public inbox for linux-kernel@vger.kernel.org
* [syzbot] [mptcp?] WARNING in subflow_data_ready (4)
@ 2025-08-20 12:41 syzbot
  2025-11-20 20:58 ` syzbot
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: syzbot @ 2025-08-20 12:41 UTC (permalink / raw)
  To: davem, edumazet, geliang, horms, kuba, linux-kernel, martineau,
	matttbe, mptcp, netdev, pabeni, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    b19a97d57c15 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174817a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b7511150b112b9c3
dashboard link: https://syzkaller.appspot.com/bug?extid=0ff6b771b4f7a5bce83b
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-b19a97d5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d6e98c49ae62/vmlinux-b19a97d5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c90ded1d8e17/bzImage-b19a97d5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0ff6b771b4f7a5bce83b@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Modules linked in:
CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
RSP: 0018:ffffc900006cf338 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf
RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900
R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004
FS:  0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197
 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922
 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672
 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918
 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500
 dst_input include/net/dst.h:471 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092
 process_backlog+0x442/0x15e0 net/core/dev.c:6444
 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494
 napi_poll net/core/dev.c:7557 [inline]
 net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684
 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
 run_ksoftirqd kernel/softirq.c:968 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960
 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
 kthread+0x3c2/0x780 kernel/kthread.c:463
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [mptcp?] WARNING in subflow_data_ready (4)
  2025-08-20 12:41 [syzbot] [mptcp?] WARNING in subflow_data_ready (4) syzbot
@ 2025-11-20 20:58 ` syzbot
  2025-11-26 18:25 ` Forwarded: " syzbot
  2025-11-27  7:45 ` syzbot
  2 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-20 20:58 UTC (permalink / raw)
  To: davem, edumazet, geliang, horms, kuba, linux-kernel, martineau,
	matttbe, mptcp, netdev, pabeni, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    8e621c9a3375 Merge tag 'net-6.18-rc7' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12887a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1cd7f786c0f5182f
dashboard link: https://syzkaller.appspot.com/bug?extid=0ff6b771b4f7a5bce83b
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=133c9a12580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=117a2a12580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6be75789d60e/disk-8e621c9a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/62e7a40cfe48/vmlinux-8e621c9a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e523caa536d/bzImage-8e621c9a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0ff6b771b4f7a5bce83b@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 15 at net/mptcp/subflow.c:1519 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1519
Modules linked in:
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1519
Code: 89 ee e8 88 f8 72 f6 40 84 ed 75 21 e8 9e fd 72 f6 44 89 fe bf 07 00 00 00 e8 d1 f8 72 f6 41 83 ff 07 74 09 e8 86 fd 72 f6 90 <0f> 0b 90 e8 7d fd 72 f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
RSP: 0018:ffffc90000147380 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888030aa72c0 RCX: ffffffff8b4959ef
RDX: ffff88801d2cbc80 RSI: ffffffff8b4959fa RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000004 R11: 00000d230000000c R12: ffff888033463c00
R13: 1ffff92000028e70 R14: ffff88802f9bbc00 R15: 0000000000000004
FS:  0000000000000000(0000) GS:ffff888124a0d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f841c04df98 CR3: 0000000078b7e000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 tcp_data_ready+0x110/0x550 net/ipv4/tcp_input.c:5355
 tcp_data_queue+0x1aa6/0x5000 net/ipv4/tcp_input.c:5445
 tcp_rcv_state_process+0xfb6/0x6490 net/ipv4/tcp_input.c:7159
 tcp_v4_do_rcv+0x68e/0x10a0 net/ipv4/tcp_ipv4.c:1954
 tcp_v4_rcv+0x3077/0x4db0 net/ipv4/tcp_ipv4.c:2374
 ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x3f2/0x720 net/ipv4/ip_input.c:239
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:260
 dst_input include/net/dst.h:474 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:453 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip_rcv+0x2e0/0x600 net/ipv4/ip_input.c:573
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:6079
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6192
 process_backlog+0x439/0x15e0 net/core/dev.c:6544
 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7594
 napi_poll net/core/dev.c:7657 [inline]
 net_rx_action+0x97f/0xef0 net/core/dev.c:7784
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
 run_ksoftirqd kernel/softirq.c:1063 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:1055
 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.


* Forwarded: Re: [syzbot] [mptcp?] WARNING in subflow_data_ready (4)
  2025-08-20 12:41 [syzbot] [mptcp?] WARNING in subflow_data_ready (4) syzbot
  2025-11-20 20:58 ` syzbot
@ 2025-11-26 18:25 ` syzbot
  2025-11-27  7:45 ` syzbot
  2 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-26 18:25 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [mptcp?] WARNING in subflow_data_ready (4)
Author: pabeni@redhat.com

On 11/20/25 9:58 PM, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    8e621c9a3375 Merge tag 'net-6.18-rc7' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12887a12580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=1cd7f786c0f5182f
> dashboard link: https://syzkaller.appspot.com/bug?extid=0ff6b771b4f7a5bce83b
> compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=133c9a12580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=117a2a12580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/6be75789d60e/disk-8e621c9a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/62e7a40cfe48/vmlinux-8e621c9a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/3e523caa536d/bzImage-8e621c9a.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+0ff6b771b4f7a5bce83b@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 15 at net/mptcp/subflow.c:1519 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1519
> Modules linked in:
> CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted syzkaller #0 PREEMPT(full) 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
> RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1519
> Code: 89 ee e8 88 f8 72 f6 40 84 ed 75 21 e8 9e fd 72 f6 44 89 fe bf 07 00 00 00 e8 d1 f8 72 f6 41 83 ff 07 74 09 e8 86 fd 72 f6 90 <0f> 0b 90 e8 7d fd 72 f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
> RSP: 0018:ffffc90000147380 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff888030aa72c0 RCX: ffffffff8b4959ef
> RDX: ffff88801d2cbc80 RSI: ffffffff8b4959fa RDI: 0000000000000005
> RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
> R10: 0000000000000004 R11: 00000d230000000c R12: ffff888033463c00
> R13: 1ffff92000028e70 R14: ffff88802f9bbc00 R15: 0000000000000004
> FS:  0000000000000000(0000) GS:ffff888124a0d000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f841c04df98 CR3: 0000000078b7e000 CR4: 00000000003526f0
> Call Trace:
>  <TASK>
>  tcp_data_ready+0x110/0x550 net/ipv4/tcp_input.c:5355
>  tcp_data_queue+0x1aa6/0x5000 net/ipv4/tcp_input.c:5445
>  tcp_rcv_state_process+0xfb6/0x6490 net/ipv4/tcp_input.c:7159
>  tcp_v4_do_rcv+0x68e/0x10a0 net/ipv4/tcp_ipv4.c:1954
>  tcp_v4_rcv+0x3077/0x4db0 net/ipv4/tcp_ipv4.c:2374
>  ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
>  ip_local_deliver_finish+0x3f2/0x720 net/ipv4/ip_input.c:239
>  NF_HOOK include/linux/netfilter.h:318 [inline]
>  NF_HOOK include/linux/netfilter.h:312 [inline]
>  ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:260
>  dst_input include/net/dst.h:474 [inline]
>  ip_rcv_finish net/ipv4/ip_input.c:453 [inline]
>  NF_HOOK include/linux/netfilter.h:318 [inline]
>  NF_HOOK include/linux/netfilter.h:312 [inline]
>  ip_rcv+0x2e0/0x600 net/ipv4/ip_input.c:573
>  __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:6079
>  __netif_receive_skb+0x1d/0x160 net/core/dev.c:6192
>  process_backlog+0x439/0x15e0 net/core/dev.c:6544
>  __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7594
>  napi_poll net/core/dev.c:7657 [inline]
>  net_rx_action+0x97f/0xef0 net/core/dev.c:7784
>  handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
>  run_ksoftirqd kernel/softirq.c:1063 [inline]
>  run_ksoftirqd+0x3a/0x60 kernel/softirq.c:1055
>  smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
>  kthread+0x3c5/0x780 kernel/kthread.c:463
>  ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>  </TASK>
> 
> 
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main

I can't repro it locally. Running a debug patch to collect more status,
which hopefully should help in understanding the race.


* Re: [syzbot] [mptcp?] WARNING in subflow_data_ready (4)
       [not found] <f697f3a0-859e-48bb-b0cd-28f176a24e2f@redhat.com>
@ 2025-11-26 18:50 ` syzbot
  0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-26 18:50 UTC (permalink / raw)
  To: linux-kernel, mptcp, pabeni, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+0ff6b771b4f7a5bce83b@syzkaller.appspotmail.com
Tested-by: syzbot+0ff6b771b4f7a5bce83b@syzkaller.appspotmail.com

Tested on:

commit:         ab084f0b drivers: net: fbnic: Return the true error in..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=153a1e92580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1cc75ad16015d162
dashboard link: https://syzkaller.appspot.com/bug?extid=0ff6b771b4f7a5bce83b
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=121ba57c580000

Note: testing is done by a robot and is best-effort only.


* Forwarded: Re: [syzbot] [mptcp?] WARNING in subflow_data_ready (4)
  2025-08-20 12:41 [syzbot] [mptcp?] WARNING in subflow_data_ready (4) syzbot
  2025-11-20 20:58 ` syzbot
  2025-11-26 18:25 ` Forwarded: " syzbot
@ 2025-11-27  7:45 ` syzbot
  2 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-27  7:45 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [mptcp?] WARNING in subflow_data_ready (4)
Author: pabeni@redhat.com

On 11/20/25 9:58 PM, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    8e621c9a3375 Merge tag 'net-6.18-rc7' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12887a12580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=1cd7f786c0f5182f
> dashboard link: https://syzkaller.appspot.com/bug?extid=0ff6b771b4f7a5bce83b
> compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=133c9a12580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=117a2a12580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/6be75789d60e/disk-8e621c9a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/62e7a40cfe48/vmlinux-8e621c9a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/3e523caa536d/bzImage-8e621c9a.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+0ff6b771b4f7a5bce83b@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 15 at net/mptcp/subflow.c:1519 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1519
> Modules linked in:
> CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted syzkaller #0 PREEMPT(full) 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
> RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1519
> Code: 89 ee e8 88 f8 72 f6 40 84 ed 75 21 e8 9e fd 72 f6 44 89 fe bf 07 00 00 00 e8 d1 f8 72 f6 41 83 ff 07 74 09 e8 86 fd 72 f6 90 <0f> 0b 90 e8 7d fd 72 f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
> RSP: 0018:ffffc90000147380 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff888030aa72c0 RCX: ffffffff8b4959ef
> RDX: ffff88801d2cbc80 RSI: ffffffff8b4959fa RDI: 0000000000000005
> RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
> R10: 0000000000000004 R11: 00000d230000000c R12: ffff888033463c00
> R13: 1ffff92000028e70 R14: ffff88802f9bbc00 R15: 0000000000000004
> FS:  0000000000000000(0000) GS:ffff888124a0d000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f841c04df98 CR3: 0000000078b7e000 CR4: 00000000003526f0
> Call Trace:
>  <TASK>
>  tcp_data_ready+0x110/0x550 net/ipv4/tcp_input.c:5355
>  tcp_data_queue+0x1aa6/0x5000 net/ipv4/tcp_input.c:5445
>  tcp_rcv_state_process+0xfb6/0x6490 net/ipv4/tcp_input.c:7159
>  tcp_v4_do_rcv+0x68e/0x10a0 net/ipv4/tcp_ipv4.c:1954
>  tcp_v4_rcv+0x3077/0x4db0 net/ipv4/tcp_ipv4.c:2374
>  ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
>  ip_local_deliver_finish+0x3f2/0x720 net/ipv4/ip_input.c:239
>  NF_HOOK include/linux/netfilter.h:318 [inline]
>  NF_HOOK include/linux/netfilter.h:312 [inline]
>  ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:260
>  dst_input include/net/dst.h:474 [inline]
>  ip_rcv_finish net/ipv4/ip_input.c:453 [inline]
>  NF_HOOK include/linux/netfilter.h:318 [inline]
>  NF_HOOK include/linux/netfilter.h:312 [inline]
>  ip_rcv+0x2e0/0x600 net/ipv4/ip_input.c:573
>  __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:6079
>  __netif_receive_skb+0x1d/0x160 net/core/dev.c:6192
>  process_backlog+0x439/0x15e0 net/core/dev.c:6544
>  __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7594
>  napi_poll net/core/dev.c:7657 [inline]
>  net_rx_action+0x97f/0xef0 net/core/dev.c:7784
>  handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
>  run_ksoftirqd kernel/softirq.c:1063 [inline]
>  run_ksoftirqd+0x3a/0x60 kernel/softirq.c:1055
>  smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
>  kthread+0x3c5/0x780 kernel/kthread.c:463
>  ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>  </TASK>
> 
> 
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.

The previous test was supposed to crash and dump some useful information.
I'm not sure if the result means the issue is no longer present on net-next,
is harder to reproduce, or the repro is unstable.

Let's try again, on top of the same tag used to find the repro.

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
8e621c9a3375



* Re: [syzbot] [mptcp?] WARNING in subflow_data_ready (4)
       [not found] <e5ede3d8-fba7-4e30-afae-85f6fffbfec7@redhat.com>
@ 2025-11-27  8:03 ` syzbot
  0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-27  8:03 UTC (permalink / raw)
  To: linux-kernel, mptcp, pabeni, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in subflow_data_ready

MPTCP: fallaback under lock 0 req mpc 1 req mpj 0 state 16 parent state 7 send 0 received 0
------------[ cut here ]------------
WARNING: CPU: 1 PID: 23 at net/mptcp/subflow.c:1527 subflow_data_ready+0x59d/0x980 net/mptcp/subflow.c:1527
Modules linked in:
CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:subflow_data_ready+0x59d/0x980 net/mptcp/subflow.c:1527
Code: e0 48 c7 c7 c0 71 ee 8c 44 89 f9 8b 54 24 1c 48 c1 ee 02 45 0f b7 c0 83 e6 01 e8 2e 6c 51 f6 48 8b 7c 24 10 e8 44 ee 16 00 90 <0f> 0b 90 58 5a e8 e9 fb 72 f6 48 89 df e8 51 ac ff ff 31 ff 89 c5
RSP: 0018:ffffc900001d7348 EFLAGS: 00010202
RAX: 0000000000000101 RBX: ffff8880343cd940 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffffffff8da29344 RDI: ffffffff8bf078c0
RBP: ffff8880312b1538 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90824bd7 R11: 0000000000000001 R12: ffff8880312b0c00
R13: 1ffff9200003ae70 R14: 0000000000000004 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888124b0d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ced887d58 CR3: 0000000064f00000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 tcp_data_ready+0x110/0x550 net/ipv4/tcp_input.c:5355
 tcp_data_queue+0x1aa6/0x5000 net/ipv4/tcp_input.c:5445
 tcp_rcv_state_process+0xfb6/0x6490 net/ipv4/tcp_input.c:7159
 tcp_v4_do_rcv+0x68e/0x10a0 net/ipv4/tcp_ipv4.c:1954
 tcp_v4_rcv+0x3077/0x4db0 net/ipv4/tcp_ipv4.c:2374
 ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x3f2/0x720 net/ipv4/ip_input.c:239
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:260
 dst_input include/net/dst.h:474 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:453 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip_rcv+0x2e0/0x600 net/ipv4/ip_input.c:573
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:6079
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6192
 process_backlog+0x439/0x15e0 net/core/dev.c:6544
 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7594
 napi_poll net/core/dev.c:7657 [inline]
 net_rx_action+0x97f/0xef0 net/core/dev.c:7784
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
 run_ksoftirqd kernel/softirq.c:1063 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:1055
 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


Tested on:

commit:         8e621c9a Merge tag 'net-6.18-rc7' of git://git.kernel...
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14916f42580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1cd7f786c0f5182f
dashboard link: https://syzkaller.appspot.com/bug?extid=0ff6b771b4f7a5bce83b
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=158f657c580000


