BTRFS info (device loop2): force clearing of disk cache
Oops: general protection fault, probably for non-canonical address 0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0xdead000000000120-0xdead000000000127]
CPU: 0 UID: 0 PID: 5978 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__hlist_del include/linux/list.h:992 [inline]
RIP: 0010:hlist_del_init include/linux/list.h:1020 [inline]
RIP: 0010:__umount_mnt+0x24e/0x490 fs/namespace.c:997
Code: 85 e4 74 61 4d 8d be f8 00 00 00 4c 89 f8 48 c1 e8 03 80 3c 28 00 74 08 4c 89 ff e8 1c 8a e2 ff 4d 8b 2f 4c 89 e0 48 c1 e8 03 <80> 3c 28 00 74 08 4c 89 e7 e8 f4 8a e2 ff 4d 89 2c 24 4d 85 ed 74
RSP: 0000:ffffc9000606f980 EFLAGS: 00010a06
RAX: 1bd5a00000000024 RBX: ffff888109195008 RCX: ffff888171749d40
RDX: 0000000000000000 RSI: ffffc9000606fa40 RDI: ffff888109195078
RBP: dffffc0000000000 R08: ffffffff8253f97e R09: ffffffff8e416948
R10: 0000000000000000 R11: fffff52000c0df28 R12: dead000000000122
R13: dead000000000100 R14: ffff888109195000 R15: ffff8881091950f8
FS:  00007f9d096f76c0(0000) GS:ffff88818de5f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffea2c2ff88 CR3: 000000000e54c000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 mntput_no_expire_slowpath+0x950/0xbd0 fs/namespace.c:1368
 free_fs_struct fs/fs_struct.c:108 [inline]
 exit_fs+0x15e/0x1e0 fs/fs_struct.c:125
 do_exit+0x6d1/0x23c0 kernel/exit.c:972
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1118
 get_signal+0x1284/0x1330 kernel/signal.c:3038
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9d0879c799
Code: Unable to access opcode bytes at 0x7f9d0879c76f.
RSP: 002b:00007f9d096f70e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f9d08a15fa8 RCX: 00007f9d0879c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f9d08a15fa8
RBP: 00007f9d08a15fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9d08a16038 R14: 00007ffc2e5502b0 R15: 00007ffc2e550398
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__hlist_del include/linux/list.h:992 [inline]
RIP: 0010:hlist_del_init include/linux/list.h:1020 [inline]
RIP: 0010:__umount_mnt+0x24e/0x490 fs/namespace.c:997
Code: 85 e4 74 61 4d 8d be f8 00 00 00 4c 89 f8 48 c1 e8 03 80 3c 28 00 74 08 4c 89 ff e8 1c 8a e2 ff 4d 8b 2f 4c 89 e0 48 c1 e8 03 <80> 3c 28 00 74 08 4c 89 e7 e8 f4 8a e2 ff 4d 89 2c 24 4d 85 ed 74
RSP: 0000:ffffc9000606f980 EFLAGS: 00010a06
RAX: 1bd5a00000000024 RBX: ffff888109195008 RCX: ffff888171749d40
RDX: 0000000000000000 RSI: ffffc9000606fa40 RDI: ffff888109195078
RBP: dffffc0000000000 R08: ffffffff8253f97e R09: ffffffff8e416948
R10: 0000000000000000 R11: fffff52000c0df28 R12: dead000000000122
R13: dead000000000100 R14: ffff888109195000 R15: ffff8881091950f8
FS:  00007f9d096f76c0(0000) GS:ffff88818de5f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffea2c2ff88 CR3: 000000000e54c000 CR4: 00000000000006f0
----------------
Code disassembly (best guess):
   0:	85 e4                	test   %esp,%esp
   2:	74 61                	je     0x65
   4:	4d 8d be f8 00 00 00 	lea    0xf8(%r14),%r15
   b:	4c 89 f8             	mov    %r15,%rax
   e:	48 c1 e8 03          	shr    $0x3,%rax
  12:	80 3c 28 00          	cmpb   $0x0,(%rax,%rbp,1)
  16:	74 08                	je     0x20
  18:	4c 89 ff             	mov    %r15,%rdi
  1b:	e8 1c 8a e2 ff       	call   0xffe28a3c
  20:	4d 8b 2f             	mov    (%r15),%r13
  23:	4c 89 e0             	mov    %r12,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 28 00          	cmpb   $0x0,(%rax,%rbp,1) <-- trapping instruction
  2e:	74 08                	je     0x38
  30:	4c 89 e7             	mov    %r12,%rdi
  33:	e8 f4 8a e2 ff       	call   0xffe28b2c
  38:	4d 89 2c 24          	mov    %r13,(%r12)
  3c:	4d 85 ed             	test   %r13,%r13
  3f:	74                   	.byte 0x74
