------------[ cut here ]------------
WARNING: CPU: 1 PID: 961 at net/mptcp/subflow.c:1472 subflow_data_ready+0x412/0x660 net/mptcp/subflow.c:1471
Modules linked in:
CPU: 1 PID: 961 Comm: kworker/u4:5 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: krdsd rds_tcp_accept_worker
RIP: 0010:subflow_data_ready+0x412/0x660 net/mptcp/subflow.c:1471
Code: 88 38 f7 0f 0b e9 4e fd ff ff e8 89 88 38 f7 48 89 df 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d e9 83 0d 00 00 e8 6e 88 38 f7 <0f> 0b e9 3f fe ff ff 44 89 f9 80 e1 07 38 c1 0f 8c 36 fc ff ff 4c
RSP: 0018:ffffc900001f02d8 EFLAGS: 00010246
RAX: ffffffff8a4d0852 RBX: ffff88805f68e800 RCX: ffff888022cd8000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88804ff24767 R09: 1ffff11009fe48ec
R10: dffffc0000000000 R11: ffffed1009fe48ed R12: ffff88804ff23e80
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3238bf8628 CR3: 00000000196e5000 CR4: 00000000003506e0
Call Trace:
 <IRQ>
 tcp_data_queue+0x21b2/0x5a80 net/ipv4/tcp_input.c:5226
 tcp_rcv_state_process+0x2772/0x4130 net/ipv4/tcp_input.c:6858
 tcp_v4_do_rcv+0x7b3/0xb80 net/ipv4/tcp_ipv4.c:1757
 tcp_v4_rcv+0x2334/0x2a50 net/ipv4/tcp_ipv4.c:2166
 ip_protocol_deliver_rcu+0x20e/0x3f0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2ca/0x510 net/ipv4/ip_input.c:233
 NF_HOOK+0x303/0x390 include/linux/netfilter.h:304
 NF_HOOK+0x303/0x390 include/linux/netfilter.h:304
 __netif_receive_skb_one_core net/core/dev.c:5608 [inline]
 __netif_receive_skb+0xcc/0x290 net/core/dev.c:5722
 process_backlog+0x380/0x6e0 net/core/dev.c:6050
 __napi_poll+0xc0/0x460 net/core/dev.c:6612
 napi_poll net/core/dev.c:6679 [inline]
 net_rx_action+0x5ea/0xbf0 net/core/dev.c:6815
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 do_softirq+0xed/0x180 kernel/softirq.c:479
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x178/0x1c0 kernel/softirq.c:406
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:856 [inline]
 __dev_queue_xmit+0x1449/0x35a0 net/core/dev.c:4452
 dev_queue_xmit include/linux/netdevice.h:3113 [inline]
 neigh_hh_output include/net/neighbour.h:527 [inline]
 neigh_output include/net/neighbour.h:541 [inline]
 ip_finish_output2+0xcd3/0x11d0 net/ipv4/ip_output.c:235
 dst_output include/net/dst.h:467 [inline]
 ip_local_out net/ipv4/ip_output.c:129 [inline]
 __ip_queue_xmit+0x10aa/0x1a10 net/ipv4/ip_output.c:535
 __tcp_transmit_skb+0x1c97/0x32a0 net/ipv4/tcp_output.c:1422
 tcp_transmit_skb net/ipv4/tcp_output.c:1440 [inline]
 tcp_write_xmit+0x174c/0x62e0 net/ipv4/tcp_output.c:2778
 __tcp_push_pending_frames+0x97/0x340 net/ipv4/tcp_output.c:2963
 __tcp_close+0x538/0xe40 net/ipv4/tcp.c:2873
 tcp_close+0x28/0x110 net/ipv4/tcp.c:2962
 inet_release+0x13d/0x180 net/ipv4/af_inet.c:434
 __sock_release net/socket.c:659 [inline]
 sock_release+0x7f/0x140 net/socket.c:687
 rds_tcp_accept_one+0x4a2/0xa20 net/rds/tcp_listen.c:230
 rds_tcp_accept_worker+0x3e/0xa0 net/rds/tcp.c:528
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>