8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000048 when read
[00000048] *pgd=84e0b003, *pmd=ecf42003
Internal error: Oops: 205 [#1] SMP ARM
Modules linked in:
CPU: 1 UID: 0 PID: 19814 Comm: syz.1.1561 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT
Hardware name: ARM-Versatile Express
PC is at __list_del_entry_valid_or_report+0xc/0x108 lib/list_debug.c:49
LR is at __list_del_entry_valid include/linux/list.h:124 [inline]
LR is at __list_del_entry include/linux/list.h:215 [inline]
LR is at list_del_init include/linux/list.h:287 [inline]
LR is at drr_qlen_notify+0x1c/0x38 net/sched/sch_drr.c:238
pc : [<808d5254>]    lr : [<81626474>]    psr: 60000013
sp : dfd29a18  ip : dfd29a38  fp : dfd29a34
r10: 873a5000  r9 : 00000000  r8 : 00000000
r7 : 00000000  r6 : ffff0000  r5 : 00000048  r4 : 00000000
r3 : 81626458  r2 : 84953380  r1 : 00000000  r0 : 00000048
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 84953100  DAC: 00000000
Register r0 information: non-paged memory
Register r1 information: NULL pointer
Register r2 information: slab kmalloc-64 start 84953380 pointer offset 0 size 64
Register r3 information: non-slab/vmalloc memory
Register r4 information: NULL pointer
Register r5 information: non-paged memory
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: NULL pointer
Register r9 information: NULL pointer
Register r10 information: slab kmalloc-cg-2k start 873a5000 pointer offset 0 size 2048
Register r11 information: 2-page vmalloc region starting at 0xdfd28000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2599
Register r12 information: 2-page vmalloc region starting at 0xdfd28000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2599
Process syz.1.1561 (pid: 19814, stack limit = 0xdfd28000)
Stack: (0xdfd29a18 to 0xdfd2a000)
9a00:                                                       00000000 00000048
9a20: ffff0000 00000000 dfd29a4c dfd29a38 81626474 808d5254 89e7e000 81e61000
9a40: dfd29a84 dfd29a50 815ecd20 81626464 dfd29a84 00000000 00000002 89e7e200
9a60: 00000002 00000012 89e7e000 00000000 00000000 80060000 dfd29ae4 dfd29a88
9a80: 8163be24 815eccb0 81e61c38 00000000 00000000 00000000 00000000 00000000
9aa0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 d11187c4
9ac0: 89e7e200 8496602c dfd29c50 dfd29b68 00008000 829dd4c0 dfd29b04 dfd29ae8
9ae0: 8163bfa4 8163bc58 89e7e200 873a5000 828103e8 dfd29b68 dfd29b44 dfd29b08
9b00: 815ed52c 8163bf20 dfd29b2c dfd29b18 dfd29b2c 000affe0 81a39ff0 84966000
9b20: 84850d80 00000000 dfd29c50 873a5000 89e7e000 000affe0 dfd29bec dfd29b48
9b40: 815efb5c 815ed3f8 dfd29b68 dfd29b64 dfd29c50 00000001 00000000 d11187c4
9b60: 00000000 00000000 00000000 84966024 8496602c 00000000 00000000 00000000
9b80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ba0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 d11187c4
9bc0: 0000000c 84966000 00000014 82c1d6d8 84850d80 82c1d558 00000000 00000000
9be0: dfd29c4c dfd29bf0 8157e9ac 815ef778 8336d740 dfd29c50 ff9c65c0 00000001
9c00: 00000000 d11187c4 00000000 87d3b800 00400000 009534c0 00000000 d11187c4
9c20: 84850d80 84850d80 8157e874 84966000 00000030 8499e800 00000000 00000000
9c40: dfd29cdc dfd29c50 8165f7c8 8157e880 00000000 00000000 00000000 00000000
9c60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9c80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ca0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 d11187c4
9cc0: 84201000 00000030 85869bc0 84850d80 dfd29cec dfd29ce0 8157d720 8165f714
9ce0: dfd29d1c dfd29cf0 8165efb0 8157d714 7fffffff d11187c4 dfd29f20 84850d80
9d00: 00000030 87d3b800 00000000 00000000 dfd29d84 dfd29d20 8165f27c 8165ee20
9d20: 00000000 00000000 00000000 d11187c4 00000000 00000030 8414cf00 00000000
9d40: 000002f3 00000000 00000000 00000000 80793904 d11187c4 dfd29d84 00000000
9d60: dfd29f20 8503ef00 00000000 dfd29dc4 dfd29dc4 00000000 dfd29da4 dfd29d88
9d80: 81531734 8165f0bc dfd29f20 00004800 8503ef00 00000000 dfd29e14 dfd29da8
9da0: 81531fa4 815316fc dfd29e20 dfd29f30 00000000 00000000 dfd29e14 00000000
9dc0: 81533cbc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9de0: 00000000 d11187c4 0000c051 00000000 dfd29f20 8503ef00 00000000 00004800
9e00: 20000280 dfd29e24 dfd29f14 dfd29e18 81533db0 81531d18 00000000 00000088
9e20: 00000000 20000380 00000030 00000000 00000000 00000000 00000000 00000000
9e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9e60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9e80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ee0: 00000000 d11187c4 dfd29f14 00000003 84d95301 20000280 00004800 84d95300
9f00: 8544e000 00000128 dfd29f94 dfd29f18 81534248 81533d20 00000000 00000000
9f20: 00000000 00000000 00000000 00000000 00010000 00000030 20000380 00000000
9f40: 00000001 00000000 00000000 00000001 00004800 00000000 00000000 00000000
9f60: 00000000 00000000 ecac8b10 d11187c4 00000000 00000000 00000000 002f6300
9f80: 00000128 8020029c dfd29fa4 dfd29f98 815342b0 815341c8 00000000 dfd29fa8
9fa0: 80200060 815342a8 00000000 00000000 00000003 20000280 00004800 00000000
9fc0: 00000000 00000000 002f6300 00000128 002e0000 00000000 00006364 76b4a0bc
9fe0: 76b49ec0 76b49eb0 000193a4 00131f40 60000010 00000003 00000000 00000000
Call trace:
[<808d5248>] (__list_del_entry_valid_or_report) from [<81626474>] (__list_del_entry_valid include/linux/list.h:124 [inline])
[<808d5248>] (__list_del_entry_valid_or_report) from [<81626474>] (__list_del_entry include/linux/list.h:215 [inline])
[<808d5248>] (__list_del_entry_valid_or_report) from [<81626474>] (list_del_init include/linux/list.h:287 [inline])
[<808d5248>] (__list_del_entry_valid_or_report) from [<81626474>] (drr_qlen_notify+0x1c/0x38 net/sched/sch_drr.c:238)
 r7:00000000 r6:ffff0000 r5:00000048 r4:00000000
[<81626458>] (drr_qlen_notify) from [<815ecd20>] (qdisc_tree_reduce_backlog+0x7c/0x138 net/sched/sch_api.c:811)
 r5:81e61000 r4:89e7e000
[<815ecca4>] (qdisc_tree_reduce_backlog) from [<8163be24>] (hhf_change+0x1d8/0x2c8 net/sched/sch_hhf.c:571)
 r10:80060000 r9:00000000 r8:00000000 r7:89e7e000 r6:00000012 r5:00000002 r4:89e7e200
[<8163bc4c>] (hhf_change) from [<8163bfa4>] (hhf_init+0x90/0x19c net/sched/sch_hhf.c:597)
 r9:829dd4c0 r8:00008000 r7:dfd29b68 r6:dfd29c50 r5:8496602c r4:89e7e200
[<8163bf14>] (hhf_init) from [<815ed52c>] (qdisc_create+0x140/0x484 net/sched/sch_api.c:1324)
 r7:dfd29b68 r6:828103e8 r5:873a5000 r4:89e7e200
[<815ed3ec>] (qdisc_create) from [<815efb5c>] (__tc_modify_qdisc net/sched/sch_api.c:1749 [inline])
[<815ed3ec>] (qdisc_create) from [<815efb5c>] (tc_modify_qdisc+0x3f0/0x8d4 net/sched/sch_api.c:1813)
 r10:000affe0 r9:89e7e000 r8:873a5000 r7:dfd29c50 r6:00000000 r5:84850d80 r4:84966000
[<815ef76c>] (tc_modify_qdisc) from [<8157e9ac>] (rtnetlink_rcv_msg+0x138/0x334 net/core/rtnetlink.c:6953)
 r10:00000000 r9:00000000 r8:82c1d558 r7:84850d80 r6:82c1d6d8 r5:00000014 r4:84966000
[<8157e874>] (rtnetlink_rcv_msg) from [<8165f7c8>] (netlink_rcv_skb+0xc0/0x120 net/netlink/af_netlink.c:2534)
 r10:00000000 r9:00000000 r8:8499e800 r7:00000030 r6:84966000 r5:8157e874 r4:84850d80
[<8165f708>] (netlink_rcv_skb) from [<8157d720>] (rtnetlink_rcv+0x18/0x1c net/core/rtnetlink.c:6971)
 r7:84850d80 r6:85869bc0 r5:00000030 r4:84201000
[<8157d708>] (rtnetlink_rcv) from [<8165efb0>] (netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline])
[<8157d708>] (rtnetlink_rcv) from [<8165efb0>] (netlink_unicast+0x19c/0x29c net/netlink/af_netlink.c:1339)
[<8165ee14>] (netlink_unicast) from [<8165f27c>] (netlink_sendmsg+0x1cc/0x444 net/netlink/af_netlink.c:1883)
 r9:00000000 r8:00000000 r7:87d3b800 r6:00000030 r5:84850d80 r4:dfd29f20
[<8165f0b0>] (netlink_sendmsg) from [<81531734>] (sock_sendmsg_nosec net/socket.c:712 [inline])
[<8165f0b0>] (netlink_sendmsg) from [<81531734>] (__sock_sendmsg+0x44/0x78 net/socket.c:727)
 r10:00000000 r9:dfd29dc4 r8:dfd29dc4 r7:00000000 r6:8503ef00 r5:dfd29f20 r4:00000000
[<815316f0>] (__sock_sendmsg) from [<81531fa4>] (____sys_sendmsg+0x298/0x2cc net/socket.c:2566)
 r7:00000000 r6:8503ef00 r5:00004800 r4:dfd29f20
[<81531d0c>] (____sys_sendmsg) from [<81533db0>] (___sys_sendmsg+0x9c/0xd0 net/socket.c:2620)
 r10:dfd29e24 r9:20000280 r8:00004800 r7:00000000 r6:8503ef00 r5:dfd29f20 r4:00000000
[<81533d14>] (___sys_sendmsg) from [<81534248>] (__sys_sendmsg+0x8c/0xe0 net/socket.c:2652)
 r10:00000128 r9:8544e000 r8:84d95300 r7:00004800 r6:20000280 r5:84d95301 r4:00000003
[<815341bc>] (__sys_sendmsg) from [<815342b0>] (__do_sys_sendmsg net/socket.c:2657 [inline])
[<815341bc>] (__sys_sendmsg) from [<815342b0>] (sys_sendmsg+0x14/0x18 net/socket.c:2655)
 r8:8020029c r7:00000128 r6:002f6300 r5:00000000 r4:00000000
[<8153429c>] (sys_sendmsg) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfd29fa8 to 0xdfd29ff0)
9fa0:                   00000000 00000000 00000003 20000280 00004800 00000000
9fc0: 00000000 00000000 002f6300 00000128 002e0000 00000000 00006364 76b4a0bc
9fe0: 76b49ec0 76b49eb0 000193a4 00131f40
Code: e7f001f2 e1a0c00d e92dd8f0 e24cb004 (e1c040d0)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   e7f001f2    udf     #18
   4:   e1a0c00d    mov     ip, sp
   8:   e92dd8f0    push    {r4, r5, r6, r7, fp, ip, lr, pc}
   c:   e24cb004    sub     fp, ip, #4
* 10:   e1c040d0    ldrd    r4, [r0] <-- trapping instruction