syzbot

RBP: 00007ffec2c481d0 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7957 Comm: syz-executor308 Not tainted 4.14.304-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
task: ffff8880b4cb4100 task.stack: ffff88809a3d8000
RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:602
RSP: 0018:ffff88809a3dfb90 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffff8880af05df00 RCX: 0000000000000000
RDX: 000000000000000c RSI: ffff8880b4cb4988 RDI: 0000000000000064
RBP: 0000000000000000 R08: ffffffff8b9da690 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880af05df08
R13: ffff8880af04c9c8 R14: ffff8880a11730c0 R15: ffff8880a1f35818
FS:  0000555556685300(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000565140838160 CR3: 0000000008e6a000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tty_unregister_device drivers/tty/tty_io.c:3046 [inline]
 tty_unregister_device+0x101/0x1a0 drivers/tty/tty_io.c:3041
 gsmld_detach_gsm drivers/tty/n_gsm.c:2361 [inline]
 gsmld_close+0xaa/0x1f0 drivers/tty/n_gsm.c:2430
 tty_ldisc_close+0x8c/0xc0 drivers/tty/tty_ldisc.c:505
 tty_ldisc_kill drivers/tty/tty_ldisc.c:651 [inline]
 tty_ldisc_release+0xe8/0x400 drivers/tty/tty_ldisc.c:818
 tty_release_struct+0x20/0xe0 drivers/tty/tty_io.c:1603
 tty_release+0xb3f/0x10d0 drivers/tty/tty_io.c:1776
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:868
 do_group_exit+0x100/0x2e0 kernel/exit.c:965
 SYSC_exit_group kernel/exit.c:976 [inline]
 SyS_exit_group+0x19/0x20 kernel/exit.c:974
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f047652dcf9
RSP: 002b:00007ffec2c48168 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f04765a23f0 RCX: 00007f047652dcf9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f04765a23f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Code: c5 3e f7 ff eb d2 0f 1f 00 55 48 89 fd 48 83 ec 08 e8 f3 7b cd ff 48 8d 7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 
RIP: cdev_del+0x22/0x90 fs/char_dev.c:602 RSP: ffff88809a3dfb90
---[ end trace 5a01e659fa6a90fc ]---
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	3e f7 ff             	ds idiv %edi
   3:	eb d2                	jmp    0xffffffd7
   5:	0f 1f 00             	nopl   (%rax)
   8:	55                   	push   %rbp
   9:	48 89 fd             	mov    %rdi,%rbp
   c:	48 83 ec 08          	sub    $0x8,%rsp
  10:	e8 f3 7b cd ff       	callq  0xffcd7c08
  15:	48 8d 7d 64          	lea    0x64(%rbp),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2e:	48 89 f8             	mov    %rdi,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 03             	add    $0x3,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 04                	jl     0x3f
  3b:	84 d2                	test   %dl,%dl
  3d:	75 4f                	jne    0x8e