general protection fault in snd_usbmidi_do_output

Status: upstream: reported C repro on 2025/09/22 16:54
Subsystems: sound usb
Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Fix commit: 9f2c0ac1423d ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu-native-arm64-kvm ci-upstream-gce-arm64]
First crash: 21d, last: 12d
Cause bisection: failed (error log, bisect log)
Discussions (5)
Title Replies (including bot) Last reply
[PATCH 6.12.y 6.6.y 6.1.y 5.15.y 5.10.y 5.4.y] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free 1 (1) 2025/10/07 17:31
[PATCH v2] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free 2 (2) 2025/09/28 06:31
Re: [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free 9 (13) 2025/09/27 16:17
[syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output 2 (5) 2025/09/23 09:48
[PATCH 1/1] ALSA: usb-audio: Avoid NULL dereference in snd_usbmidi_do_output() 3 (3) 2025/09/23 06:16
Last patch testing requests (6)
Created Duration User Patch Repo Result
2025/09/27 15:50 25m aha310510@gmail.com patch upstream OK log
2025/09/27 11:53 31m tiwai@suse.de patch upstream OK log
2025/09/27 10:29 24m tiwai@suse.de patch upstream report log
2025/09/27 09:19 24m hdanton@sina.com patch upstream report log
2025/09/23 07:39 57m hdanton@sina.com patch upstream OK log
2025/09/23 00:48 48m hdanton@sina.com patch upstream report log

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 1 UID: 0 PID: 6032 Comm: kworker/u8:8 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: events_unbound nsim_dev_trap_report_work
RIP: 0010:snd_usbmidi_do_output+0x199/0x560 sound/usb/midi.c:310
Code: 5c 24 48 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 28 7c ec f8 48 8b 1b 4c 8d ab 88 00 00 00 4d 89 ef 49 c1 ef 03 <43> 0f b6 04 37 84 c0 0f 85 44 02 00 00 41 c7 45 00 00 00 00 00 48
RSP: 0018:ffffc90000a08ab8 EFLAGS: 00010006
RAX: 1ffff110053c6b01 RBX: 0000000000000000 RCX: ffff88802599bc00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000141134 R12: 0000000000000001
R13: 0000000000000088 R14: dffffc0000000000 R15: 0000000000000011
FS:  0000000000000000(0000) GS:ffff888125d12000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd87a5c880 CR3: 0000000075620000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 snd_usbmidi_error_timer+0x316/0x660 sound/usb/midi.c:362
 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x175/0x360 kernel/locking/lockdep.c:5872
Code: 00 00 00 00 9c 8f 44 24 30 f7 44 24 30 00 02 00 00 0f 85 cd 00 00 00 f7 44 24 08 00 02 00 00 74 01 fb 65 48 8b 05 1b 74 03 11 <48> 3b 44 24 58 0f 85 f2 00 00 00 48 83 c4 60 5b 41 5c 41 5d 41 5e
RSP: 0018:ffffc9000386f438 EFLAGS: 00000206

RAX: 1d7be7f3ace39800 RBX: 0000000000000000 RCX: 1d7be7f3ace39800
RDX: 0000000000000000 RSI: ffffffff8dba9bc5 RDI: ffffffff8be33f80
RBP: ffffffff8172d195 R08: 0000000000000000 R09: ffffffff8172d195
R10: ffffc9000386f5f8 R11: ffffffff81ac4860 R12: 0000000000000002
R13: ffffffff8e13a120 R14: 0000000000000000 R15: 0000000000000246
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_read_lock include/linux/rcupdate.h:841 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 unwind_next_frame+0xc2/0x2390 arch/x86/kernel/unwind_orc.c:479
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2422 [inline]
 slab_free mm/slub.c:4695 [inline]
 kmem_cache_free+0x18f/0x400 mm/slub.c:4797
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:836 [inline]
 nsim_dev_trap_report_work+0x7cf/0xb80 drivers/net/netdevsim/dev.c:866
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:snd_usbmidi_do_output+0x199/0x560 sound/usb/midi.c:310
Code: 5c 24 48 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 28 7c ec f8 48 8b 1b 4c 8d ab 88 00 00 00 4d 89 ef 49 c1 ef 03 <43> 0f b6 04 37 84 c0 0f 85 44 02 00 00 41 c7 45 00 00 00 00 00 48
RSP: 0018:ffffc90000a08ab8 EFLAGS: 00010006
RAX: 1ffff110053c6b01 RBX: 0000000000000000 RCX: ffff88802599bc00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000141134 R12: 0000000000000001
R13: 0000000000000088 R14: dffffc0000000000 R15: 0000000000000011
FS:  0000000000000000(0000) GS:ffff888125d12000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd87a5c880 CR3: 0000000075620000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	5c                   	pop    %rsp
   1:	24 48                	and    $0x48,%al
   3:	48 89 d8             	mov    %rbx,%rax
   6:	48 c1 e8 03          	shr    $0x3,%rax
   a:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1)
   f:	74 08                	je     0x19
  11:	48 89 df             	mov    %rbx,%rdi
  14:	e8 28 7c ec f8       	call   0xf8ec7c41
  19:	48 8b 1b             	mov    (%rbx),%rbx
  1c:	4c 8d ab 88 00 00 00 	lea    0x88(%rbx),%r13
  23:	4d 89 ef             	mov    %r13,%r15
  26:	49 c1 ef 03          	shr    $0x3,%r15
* 2a:	43 0f b6 04 37       	movzbl (%r15,%r14,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 44 02 00 00    	jne    0x27b
  37:	41 c7 45 00 00 00 00 	movl   $0x0,0x0(%r13)
  3e:	00
  3f:	48                   	rex.W

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/09/27 19:38 upstream fec734e8d564 001c9061 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in snd_usbmidi_do_output
2025/09/21 06:08 upstream 3b08f56fbbb9 67c37560 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root general protection fault in snd_usbmidi_do_output
2025/09/20 09:31 upstream cd89d487374c 67c37560 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in snd_usbmidi_do_output
2025/09/20 14:43 upstream cd89d487374c 67c37560 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in snd_usbmidi_do_output
2025/09/29 17:55 upstream e5f0a698b34e 86341da6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in snd_usbmidi_do_output
2025/09/27 05:14 upstream 083fc6d7fa0d 001c9061 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in snd_usbmidi_do_output
2025/09/21 14:11 upstream f975f08c2e89 67c37560 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in snd_usbmidi_do_output
2025/09/24 02:40 upstream cec1e6e5d1ab 0abd0691 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 general protection fault in snd_usbmidi_do_output
* Struck through repros no longer work on HEAD.