BUG: unable to handle page fault for address: fffff52000e84f4a #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 7ffcc067 P4D 7ffcc067 PUD 1c699067 PMD 275d6067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 150 Comm: kworker/0:1H Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_highpri snd_vmidi_output_work RIP: 0010:hlist_move_list include/linux/list.h:1122 [inline] RIP: 0010:collect_expired_timers kernel/time/timer.c:1819 [inline] RIP: 0010:__run_timers+0x320/0x960 kernel/time/timer.c:2354 Code: 31 00 0f 85 c5 05 00 00 48 85 c0 49 89 07 48 89 44 24 18 74 24 e8 10 ea 13 00 48 8b 44 24 18 48 8d 78 08 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 af 05 00 00 4c 89 78 08 e8 ec e9 13 00 83 44 RSP: 0018:ffffc90000007d50 EFLAGS: 00010802 RAX: ffffc90007427a48 RBX: 0000000000000002 RCX: 1ffff92000e84f4a RDX: ffff888022d12480 RSI: ffffffff81a87ff0 RDI: ffffc90007427a50 RBP: 0000000003ffff01 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802b225fa8 R13: ffffc90000007e20 R14: dffffc0000000000 R15: ffffc90000007e18 FS: 0000000000000000(0000) GS:ffff888097812000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffff52000e84f4a CR3: 000000006695b000 CR4: 0000000000352ef0 DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083 DR3: ffffffffeff7ff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Call Trace: __run_timer_base kernel/time/timer.c:2384 [inline] __run_timer_base kernel/time/timer.c:2376 [inline] run_timer_base+0x114/0x190 kernel/time/timer.c:2393 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403 handle_softirqs+0x219/0x8e0 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:723 irq_exit_rcu+0x9/0x30 
kernel/softirq.c:739 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1052 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194 Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 96 a2 38 f6 48 89 df e8 7e f6 38 f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 01 00 00 00 e8 c5 ff 28 f6 65 8b 05 7e 25 41 08 85 c0 74 16 5b RSP: 0018:ffffc90002a2fb10 EFLAGS: 00000246 RAX: 0000000000000006 RBX: ffff888058d89620 RCX: 0000000000000006 RDX: 0000000000000000 RSI: ffffffff8da26dd3 RDI: ffffffff8bf071c0 RBP: 0000000000000293 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff90822ad7 R11: 0000000000000001 R12: ffff888057d8a428 R13: 0000000000000000 R14: ffff888058d89620 R15: ffff888058d89608 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline] class_spinlock_irqsave_destructor include/linux/spinlock.h:585 [inline] snd_midi_event_encode_byte sound/core/seq/seq_midi_event.c:183 [inline] snd_midi_event_encode_byte+0x630/0xe30 sound/core/seq/seq_midi_event.c:170 snd_vmidi_output_work+0x150/0x390 sound/core/seq/seq_virmidi.c:153 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Modules linked in: CR2: fffff52000e84f4a ---[ end trace 0000000000000000 ]--- RIP: 0010:hlist_move_list include/linux/list.h:1122 [inline] RIP: 0010:collect_expired_timers kernel/time/timer.c:1819 [inline] RIP: 0010:__run_timers+0x320/0x960 kernel/time/timer.c:2354 Code: 31 00 0f 85 c5 05 00 00 48 85 c0 49 89 07 48 89 44 24 18 74 24 e8 10 ea 13 00 48 8b 44 
24 18 48 8d 78 08 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 af 05 00 00 4c 89 78 08 e8 ec e9 13 00 83 44 RSP: 0018:ffffc90000007d50 EFLAGS: 00010802 RAX: ffffc90007427a48 RBX: 0000000000000002 RCX: 1ffff92000e84f4a RDX: ffff888022d12480 RSI: ffffffff81a87ff0 RDI: ffffc90007427a50 RBP: 0000000003ffff01 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802b225fa8 R13: ffffc90000007e20 R14: dffffc0000000000 R15: ffffc90000007e18 FS: 0000000000000000(0000) GS:ffff888097812000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffff52000e84f4a CR3: 000000006695b000 CR4: 0000000000352ef0 DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083 DR3: ffffffffeff7ff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:  31 00                   xor    %eax,(%rax)
   2:  0f 85 c5 05 00 00       jne    0x5cd
   8:  48 85 c0                test   %rax,%rax
   b:  49 89 07                mov    %rax,(%r15)
   e:  48 89 44 24 18          mov    %rax,0x18(%rsp)
  13:  74 24                   je     0x39
  15:  e8 10 ea 13 00          call   0x13ea2a
  1a:  48 8b 44 24 18          mov    0x18(%rsp),%rax
  1f:  48 8d 78 08             lea    0x8(%rax),%rdi
  23:  48 89 f9                mov    %rdi,%rcx
  26:  48 c1 e9 03             shr    $0x3,%rcx
* 2a:  42 80 3c 31 00          cmpb   $0x0,(%rcx,%r14,1)  <-- trapping instruction
  2f:  0f 85 af 05 00 00       jne    0x5e4
  35:  4c 89 78 08             mov    %r15,0x8(%rax)
  39:  e8 ec e9 13 00          call   0x13ea2a
  3e:  83                      .byte 0x83
  3f:  44                      rex.R
Reading of the trap: the faulting `cmpb` is the inlined KASAN shadow check for the store at 0x35 (`mov %r15,0x8(%rax)`, i.e. writing the `pprev` slot of the hlist node just unlinked by hlist_move_list). The checked address is RDI = RAX+8 = ffffc90007427a50; RDI >> 3 = 1ffff92000e84f4a (RCX) plus the shadow offset in R14 (dffffc0000000000) gives fffff52000e84f4a, which is exactly CR2, so the page fault is on the KASAN shadow page for that vmalloc-range address, not on the object itself. A not-present shadow page for a vmalloc address is consistent with a timer that is still linked into the timer base while the vmalloc-backed memory containing it has already been released (e.g. a timer not deleted before its owner was torn down); this is an inference and should be confirmed against the timer's owner. The snd_vmidi_output_work / snd_midi_event_encode_byte frames below the IRQ entry are only the context that the timer softirq interrupted (it ran from the APIC timer IRQ exit), not the origin of the bad timer.