8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 00000294 when read [00000294] *pgd=85c03003, *pmd=ea36c003 Internal error: Oops: 205 [#1] SMP ARM Modules linked in: CPU: 1 UID: 0 PID: 32093 Comm: syz.5.14346 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT Hardware name: ARM-Versatile Express PC is at hfsc_qlen_notify+0xc/0x60 net/sched/sch_hfsc.c:1238 LR is at qdisc_tree_reduce_backlog+0x7c/0x138 net/sched/sch_api.c:811 pc : [<816155a8>] lr : [<815ebea0>] psr: 60000013 sp : dff01a38 ip : dff01a50 fp : dff01a4c r10: 86c0f000 r9 : 00000000 r8 : 00000000 r7 : 00000000 r6 : ffff0000 r5 : 81e60560 r4 : 85821c00 r3 : 8161559c r2 : 86233c40 r1 : 00000000 r0 : 85821c00 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 30c5387d Table: 86233500 DAC: 00000000 Register r0 information: slab kmalloc-1k start 85821c00 pointer offset 0 size 1024 Register r1 information: NULL pointer Register r2 information: slab kmalloc-64 start 86233c40 pointer offset 0 size 64 Register r3 information: non-slab/vmalloc memory Register r4 information: slab kmalloc-1k start 85821c00 pointer offset 0 size 1024 Register r5 information: non-slab/vmalloc memory Register r6 information: non-paged memory Register r7 information: NULL pointer Register r8 information: NULL pointer Register r9 information: NULL pointer Register r10 information: slab kmalloc-cg-2k start 86c0f000 pointer offset 0 size 2048 Register r11 information: 2-page vmalloc region starting at 0xdff00000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2599 Register r12 information: 2-page vmalloc region starting at 0xdff00000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2599 Process syz.5.14346 (pid: 32093, stack limit = 0xdff00000) Stack: (0xdff01a38 to 0xdff02000) 1a20: 85821c00 81e60560 1a40: dff01a84 dff01a50 815ebea0 816155a8 dff01a84 00000000 85821c00 84fbdc00 1a60: 85821c00 85b456b0 dff01b68 00000000 829dd480 80050000 dff01ae4 dff01a88 1a80: 8162e8c4 815ebe30 81e617f0 
00000000 00000000 81533430 80200060 00000000 1aa0: 00000000 00000000 00000000 00000000 00000000 3963fbd1 00000000 84fbdc00 1ac0: 00000000 85b456b0 dff01b68 00008000 829dd480 80050000 dff01b04 dff01ae8 1ae0: 8162ea28 8162e6c4 84fbdc00 86c0f000 82810254 dff01b68 dff01b44 dff01b08 1b00: 815ec6ac 8162e9b8 dff01b2c dff01b18 dff01b2c 000a0009 81a39170 85b45680 1b20: 84c7c9c0 00000000 dff01c50 86c0f000 85821c00 000a0009 dff01bec dff01b48 1b40: 815eecdc 815ec578 dff01b68 dff01b64 dff01c50 00000002 00000000 3963fbd1 1b60: 00000000 00000000 00000000 85b456a4 85b456b0 00000000 00000000 00000000 1b80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1ba0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 3963fbd1 1bc0: 0000000c 85b45680 00000014 82c1d6d8 84c7c9c0 82c1d558 00000000 00000000 1be0: dff01c4c dff01bf0 8157db2c 815ee8f8 83851180 dff01c50 ff9c65c0 00000002 1c00: 00000000 3963fbd1 00000000 85822800 00400000 00233780 00000000 3963fbd1 1c20: 84c7c9c0 84c7c9c0 8157d9f4 85b45680 00000034 8543c100 00000000 00000000 1c40: dff01cdc dff01c50 8165e948 8157da00 00000000 00000000 00000000 00000000 1c60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1c80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1ca0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 3963fbd1 1cc0: 85ec3c00 00000034 8588f8c0 84c7c9c0 dff01cec dff01ce0 8157c8a0 8165e894 1ce0: dff01d1c dff01cf0 8165e130 8157c894 7fffffff 3963fbd1 dff01f20 84c7c9c0 1d00: 00000034 85822800 00000000 00000000 dff01d84 dff01d20 8165e3fc 8165dfa0 1d20: 00000000 00000000 00000000 3963fbd1 00000000 00000034 858c9980 00000000 1d40: 000004cd 00000000 00000000 00000000 80792a84 3963fbd1 dff01d84 00000000 1d60: dff01f20 836e5400 00000000 dff01dc4 dff01dc4 00000000 dff01da4 dff01d88 1d80: 815308b4 8165e23c dff01f20 00004000 836e5400 00000000 dff01e14 dff01da8 1da0: 81531124 8153087c dff01e20 dff01f30 00000000 00000000 dff01e14 00000000 
1dc0: 81532e3c 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1de0: 00000000 3963fbd1 20000040 00000000 dff01f20 836e5400 00000000 00004000 1e00: 20000280 dff01e24 dff01f14 dff01e18 81532f30 81530e98 00000000 8665b000 1e20: 00000000 20000300 00000034 00000000 00000000 00000000 00000000 00000000 1e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1e60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1e80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1ee0: 00000000 3963fbd1 dff01f14 00000003 85e14241 20000280 00004000 85e14240 1f00: 8665b000 00000128 dff01f94 dff01f18 815333c8 81532ea0 00000000 00000000 1f20: 00000000 00000000 00000000 00000000 00010000 00000034 20000300 00000000 1f40: 00000001 00000000 00000000 00000001 00004000 00000000 00000000 00000000 1f60: 00000000 00000000 ecac8b10 3963fbd1 00000000 00000000 00000000 002f6300 1f80: 00000128 8020029c dff01fa4 dff01f98 81533430 81533348 00000000 dff01fa8 1fa0: 80200060 81533428 00000000 00000000 00000003 20000280 00004000 00000000 1fc0: 00000000 00000000 002f6300 00000128 002e0000 00000000 00006364 76b040bc 1fe0: 76b03ec0 76b03eb0 000193a4 00131f40 60000010 00000003 00000000 00000000 Call trace: [<8161559c>] (hfsc_qlen_notify) from [<815ebea0>] (qdisc_tree_reduce_backlog+0x7c/0x138 net/sched/sch_api.c:811) r5:81e60560 r4:85821c00 [<815ebe24>] (qdisc_tree_reduce_backlog) from [<8162e8c4>] (codel_change+0x20c/0x2f4 net/sched/sch_codel.c:153) r10:80050000 r9:829dd480 r8:00000000 r7:dff01b68 r6:85b456b0 r5:85821c00 r4:84fbdc00 [<8162e6b8>] (codel_change) from [<8162ea28>] (codel_init+0x7c/0xb0 net/sched/sch_codel.c:172) r10:80050000 r9:829dd480 r8:00008000 r7:dff01b68 r6:85b456b0 r5:00000000 r4:84fbdc00 [<8162e9ac>] (codel_init) from [<815ec6ac>] (qdisc_create+0x140/0x484 
net/sched/sch_api.c:1324) r7:dff01b68 r6:82810254 r5:86c0f000 r4:84fbdc00 [<815ec56c>] (qdisc_create) from [<815eecdc>] (__tc_modify_qdisc net/sched/sch_api.c:1749 [inline]) [<815ec56c>] (qdisc_create) from [<815eecdc>] (tc_modify_qdisc+0x3f0/0x8d4 net/sched/sch_api.c:1813) r10:000a0009 r9:85821c00 r8:86c0f000 r7:dff01c50 r6:00000000 r5:84c7c9c0 r4:85b45680 [<815ee8ec>] (tc_modify_qdisc) from [<8157db2c>] (rtnetlink_rcv_msg+0x138/0x334 net/core/rtnetlink.c:6953) r10:00000000 r9:00000000 r8:82c1d558 r7:84c7c9c0 r6:82c1d6d8 r5:00000014 r4:85b45680 [<8157d9f4>] (rtnetlink_rcv_msg) from [<8165e948>] (netlink_rcv_skb+0xc0/0x120 net/netlink/af_netlink.c:2534) r10:00000000 r9:00000000 r8:8543c100 r7:00000034 r6:85b45680 r5:8157d9f4 r4:84c7c9c0 [<8165e888>] (netlink_rcv_skb) from [<8157c8a0>] (rtnetlink_rcv+0x18/0x1c net/core/rtnetlink.c:6971) r7:84c7c9c0 r6:8588f8c0 r5:00000034 r4:85ec3c00 [<8157c888>] (rtnetlink_rcv) from [<8165e130>] (netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]) [<8157c888>] (rtnetlink_rcv) from [<8165e130>] (netlink_unicast+0x19c/0x29c net/netlink/af_netlink.c:1339) [<8165df94>] (netlink_unicast) from [<8165e3fc>] (netlink_sendmsg+0x1cc/0x444 net/netlink/af_netlink.c:1883) r9:00000000 r8:00000000 r7:85822800 r6:00000034 r5:84c7c9c0 r4:dff01f20 [<8165e230>] (netlink_sendmsg) from [<815308b4>] (sock_sendmsg_nosec net/socket.c:712 [inline]) [<8165e230>] (netlink_sendmsg) from [<815308b4>] (__sock_sendmsg+0x44/0x78 net/socket.c:727) r10:00000000 r9:dff01dc4 r8:dff01dc4 r7:00000000 r6:836e5400 r5:dff01f20 r4:00000000 [<81530870>] (__sock_sendmsg) from [<81531124>] (____sys_sendmsg+0x298/0x2cc net/socket.c:2566) r7:00000000 r6:836e5400 r5:00004000 r4:dff01f20 [<81530e8c>] (____sys_sendmsg) from [<81532f30>] (___sys_sendmsg+0x9c/0xd0 net/socket.c:2620) r10:dff01e24 r9:20000280 r8:00004000 r7:00000000 r6:836e5400 r5:dff01f20 r4:00000000 [<81532e94>] (___sys_sendmsg) from [<815333c8>] (__sys_sendmsg+0x8c/0xe0 net/socket.c:2652) r10:00000128 
r9:8665b000 r8:85e14240 r7:00004000 r6:20000280 r5:85e14241 r4:00000003 [<8153333c>] (__sys_sendmsg) from [<81533430>] (__do_sys_sendmsg net/socket.c:2657 [inline]) [<8153333c>] (__sys_sendmsg) from [<81533430>] (sys_sendmsg+0x14/0x18 net/socket.c:2655) r8:8020029c r7:00000128 r6:002f6300 r5:00000000 r4:00000000 [<8153341c>] (sys_sendmsg) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67) Exception stack(0xdff01fa8 to 0xdff01ff0) 1fa0: 00000000 00000000 00000003 20000280 00004000 00000000 1fc0: 00000000 00000000 002f6300 00000128 002e0000 00000000 00006364 76b040bc 1fe0: 76b03ec0 76b03eb0 000193a4 00131f40 Code: eaffffcc e1a0c00d e92dd830 e24cb004 (e5913294) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: eaffffcc b 0xffffff38 4: e1a0c00d mov ip, sp 8: e92dd830 push {r4, r5, fp, ip, lr, pc} c: e24cb004 sub fp, ip, #4 * 10: e5913294 ldr r3, [r1, #660] @ 0x294 <-- trapping instruction

Reviewer note on reading this oops: the faulting address 0x294 equals the immediate in the trapping `ldr r3, [r1, #660]`, and "Register r1 information: NULL pointer" shows r1 == 0, so this is not a wild pointer but a field read through a NULL base. On ARM EABI r1 carries the second argument, i.e. the class handle that the caller, qdisc_tree_reduce_backlog (net/sched/sch_api.c:811), passes to hfsc_qlen_notify; the HFSC callback dereferences that handle without a NULL check. The call chain shows the notification is issued from codel_change, invoked by codel_init, while qdisc_create is still running — that is, before the new codel qdisc has been grafted into its HFSC parent — so the parent's class lookup can plausibly come back empty at this point. The fix belongs in the caller or the init-time path (do not call ->qlen_notify, or do not reduce the parent's backlog at all, when no class is found / during create), rather than in each qdisc's qlen_notify; other qdiscs with an unchecked qlen_notify would otherwise stay exposed. Reachability: the trigger is an RTM_NEWQDISC netlink message (tc_modify_qdisc), which normally requires CAP_NET_ADMIN in the target network namespace, and with unprivileged user namespaces enabled this is typically obtainable by a local user, making it a local DoS (kernel crash) rather than a privilege escalation on the evidence here.