program:
# Syzkaller reproducer (syzlang), one call per line. The console log after it
# reports "WARNING: net/mptcp/subflow.c:1528 at subflow_data_ready", raised in
# task syz.0.0 inside a connect() syscall; because panic_on_warn is set, the
# warning is escalated to a kernel panic. Triage it as a failed kernel
# assertion: no KASAN report is visible in this log.
# NOTE(review): r4 and r5 are used below but never visibly assigned. Syzlang
# binds such values inline with <rN=> markers, which look like they were
# stripped when the page was extracted - confirm against the original
# reproducer before trying to replay this text.

# IPv6 MPTCP stream socket (protocol 0x106).
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
# Sets the congestion control algorithm to 'cubic' on r0.
setsockopt$inet6_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000100)='cubic', 0x5)
# connect() to @loopback with a 0x1c-byte address. The trace's syscall
# registers (ORIG_RAX=0x2a, RDX=0x1c, RSI ending in 0x40) appear to match this
# call or its (async) twin below; the warning fires under mptcp_connect ->
# release_sock while the socket backlog is processed.
connect$inet6(r0, &(0x7f0000000040)={0xa, 0x4001, 0x0, @loopback}, 0x1c)
# Plain IPv6 TCP socket, bound to port value 0x4e22 on @empty; listen() on it
# comes later in the sequence.
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r1, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c)
# Emulated USB device with idVendor 0x424 / idProduct 0x9904. In the log the
# smsc95xx probe for it fails with -22, and no USB function appears in the
# warning's call trace, so this part is presumably incidental - verify by
# minimising the reproducer.
syz_usb_connect(0x0, 0x24, &(0x7f0000000080)={{0x12, 0x1, 0x0, 0x8d, 0xbd, 0xd7, 0x40, 0x424, 0x9904, 0x1d5b, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x4, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0xc6, 0x89, 0x89}}]}}]}}, 0x0)
r2 = syz_open_dev$usbfs(&(0x7f0000000180), 0x10000001d, 0x8041)
ioctl$USBDEVFS_IOCTL(r2, 0xc0105512, &(0x7f0000000200)=@usbdevfs_connect)
# Netlink socket (family 0x10) used for the qdisc request below.
r3 = socket(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff})
# Looks up the interface index of 'lo'; the result is presumably what r5 holds.
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0})
# newqdisc request of kind tbf for interface index r5. TCA_TBF_BURST is 0x8054
# (32852), matching the log line "sch_tbf: burst 32852 is lower than device lo
# mtu (65550)".
sendmsg$nl_route_sched(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000080)=@newqdisc={0x60, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r5, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x34, 0x2, [@TCA_TBF_PARMS={0x28, 0x1, {{0x4, 0x2, 0x0, 0x0, 0x7, 0x8}, {0x12, 0x3, 0x0, 0x1, 0x8001, 0x4400}, 0xa5, 0x4, 0x10000000}}, @TCA_TBF_BURST={0x8, 0x6, 0x8054}]}}]}, 0x60}}, 0x44080)
listen(r1, 0x9)
# IPv4 MPTCP socket connecting to @local on the same port value (0x4e22) that
# r1 was bound to.
r6 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r6, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10)
# The length argument (0xffffff4c) is far larger than the one-byte buffer shown.
sendto$inet(r6, &(0x7f0000000040)="a6", 0xffffff4c, 0x241, 0x0, 0x0)
# Second connect on r0, this time with a unix-style file address.
connect$unix(r0, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
# The same call sequence is listed again with the (async) marker on every call.
# In this copy the "rN =" result assignments and the output values of
# socketpair/ioctl are not shown.
socket$inet6_mptcp(0xa, 0x1, 0x106) (async)
setsockopt$inet6_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000100)='cubic', 0x5) (async)
connect$inet6(r0, &(0x7f0000000040)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)
socket$inet6_tcp(0xa, 0x1, 0x0) (async)
bind$inet6(r1, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c) (async)
syz_usb_connect(0x0, 0x24, &(0x7f0000000080)={{0x12, 0x1, 0x0, 0x8d, 0xbd, 0xd7, 0x40, 0x424, 0x9904, 0x1d5b, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x4, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0xc6, 0x89, 0x89}}]}}]}}, 0x0) (async)
syz_open_dev$usbfs(&(0x7f0000000180), 0x10000001d, 0x8041) (async)
ioctl$USBDEVFS_IOCTL(r2, 0xc0105512, &(0x7f0000000200)=@usbdevfs_connect) (async)
socket(0x10, 0x3, 0x0) (async)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)) (async)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'lo\x00'}) (async)
sendmsg$nl_route_sched(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000080)=@newqdisc={0x60, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r5, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x34, 0x2, [@TCA_TBF_PARMS={0x28, 0x1, {{0x4, 0x2, 0x0, 0x0, 0x7, 0x8}, {0x12, 0x3, 0x0, 0x1, 0x8001, 0x4400}, 0xa5, 0x4, 0x10000000}}, @TCA_TBF_BURST={0x8, 0x6, 0x8054}]}}]}, 0x60}}, 0x44080) (async)
listen(r1, 0x9) (async)
socket$inet_mptcp(0x2, 0x1, 0x106) (async)
connect$inet(r6, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) (async)
sendto$inet(r6, &(0x7f0000000040)="a6", 0xffffff4c, 0x241, 0x0, 0x0) (async)
connect$unix(r0, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) (async)
[ 90.855946][ T46] Bluetooth: hci0: command tx timeout
[ 91.306513][ T5310] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 91.461118][ T5310] usb 5-1: New USB device found, idVendor=0424, idProduct=9904, bcdDevice=1d.5b
[ 91.464937][ T5310] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 91.468248][ T5310] usb 5-1: Product: syz
[ 91.470252][ T5310] usb 5-1: Manufacturer: syz
[ 91.472197][ T5310] usb 5-1: SerialNumber: syz
[ 91.488531][ T5310] smsc95xx v2.0.0
[ 91.490228][ T5310] smsc95xx 5-1:4.0 (unnamed net_device) (uninitialized): usbnet_get_endpoints failed: -22
[ 91.499685][ T5310] smsc95xx 5-1:4.0: probe with driver smsc95xx failed with error -22
[ 91.574627][ T9] cfg80211: failed to load regulatory.db
[ 91.690568][ T5343] smsc95xx v2.0.0
[ 91.692179][ T5343] 
smsc95xx 5-1:4.0 (unnamed net_device) (uninitialized): usbnet_get_endpoints failed: -22 [ 91.709685][ T5343] smsc95xx 5-1:4.0: probe with driver smsc95xx failed with error -22 [ 91.728118][ T5343] sch_tbf: burst 32852 is lower than device lo mtu (65550) ! [ 91.777924][ T5345] ------------[ cut here ]------------ [ 91.780516][ T5345] WARNING: net/mptcp/subflow.c:1528 at subflow_data_ready+0x49b/0x7c0, CPU#0: syz.0.0/5345 [ 91.784989][ T5345] Modules linked in: [ 91.786996][ T5345] CPU: 0 UID: 0 PID: 5345 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 91.791026][ T5345] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 91.795763][ T5345] RIP: 0010:subflow_data_ready+0x49b/0x7c0 [ 91.798603][ T5345] Code: 48 0f b9 3a e9 c9 fc ff ff e8 61 e7 77 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 46 e7 77 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1 [ 91.807282][ T5345] RSP: 0000:ffffc90009b27740 EFLAGS: 00010293 [ 91.810041][ T5345] RAX: ffffffff8b49d98a RBX: ffff8880414e4240 RCX: ffff888033e78000 [ 91.813485][ T5345] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 91.816999][ T5345] RBP: 0000000000000000 R08: ffff8880001a094f R09: 1ffff11000034129 [ 91.820498][ T5345] R10: dffffc0000000000 R11: ffffed100003412a R12: 0000000000000000 [ 91.823694][ T5345] R13: dffffc0000000000 R14: ffff8880001a0000 R15: 0000000000000000 [ 91.826997][ T5345] FS: 00007f8df33b56c0(0000) GS:ffff88808d22a000(0000) knlGS:0000000000000000 [ 91.830636][ T5345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 91.833217][ T5345] CR2: 00007f8df33b4fc8 CR3: 000000000b77e000 CR4: 0000000000352ef0 [ 91.836787][ T5345] Call Trace: [ 91.838405][ T5345] [ 91.839755][ T5345] tcp_data_queue+0x1e14/0x5e30 [ 91.841979][ T5345] ? __pfx_tcp_data_queue+0x10/0x10 [ 91.844325][ T5345] ? __pfx_tcp_urg+0x10/0x10 [ 91.846455][ T5345] ? 
kvm_clock_get_cycles+0x47/0x60 [ 91.848776][ T5345] ? tcp_ecn_received_counters+0x2b7/0x7f0 [ 91.851391][ T5345] tcp_rcv_established+0xf57/0x2580 [ 91.853679][ T5345] ? __pfx_tcp_rcv_state_process+0x10/0x10 [ 91.856271][ T5345] ? __pfx_tcp_rcv_established+0x10/0x10 [ 91.858747][ T5345] tcp_v6_do_rcv+0x8eb/0x1ba0 [ 91.861177][ T5345] ? __pfx_tcp_v6_do_rcv+0x10/0x10 [ 91.863492][ T5345] __release_sock+0x1b8/0x3a0 [ 91.865622][ T5345] release_sock+0x5f/0x1f0 [ 91.868030][ T5345] mptcp_connect+0x5be/0x860 [ 91.870210][ T5345] __inet_stream_connect+0x298/0xf00 [ 91.872488][ T5345] ? __local_bh_enable_ip+0x12d/0x1c0 [ 91.874790][ T5345] ? __pfx___inet_stream_connect+0x10/0x10 [ 91.877306][ T5345] ? __local_bh_enable_ip+0x12d/0x1c0 [ 91.879688][ T5345] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 91.882147][ T5345] inet_stream_connect+0x66/0xa0 [ 91.884416][ T5345] __sys_connect+0x316/0x440 [ 91.886815][ T5345] ? __pfx___sys_connect+0x10/0x10 [ 91.888875][ T5345] ? rcu_is_watching+0x15/0xb0 [ 91.890817][ T5345] __x64_sys_connect+0x7a/0x90 [ 91.892737][ T5345] do_syscall_64+0xfa/0xf80 [ 91.894570][ T5345] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 91.897163][ T5345] ? 
clear_bhb_loop+0x60/0xb0 [ 91.899191][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 91.901749][ T5345] RIP: 0033:0x7f8df258f7c9 [ 91.903691][ T5345] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 91.911816][ T5345] RSP: 002b:00007f8df33b5038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 91.915458][ T5345] RAX: ffffffffffffffda RBX: 00007f8df27e6090 RCX: 00007f8df258f7c9 [ 91.918834][ T5345] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000003 [ 91.922253][ T5345] RBP: 00007f8df2613f91 R08: 0000000000000000 R09: 0000000000000000 [ 91.925574][ T5345] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 91.929067][ T5345] R13: 00007f8df27e6128 R14: 00007f8df27e6090 R15: 00007ffcd69f24a8 [ 91.932145][ T5345] [ 91.933317][ T5345] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 91.936384][ T5345] CPU: 0 UID: 0 PID: 5345 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 91.940158][ T5345] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 91.944810][ T5345] Call Trace: [ 91.946332][ T5345] [ 91.947617][ T5345] dump_stack_lvl+0x99/0x250 [ 91.949634][ T5345] ? __asan_memcpy+0x40/0x70 [ 91.951678][ T5345] ? __pfx_dump_stack_lvl+0x10/0x10 [ 91.953909][ T5345] ? __pfx__printk+0x10/0x10 [ 91.955911][ T5345] vpanic+0x237/0x6d0 [ 91.957645][ T5345] ? __pfx_vpanic+0x10/0x10 [ 91.959664][ T5345] ? is_bpf_text_address+0x292/0x2b0 [ 91.961955][ T5345] ? is_bpf_text_address+0x26/0x2b0 [ 91.964052][ T5345] panic+0xb9/0xc0 [ 91.965747][ T5345] ? __pfx_panic+0x10/0x10 [ 91.967750][ T5345] __warn+0x317/0x4b0 [ 91.969500][ T5345] ? subflow_data_ready+0x49b/0x7c0 [ 91.971789][ T5345] ? subflow_data_ready+0x49b/0x7c0 [ 91.974131][ T5345] __report_bug+0x288/0x500 [ 91.976175][ T5345] ? subflow_data_ready+0x49b/0x7c0 [ 91.978550][ T5345] ? 
__pfx___report_bug+0x10/0x10 [ 91.980741][ T5345] ? mptcp_subflow_data_available+0x300f/0x3a20 [ 91.983478][ T5345] ? subflow_data_ready+0x49b/0x7c0 [ 91.985720][ T5345] report_bug+0x16a/0x220 [ 91.987608][ T5345] ? subflow_data_ready+0x49b/0x7c0 [ 91.990620][ T5345] ? subflow_data_ready+0x49d/0x7c0 [ 91.993200][ T5345] handle_bug+0x98/0x200 [ 91.995183][ T5345] exc_invalid_op+0x1a/0x50 [ 91.997241][ T5345] asm_exc_invalid_op+0x1a/0x20 [ 92.000383][ T5345] RIP: 0010:subflow_data_ready+0x49b/0x7c0 [ 92.002657][ T5345] Code: 48 0f b9 3a e9 c9 fc ff ff e8 61 e7 77 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 46 e7 77 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1 [ 92.011237][ T5345] RSP: 0000:ffffc90009b27740 EFLAGS: 00010293 [ 92.013918][ T5345] RAX: ffffffff8b49d98a RBX: ffff8880414e4240 RCX: ffff888033e78000 [ 92.017267][ T5345] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 92.020736][ T5345] RBP: 0000000000000000 R08: ffff8880001a094f R09: 1ffff11000034129 [ 92.024194][ T5345] R10: dffffc0000000000 R11: ffffed100003412a R12: 0000000000000000 [ 92.027634][ T5345] R13: dffffc0000000000 R14: ffff8880001a0000 R15: 0000000000000000 [ 92.031213][ T5345] ? subflow_data_ready+0x49a/0x7c0 [ 92.033556][ T5345] tcp_data_queue+0x1e14/0x5e30 [ 92.035852][ T5345] ? __pfx_tcp_data_queue+0x10/0x10 [ 92.038211][ T5345] ? __pfx_tcp_urg+0x10/0x10 [ 92.040266][ T5345] ? kvm_clock_get_cycles+0x47/0x60 [ 92.042547][ T5345] ? tcp_ecn_received_counters+0x2b7/0x7f0 [ 92.044684][ T5345] tcp_rcv_established+0xf57/0x2580 [ 92.046727][ T5345] ? __pfx_tcp_rcv_state_process+0x10/0x10 [ 92.049288][ T5345] ? __pfx_tcp_rcv_established+0x10/0x10 [ 92.051423][ T5345] tcp_v6_do_rcv+0x8eb/0x1ba0 [ 92.053216][ T5345] ? 
__pfx_tcp_v6_do_rcv+0x10/0x10 [ 92.055548][ T5345] __release_sock+0x1b8/0x3a0 [ 92.057699][ T5345] release_sock+0x5f/0x1f0 [ 92.059767][ T5345] mptcp_connect+0x5be/0x860 [ 92.061798][ T5345] __inet_stream_connect+0x298/0xf00 [ 92.064110][ T5345] ? __local_bh_enable_ip+0x12d/0x1c0 [ 92.066528][ T5345] ? __pfx___inet_stream_connect+0x10/0x10 [ 92.069107][ T5345] ? __local_bh_enable_ip+0x12d/0x1c0 [ 92.071488][ T5345] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 92.074043][ T5345] inet_stream_connect+0x66/0xa0 [ 92.076267][ T5345] __sys_connect+0x316/0x440 [ 92.078374][ T5345] ? __pfx___sys_connect+0x10/0x10 [ 92.080596][ T5345] ? rcu_is_watching+0x15/0xb0 [ 92.082763][ T5345] __x64_sys_connect+0x7a/0x90 [ 92.084881][ T5345] do_syscall_64+0xfa/0xf80 [ 92.086900][ T5345] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.089561][ T5345] ? clear_bhb_loop+0x60/0xb0 [ 92.091650][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.094203][ T5345] RIP: 0033:0x7f8df258f7c9 [ 92.096224][ T5345] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 92.104540][ T5345] RSP: 002b:00007f8df33b5038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 92.108146][ T5345] RAX: ffffffffffffffda RBX: 00007f8df27e6090 RCX: 00007f8df258f7c9 [ 92.111480][ T5345] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000003 [ 92.114897][ T5345] RBP: 00007f8df2613f91 R08: 0000000000000000 R09: 0000000000000000 [ 92.118338][ T5345] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 92.121844][ T5345] R13: 00007f8df27e6128 R14: 00007f8df27e6090 R15: 00007ffcd69f24a8 [ 92.125264][ T5345] [ 92.126979][ T5345] Kernel Offset: disabled [ 92.128918][ T5345] Rebooting in 86400 seconds..