[syzkaller] WARNING in `subflow_data_ready`

[matttbe]

When validating Paolo's mptcp: receive path improvement v1 series (git), syzkaller reported the following issue:

PM: hibernation: Image mismatch: architecture specific data
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pid=9010 comm=syz.5.1985
------------[ cut here ]------------
WARNING: CPU: 1 PID: 22 at net/mptcp/subflow.c:1525 subflow_data_ready+0x314/0x5c0 net/mptcp/subflow.c:1525
Modules linked in:
CPU: 1 UID: 0 PID: 22 Comm: ksoftirqd/1 Not tainted 6.17.0-rc5-gf83d2e5ccf99 #31 PREEMPT(voluntary) 
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:subflow_data_ready+0x314/0x5c0 net/mptcp/subflow.c:1525
Code: 18 44 89 f6 e8 ad 64 ed fc 45 84 f6 75 1f e8 03 6d ed fc 89 ee bf 07 00 00 00 e8 f7 64 ed fc 83 fd 07 74 09 e8 ed 6c ed fc 90 <0f> 0b 90 e8 e4 6c ed fc 48 89 df e8 dc b7 ff ff 31 ff 89 c5 89 c6
RSP: 0018:ffff888007b872a8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880837ba600 RCX: ffffffff848112d9
RDX: ffff888007b71140 RSI: ffffffff848112e3 RDI: 0000000000000005
RBP: 0000000000000004 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000004 R11: ffffffff812c0ce1 R12: 1ffff11000f70e55
R13: ffff888010618000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88811ccba000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555868e68c8 CR3: 000000000c2ab000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 tcp_data_queue+0x12b6/0x47b0 net/ipv4/tcp_input.c:5154
 tcp_rcv_state_process+0x1811/0x4af0 net/ipv4/tcp_input.c:6879
 tcp_v4_do_rcv+0x346/0xa60 net/ipv4/tcp_ipv4.c:1947
 tcp_v4_rcv+0x2b0d/0x4000 net/ipv4/tcp_ipv4.c:2364
 ip_protocol_deliver_rcu+0x6d/0x340 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x38c/0x520 net/ipv4/ip_input.c:239
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip_local_deliver+0x1c6/0x320 net/ipv4/ip_input.c:260
 dst_input include/net/dst.h:474 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:454 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip_rcv+0x27e/0x2e0 net/ipv4/ip_input.c:574
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:6040
 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6153
 process_backlog+0x1b4/0x610 net/core/dev.c:6505
 __napi_poll+0xba/0x650 net/core/dev.c:7555
 napi_poll net/core/dev.c:7618 [inline]
 net_rx_action+0xafe/0xfa0 net/core/dev.c:7745
 handle_softirqs+0x18a/0x540 kernel/softirq.c:579
 run_ksoftirqd kernel/softirq.c:968 [inline]
 run_ksoftirqd+0x20/0x30 kernel/softirq.c:960
 smpboot_thread_fn+0x395/0x860 kernel/smpboot.c:160
 kthread+0x368/0x700 kernel/kthread.c:463
 ret_from_fork+0x181/0x260 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
---[ end trace 0000000000000000 ]---

syzkaller-logs.txt

No reproducers, only one hit.

I don't think it is related to Paolo's series, and probably not urgent, but sharing early, just in case.

[matttbe]

Mmh, clearly not linked to Paolo's series: syzbot reported this issue 2 weeks ago:

• HEAD commit: b19a97d Merge tag 'pull-fixes' of git://git.kernel.or..
• git tree: upstream
• console output: https://syzkaller.appspot.com/x/log.txt?x=174817a2580000
• kernel config: https://syzkaller.appspot.com/x/.config?x=b7511150b112b9c3
• dashboard link: https://syzkaller.appspot.com/bug?extid=0ff6b771b4f7a5bce83b
• compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
• Unfortunately, I don't have any reproducer for this issue yet.
• Downloadable assets:
  • disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-b19a97d5.raw.xz
  • vmlinux: https://storage.googleapis.com/syzbot-assets/d6e98c49ae62/vmlinux-b19a97d5.xz
  • kernel image: https://storage.googleapis.com/syzbot-assets/c90ded1d8e17/bzImage-b19a97d5.xz
• IMPORTANT: if you fix the issue, please add the following tag to the commit:

  Reported-by: syzbot+0ff6b771b4f7a5bce83b@syzkaller.appspotmail.com
  

------------[ cut here ]------------
WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Modules linked in:
CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
RSP: 0018:ffffc900006cf338 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf
RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900
R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004
FS:  0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197
 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922
 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672
 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918
 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500
 dst_input include/net/dst.h:471 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092
 process_backlog+0x442/0x15e0 net/core/dev.c:6444
 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494
 napi_poll net/core/dev.c:7557 [inline]
 net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684
 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
 run_ksoftirqd kernel/softirq.c:968 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960
 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
 kthread+0x3c2/0x780 kernel/kthread.c:463
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

[pabeni]

the warning is:

WARN_ON_ONCE(!__mptcp_check_fallback(msk) && !subflow->mp_capable &&
     !subflow->mp_join && !(state & TCPF_CLOSE));

In one of the splat reported by syzkaller:

https://syzkaller.appspot.com/text?tag=CrashLog&x=178f8e62580000
https://syzkaller.appspot.com/text?tag=CrashReport&x=12e42a42580000

the relevant syzkaller program is:

845.112709ms ago: executing program 3 (id=7253):
r0 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_fanout(r0, 0x107, 0x12, &(0x7f0000000040)={0x0, 0x9007}, 0x4)
socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f00000001c0)={'wlan0\x00'})
setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, &(0x7f0000000040)={0x0, 0x9007}, 0x4)
r2 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r2, &(0x7f0000000040)={0x2, 0x4e21, @broadcast}, 0x10)
connect$inet(r2, &(0x7f0000000080)={0x2, 0x4e21, @empty}, 0x10)
connect$pppoe(0xffffffffffffffff, 0x0, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000180)=@newlink={0x30, 0x10, 0x1, 0x0, 0x0, {}, [@IFLA_MTU={0x8, 0x4, 0x600}, @IFLA_GROUP={0x8}]}, 0x30}}, 0x0)
setsockopt$inet_tcp_int(r2, 0x6, 0x19, &(0x7f00000000c0)=0x3, 0x4)
sendto(r2, &(0x7f00000002c0)='%', 0x300000, 0x0, 0x0, 0x0)

The mptcp socket does self-connect, so it should/must be a fallback one. That specific fallback happens under the ssk socket lock, so the above warn should see the up2date fallback value: I don't see any way to trigger the warning short of a memory corruption - but syzkaller has kasan enabled

[matttbe]

Note that this warning seems reproducible on top of 8e621c9 according to syzbot:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 15 at net/mptcp/subflow.c:1519 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1519
Modules linked in:
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1519
Code: 89 ee e8 88 f8 72 f6 40 84 ed 75 21 e8 9e fd 72 f6 44 89 fe bf 07 00 00 00 e8 d1 f8 72 f6 41 83 ff 07 74 09 e8 86 fd 72 f6 90 <0f> 0b 90 e8 7d fd 72 f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
RSP: 0018:ffffc90000147380 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888030aa72c0 RCX: ffffffff8b4959ef
RDX: ffff88801d2cbc80 RSI: ffffffff8b4959fa RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000004 R11: 00000d230000000c R12: ffff888033463c00
R13: 1ffff92000028e70 R14: ffff88802f9bbc00 R15: 0000000000000004
FS:  0000000000000000(0000) GS:ffff888124a0d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f841c04df98 CR3: 0000000078b7e000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 tcp_data_ready+0x110/0x550 net/ipv4/tcp_input.c:5355
 tcp_data_queue+0x1aa6/0x5000 net/ipv4/tcp_input.c:5445
 tcp_rcv_state_process+0xfb6/0x6490 net/ipv4/tcp_input.c:7159
 tcp_v4_do_rcv+0x68e/0x10a0 net/ipv4/tcp_ipv4.c:1954
 tcp_v4_rcv+0x3077/0x4db0 net/ipv4/tcp_ipv4.c:2374
 ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x3f2/0x720 net/ipv4/ip_input.c:239
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:260
 dst_input include/net/dst.h:474 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:453 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ip_rcv+0x2e0/0x600 net/ipv4/ip_input.c:573
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:6079
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6192
 process_backlog+0x439/0x15e0 net/core/dev.c:6544
 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7594
 napi_poll net/core/dev.c:7657 [inline]
 net_rx_action+0x97f/0xef0 net/core/dev.c:7784
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
 run_ksoftirqd kernel/softirq.c:1063 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:1055
 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Repro:

# https://syzkaller.appspot.com/bug?id=6b53effa5234d16dc2c55e1e8dafc63ba776be90
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"threaded":true,"repeat":true,"procs":1,"slowdown":1,"sandbox":"none","sandbox_arg":0,"netdev":true,"close_fds":true,"callcomments":true}
mmap$auto(0x0, 0xa00006, 0x400002, 0x40eb1, 0x602, 0x300000000000)
r0 = socket(0x2, 0x1, 0x106)
bind$auto(r0, &(0x7f0000000040)=@in={0x2, 0x3, @multicast2}, 0x6a)
connect$auto(0x3, &(0x7f0000000080)=@in={0x2, 0x3, @dev={0xac, 0x14, 0x14, 0x10}}, 0x54)
recvfrom$auto(0x3, 0x0, 0x800000000e, 0x13e, 0x0, 0xfffffffffffffffd)
write$auto(0x3, 0x0, 0xfffffdef)
connect$auto(0x3, 0x0, 0x52)

C repro also available.

Paolo sent the following patch:

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index af707ce0f624..09f24a456f73 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1516,8 +1516,16 @@ static void subflow_data_ready(struct sock *sk)
 		return;
 	}
 
-	WARN_ON_ONCE(!__mptcp_check_fallback(msk) && !subflow->mp_capable &&
-		     !subflow->mp_join && !(state & TCPF_CLOSE));
+	if (!__mptcp_check_fallback(msk) && !subflow->mp_capable &&
+	    !subflow->mp_join && !(state & TCPF_CLOSE)) {
+		spin_lock_bh(&msk->fallback_lock);
+		pr_err("fallaback under lock %d req mpc %d req mpj %d state %d parent state %d send %lld received %lld\n",
+			__mptcp_check_fallback(msk), subflow->request_mptcp,
+			subflow->request_join, state, parent->sk_state,
+			msk->bytes_sent, msk->bytes_received);
+		spin_unlock_bh(&msk->fallback_lock);
+		WARN_ON(1);
+	}
 
 	if (mptcp_subflow_data_available(sk)) {
 		mptcp_data_ready(parent, sk);

And got this:

MPTCP: fallaback under lock 0 req mpc 1 req mpj 0 state 16 parent state 7 send 0 received 0

(state: TCP_FIN_WAIT1, parent: TCP_CLOSE)

[matttbe]

On my side, I got two other repros involving TFO:

Syzkaller hit 'WARNING in subflow_data_ready' bug.

audit: type=1401 audit(1763132070.818:8): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
syz-executor (295) used greatest stack depth: 10992 bytes left
------------[ cut here ]------------
WARNING: CPU: 0 PID: 868 at net/mptcp/subflow.c:1529 subflow_data_ready+0x213/0x2c0 net/mptcp/subflow.c:1528
Modules linked in:
CPU: 0 UID: 0 PID: 868 Comm: syz.2.17 Not tainted 6.18.0-rc5-01077-gc2eff70b71b8 #13 PREEMPT(voluntary) 
Hardware name: QEMU Ubuntu 25.10 PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:subflow_data_ready+0x213/0x2c0 net/mptcp/subflow.c:1528
Code: fe 90 0f 0b 90 90 e9 99 fe ff ff e8 07 03 75 fe 48 89 df 48 83 c4 08 5b 41 5c 41 5e 41 5f 5d e9 a3 05 00 00 e8 ee 02 75 fe 90 <0f> 0b 90 e9 0a ff ff ff f3 0f 1e fa 65 8b 05 6e ab ea 01 89 c0 31
RSP: 0018:ffffc90003267ad0 EFLAGS: 00010293
RAX: ffffffff82d854b2 RBX: ffff88800d7824c0 RCX: ffff88800ecc0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88800ecc0000 R09: 0000000000000005
R10: 0000000000000006 R11: ffffffff82d852a0 R12: 0000000000000000
R13: ffff88800d7824c0 R14: ffff8880105f8000 R15: 0000000000000000
FS:  000055558d251500(0000) GS:ffff8880f8fe4000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd9f95e8520 CR3: 0000000013021000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 tcp_data_ready net/ipv4/tcp_input.c:5361 [inline]
 tcp_data_queue+0x1410/0x23e0 net/ipv4/tcp_input.c:5451
 tcp_rcv_state_process+0x1421/0x1790 net/ipv4/tcp_input.c:7175
 tcp_v4_do_rcv+0x3ae/0x6c0 net/ipv4/tcp_ipv4.c:1904
 __release_sock+0x65/0x120 net/core/sock.c:3213
 release_sock+0x37/0xf0 net/core/sock.c:3795
 mptcp_sendmsg_fastopen+0xba/0x1e0 net/mptcp/protocol.c:1799
 mptcp_sendmsg+0x952/0xa20 net/mptcp/protocol.c:1896
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0xa7/0xf0 net/socket.c:742
 __sys_sendto+0x30c/0x3d0 net/socket.c:2244
 __do_sys_sendto net/socket.c:2251 [inline]
 __se_sys_sendto net/socket.c:2247 [inline]
 __x64_sys_sendto+0x28/0x40 net/socket.c:2247
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xed/0x2e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd9f9726f6d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff2d24e998 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fd9f99b5fa0 RCX: 00007fd9f9726f6d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000200000000480 R09: 0000000000000010
R10: 0000000020044091 R11: 0000000000000246 R12: 00007fd9f99b5fac
R13: 0000000000000000 R14: 0000000000001a3d R15: 00007fd9f99b5fa0
 </TASK>
irq event stamp: 1405
hardirqs last  enabled at (1413): [<ffffffff813d55fc>] __up_console_sem kernel/printk/printk.c:345 [inline]
hardirqs last  enabled at (1413): [<ffffffff813d55fc>] __console_unlock+0x9c/0xc0 kernel/printk/printk.c:2858
hardirqs last disabled at (1422): [<ffffffff813d55e1>] __up_console_sem kernel/printk/printk.c:343 [inline]
hardirqs last disabled at (1422): [<ffffffff813d55e1>] __console_unlock+0x81/0xc0 kernel/printk/printk.c:2858
softirqs last  enabled at (1354): [<ffffffff813177a9>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last  enabled at (1354): [<ffffffff813177a9>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last  enabled at (1354): [<ffffffff813177a9>] __irq_exit_rcu+0x69/0x110 kernel/softirq.c:723
softirqs last disabled at (1349): [<ffffffff813177a9>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (1349): [<ffffffff813177a9>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (1349): [<ffffffff813177a9>] __irq_exit_rcu+0x69/0x110 kernel/softirq.c:723
---[ end trace 0000000000000000 ]---

Syzkaller reproducer:

# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r0, &(0x7f0000000100)={0x2, 0x4e24, @multicast2}, 0x10)
sendto$inet(r0, 0x0, 0x0, 0x20044091, &(0x7f0000000480)={0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x39}}, 0x10)
connect$unix(r0, &(0x7f0000000200)=@abs={0x0, 0x0, 0x4e20}, 0x6e)
sendto$inet(r0, 0x0, 0x0, 0x20044091, &(0x7f0000000480)={0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x39}}, 0x10)

And the other one with a repro:

Syzkaller hit 'WARNING in subflow_data_ready' bug.

audit: type=1400 audit(1763380058.421:7): avc:  denied  { execmem } for  pid=249 comm="syz-executor" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
audit: type=1401 audit(1763380058.444:8): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
------------[ cut here ]------------
WARNING: CPU: 1 PID: 876 at net/mptcp/subflow.c:1528 subflow_data_ready+0x314/0x5c0 net/mptcp/subflow.c:1528
Modules linked in:
CPU: 1 UID: 0 PID: 876 Comm: syz.2.20 Not tainted 6.18.0-rc5-gc2eff70b71b8 #40 PREEMPT(voluntary) 
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:subflow_data_ready+0x314/0x5c0 net/mptcp/subflow.c:1528
Code: 18 44 89 f6 e8 ad 06 e9 fc 45 84 f6 75 1f e8 03 0f e9 fc 89 ee bf 07 00 00 00 e8 f7 06 e9 fc 83 fd 07 74 09 e8 ed 0e e9 fc 90 <0f> 0b 90 e8 e4 0e e9 fc 48 89 df e8 0c ba ff ff 31 ff 89 c5 89 c6
RSP: 0018:ffff88800c25f770 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880106dc280 RCX: ffffffff8485b9d9
RDX: ffff8880111bd640 RSI: ffffffff8485b9e3 RDI: 0000000000000005
RBP: 000000000000000b R08: 0000000000000005 R09: 0000000000000007
R10: 000000000000000b R11: 0000010000000000 R12: 1ffff1100184beee
R13: ffff8880088718c0 R14: 0000000000000000 R15: 0000000000000000
FS:  00007efd86fff6c0(0000) GS:ffff88811cc95000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000080 CR3: 0000000028fbc000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 tcp_data_ready+0x110/0x530 net/ipv4/tcp_input.c:5361
 tcp_data_queue+0x197e/0x4830 net/ipv4/tcp_input.c:5451
 tcp_rcv_state_process+0x17f1/0x5dd0 net/ipv4/tcp_input.c:7175
 tcp_v4_do_rcv+0x346/0xa60 net/ipv4/tcp_ipv4.c:1904
 sk_backlog_rcv include/net/sock.h:1172 [inline]
 __release_sock+0x28f/0x320 net/core/sock.c:3213
 release_sock+0x58/0x1b0 net/core/sock.c:3795
 mptcp_sendmsg_fastopen net/mptcp/protocol.c:1799 [inline]
 mptcp_sendmsg+0x120d/0x1b90 net/mptcp/protocol.c:1896
 inet_sendmsg+0x11c/0x140 net/ipv4/af_inet.c:859
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 __sys_sendto+0x43c/0x520 net/socket.c:2244
 __do_sys_sendto net/socket.c:2251 [inline]
 __se_sys_sendto net/socket.c:2247 [inline]
 __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2247
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efd871a40ad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efd86fff018 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007efd87415fa0 RCX: 00007efd871a40ad
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007efd87248c3e R08: 0000200000000480 R09: 0000000000000010
R10: 0000000020044091 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efd87416038 R14: 00007efd87415fa0 R15: 00007fff80db4fe0
 </TASK>
---[ end trace 0000000000000000 ]---

Syzkaller reproducer:

# {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
pipe(&(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
close(r0)
r1 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r1, &(0x7f0000000000)={0x2, 0x4e24, @multicast2}, 0x10)
sendto$inet(r1, 0x0, 0x0, 0x20044091, &(0x7f0000000480)={0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x39}}, 0x10) (async, rerun: 64)
connect$unix(r0, &(0x7f0000000240)=@file={0x0, './file0\x00'}, 0x6e)

[pabeni]

MPTCP: fallaback under lock 0 req mpc 1 req mpj 0 state 16 parent state 7 send 0 received 0

From the above and the repro it can be inferred that the issue is caused by this sequence:

• (self-)connect is invoked on the MPTCP socket, TCP syn is sent out and subflow is in SYN_SENT status. The syn packet is in flight. [1]
• the MPTCP socket is closed. The TCP subflow transition to FIN_WAIT1.
• the (self connect) syn reaches the TCP subflows; since end_seq - seq > 0, it triggers subflow data_ready
• the subflow status matches the warn condition in subflow_data_ready() and generates the splat.

it's hard to reproduce for syzkaller as it's hard to do a self-connect with delay, needed by [1]. Should be more easily reproducible with pktdrill.

[matttbe]

On my side, with:

• this syzrepro:

# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r0, &(0x7f0000000100)={0x2, 0x4e24, @multicast2}, 0x10)
sendto$inet(r0, 0x0, 0x0, 0x20044091, &(0x7f0000000480)={0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x39}}, 0x10)
connect$unix(r0, &(0x7f0000000200)=@abs={0x0, 0x0, 0x4e20}, 0x6e)
sendto$inet(r0, 0x0, 0x0, 0x20044091, &(0x7f0000000480)={0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x39}}, 0x10)

• this kconfig: repro.config.gz
• and Paolo's patch applied on top of net

I have the following stacktrace:

[   37.270741] ------------[ cut here ]------------
[   37.270951] WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
[   37.271333] Modules linked in:
[   37.271479] CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)
[   37.271694] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   37.272041] RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
[   37.272261] Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09
All code
========
   0:   90                      nop
   1:   0f 0b                   ud2
   3:   90                      nop
   4:   90                      nop
   5:   e9 04 fe ff ff          jmp    0xfffffffffffffe0e
   a:   e8 b7 1e f5 fe          call   0xfffffffffef51ec6
   f:   89 ee                   mov    %ebp,%esi
  11:   bf 07 00 00 00          mov    $0x7,%edi
  16:   e8 db 19 f5 fe          call   0xfffffffffef519f6
  1b:   83 fd 07                cmp    $0x7,%ebp
  1e:   0f 84 35 ff ff ff       je     0xffffffffffffff59
  24:   e8 9d 1e f5 fe          call   0xfffffffffef51ec6
  29:   90                      nop
  2a:*  0f 0b                   ud2             <-- trapping instruction
  2c:   90                      nop
  2d:   e9 27 ff ff ff          jmp    0xffffffffffffff59
  32:   e8 8f 1e f5 fe          call   0xfffffffffef51ec6
  37:   4c 89 e7                mov    %r12,%rdi
  3a:   48 89 de                mov    %rbx,%rsi
  3d:   e8                      .byte 0xe8
  3e:   14 09                   adc    $0x9,%al

Code starting with the faulting instruction
===========================================
   0:   0f 0b                   ud2
   2:   90                      nop
   3:   e9 27 ff ff ff          jmp    0xffffffffffffff2f
   8:   e8 8f 1e f5 fe          call   0xfffffffffef51e9c
   d:   4c 89 e7                mov    %r12,%rdi
  10:   48 89 de                mov    %rbx,%rsi
  13:   e8                      .byte 0xe8
  14:   14 09                   adc    $0x9,%al
[   37.272853] RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293
[   37.273101] RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435
[   37.273466] RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005
[   37.273763] RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b
[   37.274025] R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000
[   37.274322] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   37.274490] FS:  00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000
[   37.274649] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   37.274786] CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0
[   37.274955] Call Trace:
[   37.275043]  <TASK>
[   37.275483]  tcp_data_ready (net/ipv4/tcp_input.c:5356)
[   37.275629]  tcp_data_queue (net/ipv4/tcp_input.c:5445)
[   37.275838]  tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)
[   37.276076]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[   37.276235]  ? __release_sock (net/core/sock.c:3170)
[   37.276419]  ? tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)
[   37.276633]  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)
[   37.276808]  ? __pfx_tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1907)
[   37.276998]  __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))
[   37.277263]  release_sock (net/core/sock.c:3737)
[   37.277501]  mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)
[   37.277695]  ? __pfx_mptcp_sendmsg (net/mptcp/protocol.c:1839)
[   37.277900]  inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))
[   37.278103]  __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))
[   37.278283]  __x64_sys_sendto (net/socket.c:2247)
[   37.278490]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[   37.278672]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[   37.278914] RIP: 0033:0x7f883326702d
[   37.279134] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
All code
========
   0:   ff c3                   inc    %ebx
   2:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
   9:   00 00 00
   c:   90                      nop
   d:   f3 0f 1e fa             endbr64
  11:   48 89 f8                mov    %rdi,%rax
  14:   48 89 f7                mov    %rsi,%rdi
  17:   48 89 d6                mov    %rdx,%rsi
  1a:   48 89 ca                mov    %rcx,%rdx
  1d:   4d 89 c2                mov    %r8,%r10
  20:   4d 89 c8                mov    %r9,%r8
  23:   4c 8b 4c 24 08          mov    0x8(%rsp),%r9
  28:   0f 05                   syscall
  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax         <-- trapping instruction
  30:   73 01                   jae    0x33
  32:   c3                      ret
  33:   48 c7 c1 e8 ff ff ff    mov    $0xffffffffffffffe8,%rcx
  3a:   f7 d8                   neg    %eax
  3c:   64 89 01                mov    %eax,%fs:(%rcx)
  3f:   48                      rex.W

Code starting with the faulting instruction
===========================================
   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:   73 01                   jae    0x9
   8:   c3                      ret
   9:   48 c7 c1 e8 ff ff ff    mov    $0xffffffffffffffe8,%rcx
  10:   f7 d8                   neg    %eax
  12:   64 89 01                mov    %eax,%fs:(%rcx)
  15:   48                      rex.W
[   37.279683] RSP: 002b:00007f88330aeff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   37.279953] RAX: ffffffffffffffda RBX: 00007f88334f5fa0 RCX: 00007f883326702d
[   37.280375] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[   37.280562] RBP: 0000000000000000 R08: 0000200000000480 R09: 0000000000000010
[   37.280740] R10: 0000000020044091 R11: 0000000000000246 R12: 0000000000000000
[   37.280893] R13: 00007ffd60eff8c0 R14: 00007f88330afce4 R15: 00007ffd60eff9b7
[   37.281086]  </TASK>
[   37.281165] irq event stamp: 997
[   37.281240] hardirqs last  enabled at (1005): __up_console_sem (arch/x86/include/asm/irqflags.h:42 arch/x86/include/asm/irqflags.h:119 arch/x86/include/asm/irqflags.h:159 kernel/printk/printk.c:345)
[   37.281440] hardirqs last disabled at (1012): __up_console_sem (kernel/printk/printk.c:343 (discriminator 10))
[   37.281623] softirqs last  enabled at (652): handle_softirqs (kernel/softirq.c:469 (discriminator 2) kernel/softirq.c:650 (discriminator 2))
[   37.281837] softirqs last disabled at (647): __irq_exit_rcu (kernel/softirq.c:657 kernel/softirq.c:496 kernel/softirq.c:723)
[   37.282034] ---[ end trace 0000000000000000 ]---

I can easily reproduce it, so I added the debug patch from above and got this:

2025/12/02 11:34:38 executed programs: 64
[   37.312699] MPTCP: fallaback under lock 0 req mpc 0 req mpj 0 state 2048 parent state 2 send 0 received 0
[   37.313201] ------------[ cut here ]------------
[   37.313434] WARNING: CPU: 22 PID: 8996 at net/mptcp/subflow.c:1527 subflow_data_ready (net/mptcp/subflow.c:1527 (discriminator 2))
[   37.313768] Modules linked in:
[   37.313941] CPU: 22 UID: 0 PID: 8996 Comm: syz.2.19 Not tainted 6.18.0-rc7-05427-g11fc074f6c36-dirty #1 PREEMPT(voluntary)
[   37.314307] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   37.314534] RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1527 (discriminator 2))
[   37.314656] Code: e0 89 d1 83 e2 01 48 c1 e8 02 d0 e9 45 0f b7 c0 89 c6 83 e1 01 83 e6 01 e8 cb b8 c4 fe 48 8d bd f8 0a 00 00 e8 6f a4 08 00 90 <0f> 0b 90 58 5a e9 be fe ff ff e8 1f 1e f5 fe 48 89 ef 48 89 de e8
All code
========
   0:   e0 89                   loopne 0xffffffffffffff8b
   2:   d1 83 e2 01 48 c1       roll   $1,-0x3eb7fe1e(%rbx)
   8:   e8 02 d0 e9 45          call   0x45e9d00f
   d:   0f b7 c0                movzwl %ax,%eax
  10:   89 c6                   mov    %eax,%esi
  12:   83 e1 01                and    $0x1,%ecx
  15:   83 e6 01                and    $0x1,%esi
  18:   e8 cb b8 c4 fe          call   0xfffffffffec4b8e8
  1d:   48 8d bd f8 0a 00 00    lea    0xaf8(%rbp),%rdi
  24:   e8 6f a4 08 00          call   0x8a498
  29:   90                      nop
  2a:*  0f 0b                   ud2             <-- trapping instruction
  2c:   90                      nop
  2d:   58                      pop    %rax
  2e:   5a                      pop    %rdx
  2f:   e9 be fe ff ff          jmp    0xfffffffffffffef2
  34:   e8 1f 1e f5 fe          call   0xfffffffffef51e58
  39:   48 89 ef                mov    %rbp,%rdi
  3c:   48 89 de                mov    %rbx,%rsi
  3f:   e8                      .byte 0xe8

Code starting with the faulting instruction
===========================================
   0:   0f 0b                   ud2
   2:   90                      nop
   3:   58                      pop    %rax
   4:   5a                      pop    %rdx
   5:   e9 be fe ff ff          jmp    0xfffffffffffffec8
   a:   e8 1f 1e f5 fe          call   0xfffffffffef51e2e
   f:   48 89 ef                mov    %rbp,%rdi
  12:   48 89 de                mov    %rbx,%rsi
  15:   e8                      .byte 0xe8
[   37.314988] RSP: 0018:ffffc90026d1bb18 EFLAGS: 00010282
[   37.315115] RAX: 0000000080000000 RBX: ffff888138ae8000 RCX: ffffffff8136044f
[   37.315282] RDX: ffff88811721b580 RSI: 0000000000000000 RDI: ffffffff8136044f
[   37.315437] RBP: ffff8881351a0000 R08: 0000000000000000 R09: 0000000000000001
[   37.315619] R10: 0000000000000006 R11: ffff88811721c000 R12: 000000000000000b
[   37.315786] R13: ffff888115291a00 R14: 000000000000000b R15: 0000000000000000
[   37.315958] FS:  00007f49f01df6c0(0000) GS:ffff888a93cd2000(0000) knlGS:0000000000000000
[   37.316128] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   37.316297] CR2: 00007f49f01defe8 CR3: 000000013849d000 CR4: 0000000000350ef0
[   37.316476] Call Trace:
[   37.316536]  <TASK>
[   37.316610]  tcp_data_ready (net/ipv4/tcp_input.c:5356)
[   37.316722]  tcp_data_queue (net/ipv4/tcp_input.c:5445)
[   37.316843]  tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)
[   37.316978]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[   37.317105]  ? __release_sock (net/core/sock.c:3170)
[   37.317248]  ? tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)
[   37.317364]  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)
[   37.317452]  ? __pfx_tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1907)
[   37.317573]  __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))
[   37.317673]  release_sock (net/core/sock.c:3737)
[   37.317779]  mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)
[   37.317868]  ? __pfx_mptcp_sendmsg (net/mptcp/protocol.c:1839)
[   37.317983]  inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))
[   37.318085]  __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))
[   37.318229]  __x64_sys_sendto (net/socket.c:2247)
[   37.318335]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[   37.318447]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

So regarding the extra debug info:

MPTCP: fallaback under lock 0 req mpc 0 req mpj 0 state 2048 parent state 2 send 0 received 0

The states are different in my case: subflow in TCP_CLOSING, and the parent in TCP_SYN_SENT. Also, subflow->request_mptcp and subflow->request_mptcp (and subflow->mp_capable and subflow->mp_join) are unset. Should the check ignore this closing state (and more?) as well?