program:
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
connect$inet6(r0, &(0x7f0000000040)={0xa, 0x4001, 0x0, @loopback}, 0x1c)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r1, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c)
r2 = socket(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'lo\x00', <r4=>0x0})
sendmsg$nl_route_sched(r2, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000080)=@newqdisc={0x24, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r4, {0x0, 0xa}, {0xffff, 0x2}, {0x0, 0xffff}}}, 0x24}, 0x1, 0x0, 0x0, 0x4000885}, 0x44080)
listen(r1, 0x9)
r5 = socket$inet_mptcp(0x2, 0x1, 0x106)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100))
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000280)={0x12, 0x4, &(0x7f00000000c0)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c00000001009500000000000000a6520356ca8854"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x8}, 0x80)
connect$inet(r5, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10)
sendto$inet(r5, &(0x7f0000000040)="a6", 0xffffff4c, 0x241, 0x0, 0x0)
connect$unix(r0, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
socket$inet6_mptcp(0xa, 0x1, 0x106) (async)
connect$inet6(r0, &(0x7f0000000040)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)
socket$inet6_tcp(0xa, 0x1, 0x0) (async)
bind$inet6(r1, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c) (async)
socket(0x10, 0x3, 0x0) (async)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)) (async)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'lo\x00'}) (async)
sendmsg$nl_route_sched(r2, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000080)=@newqdisc={0x24, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r4, {0x0, 0xa}, {0xffff, 0x2}, {0x0, 0xffff}}}, 0x24}, 0x1, 0x0, 0x0, 0x4000885}, 0x44080) (async)
listen(r1, 0x9) (async)
socket$inet_mptcp(0x2, 0x1, 0x106) (async)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)) (async)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000280)={0x12, 0x4, &(0x7f00000000c0)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c00000001009500000000000000a6520356ca8854"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x8}, 0x80) (async)
connect$inet(r5, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) (async)
sendto$inet(r5, &(0x7f0000000040)="a6", 0xffffff4c, 0x241, 0x0, 0x0) (async)
connect$unix(r0, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) (async)

[   74.681776][ T5318] Bluetooth: hci0: command tx timeout
[   74.772220][ T5339] ------------[ cut here ]------------
[   74.774853][ T5339] WARNING: net/mptcp/subflow.c:1528 at subflow_data_ready+0x49b/0x7c0, CPU#0: syz.0.0/5339
[   74.779595][ T5339] Modules linked in:
[   74.781713][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   74.785854][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   74.790378][ T5339] RIP: 0010:subflow_data_ready+0x49b/0x7c0
[   74.793062][ T5339] Code: 48 0f b9 3a e9 c9 fc ff ff e8 f1 40 79 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 d6 40 79 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1
[   74.801616][ T5339] RSP: 0018:ffffc9000b37f740 EFLAGS: 00010293
[   74.804205][ T5339] RAX: ffffffff8b47c4ca RBX: ffff8880366a4240 RCX: ffff88801fbcc980
[   74.807402][ T5339] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   74.810693][ T5339] RBP: 0000000000000000 R08: ffff88801166094f R09: 1ffff110022cc129
[   74.815421][ T5339] R10: dffffc0000000000 R11: ffffed10022cc12a R12: 0000000000000000
[   74.818954][ T5339] R13: dffffc0000000000 R14: ffff888011660000 R15: 0000000000000000
[   74.822310][ T5339] FS:  00007f23d56426c0(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000
[   74.826190][ T5339] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   74.829058][ T5339] CR2: 000055556f3f97c8 CR3: 0000000011b63000 CR4: 0000000000352ef0
[   74.832641][ T5339] Call Trace:
[   74.834043][ T5339]  <TASK>
[   74.835361][ T5339]  tcp_data_queue+0x1e14/0x5e30
[   74.837430][ T5339]  ? __pfx_tcp_data_queue+0x10/0x10
[   74.839540][ T5339]  ? __pfx_tcp_urg+0x10/0x10
[   74.841477][ T5339]  ? kvm_clock_get_cycles+0x47/0x60
[   74.843826][ T5339]  ? tcp_ecn_received_counters+0x2b7/0x7f0
[   74.846242][ T5339]  tcp_rcv_established+0xf57/0x2580
[   74.848301][ T5339]  ? __pfx_tcp_rcv_state_process+0x10/0x10
[   74.850584][ T5339]  ? __pfx_tcp_rcv_established+0x10/0x10
[   74.853319][ T5339]  tcp_v6_do_rcv+0x8eb/0x1ba0
[   74.855874][ T5339]  ? __pfx_tcp_v6_do_rcv+0x10/0x10
[   74.858190][ T5339]  __release_sock+0x1b8/0x3a0
[   74.860274][ T5339]  release_sock+0x5f/0x1f0
[   74.862317][ T5339]  mptcp_connect+0x5be/0x860
[   74.864517][ T5339]  __inet_stream_connect+0x298/0xf00
[   74.866766][ T5339]  ? do_raw_spin_lock+0x121/0x290
[   74.868966][ T5339]  ? lock_sock_nested+0x6a/0x100
[   74.871066][ T5339]  ? __pfx___inet_stream_connect+0x10/0x10
[   74.873694][ T5339]  ? __local_bh_enable_ip+0xd0/0x130
[   74.875853][ T5339]  inet_stream_connect+0x66/0xa0
[   74.877666][ T5339]  __sys_connect+0x316/0x440
[   74.879858][ T5339]  ? __pfx___sys_connect+0x10/0x10
[   74.882336][ T5339]  __x64_sys_connect+0x7a/0x90
[   74.884440][ T5339]  do_syscall_64+0xec/0xf80
[   74.886600][ T5339]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.889270][ T5339]  ? trace_irq_disable+0x37/0x100
[   74.891608][ T5339]  ? clear_bhb_loop+0x60/0xb0
[   74.893728][ T5339]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.896501][ T5339] RIP: 0033:0x7f23d478f7c9
[   74.898382][ T5339] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   74.906710][ T5339] RSP: 002b:00007f23d5642038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   74.910447][ T5339] RAX: ffffffffffffffda RBX: 00007f23d49e6090 RCX: 00007f23d478f7c9
[   74.913981][ T5339] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000003
[   74.917487][ T5339] RBP: 00007f23d4813f91 R08: 0000000000000000 R09: 0000000000000000
[   74.921069][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   74.924578][ T5339] R13: 00007f23d49e6128 R14: 00007f23d49e6090 R15: 00007ffe0f757d98
[   74.928065][ T5339]  </TASK>
[   74.929363][ T5339] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   74.932771][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   74.936668][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   74.941096][ T5339] Call Trace:
[   74.942535][ T5339]  <TASK>
[   74.943813][ T5339]  vpanic+0x1e0/0x670
[   74.945475][ T5339]  panic+0xb9/0xc0
[   74.947016][ T5339]  ? __pfx_panic+0x10/0x10
[   74.948845][ T5339]  __warn+0x317/0x4b0
[   74.950456][ T5339]  ? subflow_data_ready+0x49b/0x7c0
[   74.952614][ T5339]  ? subflow_data_ready+0x49b/0x7c0
[   74.954734][ T5339]  __report_bug+0x288/0x500
[   74.956659][ T5339]  ? subflow_data_ready+0x49b/0x7c0
[   74.958747][ T5339]  ? __pfx___report_bug+0x10/0x10
[   74.960620][ T5339]  ? mptcp_subflow_data_available+0x300f/0x3a20
[   74.963315][ T5339]  ? subflow_data_ready+0x49b/0x7c0
[   74.965646][ T5339]  report_bug+0x16a/0x220
[   74.967650][ T5339]  ? subflow_data_ready+0x49b/0x7c0
[   74.970025][ T5339]  ? subflow_data_ready+0x49d/0x7c0
[   74.972253][ T5339]  handle_bug+0x98/0x200
[   74.974157][ T5339]  exc_invalid_op+0x1a/0x50
[   74.976145][ T5339]  asm_exc_invalid_op+0x1a/0x20
[   74.978337][ T5339] RIP: 0010:subflow_data_ready+0x49b/0x7c0
[   74.981079][ T5339] Code: 48 0f b9 3a e9 c9 fc ff ff e8 f1 40 79 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 d6 40 79 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1
[   74.989317][ T5339] RSP: 0018:ffffc9000b37f740 EFLAGS: 00010293
[   74.991988][ T5339] RAX: ffffffff8b47c4ca RBX: ffff8880366a4240 RCX: ffff88801fbcc980
[   74.995377][ T5339] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   74.998937][ T5339] RBP: 0000000000000000 R08: ffff88801166094f R09: 1ffff110022cc129
[   75.002343][ T5339] R10: dffffc0000000000 R11: ffffed10022cc12a R12: 0000000000000000
[   75.005662][ T5339] R13: dffffc0000000000 R14: ffff888011660000 R15: 0000000000000000
[   75.008952][ T5339]  ? subflow_data_ready+0x49a/0x7c0
[   75.011149][ T5339]  tcp_data_queue+0x1e14/0x5e30
[   75.013261][ T5339]  ? __pfx_tcp_data_queue+0x10/0x10
[   75.015424][ T5339]  ? __pfx_tcp_urg+0x10/0x10
[   75.017369][ T5339]  ? kvm_clock_get_cycles+0x47/0x60
[   75.019602][ T5339]  ? tcp_ecn_received_counters+0x2b7/0x7f0
[   75.022018][ T5339]  tcp_rcv_established+0xf57/0x2580
[   75.024209][ T5339]  ? __pfx_tcp_rcv_state_process+0x10/0x10
[   75.026471][ T5339]  ? __pfx_tcp_rcv_established+0x10/0x10
[   75.028892][ T5339]  tcp_v6_do_rcv+0x8eb/0x1ba0
[   75.030901][ T5339]  ? __pfx_tcp_v6_do_rcv+0x10/0x10
[   75.033882][ T5339]  __release_sock+0x1b8/0x3a0
[   75.036151][ T5339]  release_sock+0x5f/0x1f0
[   75.037964][ T5339]  mptcp_connect+0x5be/0x860
[   75.040022][ T5339]  __inet_stream_connect+0x298/0xf00
[   75.042648][ T5339]  ? do_raw_spin_lock+0x121/0x290
[   75.045164][ T5339]  ? lock_sock_nested+0x6a/0x100
[   75.047218][ T5339]  ? __pfx___inet_stream_connect+0x10/0x10
[   75.050008][ T5339]  ? __local_bh_enable_ip+0xd0/0x130
[   75.052332][ T5339]  inet_stream_connect+0x66/0xa0
[   75.054717][ T5339]  __sys_connect+0x316/0x440
[   75.057007][ T5339]  ? __pfx___sys_connect+0x10/0x10
[   75.059418][ T5339]  __x64_sys_connect+0x7a/0x90
[   75.061407][ T5339]  do_syscall_64+0xec/0xf80
[   75.063451][ T5339]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.066008][ T5339]  ? trace_irq_disable+0x37/0x100
[   75.068138][ T5339]  ? clear_bhb_loop+0x60/0xb0
[   75.070182][ T5339]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.072754][ T5339] RIP: 0033:0x7f23d478f7c9
[   75.074573][ T5339] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   75.082662][ T5339] RSP: 002b:00007f23d5642038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   75.086145][ T5339] RAX: ffffffffffffffda RBX: 00007f23d49e6090 RCX: 00007f23d478f7c9
[   75.089331][ T5339] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000003
[   75.092497][ T5339] RBP: 00007f23d4813f91 R08: 0000000000000000 R09: 0000000000000000
[   75.095813][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   75.098874][ T5339] R13: 00007f23d49e6128 R14: 00007f23d49e6090 R15: 00007ffe0f757d98
[   75.102433][ T5339]  </TASK>
[   75.104160][ T5339] Kernel Offset: disabled
[   75.106085][ T5339] Rebooting in 86400 seconds..