FS: 00007fdbce31c6c0(0000) GS:ffff88808d27c000(0000) knlGS:0000000000000000 [ 75.506167][ T5330] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.509098][ T5330] CR2: 00007fdbce2ed9b8 CR3: 0000000042fd7000 CR4: 0000000000352ef0 [ 75.512617][ T5330] Call Trace: [ 75.514066][ T5330] [ 75.515300][ T5330] ? __pfx_iter_file_splice_write+0x10/0x10 [ 75.517825][ T5330] ? rcu_read_lock_any_held+0xb3/0x120 [ 75.520110][ T5330] ? __pfx_iter_file_splice_write+0x10/0x10 [ 75.522589][ T5330] direct_splice_actor+0xfe/0x160 [ 75.524745][ T5330] splice_direct_to_actor+0x5a8/0xcc0 [ 75.527076][ T5330] ? __pfx_direct_splice_actor+0x10/0x10 [ 75.529536][ T5330] ? __pfx_splice_direct_to_actor+0x10/0x10 [ 75.532355][ T5330] ? __pfx_aa_file_perm+0x10/0x10 [ 75.534599][ T5330] do_splice_direct+0x181/0x270 [ 75.536653][ T5330] ? __pfx_do_splice_direct+0x10/0x10 [ 75.539115][ T5330] ? __pfx_direct_file_splice_eof+0x10/0x10 [ 75.541744][ T5330] ? rw_verify_area+0x258/0x650 [ 75.543813][ T5330] do_sendfile+0x4da/0x7e0 [ 75.545849][ T5330] ? __pfx_do_sendfile+0x10/0x10 [ 75.548078][ T5330] ? rcu_is_watching+0x15/0xb0 [ 75.550260][ T5330] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 75.552926][ T5330] __se_sys_sendfile64+0x13e/0x190 [ 75.555146][ T5330] ? __pfx___se_sys_sendfile64+0x10/0x10 [ 75.557538][ T5330] ? rcu_is_watching+0x15/0xb0 [ 75.559578][ T5330] ? do_syscall_64+0xbe/0x3b0 [ 75.561677][ T5330] do_syscall_64+0xfa/0x3b0 [ 75.563711][ T5330] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.565958][ T5330] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.568697][ T5330] ? clear_bhb_loop+0x60/0xb0 [ 75.571034][ T5330] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.573888][ T5330] RIP: 0033:0x7fdbcd58e9a9 [ 75.575980][ T5330] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.584377][ T5330] RSP: 002b:00007fdbce31c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 75.587962][ T5330] RAX: ffffffffffffffda RBX: 00007fdbcd7b5fa0 RCX: 00007fdbcd58e9a9 [ 75.591379][ T5330] RDX: 0000000000000000 RSI: 000000000000000d RDI: 000000000000000c [ 75.595181][ T5330] RBP: 00007fdbcd610d69 R08: 0000000000000000 R09: 0000000000000000 [ 75.598895][ T5330] R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000 [ 75.602365][ T5330] R13: 0000000000000000 R14: 00007fdbcd7b5fa0 R15: 00007fff994023e8 [ 75.605880][ T5330] [ 75.607326][ T5330] Modules linked in: [ 75.609759][ T5330] ---[ end trace 0000000000000000 ]--- [ 75.622877][ T5330] RIP: 0010:iter_file_splice_write+0xa9b/0x1000 [ 75.628107][ T5330] Code: 00 74 08 4c 89 f7 e8 f4 81 e0 ff 49 8b 1e 49 c7 06 00 00 00 00 48 83 c3 08 48 89 d8 48 c1 e8 03 49 be 00 00 00 00 00 fc ff df <42> 80 3c 30 00 44 8b 64 24 04 74 08 48 89 df e8 c1 81 e0 ff 4c 8b [ 75.636748][ T5330] RSP: 0018:ffffc9000d4d7820 EFLAGS: 00010202 [ 75.639963][ T5330] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff8880339b4880 [ 75.644500][ T5330] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 7ffffffffffffffa [ 75.648052][ T5330] RBP: ffffc9000d4d7a30 R08: ffff888043b100df R09: 1ffff1100876201b [ 75.651617][ T5330] R10: dffffc0000000000 R11: ffffffff820133f0 R12: dffffc0000000000 [ 75.655856][ T5330] R13: 7ffffffffffffffa R14: dffffc0000000000 R15: ffff8880337c4028 [ 75.660750][ T5330] FS: 00007fdbce31c6c0(0000) GS:ffff88808d27c000(0000) knlGS:0000000000000000 [ 75.665384][ T5330] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.668598][ T5330] CR2: 00007fdbcd787538 CR3: 0000000042fd7000 CR4: 0000000000352ef0 [ 75.672277][ T5330] Kernel panic - not syncing: Fatal exception [ 75.675739][ T5330] Kernel Offset: disabled [ 75.678060][ T5330] Rebooting in 86400 seconds..