program: r0 = socket$inet6_mptcp(0xa, 0x1, 0x106) connect$inet6(r0, &(0x7f0000000040)={0xa, 0x4001, 0x0, @loopback}, 0x1c) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r1, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c) r2 = syz_open_dev$usbfs(&(0x7f0000000000), 0x1ff, 0x402) ioctl$USBDEVFS_CONTROL(r2, 0xc0185500, &(0x7f0000000100)={0x23, 0x1, 0x10, 0x1, 0x0, 0xb, 0x0}) clock_gettime(0x0, &(0x7f00000001c0)={0x0, 0x0}) pselect6(0x40, &(0x7f0000000100)={0xc8e5, 0xfffffffffffff000, 0x0, 0x2, 0x5, 0x3, 0x7, 0x4}, &(0x7f0000000140)={0x7, 0x6000000000000000, 0x9, 0x40, 0xb0, 0x9, 0x1, 0x7fff}, &(0x7f0000000180)={0x1, 0xfffffffffffffffa, 0x1000, 0x9, 0x6, 0x8000, 0x3}, &(0x7f0000000200)={r3, r4+10000000}, &(0x7f00000002c0)={&(0x7f0000000280)={[0x9]}, 0x8}) r5 = socket(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0}) sendmsg$nl_route_sched(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000080)=@newqdisc={0x60, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r7, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x34, 0x2, [@TCA_TBF_PARMS={0x28, 0x1, {{0x4, 0x2, 0x0, 0x0, 0x7, 0x8}, {0x12, 0x3, 0x0, 0x1, 0x8001, 0x4400}, 0xa5, 0x4, 0x10000000}}, @TCA_TBF_BURST={0x8, 0x6, 0x8054}]}}]}, 0x60}}, 0x44080) listen(r1, 0x9) r8 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r8, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) sendto$inet(r8, &(0x7f0000000040)="a6", 0xffffff4c, 0x241, 0x0, 0x0) connect$unix(r0, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) socket$inet6_mptcp(0xa, 0x1, 0x106) (async) connect$inet6(r0, &(0x7f0000000040)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async) socket$inet6_tcp(0xa, 0x1, 0x0) (async) bind$inet6(r1, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c) (async) syz_open_dev$usbfs(&(0x7f0000000000), 0x1ff, 0x402) (async) ioctl$USBDEVFS_CONTROL(r2, 0xc0185500, &(0x7f0000000100)={0x23, 0x1, 0x10, 0x1, 0x0, 0xb, 0x0}) (async) clock_gettime(0x0, &(0x7f00000001c0)) (async) pselect6(0x40, &(0x7f0000000100)={0xc8e5, 0xfffffffffffff000, 0x0, 0x2, 0x5, 0x3, 0x7, 0x4}, &(0x7f0000000140)={0x7, 0x6000000000000000, 0x9, 0x40, 0xb0, 0x9, 0x1, 0x7fff}, &(0x7f0000000180)={0x1, 0xfffffffffffffffa, 0x1000, 0x9, 0x6, 0x8000, 0x3}, &(0x7f0000000200)={r3, r4+10000000}, &(0x7f00000002c0)={&(0x7f0000000280)={[0x9]}, 0x8}) (async) socket(0x10, 0x3, 0x0) (async) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)) (async) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'lo\x00'}) (async) sendmsg$nl_route_sched(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000080)=@newqdisc={0x60, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r7, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x34, 0x2, [@TCA_TBF_PARMS={0x28, 0x1, {{0x4, 0x2, 0x0, 0x0, 0x7, 0x8}, {0x12, 0x3, 0x0, 0x1, 0x8001, 0x4400}, 0xa5, 0x4, 0x10000000}}, @TCA_TBF_BURST={0x8, 0x6, 0x8054}]}}]}, 0x60}}, 0x44080) (async) listen(r1, 0x9) (async) socket$inet_mptcp(0x2, 0x1, 0x106) (async) connect$inet(r8, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) (async) sendto$inet(r8, &(0x7f0000000040)="a6", 0xffffff4c, 0x241, 0x0, 0x0) (async) connect$unix(r0, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) (async) [ 74.789553][ T5313] Bluetooth: hci0: command tx timeout [ 74.877663][ T5333] sch_tbf: burst 32852 is lower than device lo mtu (65550) ! [ 74.923135][ T5334] ------------[ cut here ]------------ [ 74.925825][ T5334] WARNING: net/mptcp/subflow.c:1528 at subflow_data_ready+0x49b/0x7c0, CPU#0: syz.0.0/5334 [ 74.930285][ T5334] Modules linked in: [ 74.932222][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 74.936180][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.940925][ T5334] RIP: 0010:subflow_data_ready+0x49b/0x7c0 [ 74.943461][ T5334] Code: 48 0f b9 3a e9 c9 fc ff ff e8 61 e7 77 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 46 e7 77 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1 [ 74.951663][ T5334] RSP: 0018:ffffc9000a75f740 EFLAGS: 00010293 [ 74.954208][ T5334] RAX: ffffffff8b49d98a RBX: ffff8880393bc240 RCX: ffff888041438000 [ 74.957734][ T5334] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 74.961250][ T5334] RBP: 0000000000000000 R08: ffff88800b64094f R09: 1ffff110016c8129 [ 74.964752][ T5334] R10: dffffc0000000000 R11: ffffed10016c812a R12: 0000000000000000 [ 74.968202][ T5334] R13: dffffc0000000000 R14: ffff88800b640000 R15: 0000000000000000 [ 74.971864][ T5334] FS: 00007f3550f9e6c0(0000) GS:ffff88808d22a000(0000) knlGS:0000000000000000 [ 74.975777][ T5334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 74.978679][ T5334] CR2: 0000000000000000 CR3: 00000000114f4000 CR4: 0000000000352ef0 [ 74.982163][ T5334] Call Trace: [ 74.983631][ T5334] [ 74.984997][ T5334] tcp_data_queue+0x1e14/0x5e30 [ 74.987170][ T5334] ? __pfx_tcp_data_queue+0x10/0x10 [ 74.989423][ T5334] ? __pfx_tcp_urg+0x10/0x10 [ 74.991653][ T5334] ? kvm_clock_get_cycles+0x47/0x60 [ 74.993856][ T5334] ? tcp_ecn_received_counters+0x2b7/0x7f0 [ 74.996443][ T5334] tcp_rcv_established+0xf57/0x2580 [ 74.998765][ T5334] ? __pfx_tcp_rcv_state_process+0x10/0x10 [ 75.001604][ T5334] ? __pfx_tcp_rcv_established+0x10/0x10 [ 75.004062][ T5334] tcp_v6_do_rcv+0x8eb/0x1ba0 [ 75.006229][ T5334] ? __pfx_tcp_v6_do_rcv+0x10/0x10 [ 75.008474][ T5334] __release_sock+0x1b8/0x3a0 [ 75.010528][ T5334] release_sock+0x5f/0x1f0 [ 75.012750][ T5334] mptcp_connect+0x5be/0x860 [ 75.014759][ T5334] __inet_stream_connect+0x298/0xf00 [ 75.017487][ T5334] ? __local_bh_enable_ip+0x12d/0x1c0 [ 75.020302][ T5334] ? __pfx___inet_stream_connect+0x10/0x10 [ 75.023147][ T5334] ? __local_bh_enable_ip+0x12d/0x1c0 [ 75.025617][ T5334] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 75.028150][ T5334] inet_stream_connect+0x66/0xa0 [ 75.030396][ T5334] __sys_connect+0x316/0x440 [ 75.032597][ T5334] ? __pfx___sys_connect+0x10/0x10 [ 75.034818][ T5334] __x64_sys_connect+0x7a/0x90 [ 75.036934][ T5334] do_syscall_64+0xfa/0xf80 [ 75.038931][ T5334] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.041705][ T5334] ? clear_bhb_loop+0x60/0xb0 [ 75.043788][ T5334] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.046491][ T5334] RIP: 0033:0x7f355018f7c9 [ 75.048535][ T5334] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.057207][ T5334] RSP: 002b:00007f3550f9e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.061097][ T5334] RAX: ffffffffffffffda RBX: 00007f35503e6090 RCX: 00007f355018f7c9 [ 75.064547][ T5334] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000003 [ 75.068090][ T5334] RBP: 00007f3550213f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.071632][ T5334] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.075008][ T5334] R13: 00007f35503e6128 R14: 00007f35503e6090 R15: 00007fffbdf42088 [ 75.078497][ T5334] [ 75.079959][ T5334] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 75.083202][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.087157][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.091903][ T5334] Call Trace: [ 75.093396][ T5334] [ 75.094694][ T5334] dump_stack_lvl+0x99/0x250 [ 75.096741][ T5334] ? __asan_memcpy+0x40/0x70 [ 75.098864][ T5334] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.101165][ T5334] ? __pfx__printk+0x10/0x10 [ 75.103170][ T5334] vpanic+0x237/0x6d0 [ 75.105006][ T5334] ? __pfx_vpanic+0x10/0x10 [ 75.107089][ T5334] ? is_bpf_text_address+0x292/0x2b0 [ 75.109397][ T5334] ? is_bpf_text_address+0x26/0x2b0 [ 75.111725][ T5334] panic+0xb9/0xc0 [ 75.113374][ T5334] ? __pfx_panic+0x10/0x10 [ 75.115386][ T5334] __warn+0x317/0x4b0 [ 75.117221][ T5334] ? subflow_data_ready+0x49b/0x7c0 [ 75.119436][ T5334] ? subflow_data_ready+0x49b/0x7c0 [ 75.121710][ T5334] __report_bug+0x288/0x500 [ 75.123721][ T5334] ? subflow_data_ready+0x49b/0x7c0 [ 75.126002][ T5334] ? __pfx___report_bug+0x10/0x10 [ 75.128265][ T5334] ? mptcp_subflow_data_available+0x300f/0x3a20 [ 75.131081][ T5334] ? subflow_data_ready+0x49b/0x7c0 [ 75.133350][ T5334] report_bug+0x16a/0x220 [ 75.135329][ T5334] ? subflow_data_ready+0x49b/0x7c0 [ 75.137621][ T5334] ? subflow_data_ready+0x49d/0x7c0 [ 75.139946][ T5334] handle_bug+0x98/0x200 [ 75.141733][ T5334] exc_invalid_op+0x1a/0x50 [ 75.143638][ T5334] asm_exc_invalid_op+0x1a/0x20 [ 75.145560][ T5334] RIP: 0010:subflow_data_ready+0x49b/0x7c0 [ 75.147989][ T5334] Code: 48 0f b9 3a e9 c9 fc ff ff e8 61 e7 77 f6 48 89 df 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6b 0e 00 00 e8 46 e7 77 f6 90 <0f> 0b 90 e9 f2 fd ff ff 90 0f 0b 90 43 0f b6 04 2f 84 c0 0f 85 a1 [ 75.155941][ T5334] RSP: 0018:ffffc9000a75f740 EFLAGS: 00010293 [ 75.158527][ T5334] RAX: ffffffff8b49d98a RBX: ffff8880393bc240 RCX: ffff888041438000 [ 75.161863][ T5334] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.165244][ T5334] RBP: 0000000000000000 R08: ffff88800b64094f R09: 1ffff110016c8129 [ 75.168563][ T5334] R10: dffffc0000000000 R11: ffffed10016c812a R12: 0000000000000000 [ 75.171705][ T5334] R13: dffffc0000000000 R14: ffff88800b640000 R15: 0000000000000000 [ 75.174823][ T5334] ? subflow_data_ready+0x49a/0x7c0 [ 75.177011][ T5334] tcp_data_queue+0x1e14/0x5e30 [ 75.178976][ T5334] ? __pfx_tcp_data_queue+0x10/0x10 [ 75.181030][ T5334] ? __pfx_tcp_urg+0x10/0x10 [ 75.182917][ T5334] ? kvm_clock_get_cycles+0x47/0x60 [ 75.185227][ T5334] ? tcp_ecn_received_counters+0x2b7/0x7f0 [ 75.187770][ T5334] tcp_rcv_established+0xf57/0x2580 [ 75.189988][ T5334] ? __pfx_tcp_rcv_state_process+0x10/0x10 [ 75.192515][ T5334] ? __pfx_tcp_rcv_established+0x10/0x10 [ 75.195009][ T5334] tcp_v6_do_rcv+0x8eb/0x1ba0 [ 75.197281][ T5334] ? __pfx_tcp_v6_do_rcv+0x10/0x10 [ 75.199647][ T5334] __release_sock+0x1b8/0x3a0 [ 75.202180][ T5334] release_sock+0x5f/0x1f0 [ 75.204168][ T5334] mptcp_connect+0x5be/0x860 [ 75.206224][ T5334] __inet_stream_connect+0x298/0xf00 [ 75.208623][ T5334] ? __local_bh_enable_ip+0x12d/0x1c0 [ 75.210929][ T5334] ? __pfx___inet_stream_connect+0x10/0x10 [ 75.213480][ T5334] ? __local_bh_enable_ip+0x12d/0x1c0 [ 75.215881][ T5334] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 75.218282][ T5334] inet_stream_connect+0x66/0xa0 [ 75.220328][ T5334] __sys_connect+0x316/0x440 [ 75.222401][ T5334] ? __pfx___sys_connect+0x10/0x10 [ 75.224634][ T5334] __x64_sys_connect+0x7a/0x90 [ 75.226591][ T5334] do_syscall_64+0xfa/0xf80 [ 75.228313][ T5334] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.230802][ T5334] ? clear_bhb_loop+0x60/0xb0 [ 75.232792][ T5334] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.235217][ T5334] RIP: 0033:0x7f355018f7c9 [ 75.237198][ T5334] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.245197][ T5334] RSP: 002b:00007f3550f9e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.248717][ T5334] RAX: ffffffffffffffda RBX: 00007f35503e6090 RCX: 00007f355018f7c9 [ 75.252340][ T5334] RDX: 000000000000001c RSI: 0000200000000040 RDI: 0000000000000003 [ 75.255692][ T5334] RBP: 00007f3550213f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.259046][ T5334] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.262143][ T5334] R13: 00007f35503e6128 R14: 00007f35503e6090 R15: 00007fffbdf42088 [ 75.265433][ T5334] [ 75.267179][ T5334] Kernel Offset: disabled [ 75.269128][ T5334] Rebooting in 86400 seconds..