syzbot

general protection fault, probably for non-canonical address 0xdffffc0000000023: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
CPU: 0 PID: 6535 Comm: syz-executor106 Not tainted 5.14.0-rc6-next-20210820-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:5762 [inline]
RIP: 0010:destroy_workqueue+0x2e/0x810 kernel/workqueue.c:4416
Code: 49 89 fe 41 55 41 54 55 53 48 83 ec 18 e8 9a c5 29 00 49 8d be 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 39 07 00 00 49 8b 9e 18 01 00 00 48 85 db 74 19
RSP: 0018:ffffc90002c9fa28 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000023 RSI: ffffffff814cb2f6 RDI: 0000000000000118
RBP: ffff888019721340 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81a46b48 R11: 0000000000000000 R12: ffff888019720000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcb4ab1a6c0 CR3: 00000000703da000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hci_release_dev+0x125/0xb70 net/bluetooth/hci_core.c:4062
 bt_host_release+0x15/0x20 net/bluetooth/hci_sysfs.c:86
 device_release+0xa3/0x240 drivers/base/core.c:2195
 kobject_cleanup lib/kobject.c:705 [inline]
 kobject_release lib/kobject.c:736 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1d0/0x540 lib/kobject.c:753
 put_device+0x1b/0x30 drivers/base/core.c:3466
 hci_uart_tty_close+0x1e4/0x2a0 drivers/bluetooth/hci_ldisc.c:546
 tty_ldisc_close+0x114/0x1a0 drivers/tty/tty_ldisc.c:474
 tty_ldisc_kill+0x94/0x150 drivers/tty/tty_ldisc.c:629
 tty_ldisc_release+0xe3/0x2a0 drivers/tty/tty_ldisc.c:803
 tty_release_struct+0x24/0xf0 drivers/tty/tty_io.c:1706
 tty_release+0xc70/0x1200 drivers/tty/tty_io.c:1878
 __fput+0x288/0x9f0 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xbae/0x2a30 kernel/exit.c:825
 do_group_exit+0x129/0x310 kernel/exit.c:922
 __do_sys_exit_group kernel/exit.c:933 [inline]
 __se_sys_exit_group kernel/exit.c:931 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:931
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43da49
Code: Unable to access opcode bytes at RIP 0x43da1f.
RSP: 002b:00007ffff8f5fe58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043da49
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ae230
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Modules linked in:
---[ end trace f0da897eafa18aaf ]---
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:5762 [inline]
RIP: 0010:destroy_workqueue+0x2e/0x810 kernel/workqueue.c:4416
Code: 49 89 fe 41 55 41 54 55 53 48 83 ec 18 e8 9a c5 29 00 49 8d be 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 39 07 00 00 49 8b 9e 18 01 00 00 48 85 db 74 19
RSP: 0018:ffffc90002c9fa28 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000023 RSI: ffffffff814cb2f6 RDI: 0000000000000118
RBP: ffff888019721340 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81a46b48 R11: 0000000000000000 R12: ffff888019720000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcd198cf000 CR3: 0000000070e54000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	49 89 fe             	mov    %rdi,%r14
   3:	41 55                	push   %r13
   5:	41 54                	push   %r12
   7:	55                   	push   %rbp
   8:	53                   	push   %rbx
   9:	48 83 ec 18          	sub    $0x18,%rsp
   d:	e8 9a c5 29 00       	callq  0x29c5ac
  12:	49 8d be 18 01 00 00 	lea    0x118(%r14),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 39 07 00 00    	jne    0x76d
  34:	49 8b 9e 18 01 00 00 	mov    0x118(%r14),%rbx
  3b:	48 85 db             	test   %rbx,%rbx
  3e:	74 19                	je     0x59