program:
r0 = socket(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0})
sendmsg$nl_route_sched(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000440)=@newqdisc={0x44, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r2, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_hfsc={{0x9}, {0x14, 0x2, @TCA_HFSC_USC={0x10, 0x3, {0x1, 0x81, 0xc}}}}]}, 0x44}}, 0x44080)
sendmsg$nl_route_sched(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000300)=@newqdisc={0x34, 0x24, 0xd0f, 0x70bd25, 0x0, {0x60, 0x0, 0x0, r2, {}, {0x9, 0xa}, {0x0, 0x15}}, [@qdisc_kind_options=@q_codel={{0xa}, {0x4}}]}, 0x34}, 0x1, 0x0, 0x0, 0x20000040}, 0x4000)

[ 85.188204][ T5326] Bluetooth: hci0: command tx timeout
[ 85.288244][ T5348] Oops: general protection fault, probably for non-canonical address 0xdffffc000000005d: 0000 [#1] SMP KASAN NOPTI
[ 85.293340][ T5348] KASAN: null-ptr-deref in range [0x00000000000002e8-0x00000000000002ef]
[ 85.297013][ T5348] CPU: 0 UID: 0 PID: 5348 Comm: syz.0.0 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(full)
[ 85.301148][ T5348] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.305689][ T5348] RIP: 0010:hfsc_qlen_notify+0x2e/0x160
[ 85.308133][ T5348] Code: 55 41 57 41 56 41 55 41 54 53 48 89 f3 49 bc 00 00 00 00 00 fc ff df e8 e0 74 3d f8 4c 8d b3 ec 02 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 e8 00 00 00 41 8b 2e 31 ff 89 ee e8 f9
[ 85.316345][ T5348] RSP: 0018:ffffc9000d58f0b0 EFLAGS: 00010203
[ 85.318935][ T5348] RAX: 000000000000005d RBX: 0000000000000000 RCX: 0000000000100000
[ 85.322350][ T5348] RDX: ffffc9000e09a000 RSI: 00000000000002fd RDI: 00000000000002fe
[ 85.325802][ T5348] RBP: dffffc0000000000 R08: ffff888033090000 R09: 0000000000000002
[ 85.329142][ T5348] R10: 00000000ffffffff R11: ffffffff8982b100 R12: dffffc0000000000
[ 85.332631][ T5348] R13: ffff88803362e000 R14: 00000000000002ec R15: ffff88803362e000
[ 85.336073][ T5348] FS: 00007fc954dc46c0(0000) GS:ffff88808d21d000(0000) knlGS:0000000000000000
[ 85.339980][ T5348] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.342833][ T5348] CR2: 00005632a830e168 CR3: 000000004351d000 CR4: 0000000000352ef0
[ 85.346229][ T5348] Call Trace:
[ 85.347618][ T5348]
[ 85.348898][ T5348] qdisc_tree_reduce_backlog+0x29c/0x480
[ 85.351389][ T5348] ? qdisc_tree_reduce_backlog+0x3c/0x480
[ 85.353873][ T5348] codel_change+0x859/0xae0
[ 85.355840][ T5348] ? is_dynamic_key+0xd6/0x1c0
[ 85.357947][ T5348] ? qdisc_alloc+0x789/0xaa0
[ 85.359963][ T5348] ? qdisc_create+0x12c/0xea0
[ 85.362031][ T5348] ? rtnetlink_rcv_msg+0x779/0xb70
[ 85.364282][ T5348] ? netlink_rcv_skb+0x208/0x470
[ 85.366380][ T5348] ? netlink_unicast+0x75b/0x8d0
[ 85.368490][ T5348] ? netlink_sendmsg+0x805/0xb30
[ 85.370637][ T5348] ? __sock_sendmsg+0x21c/0x270
[ 85.372797][ T5348] ? ____sys_sendmsg+0x505/0x830
[ 85.374901][ T5348] ? ___sys_sendmsg+0x21f/0x2a0
[ 85.376767][ T5348] ? __x64_sys_sendmsg+0x19b/0x260
[ 85.378889][ T5348] ? __pfx_codel_change+0x10/0x10
[ 85.380992][ T5348] codel_init+0x1f7/0x3e0
[ 85.382826][ T5348] ? __pfx_codel_init+0x10/0x10
[ 85.384989][ T5348] qdisc_create+0x7ac/0xea0
[ 85.386960][ T5348] tc_modify_qdisc+0x1426/0x2010
[ 85.389086][ T5348] ? __pfx_tc_modify_qdisc+0x10/0x10
[ 85.391167][ T5348] ? __pfx_tc_modify_qdisc+0x10/0x10
[ 85.393270][ T5348] rtnetlink_rcv_msg+0x779/0xb70
[ 85.395305][ T5348] ? rtnetlink_rcv_msg+0x1ab/0xb70
[ 85.397310][ T5348] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 85.399402][ T5348] ? ref_tracker_free+0x63a/0x7d0
[ 85.401556][ T5348] ? __copy_skb_header+0xa7/0x550
[ 85.403866][ T5348] ? __pfx_ref_tracker_free+0x10/0x10
[ 85.406191][ T5348] ? __skb_clone+0x63/0x7a0
[ 85.408147][ T5348] netlink_rcv_skb+0x208/0x470
[ 85.410151][ T5348] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 85.412539][ T5348] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 85.414796][ T5348] ? netlink_deliver_tap+0x2e/0x1b0
[ 85.417006][ T5348] ? netlink_deliver_tap+0x2e/0x1b0
[ 85.419382][ T5348] netlink_unicast+0x75b/0x8d0
[ 85.421490][ T5348] netlink_sendmsg+0x805/0xb30
[ 85.423530][ T5348] ? __pfx_netlink_sendmsg+0x10/0x10
[ 85.425825][ T5348] ? aa_sock_msg_perm+0x94/0x160
[ 85.427958][ T5348] ? bpf_lsm_socket_sendmsg+0x9/0x20
[ 85.430384][ T5348] ? __pfx_netlink_sendmsg+0x10/0x10
[ 85.433470][ T5348] __sock_sendmsg+0x21c/0x270
[ 85.436241][ T5348] ____sys_sendmsg+0x505/0x830
[ 85.439165][ T5348] ? __pfx_____sys_sendmsg+0x10/0x10
[ 85.441417][ T5348] ? import_iovec+0x74/0xa0
[ 85.443319][ T5348] ___sys_sendmsg+0x21f/0x2a0
[ 85.445290][ T5348] ? __pfx____sys_sendmsg+0x10/0x10
[ 85.447546][ T5348] ? __fget_files+0x2a/0x420
[ 85.449498][ T5348] ? __fget_files+0x3a0/0x420
[ 85.451552][ T5348] __x64_sys_sendmsg+0x19b/0x260
[ 85.453963][ T5348] ? __pfx___x64_sys_sendmsg+0x10/0x10
[ 85.456411][ T5348] ? rcu_is_watching+0x15/0xb0
[ 85.458506][ T5348] ? do_syscall_64+0xbe/0x3b0
[ 85.460592][ T5348] do_syscall_64+0xfa/0x3b0
[ 85.462595][ T5348] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.464894][ T5348] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.467602][ T5348] ? clear_bhb_loop+0x60/0xb0
[ 85.469628][ T5348] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.472076][ T5348] RIP: 0033:0x7fc953f8e929
[ 85.474014][ T5348] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 85.482288][ T5348] RSP: 002b:00007fc954dc4038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 85.485774][ T5348] RAX: ffffffffffffffda RBX: 00007fc9541b5fa0 RCX: 00007fc953f8e929
[ 85.489289][ T5348] RDX: 0000000000004000 RSI: 0000200000000280 RDI: 0000000000000003
[ 85.492813][ T5348] RBP: 00007fc954010b39 R08: 0000000000000000 R09: 0000000000000000
[ 85.496159][ T5348] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.499483][ T5348] R13: 0000000000000000 R14: 00007fc9541b5fa0 R15: 00007ffce2036dd8
[ 85.503169][ T5348]
[ 85.504847][ T5348] Modules linked in:
[ 85.506958][ T5348] ---[ end trace 0000000000000000 ]---
[ 85.509286][ T5348] RIP: 0010:hfsc_qlen_notify+0x2e/0x160
[ 85.511806][ T5348] Code: 55 41 57 41 56 41 55 41 54 53 48 89 f3 49 bc 00 00 00 00 00 fc ff df e8 e0 74 3d f8 4c 8d b3 ec 02 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 e8 00 00 00 41 8b 2e 31 ff 89 ee e8 f9
[ 85.520724][ T5348] RSP: 0018:ffffc9000d58f0b0 EFLAGS: 00010203
[ 85.523564][ T5348] RAX: 000000000000005d RBX: 0000000000000000 RCX: 0000000000100000
[ 85.526932][ T5348] RDX: ffffc9000e09a000 RSI: 00000000000002fd RDI: 00000000000002fe
[ 85.530392][ T5348] RBP: dffffc0000000000 R08: ffff888033090000 R09: 0000000000000002
[ 85.533728][ T5348] R10: 00000000ffffffff R11: ffffffff8982b100 R12: dffffc0000000000
[ 85.537128][ T5348] R13: ffff88803362e000 R14: 00000000000002ec R15: ffff88803362e000
[ 85.540580][ T5348] FS: 00007fc954dc46c0(0000) GS:ffff88808d21d000(0000) knlGS:0000000000000000
[ 85.544393][ T5348] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.547219][ T5348] CR2: 00005632a830e168 CR3: 000000004351d000 CR4: 0000000000352ef0
[ 85.550744][ T5348] Kernel panic - not syncing: Fatal exception in interrupt
[ 85.554103][ T5348] Kernel Offset: disabled
[ 85.555968][ T5348] Rebooting in 86400 seconds..