program: r0 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x3, 0x0, @loopback}, 0x1c) mkdir(&(0x7f0000000640)='./file0\x00', 0x0) mknod(&(0x7f0000000080)='./file0\x00', 0x400, 0x5) mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f0000000180)='cgroup2\x00', 0x0, 0x0) r1 = open(&(0x7f0000000100)='./file0\x00', 0x0, 0x0) r2 = openat$cgroup_procs(r1, &(0x7f0000000000)='cgroup.procs\x00', 0x2, 0x0) writev(r2, &(0x7f0000000340)=[{&(0x7f0000000300)='0', 0x1}], 0x1) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r3, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r3, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x1c, &(0x7f00000001c0)=[@in6={0xa, 0x0, 0x0, @private0={0xfc, 0x0, '\x00', 0x1}, 0xfffffffb}]}, &(0x7f0000000140)=0x10) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r3, 0x84, 0x7a, &(0x7f0000000340)={r4, @in6={{0xa, 0x3, 0x0, @dev={0xfe, 0x80, '\x00', 0x36}}}}, &(0x7f0000000040)=0x84) connect$inet6(r0, &(0x7f0000000040)={0xa, 0x3, 0x0, @loopback}, 0x1c) connect$unix(r0, &(0x7f0000000100)=@file={0x0, './file0\x00'}, 0x6e) socket$inet6_mptcp(0xa, 0x1, 0x106) (async) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x3, 0x0, @loopback}, 0x1c) (async) mkdir(&(0x7f0000000640)='./file0\x00', 0x0) (async) mknod(&(0x7f0000000080)='./file0\x00', 0x400, 0x5) (async) mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f0000000180)='cgroup2\x00', 0x0, 0x0) (async) open(&(0x7f0000000100)='./file0\x00', 0x0, 0x0) (async) openat$cgroup_procs(r1, &(0x7f0000000000)='cgroup.procs\x00', 0x2, 0x0) (async) writev(r2, &(0x7f0000000340)=[{&(0x7f0000000300)='0', 0x1}], 0x1) (async) socket$inet6_sctp(0xa, 0x5, 0x84) (async) shutdown(r3, 0x0) (async) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r3, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x1c, &(0x7f00000001c0)=[@in6={0xa, 0x0, 0x0, @private0={0xfc, 0x0, '\x00', 0x1}, 0xfffffffb}]}, &(0x7f0000000140)=0x10) (async) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r3, 0x84, 0x7a, &(0x7f0000000340)={r4, @in6={{0xa, 0x3, 0x0, @dev={0xfe, 0x80, '\x00', 0x36}}}}, &(0x7f0000000040)=0x84) (async) connect$inet6(r0, &(0x7f0000000040)={0xa, 0x3, 0x0, @loopback}, 0x1c) (async) connect$unix(r0, &(0x7f0000000100)=@file={0x0, './file0\x00'}, 0x6e) (async) [ 75.183133][ T4681] Bluetooth: hci0: command tx timeout [ 75.259052][ T5335] ------------[ cut here ]------------ [ 75.261508][ T5335] WARNING: net/mptcp/subflow.c:1528 at subflow_data_ready+0x49b/0x7c0, CPU#0: syz.0.0/5335 [ 75.265817][ T5335] Modules linked in: [ 75.267608][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.271826][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.276966][ T5335] RIP: 0010:subflow_data_ready+0x49b/0x7c0 [ 75.279714][ T5335] Code: 48 0f b9 3a e9 c9 fc ff ff e8 11 3d 79 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 f6 3c 79 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1 [ 75.288560][ T5335] RSP: 0018:ffffc9000a6d7720 EFLAGS: 00010293 [ 75.291310][ T5335] RAX: ffffffff8b47c85a RBX: ffff888040cac240 RCX: ffff888000bd24c0 [ 75.294947][ T5335] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.298450][ T5335] RBP: 0000000000000000 R08: ffff888010fd094f R09: 1ffff110021fa129 [ 75.301755][ T5335] R10: dffffc0000000000 R11: ffffed10021fa12a R12: 0000000000000000 [ 75.305272][ T5335] R13: dffffc0000000000 R14: ffff888010fd0000 R15: 0000000000000000 [ 75.308423][ T5335] FS: 00007faf9e4cf6c0(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 75.312067][ T5335] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.314852][ T5335] CR2: 00007faf9e4adfc8 CR3: 0000000011a91000 CR4: 0000000000352ef0 [ 75.318303][ T5335] Call Trace: [ 75.319822][ T5335] [ 75.321129][ T5335] tcp_data_queue+0x1e14/0x5e30 [ 75.323407][ T5335] ? __pfx_tcp_data_queue+0x10/0x10 [ 75.325618][ T5335] ? __pfx_tcp_urg+0x10/0x10 [ 75.327608][ T5335] ? kvm_clock_get_cycles+0x47/0x60 [ 75.329817][ T5335] tcp_rcv_state_process+0x23ae/0x4530 [ 75.332135][ T5335] ? __pfx_tcp_rcv_state_process+0x10/0x10 [ 75.334646][ T5335] ? tcp_v6_connect+0x124b/0x18a0 [ 75.336820][ T5335] tcp_v6_do_rcv+0xbef/0x1ba0 [ 75.338848][ T5335] ? __local_bh_enable_ip+0xd0/0x130 [ 75.341103][ T5335] ? __pfx_tcp_v6_do_rcv+0x10/0x10 [ 75.343493][ T5335] __release_sock+0x1b8/0x3a0 [ 75.345502][ T5335] release_sock+0x5f/0x1f0 [ 75.347409][ T5335] mptcp_connect+0x5be/0x860 [ 75.349481][ T5335] __inet_stream_connect+0x298/0xf00 [ 75.351820][ T5335] ? do_raw_spin_lock+0x121/0x290 [ 75.354245][ T5335] ? lock_sock_nested+0x6a/0x100 [ 75.356386][ T5335] ? __pfx___inet_stream_connect+0x10/0x10 [ 75.359105][ T5335] ? __local_bh_enable_ip+0xd0/0x130 [ 75.361703][ T5335] inet_stream_connect+0x66/0xa0 [ 75.364450][ T5335] __sys_connect+0x316/0x440 [ 75.366851][ T5335] ? __pfx___sys_connect+0x10/0x10 [ 75.369325][ T5335] ? rcu_is_watching+0x15/0xb0 [ 75.371844][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.374400][ T5335] do_syscall_64+0xec/0xf80 [ 75.376532][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.379111][ T5335] ? trace_irq_disable+0x37/0x100 [ 75.381403][ T5335] ? clear_bhb_loop+0x60/0xb0 [ 75.383717][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.386458][ T5335] RIP: 0033:0x7faf9d58f7c9 [ 75.388652][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.397805][ T5335] RSP: 002b:00007faf9e4cf038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.401618][ T5335] RAX: ffffffffffffffda RBX: 00007faf9d7e6090 RCX: 00007faf9d58f7c9 [ 75.405338][ T5335] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000003 [ 75.409350][ T5335] RBP: 00007faf9d613f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.413313][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.417014][ T5335] R13: 00007faf9d7e6128 R14: 00007faf9d7e6090 R15: 00007ffec4fdb5f8 [ 75.420644][ T5335] [ 75.422068][ T5335] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 75.425358][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.429363][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.434129][ T5335] Call Trace: [ 75.435736][ T5335] [ 75.437229][ T5335] vpanic+0x1e0/0x670 [ 75.439295][ T5335] panic+0xb9/0xc0 [ 75.441329][ T5335] ? __pfx_panic+0x10/0x10 [ 75.443637][ T5335] __warn+0x317/0x4b0 [ 75.445437][ T5335] ? subflow_data_ready+0x49b/0x7c0 [ 75.447691][ T5335] ? subflow_data_ready+0x49b/0x7c0 [ 75.449916][ T5335] __report_bug+0x288/0x500 [ 75.451935][ T5335] ? subflow_data_ready+0x49b/0x7c0 [ 75.454279][ T5335] ? __pfx___report_bug+0x10/0x10 [ 75.456529][ T5335] ? mptcp_subflow_data_available+0x300f/0x3a20 [ 75.459353][ T5335] ? subflow_data_ready+0x49b/0x7c0 [ 75.461762][ T5335] report_bug+0x16a/0x220 [ 75.463699][ T5335] ? subflow_data_ready+0x49b/0x7c0 [ 75.466007][ T5335] ? subflow_data_ready+0x49d/0x7c0 [ 75.468401][ T5335] handle_bug+0x98/0x200 [ 75.470312][ T5335] exc_invalid_op+0x1a/0x50 [ 75.472281][ T5335] asm_exc_invalid_op+0x1a/0x20 [ 75.474489][ T5335] RIP: 0010:subflow_data_ready+0x49b/0x7c0 [ 75.477399][ T5335] Code: 48 0f b9 3a e9 c9 fc ff ff e8 11 3d 79 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 f6 3c 79 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1 [ 75.486351][ T5335] RSP: 0018:ffffc9000a6d7720 EFLAGS: 00010293 [ 75.489171][ T5335] RAX: ffffffff8b47c85a RBX: ffff888040cac240 RCX: ffff888000bd24c0 [ 75.492758][ T5335] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.496284][ T5335] RBP: 0000000000000000 R08: ffff888010fd094f R09: 1ffff110021fa129 [ 75.499816][ T5335] R10: dffffc0000000000 R11: ffffed10021fa12a R12: 0000000000000000 [ 75.503323][ T5335] R13: dffffc0000000000 R14: ffff888010fd0000 R15: 0000000000000000 [ 75.506775][ T5335] ? subflow_data_ready+0x49a/0x7c0 [ 75.508671][ T5335] tcp_data_queue+0x1e14/0x5e30 [ 75.510632][ T5335] ? __pfx_tcp_data_queue+0x10/0x10 [ 75.512833][ T5335] ? __pfx_tcp_urg+0x10/0x10 [ 75.514790][ T5335] ? kvm_clock_get_cycles+0x47/0x60 [ 75.517002][ T5335] tcp_rcv_state_process+0x23ae/0x4530 [ 75.519291][ T5335] ? __pfx_tcp_rcv_state_process+0x10/0x10 [ 75.521716][ T5335] ? tcp_v6_connect+0x124b/0x18a0 [ 75.523799][ T5335] tcp_v6_do_rcv+0xbef/0x1ba0 [ 75.525750][ T5335] ? __local_bh_enable_ip+0xd0/0x130 [ 75.527947][ T5335] ? __pfx_tcp_v6_do_rcv+0x10/0x10 [ 75.530052][ T5335] __release_sock+0x1b8/0x3a0 [ 75.532054][ T5335] release_sock+0x5f/0x1f0 [ 75.533914][ T5335] mptcp_connect+0x5be/0x860 [ 75.535846][ T5335] __inet_stream_connect+0x298/0xf00 [ 75.538052][ T5335] ? do_raw_spin_lock+0x121/0x290 [ 75.540208][ T5335] ? lock_sock_nested+0x6a/0x100 [ 75.542255][ T5335] ? __pfx___inet_stream_connect+0x10/0x10 [ 75.544848][ T5335] ? __local_bh_enable_ip+0xd0/0x130 [ 75.547211][ T5335] inet_stream_connect+0x66/0xa0 [ 75.549406][ T5335] __sys_connect+0x316/0x440 [ 75.551507][ T5335] ? __pfx___sys_connect+0x10/0x10 [ 75.554023][ T5335] ? rcu_is_watching+0x15/0xb0 [ 75.556158][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.558197][ T5335] do_syscall_64+0xec/0xf80 [ 75.560112][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.562765][ T5335] ? trace_irq_disable+0x37/0x100 [ 75.565002][ T5335] ? clear_bhb_loop+0x60/0xb0 [ 75.567151][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.569751][ T5335] RIP: 0033:0x7faf9d58f7c9 [ 75.571785][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.580545][ T5335] RSP: 002b:00007faf9e4cf038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.584834][ T5335] RAX: ffffffffffffffda RBX: 00007faf9d7e6090 RCX: 00007faf9d58f7c9 [ 75.588434][ T5335] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000003 [ 75.591997][ T5335] RBP: 00007faf9d613f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.595686][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.599404][ T5335] R13: 00007faf9d7e6128 R14: 00007faf9d7e6090 R15: 00007ffec4fdb5f8 [ 75.602999][ T5335] [ 75.604688][ T5335] Kernel Offset: disabled [ 75.606565][ T5335] Rebooting in 86400 seconds..