program:
syz_open_dev$sndctrl(&(0x7f0000001440), 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x4)
ioctl$EXT4_IOC_GET_ES_CACHE(r0, 0x400442c9, 0x0)
r1 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r1, &(0x7f0000000000)={0xa, 0x3, 0x0, @loopback}, 0x1c)
connect$inet6(r1, &(0x7f0000000040)={0xa, 0x3, 0x0, @loopback}, 0x1c)
connect$unix(r1, &(0x7f0000000100)=@file={0x0, './file0\x00'}, 0x6e)
r2 = socket$inet(0x2, 0x3, 0x33)
socket$nl_route(0x10, 0x3, 0x0)
r3 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0xe, 0x4, &(0x7f0000000040)=ANY=[@ANYBLOB="b400000000000018691132000000000016000000000000009500740000000000"], &(0x7f0000003ff6)='GPL\x00', 0x2, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sk_skb}, 0x48)
r4 = open_tree(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x8101)
ioctl$IOCTL_GET_NCIDEV_IDX(r4, 0x0, &(0x7f00000000c0))
r5 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_kcm_SIOCKCMATTACH(0xffffffffffffffff, 0x89e0, &(0x7f0000000000)={r5})
setsockopt$inet_int(r2, 0x0, 0xa15d90fc55616bd1, &(0x7f00000001c0)=0x2, 0x4)
fsconfig$FSCONFIG_SET_FD(r4, 0x5, &(0x7f0000000180)='\x00', 0x0, r3)
getsockopt$inet_mreqsrc(r2, 0x0, 0x53, &(0x7f0000000000)={@dev, @local, @broadcast}, &(0x7f0000000440)=0xc)
syz_open_dev$sndctrl(&(0x7f0000001440), 0x0, 0x0) (async)
syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x4) (async)
ioctl$EXT4_IOC_GET_ES_CACHE(r0, 0x400442c9, 0x0) (async)
socket$inet6_mptcp(0xa, 0x1, 0x106) (async)
bind$inet6(r1, &(0x7f0000000000)={0xa, 0x3, 0x0, @loopback}, 0x1c) (async)
connect$inet6(r1, &(0x7f0000000040)={0xa, 0x3, 0x0, @loopback}, 0x1c) (async)
connect$unix(r1, &(0x7f0000000100)=@file={0x0, './file0\x00'}, 0x6e) (async)
socket$inet(0x2, 0x3, 0x33) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0xe, 0x4, &(0x7f0000000040)=ANY=[@ANYBLOB="b400000000000018691132000000000016000000000000009500740000000000"], &(0x7f0000003ff6)='GPL\x00', 0x2, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sk_skb}, 0x48) (async)
open_tree(0xffffffffffffffff, &(0x7f0000000080)='./file0\x00', 0x8101) (async)
ioctl$IOCTL_GET_NCIDEV_IDX(r4, 0x0, &(0x7f00000000c0)) (async)
socket$nl_generic(0x10, 0x3, 0x10) (async)
ioctl$sock_kcm_SIOCKCMATTACH(0xffffffffffffffff, 0x89e0, &(0x7f0000000000)={r5}) (async)
setsockopt$inet_int(r2, 0x0, 0xa15d90fc55616bd1, &(0x7f00000001c0)=0x2, 0x4) (async)
fsconfig$FSCONFIG_SET_FD(r4, 0x5, &(0x7f0000000180)='\x00', 0x0, r3) (async)
getsockopt$inet_mreqsrc(r2, 0x0, 0x53, &(0x7f0000000000)={@dev, @local, @broadcast}, &(0x7f0000000440)=0xc) (async)

[  144.929018][ T4690] Bluetooth: hci0: command tx timeout
[  145.180155][ T5344] ------------[ cut here ]------------
[  145.182883][ T5344] WARNING: net/mptcp/subflow.c:1528 at subflow_data_ready+0x49b/0x7c0, CPU#0: syz.0.0/5344
[  145.187351][ T5344] Modules linked in:
[  145.189517][ T5344] CPU: 0 UID: 0 PID: 5344 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  145.193747][ T5344] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  145.199557][ T5344] RIP: 0010:subflow_data_ready+0x49b/0x7c0
[  145.202470][ T5344] Code: 48 0f b9 3a e9 c9 fc ff ff e8 81 41 79 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 66 41 79 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1
[  145.212042][ T5344] RSP: 0018:ffffc9000c00f720 EFLAGS: 00010293
[  145.214782][ T5344] RAX: ffffffff8b47c3ba RBX: ffff888040f54240 RCX: ffff888000350000
[  145.218441][ T5344] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  145.222099][ T5344] RBP: 0000000000000000 R08: ffff88803586094f R09: 1ffff11006b0c129
[  145.225796][ T5344] R10: dffffc0000000000 R11: ffffed1006b0c12a R12: 0000000000000000
[  145.229986][ T5344] R13: dffffc0000000000 R14: ffff888035860000 R15: 0000000000000000
[  145.233456][ T5344] FS:  00007fec5b9766c0(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000
[  145.237698][ T5344] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  145.240471][ T5344] CR2: 00007fec56ff4fc8 CR3: 0000000040e10000 CR4: 0000000000352ef0
[  145.243761][ T5344] Call Trace:
[  145.245223][ T5344]  <TASK>
[  145.246514][ T5344]  tcp_data_queue+0x1e14/0x5e30
[  145.249166][ T5344]  ? __pfx_tcp_data_queue+0x10/0x10
[  145.252045][ T5344]  ? __pfx_tcp_urg+0x10/0x10
[  145.254327][ T5344]  ? kvm_clock_get_cycles+0x47/0x60
[  145.256589][ T5344]  tcp_rcv_state_process+0x23ae/0x4530
[  145.259145][ T5344]  ? __pfx_tcp_rcv_state_process+0x10/0x10
[  145.261834][ T5344]  ? tcp_v6_connect+0x124b/0x18a0
[  145.264059][ T5344]  tcp_v6_do_rcv+0xbef/0x1ba0
[  145.266173][ T5344]  ? __local_bh_enable_ip+0xd0/0x130
[  145.268570][ T5344]  ? __pfx_tcp_v6_do_rcv+0x10/0x10
[  145.270856][ T5344]  __release_sock+0x1b8/0x3a0
[  145.272909][ T5344]  release_sock+0x5f/0x1f0
[  145.274898][ T5344]  mptcp_connect+0x5be/0x860
[  145.276996][ T5344]  __inet_stream_connect+0x298/0xf00
[  145.279449][ T5344]  ? do_raw_spin_lock+0x121/0x290
[  145.281741][ T5344]  ? lock_sock_nested+0x6a/0x100
[  145.283939][ T5344]  ? __pfx___inet_stream_connect+0x10/0x10
[  145.286541][ T5344]  ? __local_bh_enable_ip+0xd0/0x130
[  145.288956][ T5344]  inet_stream_connect+0x66/0xa0
[  145.291209][ T5344]  __sys_connect+0x316/0x440
[  145.293313][ T5344]  ? __pfx___sys_connect+0x10/0x10
[  145.295541][ T5344]  ? rcu_is_watching+0x15/0xb0
[  145.297606][ T5344]  __x64_sys_connect+0x7a/0x90
[  145.300048][ T5344]  do_syscall_64+0xec/0xf80
[  145.302832][ T5344]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  145.306346][ T5344]  ? trace_irq_disable+0x37/0x100
[  145.309045][ T5344]  ? clear_bhb_loop+0x60/0xb0
[  145.311204][ T5344]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  145.313880][ T5344] RIP: 0033:0x7fec5ab8f7c9
[  145.315888][ T5344] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  145.323562][ T5344] RSP: 002b:00007fec5b976038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  145.327040][ T5344] RAX: ffffffffffffffda RBX: 00007fec5ade5fa0 RCX: 00007fec5ab8f7c9
[  145.330339][ T5344] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000004
[  145.334145][ T5344] RBP: 00007fec5ac13f91 R08: 0000000000000000 R09: 0000000000000000
[  145.337626][ T5344] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  145.341503][ T5344] R13: 00007fec5ade6038 R14: 00007fec5ade5fa0 R15: 00007ffdc01b7478
[  145.344893][ T5344]  </TASK>
[  145.346241][ T5344] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  145.349515][ T5344] CPU: 0 UID: 0 PID: 5344 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  145.354065][ T5344] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  145.359301][ T5344] Call Trace:
[  145.360883][ T5344]  <TASK>
[  145.362191][ T5344]  vpanic+0x1e0/0x670
[  145.363961][ T5344]  panic+0xb9/0xc0
[  145.365626][ T5344]  ? __pfx_panic+0x10/0x10
[  145.367519][ T5344]  __warn+0x317/0x4b0
[  145.369223][ T5344]  ? subflow_data_ready+0x49b/0x7c0
[  145.371553][ T5344]  ? subflow_data_ready+0x49b/0x7c0
[  145.373930][ T5344]  __report_bug+0x288/0x500
[  145.376035][ T5344]  ? subflow_data_ready+0x49b/0x7c0
[  145.378376][ T5344]  ? __pfx___report_bug+0x10/0x10
[  145.380597][ T5344]  ? mptcp_subflow_data_available+0x300f/0x3a20
[  145.383291][ T5344]  ? subflow_data_ready+0x49b/0x7c0
[  145.385478][ T5344]  report_bug+0x16a/0x220
[  145.387478][ T5344]  ? subflow_data_ready+0x49b/0x7c0
[  145.389890][ T5344]  ? subflow_data_ready+0x49d/0x7c0
[  145.392353][ T5344]  handle_bug+0x98/0x200
[  145.394366][ T5344]  exc_invalid_op+0x1a/0x50
[  145.396442][ T5344]  asm_exc_invalid_op+0x1a/0x20
[  145.398676][ T5344] RIP: 0010:subflow_data_ready+0x49b/0x7c0
[  145.401285][ T5344] Code: 48 0f b9 3a e9 c9 fc ff ff e8 81 41 79 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 66 41 79 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1
[  145.408769][ T5344] RSP: 0018:ffffc9000c00f720 EFLAGS: 00010293
[  145.411157][ T5344] RAX: ffffffff8b47c3ba RBX: ffff888040f54240 RCX: ffff888000350000
[  145.414304][ T5344] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  145.417776][ T5344] RBP: 0000000000000000 R08: ffff88803586094f R09: 1ffff11006b0c129
[  145.421426][ T5344] R10: dffffc0000000000 R11: ffffed1006b0c12a R12: 0000000000000000
[  145.425024][ T5344] R13: dffffc0000000000 R14: ffff888035860000 R15: 0000000000000000
[  145.428483][ T5344]  ? subflow_data_ready+0x49a/0x7c0
[  145.430790][ T5344]  tcp_data_queue+0x1e14/0x5e30
[  145.432909][ T5344]  ? __pfx_tcp_data_queue+0x10/0x10
[  145.435194][ T5344]  ? __pfx_tcp_urg+0x10/0x10
[  145.437193][ T5344]  ? kvm_clock_get_cycles+0x47/0x60
[  145.439454][ T5344]  tcp_rcv_state_process+0x23ae/0x4530
[  145.441864][ T5344]  ? __pfx_tcp_rcv_state_process+0x10/0x10
[  145.444374][ T5344]  ? tcp_v6_connect+0x124b/0x18a0
[  145.446629][ T5344]  tcp_v6_do_rcv+0xbef/0x1ba0
[  145.448784][ T5344]  ? __local_bh_enable_ip+0xd0/0x130
[  145.451191][ T5344]  ? __pfx_tcp_v6_do_rcv+0x10/0x10
[  145.453455][ T5344]  __release_sock+0x1b8/0x3a0
[  145.455507][ T5344]  release_sock+0x5f/0x1f0
[  145.457488][ T5344]  mptcp_connect+0x5be/0x860
[  145.459469][ T5344]  __inet_stream_connect+0x298/0xf00
[  145.461828][ T5344]  ? do_raw_spin_lock+0x121/0x290
[  145.464023][ T5344]  ? lock_sock_nested+0x6a/0x100
[  145.466177][ T5344]  ? __pfx___inet_stream_connect+0x10/0x10
[  145.469217][ T5344]  ? __local_bh_enable_ip+0xd0/0x130
[  145.472385][ T5344]  inet_stream_connect+0x66/0xa0
[  145.475100][ T5344]  __sys_connect+0x316/0x440
[  145.477172][ T5344]  ? __pfx___sys_connect+0x10/0x10
[  145.479509][ T5344]  ? rcu_is_watching+0x15/0xb0
[  145.481634][ T5344]  __x64_sys_connect+0x7a/0x90
[  145.483770][ T5344]  do_syscall_64+0xec/0xf80
[  145.485877][ T5344]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  145.488462][ T5344]  ? trace_irq_disable+0x37/0x100
[  145.490701][ T5344]  ? clear_bhb_loop+0x60/0xb0
[  145.492851][ T5344]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  145.495442][ T5344] RIP: 0033:0x7fec5ab8f7c9
[  145.497495][ T5344] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  145.506194][ T5344] RSP: 002b:00007fec5b976038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  145.509794][ T5344] RAX: ffffffffffffffda RBX: 00007fec5ade5fa0 RCX: 00007fec5ab8f7c9
[  145.513196][ T5344] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000004
[  145.516735][ T5344] RBP: 00007fec5ac13f91 R08: 0000000000000000 R09: 0000000000000000
[  145.520278][ T5344] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  145.523679][ T5344] R13: 00007fec5ade6038 R14: 00007fec5ade5fa0 R15: 00007ffdc01b7478
[  145.527765][ T5344]  </TASK>
[  145.529821][ T5344] Kernel Offset: disabled
[  145.532175][ T5344] Rebooting in 86400 seconds..