general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
CPU: 1 PID: 56 Comm: kworker/u4:4 Not tainted 5.18.0-syzkaller-11817-g8171acb8bc9b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:qfq_reset_qdisc+0x14d/0x4d0 net/sched/sch_qfq.c:1455
Code: f5 f9 4c 8d 73 50 4c 89 f0 48 c1 e8 03 80 3c 28 00 0f 85 70 02 00 00 4c 8b 63 50 49 8d bc 24 e8 00 00 00 48 89 f8 48 c1 e8 03 <0f> b6 04 28 84 c0 74 08 3c 03 0f 8e 64 02 00 00 45 8b ac 24 e8 00
RSP: 0018:ffffc900013f78f8 EFLAGS: 00010206
RAX: 000000000000001d RBX: ffff88807a7e9300 RCX: 0000000000000000
RDX: ffff8880176ae1c0 RSI: ffffffff8783d9e5 RDI: 00000000000000e9
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000001 R12: 0000000000000001
R13: ffff8880742d49d8 R14: ffff88807a7e9350 R15: ffff8880709d8000
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f159a36a9ee CR3: 000000000ba8e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
qdisc_reset+0xdb/0x6e0 net/sched/sch_generic.c:1026
qdisc_destroy+0x91/0x4f0 net/sched/sch_generic.c:1064
qdisc_put+0xcd/0xe0 net/sched/sch_generic.c:1086
dev_shutdown+0x2b5/0x520 net/sched/sch_generic.c:1473
unregister_netdevice_many+0x7d3/0x1890 net/core/dev.c:10825
default_device_exit_batch+0x449/0x590 net/core/dev.c:11328
ops_exit_list+0x125/0x170 net/core/net_namespace.c:167
cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:qfq_reset_qdisc+0x14d/0x4d0 net/sched/sch_qfq.c:1455
Code: f5 f9 4c 8d 73 50 4c 89 f0 48 c1 e8 03 80 3c 28 00 0f 85 70 02 00 00 4c 8b 63 50 49 8d bc 24 e8 00 00 00 48 89 f8 48 c1 e8 03 <0f> b6 04 28 84 c0 74 08 3c 03 0f 8e 64 02 00 00 45 8b ac 24 e8 00
RSP: 0018:ffffc900013f78f8 EFLAGS: 00010206
RAX: 000000000000001d RBX: ffff88807a7e9300 RCX: 0000000000000000
RDX: ffff8880176ae1c0 RSI: ffffffff8783d9e5 RDI: 00000000000000e9
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000001 R12: 0000000000000001
R13: ffff8880742d49d8 R14: ffff88807a7e9350 R15: ffff8880709d8000
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f159a36a9ee CR3: 000000007ea74000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: f5 cmc
1: f9 stc
2: 4c 8d 73 50 lea 0x50(%rbx),%r14
6: 4c 89 f0 mov %r14,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1)
11: 0f 85 70 02 00 00 jne 0x287
17: 4c 8b 63 50 mov 0x50(%rbx),%r12
1b: 49 8d bc 24 e8 00 00 lea 0xe8(%r12),%rdi
22: 00
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 0f b6 04 28 movzbl (%rax,%rbp,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 08 je 0x3a
32: 3c 03 cmp $0x3,%al
34: 0f 8e 64 02 00 00 jle 0x29e
3a: 45 rex.RB
3b: 8b .byte 0x8b
3c: ac lods %ds:(%rsi),%al
3d: 24 e8 and $0xe8,%al