program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) syz_mount_image$iso9660(&(0x7f0000000940), &(0x7f0000000980)='./file0\x00', 0x0, &(0x7f0000000240)={[{}, {@hide}, {@uid}, {@cruft}, {@mode={'mode', 0x3d, 0x1}}, {@nocompress}, {@utf8}, {@check_relaxed}]}, 0x3, 0x921, &(0x7f0000000a00)="$eJzs3c9vHPXdB/D3OPaDnwVBgDw8UQRkExow4Dprp4RaXOp4185S21vZjkTUQ0NJqKJYpYJWAtRDKlU9FbWHqof2xrEnJC5wqfJX9NAL/wLqKTdXM2snDni9xnW8wX29rPH8+sz3+5md2flqf803fJutr69Xwx7nL/3tIJPlwXOh+cXHn3xUDr+5mf/JkbxSfJaMJqknw0mOJyOzzeXOYp+CbiRXktxKiiQPpTvelSsp/pBH7s7fSvHXsl7uv3X+qw36/AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAdRMdtsNCaLLLSXLr1R763qAnyH9ZvlfV71+l183rfepCiHjI5udvV9/Njd1U+V/07n6e7c01WH5BnNhw8/dfS1J4eHNrffIaED8d4HH954c23t2ruDTmRA5ltL7ZVOe3FmvlVvr3Tq0+fPN85enFupz7UXWiuXV1Zbi/XZ5dbMame5Pjb7Yn1yevpcvTVxuXNpab45s9DaXPjqd6cajfP11yd+1JpZXuksnX19YmX2Ynthob00X8WUq8uYV8sT8Yft1fpqa2axXn/7+tq1c/2SLIMmdxM01S9oqjE1NTk5NTV5/pXpV15tNIa/tqDxFflaxOBPWgZr36/hsFdDG+1/FtLOUi7ljdS3/ZtNM8vpZLHH+g2b7f+Zs60d693a/m+28sfvrj6Rqv1/tjv3bK/2v0cuB/f3Xj7Ih7mRN7OWtVzLuwPP6GD/5tPKUtpZSSftLGamWlLfWFLPdM7nfBr5SS5mLiupZy7tLKSVlVzOSlbTqs6o2SynlZmsppPl1DOW2byYeiYznemcSz2tTORyOrmUpcynmZmqlLdzvXrcz+2Q452gyd0ETe0QpP3nP3c/LuOwJ+ub7T8AAABwaBXVu+/l6/+RPFNNzbUXWo1BpwUAAADso+qT/6fL0Ug59UwKr/8BAADgsCmq39gVSWo52Z3a/CWUNwEAAADgkKg+/3+2HNXKqZMpvP4HAACAw6b/Pfb7RhTjm7f/rV/tjq9uRGzc57c2115oTcx2Fl6bzPPVXQaqXxpsW9pI9fODl3KqG3Wq1h3X7i1xtIyanHhtMi/l9MaOjD1Xjp4b2yZyqhv5QjfyhR0iz5WRAHDYne7THu+m/X8p492I8RNlY5rhE9u0rA0tKwA8KPr3sdM3ovhen9f/T9z5SsFE3so7WcvVjFe/Nqi+cbBtqbUtX0MY7/NuQG1LDy/jfd4PqG3p6GW8zzsCtS3dywDAYXK6Tzu8m/Z/vM/r/5qvFALAA+VOD/b3cWLQ+wgA3EsrDQAAAAAAAAAAAAAAAAAAAAAAAAAAAPvvIO7/b8KEiW/bxKCvTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByEIjmy3fKh5KEkjSRnDz6r++fmoBMYsOJ2buf9PDroPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADpuN+/8PpTt+uLsow0PJmSRXkvx40Dnup9uDTmDAttz/vzzmWS8y3D3sKUZmm8udxfLwV30/DH3x8ScflcNe6ikLKGu4p3OJjRp6b/V4tVWtee29G7985xf15oUqyQurcwvNxfnlH9wNfKr4NKmnO2zazPfXZ/7+x232/NNyT3dX71xVb/Pr9f7/dlvvXO9Orq9dmyprWm29sfqrn19/f8uqJ3IqeW4sGbu3pp+VQ4+aTmVkp9qKL4vfFY/mz7lSHf/y0SjWi/IQPVbt//++fX3t2sRb76xd7ZHT0ZxMcjUZ3X1OJ6vrybaqs25opKy1UQWV/471KW9HW0qc7LEPj1enTO0b7UO99z5U+jzuGxmd65HRk3n+Gx/p5/vUuK3iy+KfxcX8I7/d0v/HUHn8z2Q3z84yporccqb0jBzqRlZ7PrVjmT2fldwHv89P8/07x39oy/V/41gdzPVoS40H9LyoWqRjX2mRNq4+vbbZyPNYN6pHnv+Xl5PhE9/oivJynyvK/Xr+/6UYy79yU/8/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAg69Ijmy3fCg5k+RoksfK+Xqyvh/1DdWK/Shmz24OtPbBK27ndt7Po4POAwAAAAAAAID9caH5xceffFQO1efxR/Kd4rNktPtJ/3CSo8WfRmaby53FPgWNJFeS3NpDDuV2eeTu/K1y7vgeCgIAduXfAQAA//+0Imbz") mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) lsetxattr(&(0x7f0000000100)='./file1\x00', &(0x7f0000000740)=@known='trusted.overlay.impure\x00', 0x0, 0x0, 0x1) mkdir(&(0x7f0000000300)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000340), 0x0, &(0x7f0000000080)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]}) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) r2 = socket(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000700)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0}) connect$can_j1939(r2, &(0x7f0000002340)={0x1d, r4, 0x3, {0x2, 0xff, 0x2}, 0x1}, 0x18) sendmsg$nl_route_sched(r2, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000d00)=@newqdisc={0x38, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r4, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_bfifo={{0xa}, {0x8, 0x2, 0xb2d}}]}, 0x38}}, 0x44080) r5 = socket(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000100)=@newqdisc={0x30, 0x24, 0xd0f, 0x70bd2a, 0x0, {0x60, 0x0, 0x0, r4, {0x0, 0x5}, {0xc, 0xa}, {0x0, 0xc}}, [@qdisc_kind_options=@q_pie={{0x8}, {0x4}}]}, 0x30}}, 0x4810) sendmmsg$inet6(r1, &(0x7f00000031c0)=[{{&(0x7f0000000000)={0xa, 0x4e23, 0x9, @dev={0xfe, 0x80, '\x00', 0x33}, 0x9}, 0x1c, &(0x7f0000000040)=[{&(0x7f00000000c0)="8e", 0x1}], 0x1}}], 0x1, 0x4040) getsockname$packet(0xffffffffffffffff, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000b00)=@newqdisc={0x48, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x1c, 0x2, [@TCA_HTB_INIT={0x18, 0x2, {0x3, 0x7, 0x8000}}]}}]}, 0x48}}, 0x0) r7 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r7, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) r9 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r9, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000b80)=@newqdisc={0x30, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r8, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_red={{0x8}, {0x4}}]}, 0x30}, 0x1, 0x7a00}, 0x0) r10 = socket$netlink(0x10, 0x3, 0x0) sendmmsg(r10, &(0x7f00000002c0), 0x40000000000009f, 0x0) r11 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00') read$FUSE(r11, &(0x7f0000000300)={0x2020}, 0x2020) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000340)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0) ioctl$TUNSETVNETHDRSZ(r11, 0x400454d8, &(0x7f0000002380)=0x7) r12 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_ADD(r12, &(0x7f0000000280)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000240)={&(0x7f00000023c0)=ANY=[@ANYBLOB="ff0000000906010400000000000000000700000824002aece24b8a479793078006001d40000900000c00028008000140ac1e0001c3436cb5270a001a002344272c5d000000050001009515000030000240ff020000000000000000000000000001100007800c00fd7f088c00080000000000000940008500060900020073797a00"/140], 0x84}, 0x1, 0x0, 0x0, 0x20000080}, 0x40000) [ 74.726065][ T4684] Bluetooth: hci0: command tx timeout [ 74.811681][ T5336] loop0: detected capacity change from 0 to 1764 [ 74.875914][ T5336] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] SMP KASAN NOPTI [ 74.880953][ T5336] KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] [ 74.884505][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted 6.16.0-rc5-syzkaller-00053-g8c2e52ebbe88 #0 PREEMPT(full) [ 74.889508][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.894124][ T5336] RIP: 0010:qdisc_tree_reduce_backlog+0x223/0x480 [ 74.896976][ T5336] Code: 89 ef e8 50 04 ab f8 4d 89 ef 85 db 74 0d e8 94 81 47 f8 4c 89 f5 e9 88 00 00 00 48 8b 6d 00 48 8d 45 20 48 89 c3 48 c1 eb 03 <42> 80 3c 33 00 48 89 04 24 74 0d 48 8b 3c 24 e8 19 04 ab f8 48 8b [ 74.904971][ T5336] RSP: 0018:ffffc9000d3cf0c8 EFLAGS: 00010202 [ 74.907686][ T5336] RAX: 0000000000000020 RBX: 0000000000000004 RCX: 0000000000000002 [ 74.911131][ T5336] RDX: ffff888034da8000 RSI: 0000000000000000 RDI: 0000000000000000 [ 74.914532][ T5336] RBP: 0000000000000000 R08: ffff888034da8000 R09: 0000000000000002 [ 74.917856][ T5336] R10: 00000000ffffffff R11: 0000000000000002 R12: 00000000000a000c [ 74.921373][ T5336] R13: ffff88801234d800 R14: dffffc0000000000 R15: ffff88801234d800 [ 74.924702][ T5336] FS: 00007f2a8ceb76c0(0000) GS:ffff88808d21b000(0000) knlGS:0000000000000000 [ 74.928455][ T5336] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 74.931286][ T5336] CR2: 00007f3bffb57000 CR3: 0000000040fab000 CR4: 0000000000352ef0 [ 74.934622][ T5336] Call Trace: [ 74.936158][ T5336] [ 74.937429][ T5336] ? qdisc_tree_reduce_backlog+0x3c/0x480 [ 74.940140][ T5336] pie_change+0x96d/0xca0 [ 74.942254][ T5336] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 74.945208][ T5336] ? lockdep_hardirqs_on+0x9c/0x150 [ 74.947536][ T5336] ? __pfx_pie_change+0x10/0x10 [ 74.949637][ T5336] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 74.952316][ T5336] ? timer_init_key+0x171/0x2d0 [ 74.954659][ T5336] ? __pfx_pie_init+0x10/0x10 [ 74.956661][ T5336] pie_init+0x2a3/0x3f0 [ 74.958676][ T5336] qdisc_create+0x7a9/0xea0 [ 74.960919][ T5336] tc_modify_qdisc+0x1426/0x2010 [ 74.963308][ T5336] ? __pfx_tc_modify_qdisc+0x10/0x10 [ 74.965711][ T5336] ? __pfx_tc_modify_qdisc+0x10/0x10 [ 74.967977][ T5336] rtnetlink_rcv_msg+0x77c/0xb70 [ 74.970854][ T5336] ? rtnetlink_rcv_msg+0x1ab/0xb70 [ 74.973206][ T5336] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.975821][ T5336] ? ref_tracker_free+0x63a/0x7d0 [ 74.978038][ T5336] ? __copy_skb_header+0xa7/0x550 [ 74.980494][ T5336] ? __pfx_ref_tracker_free+0x10/0x10 [ 74.983052][ T5336] ? __skb_clone+0x63/0x7a0 [ 74.985142][ T5336] netlink_rcv_skb+0x205/0x470 [ 74.987346][ T5336] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.989689][ T5336] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.992028][ T5336] ? netlink_deliver_tap+0x2e/0x1b0 [ 74.994133][ T5336] ? netlink_deliver_tap+0x2e/0x1b0 [ 74.996531][ T5336] netlink_unicast+0x758/0x8d0 [ 74.998494][ T5336] netlink_sendmsg+0x805/0xb30 [ 75.000515][ T5336] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.002654][ T5336] ? aa_sock_msg_perm+0x94/0x160 [ 75.004794][ T5336] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 75.007034][ T5336] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.009371][ T5336] __sock_sendmsg+0x219/0x270 [ 75.011557][ T5336] ____sys_sendmsg+0x505/0x830 [ 75.013549][ T5336] ? __pfx_____sys_sendmsg+0x10/0x10 [ 75.015939][ T5336] ? import_iovec+0x74/0xa0 [ 75.017848][ T5336] ___sys_sendmsg+0x21f/0x2a0 [ 75.019786][ T5336] ? __pfx____sys_sendmsg+0x10/0x10 [ 75.021997][ T5336] ? __fget_files+0x2a/0x420 [ 75.023895][ T5336] ? __fget_files+0x3a0/0x420 [ 75.025919][ T5336] __x64_sys_sendmsg+0x19b/0x260 [ 75.028176][ T5336] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 75.030608][ T5336] ? rcu_is_watching+0x15/0xb0 [ 75.032542][ T5336] ? do_syscall_64+0xbe/0x3b0 [ 75.034463][ T5336] do_syscall_64+0xfa/0x3b0 [ 75.036397][ T5336] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.038350][ T5336] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.040546][ T5336] ? clear_bhb_loop+0x60/0xb0 [ 75.042567][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.045001][ T5336] RIP: 0033:0x7f2a8bf8e929 [ 75.046868][ T5336] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.055708][ T5336] RSP: 002b:00007f2a8ceb7038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 75.059442][ T5336] RAX: ffffffffffffffda RBX: 00007f2a8c1b5fa0 RCX: 00007f2a8bf8e929 [ 75.063461][ T5336] RDX: 0000000000004810 RSI: 0000200000000040 RDI: 0000000000000009 [ 75.066980][ T5336] RBP: 00007f2a8c010b39 R08: 0000000000000000 R09: 0000000000000000 [ 75.070988][ T5336] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.074477][ T5336] R13: 0000000000000000 R14: 00007f2a8c1b5fa0 R15: 00007ffdb9567b88 [ 75.077935][ T5336] [ 75.079416][ T5336] Modules linked in: [ 75.081258][ T5336] ---[ end trace 0000000000000000 ]--- [ 75.083715][ T5336] RIP: 0010:qdisc_tree_reduce_backlog+0x223/0x480 [ 75.086461][ T5336] Code: 89 ef e8 50 04 ab f8 4d 89 ef 85 db 74 0d e8 94 81 47 f8 4c 89 f5 e9 88 00 00 00 48 8b 6d 00 48 8d 45 20 48 89 c3 48 c1 eb 03 <42> 80 3c 33 00 48 89 04 24 74 0d 48 8b 3c 24 e8 19 04 ab f8 48 8b [ 75.094238][ T5336] RSP: 0018:ffffc9000d3cf0c8 EFLAGS: 00010202 [ 75.096543][ T5336] RAX: 0000000000000020 RBX: 0000000000000004 RCX: 0000000000000002 [ 75.099926][ T5336] RDX: ffff888034da8000 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.103474][ T5336] RBP: 0000000000000000 R08: ffff888034da8000 R09: 0000000000000002 [ 75.107189][ T5336] R10: 00000000ffffffff R11: 0000000000000002 R12: 00000000000a000c [ 75.110760][ T5336] R13: ffff88801234d800 R14: dffffc0000000000 R15: ffff88801234d800 [ 75.114252][ T5336] FS: 00007f2a8ceb76c0(0000) GS:ffff88808d21b000(0000) knlGS:0000000000000000 [ 75.118252][ T5336] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.121229][ T5336] CR2: 00007f3bffb57000 CR3: 0000000040fab000 CR4: 0000000000352ef0 [ 75.124854][ T5336] Kernel panic - not syncing: Fatal exception in interrupt [ 75.128411][ T5336] Kernel Offset: disabled [ 75.130386][ T5336] Rebooting in 86400 seconds..