Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: usb_hub_wq hub_event
RIP: 0010:snd_usbmidi_do_output+0x199/0x560 sound/usb/midi.c:310
Code: 5c 24 48 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 c8 89 ec f8 48 8b 1b 4c 8d ab 88 00 00 00 4d 89 ef 49 c1 ef 03 <43> 0f b6 04 37 84 c0 0f 85 44 02 00 00 41 c7 45 00 00 00 00 00 48
RSP: 0018:ffffc90000007ab8 EFLAGS: 00010006
RAX: 1ffff11004f00a01 RBX: 0000000000000000 RCX: ffff88801ce90000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000000f34 R12: 0000000000000001
R13: 0000000000000088 R14: dffffc0000000000 R15: 0000000000000011
FS:  0000000000000000(0000) GS:ffff888125c13000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000001de030 CR3: 0000000033874000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 snd_usbmidi_error_timer+0x316/0x660 sound/usb/midi.c:362
 call_timer_fn+0x17b/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:deref_stack_reg+0x13/0x230 arch/x86/kernel/unwind_orc.c:402
Code: 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 54 24 18 <49> 89 f0 49 89 ff 48 be 00 00 00 00 00 fc ff df 48 8d 5f 08 49 89
RSP: 0018:ffffc900000e6e60 EFLAGS: 00000286
RAX: fffffffffffffff0 RBX: ffffffff9045c786 RCX: 0000000000000000
RDX: ffffc900000e6fc8 RSI: ffffc900000e7550 RDI: ffffc900000e6f88
RBP: dffffc0000000000 R08: ffffc900000e6fe7 R09: 0000000000000000
R10: ffffc900000e6fd8 R11: fffff5200001cdfd R12: ffffc900000e7550
R13: ffffc900000e6fd8 R14: ffffc900000e6f88 R15: 1ffffffff208b8f1
 unwind_next_frame+0x17c4/0x2390 arch/x86/kernel/unwind_orc.c:-1
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 __call_rcu_common kernel/rcu/tree.c:3123 [inline]
 call_rcu+0x157/0x9c0 kernel/rcu/tree.c:3243
 kernfs_put+0x19e/0x480 fs/kernfs/dir.c:591
 kernfs_remove_by_name_ns+0xb7/0x130 fs/kernfs/dir.c:1718
 kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
 remove_files fs/sysfs/group.c:28 [inline]
 sysfs_remove_group+0xfc/0x2c0 fs/sysfs/group.c:322
 sysfs_remove_groups+0x54/0xb0 fs/sysfs/group.c:346
 device_remove_groups drivers/base/core.c:2843 [inline]
 device_remove_attrs+0x1aa/0x260 drivers/base/core.c:2973
 device_del+0x509/0x8e0 drivers/base/core.c:3877
 usb_disconnect+0x614/0x950 drivers/usb/core/hub.c:2375
 hub_port_connect drivers/usb/core/hub.c:5406 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x1cf5/0x4a20 drivers/usb/core/hub.c:5952
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:snd_usbmidi_do_output+0x199/0x560 sound/usb/midi.c:310
Code: 5c 24 48 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 c8 89 ec f8 48 8b 1b 4c 8d ab 88 00 00 00 4d 89 ef 49 c1 ef 03 <43> 0f b6 04 37 84 c0 0f 85 44 02 00 00 41 c7 45 00 00 00 00 00 48
RSP: 0018:ffffc90000007ab8 EFLAGS: 00010006
RAX: 1ffff11004f00a01 RBX: 0000000000000000 RCX: ffff88801ce90000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000000f34 R12: 0000000000000001
R13: 0000000000000088 R14: dffffc0000000000 R15: 0000000000000011
FS:  0000000000000000(0000) GS:ffff888125c13000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000001de030 CR3: 0000000033874000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	5c                   	pop    %rsp
   1:	24 48                	and    $0x48,%al
   3:	48 89 d8             	mov    %rbx,%rax
   6:	48 c1 e8 03          	shr    $0x3,%rax
   a:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1)
   f:	74 08                	je     0x19
  11:	48 89 df             	mov    %rbx,%rdi
  14:	e8 c8 89 ec f8       	call   0xf8ec89e1
  19:	48 8b 1b             	mov    (%rbx),%rbx
  1c:	4c 8d ab 88 00 00 00 	lea    0x88(%rbx),%r13
  23:	4d 89 ef             	mov    %r13,%r15
  26:	49 c1 ef 03          	shr    $0x3,%r15
* 2a:	43 0f b6 04 37       	movzbl (%r15,%r14,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 44 02 00 00    	jne    0x27b
  37:	41 c7 45 00 00 00 00 	movl   $0x0,0x0(%r13)
  3e:	00
  3f:	48                   	rex.W