8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 00000158 when read [00000158] *pgd=85ce7003, *pmd=df723003 Internal error: Oops: 205 [#1] SMP ARM Modules linked in: CPU: 1 UID: 0 PID: 11885 Comm: syz.5.1499 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT Hardware name: ARM-Versatile Express PC is at htb_deactivate net/sched/sch_htb.c:613 [inline] PC is at htb_qlen_notify+0xc/0x30 net/sched/sch_htb.c:1489 LR is at qdisc_tree_reduce_backlog+0x7c/0x138 net/sched/sch_api.c:811 pc : [<81611d30>] lr : [<815ecd00>] psr: 60000013 sp : dfb45a38 ip : dfb45a50 fp : dfb45a4c r10: 8567a800 r9 : 00000000 r8 : 00000000 r7 : 00000000 r6 : ffff0000 r5 : 81e60458 r4 : 8564f800 r3 : 81611d24 r2 : 85ce5e80 r1 : 00000000 r0 : 8564f800 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 30c5387d Table: 85ce5400 DAC: 00000000 Register r0 information: slab kmalloc-2k start 8564f800 pointer offset 0 size 2048 Register r1 information: NULL pointer Register r2 information: slab kmalloc-64 start 85ce5e80 pointer offset 0 size 64 Register r3 information: non-slab/vmalloc memory Register r4 information: slab kmalloc-2k start 8564f800 pointer offset 0 size 2048 Register r5 information: non-slab/vmalloc memory Register r6 information: non-paged memory Register r7 information: NULL pointer Register r8 information: NULL pointer Register r9 information: NULL pointer Register r10 information: slab kmalloc-cg-2k start 8567a800 pointer offset 0 size 2048 Register r11 information: 2-page vmalloc region starting at 0xdfb44000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2599 Register r12 information: 2-page vmalloc region starting at 0xdfb44000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2599 Process syz.5.1499 (pid: 11885, stack limit = 0xdfb44000) Stack: (0xdfb45a38 to 0xdfb46000) 5a20: 8564f800 81e60458 5a40: dfb45a84 dfb45a50 815ecd00 81611d30 dfb45a84 00000000 8564f800 84cb1000 5a60: 8564f800 849d3d70 dfb45b68 00000000 829dd4c0 
80090000 dfb45ae4 dfb45a88 5a80: 8162f724 815ecc90 81e617b0 00000000 00000000 81534290 80200060 00000000 5aa0: 00000000 00000000 00000000 00000000 00000000 22753851 00000000 84cb1000 5ac0: 00000000 849d3d70 dfb45b68 00008000 829dd4c0 80090000 dfb45b04 dfb45ae8 5ae0: 8162f888 8162f524 84cb1000 8567a800 82810254 dfb45b68 dfb45b44 dfb45b08 5b00: 815ed50c 8162f818 dfb45b2c dfb45b18 dfb45b2c 000affe0 81a39fd0 849d3d40 5b20: 84dcff00 00000000 dfb45c50 8567a800 8564f800 000affe0 dfb45bec dfb45b48 5b40: 815efb3c 815ed3d8 dfb45b68 dfb45b64 dfb45c50 00000001 00000000 22753851 5b60: 00000000 00000000 00000000 849d3d64 849d3d70 00000000 00000000 00000000 5b80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5ba0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 22753851 5bc0: 0000000c 849d3d40 00000014 82c1d6d8 84dcff00 82c1d558 00000000 00000000 5be0: dfb45c4c dfb45bf0 8157e98c 815ef758 8336f400 dfb45c50 ff9c65c0 00000001 5c00: 00000000 22753851 00000000 85cc0800 00400000 00ce5b80 00000000 22753851 5c20: 84dcff00 84dcff00 8157e854 849d3d40 00000034 847f2700 00000000 00000000 5c40: dfb45cdc dfb45c50 8165f7a8 8157e860 00000000 00000000 00000000 00000000 5c60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5c80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5ca0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 22753851 5cc0: 85e2d000 00000034 85ba1500 84dcff00 dfb45cec dfb45ce0 8157d700 8165f6f4 5ce0: dfb45d1c dfb45cf0 8165ef90 8157d6f4 7fffffff 22753851 dfb45f20 84dcff00 5d00: 00000034 85cc0800 00000000 00000000 dfb45d84 dfb45d20 8165f25c 8165ee00 5d20: 00000000 00000000 00000000 22753851 00000000 00000034 85bf1100 00000000 5d40: 00000004 00000000 00000000 00000000 80793904 22753851 dfb45d84 00000000 5d60: dfb45f20 8367f900 00000000 dfb45dc4 dfb45dc4 00000000 dfb45da4 dfb45d88 5d80: 81531714 8165f09c dfb45f20 0000c010 8367f900 00000000 dfb45e14 dfb45da8 5da0: 81531f84 
815316dc dfb45e20 dfb45f30 00000000 00000000 dfb45e14 00000000 5dc0: 81533c9c 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5de0: 00000000 22753851 00000055 00000000 dfb45f20 8367f900 00000000 0000c010 5e00: 20000280 dfb45e24 dfb45f14 dfb45e18 81533d90 81531cf8 00000000 84760c00 5e20: 00000000 200005c0 00000034 00000000 00000000 00000000 00000000 00000000 5e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5e60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5e80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5ee0: 00000000 22753851 dfb45f14 00000003 8497b481 20000280 0000c010 8497b480 5f00: 84760c00 00000128 dfb45f94 dfb45f18 81534228 81533d00 00000000 00000000 5f20: 00000000 00000000 00000000 00000000 00010000 00000034 200005c0 00000000 5f40: 00000001 00000000 00000000 00000001 0000c010 00000000 00000000 00000000 5f60: 00000000 00000000 ecac8b10 22753851 00000000 00000000 00000000 002f6300 5f80: 00000128 8020029c dfb45fa4 dfb45f98 81534290 815341a8 00000000 dfb45fa8 5fa0: 80200060 81534288 00000000 00000000 00000003 20000280 0000c010 00000000 5fc0: 00000000 00000000 002f6300 00000128 002e0000 00000000 00006364 76b940bc 5fe0: 76b93ec0 76b93eb0 000193a4 00131f40 60000010 00000003 00000000 00000000 Call trace: [<81611d24>] (htb_qlen_notify) from [<815ecd00>] (qdisc_tree_reduce_backlog+0x7c/0x138 net/sched/sch_api.c:811) r5:81e60458 r4:8564f800 [<815ecc84>] (qdisc_tree_reduce_backlog) from [<8162f724>] (codel_change+0x20c/0x2f4 net/sched/sch_codel.c:153) r10:80090000 r9:829dd4c0 r8:00000000 r7:dfb45b68 r6:849d3d70 r5:8564f800 r4:84cb1000 [<8162f518>] (codel_change) from [<8162f888>] (codel_init+0x7c/0xb0 net/sched/sch_codel.c:172) r10:80090000 r9:829dd4c0 r8:00008000 r7:dfb45b68 r6:849d3d70 r5:00000000 r4:84cb1000 
[<8162f80c>] (codel_init) from [<815ed50c>] (qdisc_create+0x140/0x484 net/sched/sch_api.c:1324) r7:dfb45b68 r6:82810254 r5:8567a800 r4:84cb1000 [<815ed3cc>] (qdisc_create) from [<815efb3c>] (__tc_modify_qdisc net/sched/sch_api.c:1749 [inline]) [<815ed3cc>] (qdisc_create) from [<815efb3c>] (tc_modify_qdisc+0x3f0/0x8d4 net/sched/sch_api.c:1813) r10:000affe0 r9:8564f800 r8:8567a800 r7:dfb45c50 r6:00000000 r5:84dcff00 r4:849d3d40 [<815ef74c>] (tc_modify_qdisc) from [<8157e98c>] (rtnetlink_rcv_msg+0x138/0x334 net/core/rtnetlink.c:6953) r10:00000000 r9:00000000 r8:82c1d558 r7:84dcff00 r6:82c1d6d8 r5:00000014 r4:849d3d40 [<8157e854>] (rtnetlink_rcv_msg) from [<8165f7a8>] (netlink_rcv_skb+0xc0/0x120 net/netlink/af_netlink.c:2534) r10:00000000 r9:00000000 r8:847f2700 r7:00000034 r6:849d3d40 r5:8157e854 r4:84dcff00 [<8165f6e8>] (netlink_rcv_skb) from [<8157d700>] (rtnetlink_rcv+0x18/0x1c net/core/rtnetlink.c:6971) r7:84dcff00 r6:85ba1500 r5:00000034 r4:85e2d000 [<8157d6e8>] (rtnetlink_rcv) from [<8165ef90>] (netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]) [<8157d6e8>] (rtnetlink_rcv) from [<8165ef90>] (netlink_unicast+0x19c/0x29c net/netlink/af_netlink.c:1339) [<8165edf4>] (netlink_unicast) from [<8165f25c>] (netlink_sendmsg+0x1cc/0x444 net/netlink/af_netlink.c:1883) r9:00000000 r8:00000000 r7:85cc0800 r6:00000034 r5:84dcff00 r4:dfb45f20 [<8165f090>] (netlink_sendmsg) from [<81531714>] (sock_sendmsg_nosec net/socket.c:712 [inline]) [<8165f090>] (netlink_sendmsg) from [<81531714>] (__sock_sendmsg+0x44/0x78 net/socket.c:727) r10:00000000 r9:dfb45dc4 r8:dfb45dc4 r7:00000000 r6:8367f900 r5:dfb45f20 r4:00000000 [<815316d0>] (__sock_sendmsg) from [<81531f84>] (____sys_sendmsg+0x298/0x2cc net/socket.c:2566) r7:00000000 r6:8367f900 r5:0000c010 r4:dfb45f20 [<81531cec>] (____sys_sendmsg) from [<81533d90>] (___sys_sendmsg+0x9c/0xd0 net/socket.c:2620) r10:dfb45e24 r9:20000280 r8:0000c010 r7:00000000 r6:8367f900 r5:dfb45f20 r4:00000000 [<81533cf4>] (___sys_sendmsg) from 
[<81534228>] (__sys_sendmsg+0x8c/0xe0 net/socket.c:2652) r10:00000128 r9:84760c00 r8:8497b480 r7:0000c010 r6:20000280 r5:8497b481 r4:00000003 [<8153419c>] (__sys_sendmsg) from [<81534290>] (__do_sys_sendmsg net/socket.c:2657 [inline]) [<8153419c>] (__sys_sendmsg) from [<81534290>] (sys_sendmsg+0x14/0x18 net/socket.c:2655) r8:8020029c r7:00000128 r6:002f6300 r5:00000000 r4:00000000 [<8153427c>] (sys_sendmsg) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67) Exception stack(0xdfb45fa8 to 0xdfb45ff0) 5fa0: 00000000 00000000 00000003 20000280 0000c010 00000000 5fc0: 00000000 00000000 002f6300 00000128 002e0000 00000000 00006364 76b940bc 5fe0: 76b93ec0 76b93eb0 000193a4 00131f40 Code: eaffffb4 e1a0c00d e92dd830 e24cb004 (e5913158) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: eaffffb4 b 0xfffffed8 4: e1a0c00d mov ip, sp 8: e92dd830 push {r4, r5, fp, ip, lr, pc} c: e24cb004 sub fp, ip, #4 * 10: e5913158 ldr r3, [r1, #344] @ 0x158 <-- trapping instruction

Reading note: the trapping load is `ldr r3, [r1, #344]` with r1 = 00000000 (listed above as "Register r1 information: NULL pointer"), so the reported fault address 00000158 is exactly NULL + 0x158 (344 decimal) — a plain NULL-plus-offset dereference rather than a wild or freed pointer (r0/r4, by contrast, still point at a live kmalloc-2k object). The PC is attributed to htb_deactivate() inlined into htb_qlen_notify() (net/sched/sch_htb.c:613 / :1489), reached from qdisc_tree_reduce_backlog() (net/sched/sch_api.c:811) while codel_init() → codel_change() runs inside qdisc_create(). On 32-bit ARM (AAPCS) r1 normally carries a function's second argument, which suggests the class handle passed to htb_qlen_notify() was NULL; that inference should be confirmed against the cited source lines of the 6.16.0-rc4 tree before attributing the bug to either side of the call. The trace does not establish unprivileged reachability: the triggering syzkaller process ran as UID 0 and entered through sendmsg() on an rtnetlink socket (tc_modify_qdisc), a qdisc-configuration path whose permission check (not this dump) decides whether CAP_NET_ADMIN in the socket's network namespace is required.