Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 3 UID: 0 PID: 9856 Comm: syz.0.6304 Not tainted 6.15.0-rc4-syzkaller-00296-ge8ab83e34bdc #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:282 [inline]
RIP: 0010:iter_file_splice_write+0xa4e/0x1150 fs/splice.c:754
Code: 00 48 89 fa 48 c1 ea 03 80 3c 1a 00 0f 85 1a 05 00 00 4d 8b 65 10 49 c7 45 10 00 00 00 00 49 8d 7c 24 08 48 89 fa 48 c1 ea 03 <80> 3c 1a 00 0f 85 ee 04 00 00 49 8b 54 24 08 4c 89 ee 4c 89 f7 83
RSP: 0018:ffffc90004757908 EFLAGS: 00010202
RAX: 0000000000023ada RBX: dffffc0000000000 RCX: ffffc9002cc23000
RDX: 0000000000000001 RSI: ffffffff82417236 RDI: 0000000000000008
RBP: 0000000000000010 R08: 0000000000000006 R09: 0000000000000000
R10: 7ffffffffffff973 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88805d4c0000 R14: ffff888067b37400 R15: 7ffffffffffff973
FS:  0000000000000000(0000) GS:ffff888097aec000(0063) knlGS:00000000f50feb40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f7320a8c CR3: 0000000051d80000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <TASK>
 do_splice_from fs/splice.c:935 [inline]
 direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158
 splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102
 do_splice_direct_actor fs/splice.c:1201 [inline]
 do_splice_direct+0x174/0x240 fs/splice.c:1227
 do_sendfile+0xafd/0xe50 fs/read_write.c:1368
 __do_compat_sys_sendfile fs/read_write.c:1444 [inline]
 __se_compat_sys_sendfile fs/read_write.c:1433 [inline]
 __ia32_compat_sys_sendfile+0x162/0x220 fs/read_write.c:1433
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0x73/0x120 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf710e579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f50fe55c EFLAGS: 00000296 ORIG_RAX: 00000000000000bb
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000003
RDX: 0000000080000080 RSI: 0000000000007f04 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:282 [inline]
RIP: 0010:iter_file_splice_write+0xa4e/0x1150 fs/splice.c:754
Code: 00 48 89 fa 48 c1 ea 03 80 3c 1a 00 0f 85 1a 05 00 00 4d 8b 65 10 49 c7 45 10 00 00 00 00 49 8d 7c 24 08 48 89 fa 48 c1 ea 03 <80> 3c 1a 00 0f 85 ee 04 00 00 49 8b 54 24 08 4c 89 ee 4c 89 f7 83
RSP: 0018:ffffc90004757908 EFLAGS: 00010202
RAX: 0000000000023ada RBX: dffffc0000000000 RCX: ffffc9002cc23000
RDX: 0000000000000001 RSI: ffffffff82417236 RDI: 0000000000000008
RBP: 0000000000000010 R08: 0000000000000006 R09: 0000000000000000
R10: 7ffffffffffff973 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88805d4c0000 R14: ffff888067b37400 R15: 7ffffffffffff973
FS:  0000000000000000(0000) GS:ffff8880979ec000(0063) knlGS:00000000f50feb40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007f10725e8bb8 CR3: 0000000051d80000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0:	00 48 89             	add    %cl,-0x77(%rax)
   3:	fa                   	cli
   4:	48 c1 ea 03          	shr    $0x3,%rdx
   8:	80 3c 1a 00          	cmpb   $0x0,(%rdx,%rbx,1)
   c:	0f 85 1a 05 00 00    	jne    0x52c
  12:	4d 8b 65 10          	mov    0x10(%r13),%r12
  16:	49 c7 45 10 00 00 00 	movq   $0x0,0x10(%r13)
  1d:	00
  1e:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 1a 00          	cmpb   $0x0,(%rdx,%rbx,1) <-- trapping instruction
  2e:	0f 85 ee 04 00 00    	jne    0x522
  34:	49 8b 54 24 08       	mov    0x8(%r12),%rdx
  39:	4c 89 ee             	mov    %r13,%rsi
  3c:	4c 89 f7             	mov    %r14,%rdi
  3f:	83                   	.byte 0x83