program:
# Reproducer in syzkaller program notation; the console log of the resulting
# kernel crash follows the last call. The annotations below are for triage.
# NOTE(review): r1 and r2 are used but never assigned in the visible text.
# The result markers were presumably lost when the page was extracted, so
# confirm against the original report before replaying this.

# 0x10 / 0x3 / 0x0 are AF_NETLINK / SOCK_RAW / NETLINK_ROUTE: an rtnetlink socket.
r0 = socket(0x10, 0x3, 0x0)
# AF_UNIX (0x1) socket pair, presumably the source of r1, which is used only
# as the fd for the ifindex lookup below.
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff})
# SIOCGIFINDEX (0x8933) on the interface name 'lo'; the returned index is
# presumably what r2 refers to in both netlink messages.
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0})
# First qdisc request (@newqdisc, message type 0x24): kind pfifo on ifindex r2.
# Read in struct tcmsg field order, {0x0, 0xa} would be the handle and
# {0xffff, 0xffff} the parent; verify against the syzkaller description.
sendmsg$nl_route_sched(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000080)=@newqdisc={0x38, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r2, {0x0, 0xa}, {0xffff, 0xffff}, {0x10, 0xffff}}, [@qdisc_kind_options=@q_pfifo={{0xa}, {0x8, 0x2, 0x5}}]}, 0x38}}, 0x44080)
# Second qdisc request: kind codel carrying TCA_CODEL_CE_THRESHOLD=0xfffffffc,
# with an empty handle and the pair {0xfff2, 0xa}, which matches
# R12=0x00000000000afff2 in the register dump.
# This is the faulting call. The trace runs __x64_sys_sendmsg ->
# rtnetlink_rcv_msg -> tc_modify_qdisc -> qdisc_create -> codel_init ->
# codel_change -> qdisc_tree_reduce_backlog, and the user-mode RDX (0x800)
# equals this call's flags argument.
sendmsg$nl_route_sched(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000380)=@newqdisc={0x3c, 0x24, 0xd0f, 0x70bd26, 0x0, {0x60, 0x0, 0x0, r2, {}, {0xfff2, 0xa}}, [@qdisc_kind_options=@q_codel={{0xa}, {0xc, 0x2, [@TCA_CODEL_CE_THRESHOLD={0x8, 0x5, 0xfffffffc}]}}]}, 0x3c}}, 0x800)
# TCP socket bound and connected to the same @local address and port 0x4e21.
# These calls are listed after the faulting sendmsg; the log does not show
# whether they contributed to the crash.
r3 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r3, &(0x7f0000000040)={0x2, 0x4e21, @local}, 0x10)
connect$inet(r3, &(0x7f0000000180)={0x2, 0x4e21, @local}, 0x10)
# Console log. KASAN reports a null-ptr-deref in range 0x20-0x27 at
# qdisc_tree_reduce_backlog+0x223. RAX=0x20 and RBP=0 are consistent with an
# 8-byte access at offset 0x20 from a NULL pointer. The task runs as UID 0,
# and the log ends in "Kernel panic - not syncing", so the impact shown is a
# kernel crash. The page names no fix commit.
[ 75.603473][ T5320] Bluetooth: hci0: command tx timeout [ 75.674537][ T5341] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] SMP KASAN NOPTI [ 75.679562][ T5341] KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] [ 75.683233][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted 6.16.0-rc5-syzkaller-00053-g8c2e52ebbe88 #0 PREEMPT(full) [ 75.688316][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.692976][ T5341] RIP: 0010:qdisc_tree_reduce_backlog+0x223/0x480 [ 75.695845][ T5341] Code: 89 ef e8 50 04 ab f8 4d 89 ef 85 db 74 0d e8 94 81 47 f8 4c 89 f5 e9 88 00 00 00 48 8b 6d 00 48 8d 45 20 48 89 c3 48 c1 eb 03 <42> 80 3c 33 00 48 89 04 24 74 0d 48 8b 3c 24 e8 19 04 ab f8 48 8b [ 75.703963][ T5341] RSP: 0018:ffffc9000d6070e8 EFLAGS: 00010202 [ 75.706537][ T5341] RAX: 0000000000000020 RBX: 0000000000000004 RCX: 0000000000000002 [ 75.709895][ T5341] RDX: ffff88801fa60000 RSI: 0000000000000000 RDI: 0000000000000000 
[ 75.713476][ T5341] RBP: 0000000000000000 R08: ffff88801fa60000 R09: 0000000000000002 [ 75.717052][ T5341] R10: 00000000ffffffff R11: 0000000000000002 R12: 00000000000afff2 [ 75.720499][ T5341] R13: ffff888053036800 R14: dffffc0000000000 R15: ffff888053036800 [ 75.723883][ T5341] FS: 00007f533b8816c0(0000) GS:ffff88808d21b000(0000) knlGS:0000000000000000 [ 75.727786][ T5341] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.730718][ T5341] CR2: 0000200000000240 CR3: 0000000033d74000 CR4: 0000000000352ef0 [ 75.734235][ T5341] Call Trace: [ 75.735746][ T5341] [ 75.737092][ T5341] ? qdisc_tree_reduce_backlog+0x3c/0x480 [ 75.739578][ T5341] codel_change+0x859/0xae0 [ 75.741636][ T5341] ? is_dynamic_key+0xd6/0x1c0 [ 75.743894][ T5341] ? qdisc_alloc+0x789/0xaa0 [ 75.745980][ T5341] ? qdisc_create+0x12c/0xea0 [ 75.748113][ T5341] ? rtnetlink_rcv_msg+0x77c/0xb70 [ 75.750307][ T5341] ? netlink_rcv_skb+0x205/0x470 [ 75.752595][ T5341] ? netlink_unicast+0x758/0x8d0 [ 75.754786][ T5341] ? netlink_sendmsg+0x805/0xb30 [ 75.757129][ T5341] ? __sock_sendmsg+0x219/0x270 [ 75.759423][ T5341] ? ____sys_sendmsg+0x505/0x830 [ 75.761716][ T5341] ? ___sys_sendmsg+0x21f/0x2a0 [ 75.763990][ T5341] ? __x64_sys_sendmsg+0x19b/0x260 [ 75.766283][ T5341] ? __pfx_codel_change+0x10/0x10 [ 75.768450][ T5341] codel_init+0x1f7/0x3e0 [ 75.770376][ T5341] ? __pfx_codel_init+0x10/0x10 [ 75.773095][ T5341] qdisc_create+0x7a9/0xea0 [ 75.775606][ T5341] tc_modify_qdisc+0x1426/0x2010 [ 75.778007][ T5341] ? __pfx_tc_modify_qdisc+0x10/0x10 [ 75.780414][ T5341] ? __pfx_tc_modify_qdisc+0x10/0x10 [ 75.782636][ T5341] rtnetlink_rcv_msg+0x77c/0xb70 [ 75.784809][ T5341] ? rtnetlink_rcv_msg+0x1ab/0xb70 [ 75.787041][ T5341] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.789496][ T5341] ? ref_tracker_free+0x63a/0x7d0 [ 75.791823][ T5341] ? __copy_skb_header+0xa7/0x550 [ 75.794224][ T5341] ? __pfx_ref_tracker_free+0x10/0x10 [ 75.797012][ T5341] ? 
__skb_clone+0x63/0x7a0 [ 75.799198][ T5341] netlink_rcv_skb+0x205/0x470 [ 75.801259][ T5341] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.803764][ T5341] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 75.806358][ T5341] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.809084][ T5341] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.811833][ T5341] netlink_unicast+0x758/0x8d0 [ 75.814137][ T5341] netlink_sendmsg+0x805/0xb30 [ 75.816663][ T5341] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.819051][ T5341] ? aa_sock_msg_perm+0x94/0x160 [ 75.821321][ T5341] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 75.823699][ T5341] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.826084][ T5341] __sock_sendmsg+0x219/0x270 [ 75.828160][ T5341] ____sys_sendmsg+0x505/0x830 [ 75.830292][ T5341] ? __pfx_____sys_sendmsg+0x10/0x10 [ 75.832651][ T5341] ? import_iovec+0x74/0xa0 [ 75.834673][ T5341] ___sys_sendmsg+0x21f/0x2a0 [ 75.836732][ T5341] ? __pfx____sys_sendmsg+0x10/0x10 [ 75.839122][ T5341] ? __fget_files+0x2a/0x420 [ 75.841148][ T5341] ? __fget_files+0x3a0/0x420 [ 75.843312][ T5341] __x64_sys_sendmsg+0x19b/0x260 [ 75.845716][ T5341] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 75.848078][ T5341] ? rcu_is_watching+0x15/0xb0 [ 75.850203][ T5341] ? do_syscall_64+0xbe/0x3b0 [ 75.852357][ T5341] do_syscall_64+0xfa/0x3b0 [ 75.854336][ T5341] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.856625][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.859140][ T5341] ? 
clear_bhb_loop+0x60/0xb0 [ 75.861212][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.863745][ T5341] RIP: 0033:0x7f533a98e929 [ 75.865681][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.873717][ T5341] RSP: 002b:00007f533b881038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 75.877295][ T5341] RAX: ffffffffffffffda RBX: 00007f533abb5fa0 RCX: 00007f533a98e929 [ 75.880698][ T5341] RDX: 0000000000000800 RSI: 0000200000000100 RDI: 0000000000000003 [ 75.884071][ T5341] RBP: 00007f533aa10b39 R08: 0000000000000000 R09: 0000000000000000 [ 75.887393][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.890769][ T5341] R13: 0000000000000000 R14: 00007f533abb5fa0 R15: 00007ffd07ff69b8 [ 75.894087][ T5341] [ 75.895401][ T5341] Modules linked in: [ 75.897228][ T5341] ---[ end trace 0000000000000000 ]--- [ 75.899582][ T5341] RIP: 0010:qdisc_tree_reduce_backlog+0x223/0x480 [ 75.902435][ T5341] Code: 89 ef e8 50 04 ab f8 4d 89 ef 85 db 74 0d e8 94 81 47 f8 4c 89 f5 e9 88 00 00 00 48 8b 6d 00 48 8d 45 20 48 89 c3 48 c1 eb 03 <42> 80 3c 33 00 48 89 04 24 74 0d 48 8b 3c 24 e8 19 04 ab f8 48 8b [ 75.910339][ T5341] RSP: 0018:ffffc9000d6070e8 EFLAGS: 00010202 [ 75.912961][ T5341] RAX: 0000000000000020 RBX: 0000000000000004 RCX: 0000000000000002 [ 75.916464][ T5341] RDX: ffff88801fa60000 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.919980][ T5341] RBP: 0000000000000000 R08: ffff88801fa60000 R09: 0000000000000002 [ 75.923493][ T5341] R10: 00000000ffffffff R11: 0000000000000002 R12: 00000000000afff2 [ 75.927038][ T5341] R13: ffff888053036800 R14: dffffc0000000000 R15: ffff888053036800 [ 75.930492][ T5341] FS: 00007f533b8816c0(0000) GS:ffff88808d21b000(0000) knlGS:0000000000000000 [ 75.934432][ T5341] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.937283][ T5341] CR2: 0000200000000240 
CR3: 0000000033d74000 CR4: 0000000000352ef0 [ 75.940911][ T5341] Kernel panic - not syncing: Fatal exception in interrupt [ 75.944340][ T5341] Kernel Offset: disabled [ 75.946230][ T5341] Rebooting in 86400 seconds..