Unable to handle kernel paging request at virtual address dfff80000000000b
KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff80000000000b] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6272 Comm: syz.4.792 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid_or_report+0x28/0x1fc lib/list_debug.c:49
lr : __list_del_entry_valid include/linux/list.h:124 [inline]
lr : __list_del_entry include/linux/list.h:215 [inline]
lr : list_del_init include/linux/list.h:287 [inline]
lr : drr_qlen_notify+0x2c/0x128 net/sched/sch_drr.c:238
sp : ffff80008f706f60
x29: ffff80008f706f60 x28: 1ffff00010c8ee80 x27: ffff8000864773e0
x26: 00000000000affe0 x25: ffff800086477400 x24: 0000000000000000
x23: 0000000000000000 x22: 000000000000000a x21: 0000000000000058
x20: 0000000000000050 x19: 0000000000000050 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000001
x14: 000000000002693f x13: 0000000000000000 x12: 0000000000000006
x11: 0000000000000002 x10: ffff0000153b28d0 x9 : ffff800089773000
x8 : 0000000000000000 x7 : 78a952c145b7d547 x6 : ffff0000153b2920
x5 : 0000000000000000 x4 : 0000000009400f67 x3 : 0000000000000000
x2 : 000000000000000b x1 : dfff800000000000 x0 : 0000000000000058
Call trace:
__list_del_entry_valid_or_report+0x28/0x1fc lib/list_debug.c:49 (P)
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del_init include/linux/list.h:287 [inline]
drr_qlen_notify+0x2c/0x128 net/sched/sch_drr.c:238
qdisc_tree_reduce_backlog+0x19c/0x398 net/sched/sch_api.c:811
hhf_change+0x724/0xa48 net/sched/sch_hhf.c:571
hhf_init+0x258/0x700 net/sched/sch_hhf.c:597
qdisc_create+0x2e4/0xc04 net/sched/sch_api.c:1324
__tc_modify_qdisc net/sched/sch_api.c:1749 [inline]
tc_modify_qdisc+0xb80/0x17bc net/sched/sch_api.c:1813
rtnetlink_rcv_msg+0x2e8/0x8d4 net/core/rtnetlink.c:6953
netlink_rcv_skb+0x198/0x334 net/netlink/af_netlink.c:2534
rtnetlink_rcv+0x18/0x24 net/core/rtnetlink.c:6971
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x3c0/0x670 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x644/0xa54 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0xc8/0x168 net/socket.c:727
____sys_sendmsg+0x504/0x768 net/socket.c:2566
___sys_sendmsg+0x11c/0x19c net/socket.c:2620
__sys_sendmsg+0x114/0x19c net/socket.c:2652
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2655
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x50/0x198 arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x10c/0x138 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 91002000 f2fbffe1 a9025bf5 d343fc02 (38e16841)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 91002000 add x0, x0, #0x8
4: f2fbffe1 movk x1, #0xdfff, lsl #48
8: a9025bf5 stp x21, x22, [sp, #32]
c: d343fc02 lsr x2, x0, #3
* 10: 38e16841 ldrsb w1, [x2, x1] <-- trapping instruction