program: r0 = socket(0x10, 0x3, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c) listen(r1, 0x0) setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000200)=0x8, 0x4) syz_emit_ethernet(0x36, &(0x7f00000003c0)={@local, @link_local, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @empty, @empty}, {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x0, 0x5, 0x10}}}}}}, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0}) r4 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@struct]}}, 0x0, 0x26}, 0x20) r5 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0xd, 0x3, &(0x7f0000000040)=@framed, &(0x7f0000000080)='GPL\x00', 0x5, 0x1f6, &(0x7f00000002c0)=""/168, 0x0, 0x0, '\x00', 0x0, @sock_ops, r4, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200), 0x1}, 0x6d) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f00000006c0)={r5, 0xe0, &(0x7f00000005c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000014c0), 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x8, 0x0, 0x0}}, 0x10) sendmsg$nl_route_sched(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000007c0)=@newqdisc={0x2c, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r3, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_qfg={0x8}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4040014}, 0x0) r6 = socket(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0}) sendmsg$nl_route_sched(r6, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000002340)=@newqdisc={0x40, 0x24, 0xd0f, 0x0, 0x0, {0x60, 0x0, 0x0, r8, {}, {0xfff2, 0xa}, {0x2}}, [@qdisc_kind_options=@q_fq_codel={{0xd}, {0xc, 0x2, [@TCA_FQ_CODEL_CE_THRESHOLD={0x8, 0x7, 0x1}]}}]}, 0x40}}, 0x4000) bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0xd, 0x4, &(0x7f0000000000)=@framed={{}, [@ldst={0x1, 0x2, 0x3, 0x0, 0x1, 0xad}]}, &(0x7f0000000100)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sock_ops, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) r9 = socket$inet6_sctp(0xa, 0x1, 0x84) sendmmsg$inet6(r9, &(0x7f0000003c40)=[{{&(0x7f0000000080)={0xa, 0x4e23, 0x0, @loopback}, 0x1c, &(0x7f0000000240)=[{&(0x7f0000000140)="03", 0x1}], 0x1}}], 0x1, 0x0) socket(0x10, 0x3, 0x0) (async) socket$inet6_tcp(0xa, 0x1, 0x0) (async) bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c) (async) listen(r1, 0x0) (async) setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000200)=0x8, 0x4) (async) syz_emit_ethernet(0x36, &(0x7f00000003c0)={@local, @link_local, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @empty, @empty}, {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x0, 0x5, 0x10}}}}}}, 0x0) (async) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)) (async) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'lo\x00'}) (async) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@struct]}}, 0x0, 0x26}, 0x20) (async) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0xd, 0x3, &(0x7f0000000040)=@framed, &(0x7f0000000080)='GPL\x00', 0x5, 0x1f6, &(0x7f00000002c0)=""/168, 0x0, 0x0, '\x00', 0x0, @sock_ops, r4, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000200), 0x1}, 0x6d) (async) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f00000006c0)={r5, 0xe0, &(0x7f00000005c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000014c0), 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x8, 0x0, 0x0}}, 0x10) (async) sendmsg$nl_route_sched(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000007c0)=@newqdisc={0x2c, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r3, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_qfg={0x8}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4040014}, 0x0) (async) socket(0x10, 0x3, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)) (async) ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000000)={'lo\x00'}) (async) sendmsg$nl_route_sched(r6, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000002340)=@newqdisc={0x40, 0x24, 0xd0f, 0x0, 0x0, {0x60, 0x0, 0x0, r8, {}, {0xfff2, 0xa}, {0x2}}, [@qdisc_kind_options=@q_fq_codel={{0xd}, {0xc, 0x2, [@TCA_FQ_CODEL_CE_THRESHOLD={0x8, 0x7, 0x1}]}}]}, 0x40}}, 0x4000) (async) bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0xd, 0x4, &(0x7f0000000000)=@framed={{}, [@ldst={0x1, 0x2, 0x3, 0x0, 0x1, 0xad}]}, &(0x7f0000000100)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sock_ops, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) (async) socket$inet6_sctp(0xa, 0x1, 0x84) (async) sendmmsg$inet6(r9, &(0x7f0000003c40)=[{{&(0x7f0000000080)={0xa, 0x4e23, 0x0, @loopback}, 0x1c, &(0x7f0000000240)=[{&(0x7f0000000140)="03", 0x1}], 0x1}}], 0x1, 0x0) (async) [ 75.537822][ T4688] Bluetooth: hci0: command tx timeout [ 75.599117][ T5340] Oops: general protection fault, probably for non-canonical address 0xdffffc000000000b: 0000 [#1] SMP KASAN NOPTI [ 75.605790][ T5340] KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f] [ 75.611063][ T5340] CPU: 0 UID: 0 PID: 5340 Comm: syz.0.0 Not tainted 6.16.0-rc5-syzkaller-00053-g8c2e52ebbe88 #0 PREEMPT(full) [ 75.615881][ T5340] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.620657][ T5340] RIP: 0010:qfq_qlen_notify+0x29/0x70 [ 75.623154][ T5340] Code: 90 f3 0f 1e fa 41 57 41 56 53 48 89 f3 49 89 fe e8 bc 35 37 f8 4c 8d 7b 58 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ff e8 49 b8 9a f8 49 8b 07 4c 39 f8 74 1c [ 75.632190][ T5340] RSP: 0018:ffffc9000d3a7088 EFLAGS: 00010202 [ 75.635283][ T5340] RAX: 000000000000000b RBX: 0000000000000000 RCX: dffffc0000000000 [ 75.638899][ T5340] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880532d4000 [ 75.642428][ T5340] RBP: dffffc0000000000 R08: ffff88801c4e2440 R09: 0000000000000002 [ 75.646438][ T5340] R10: 00000000ffffffff R11: ffffffff8988f0a0 R12: 0000000000000000 [ 75.651080][ T5340] R13: ffff8880532d4000 R14: ffff8880532d4000 R15: 0000000000000058 [ 75.654806][ T5340] FS: 00007fb604f926c0(0000) GS:ffff88808d21b000(0000) knlGS:0000000000000000 [ 75.659241][ T5340] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.662282][ T5340] CR2: 0000200000002340 CR3: 000000003ff45000 CR4: 0000000000352ef0 [ 75.666193][ T5340] Call Trace: [ 75.667946][ T5340] [ 75.669447][ T5340] qdisc_tree_reduce_backlog+0x299/0x480 [ 75.672162][ T5340] ? qdisc_tree_reduce_backlog+0x3c/0x480 [ 75.674709][ T5340] fq_codel_change+0xa96/0xef0 [ 75.676810][ T5340] ? __kmalloc_cache_noprof+0x230/0x3d0 [ 75.679533][ T5340] ? __pfx_fq_codel_change+0x10/0x10 [ 75.682676][ T5340] ? __sock_sendmsg+0x219/0x270 [ 75.685341][ T5340] fq_codel_init+0x355/0x960 [ 75.687386][ T5340] ? lockdep_rtnl_is_held+0x26/0x40 [ 75.689495][ T5340] ? __pfx_fq_codel_init+0x10/0x10 [ 75.691614][ T5340] qdisc_create+0x7a9/0xea0 [ 75.693588][ T5340] tc_modify_qdisc+0x1426/0x2010 [ 75.695518][ T5340] ? __pfx_tc_modify_qdisc+0x10/0x10 [ 75.697853][ T5340] ? __pfx_tc_modify_qdisc+0x10/0x10 [ 75.700164][ T5340] rtnetlink_rcv_msg+0x77c/0xb70 [ 75.702499][ T5340] ? rtnetlink_rcv_msg+0x1ab/0xb70 [ 75.704965][ T5340] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.707764][ T5340] ? ref_tracker_free+0x63a/0x7d0 [ 75.710504][ T5340] ? __copy_skb_header+0xa7/0x550 [ 75.713026][ T5340] ? __pfx_ref_tracker_free+0x10/0x10 [ 75.715240][ T5340] ? __skb_clone+0x63/0x7a0 [ 75.717107][ T5340] netlink_rcv_skb+0x205/0x470 [ 75.719073][ T5340] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.721381][ T5340] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 75.723663][ T5340] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.725943][ T5340] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.728632][ T5340] netlink_unicast+0x758/0x8d0 [ 75.731764][ T5340] netlink_sendmsg+0x805/0xb30 [ 75.734274][ T5340] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.736567][ T5340] ? aa_sock_msg_perm+0x94/0x160 [ 75.738806][ T5340] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 75.741217][ T5340] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.743635][ T5340] __sock_sendmsg+0x219/0x270 [ 75.745794][ T5340] ____sys_sendmsg+0x505/0x830 [ 75.747758][ T5340] ? __pfx_____sys_sendmsg+0x10/0x10 [ 75.750132][ T5340] ? import_iovec+0x74/0xa0 [ 75.752988][ T5340] ___sys_sendmsg+0x21f/0x2a0 [ 75.755778][ T5340] ? __pfx____sys_sendmsg+0x10/0x10 [ 75.758640][ T5340] ? __fget_files+0x2a/0x420 [ 75.760652][ T5340] ? __fget_files+0x3a0/0x420 [ 75.762587][ T5340] __x64_sys_sendmsg+0x19b/0x260 [ 75.764768][ T5340] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 75.767146][ T5340] ? rcu_is_watching+0x15/0xb0 [ 75.769289][ T5340] ? do_syscall_64+0xbe/0x3b0 [ 75.771424][ T5340] do_syscall_64+0xfa/0x3b0 [ 75.773475][ T5340] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.775739][ T5340] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.778670][ T5340] ? clear_bhb_loop+0x60/0xb0 [ 75.781047][ T5340] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.784445][ T5340] RIP: 0033:0x7fb60418e929 [ 75.786856][ T5340] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.795200][ T5340] RSP: 002b:00007fb604f92038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 75.798878][ T5340] RAX: ffffffffffffffda RBX: 00007fb6043b5fa0 RCX: 00007fb60418e929 [ 75.802322][ T5340] RDX: 0000000000004000 RSI: 0000200000000040 RDI: 0000000000000009 [ 75.806241][ T5340] RBP: 00007fb604210b39 R08: 0000000000000000 R09: 0000000000000000 [ 75.809834][ T5340] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.813424][ T5340] R13: 0000000000000000 R14: 00007fb6043b5fa0 R15: 00007ffdbcf97058 [ 75.817117][ T5340] [ 75.819034][ T5340] Modules linked in: [ 75.821452][ T5340] ---[ end trace 0000000000000000 ]--- [ 75.824450][ T5340] RIP: 0010:qfq_qlen_notify+0x29/0x70 [ 75.826886][ T5340] Code: 90 f3 0f 1e fa 41 57 41 56 53 48 89 f3 49 89 fe e8 bc 35 37 f8 4c 8d 7b 58 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ff e8 49 b8 9a f8 49 8b 07 4c 39 f8 74 1c [ 75.835367][ T5340] RSP: 0018:ffffc9000d3a7088 EFLAGS: 00010202 [ 75.838160][ T5340] RAX: 000000000000000b RBX: 0000000000000000 RCX: dffffc0000000000 [ 75.842000][ T5340] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880532d4000 [ 75.845805][ T5340] RBP: dffffc0000000000 R08: ffff88801c4e2440 R09: 0000000000000002 [ 75.849662][ T5340] R10: 00000000ffffffff R11: ffffffff8988f0a0 R12: 0000000000000000 [ 75.853085][ T5340] R13: ffff8880532d4000 R14: ffff8880532d4000 R15: 0000000000000058 [ 75.856498][ T5340] FS: 00007fb604f926c0(0000) GS:ffff88808d21b000(0000) knlGS:0000000000000000 [ 75.860652][ T5340] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.863886][ T5340] CR2: 0000200000002340 CR3: 000000003ff45000 CR4: 0000000000352ef0 [ 75.867939][ T5340] Kernel panic - not syncing: Fatal exception in interrupt [ 75.871414][ T5340] Kernel Offset: disabled [ 75.873352][ T5340] Rebooting in 86400 seconds..