[PATCH net v2] selftests: bonding: add test for stacked bond header_parse recursion

Mon, 16 Mar 2026 20:16:23 -0700 

From: Jiayuan Chen <[email protected]>

Add a selftest to reproduce the infinite recursion in bond_header_parse()
when bonds are stacked (bond1 -> bond0 -> gre). When a packet is received
via AF_PACKET SOCK_DGRAM on the topmost bond, dev_parse_header() calls
bond_header_parse() which used skb->dev (always the topmost bond) to get
the bonding struct. This caused it to recurse back into itself
indefinitely, leading to stack overflow.

Before commit b7405dcf7385 ("bonding: prevent potential infinite loop
in bond_header_parse()"), the test triggers:

  ./bond_stacked_header_parse.sh

  [  71.999481] BUG: MAX_LOCK_DEPTH too low!
  [  72.000170] turning off the locking correctness validator.
  [  72.001029] Please attach the output of /proc/lock_stat to the bug report
  [  72.002079] depth: 48  max: 48!
  ...

After the fix, everything works fine:

  ./bond_stacked_header_parse.sh
  TEST: Stacked bond header_parse does not recurse                  [ OK ]

Cc: Jiayuan Chen <[email protected]>
Signed-off-by: Jiayuan Chen <[email protected]>
---
Changes in v2:
- Use tcpdump + scapy instead of custom Python script
- Remove unnecessary modprobe and skip checks
- Add CONFIG_NET_IPGRE to config dependencies

v1: https://lore.kernel.org/netdev/[email protected]/T/#t
https://lore.kernel.org/netdev/CANn89iK2EURqsjtd=ovp4awytjhgcr-uu-v9wovpwr1z3f0...@mail.gmail.com/
---
 .../selftests/drivers/net/bonding/Makefile    |  1 +
 .../net/bonding/bond_stacked_header_parse.sh  | 69 +++++++++++++++++++
 .../selftests/drivers/net/bonding/config      |  1 +
 3 files changed, 71 insertions(+)
 create mode 100755 
tools/testing/selftests/drivers/net/bonding/bond_stacked_header_parse.sh

diff --git a/tools/testing/selftests/drivers/net/bonding/Makefile 
b/tools/testing/selftests/drivers/net/bonding/Makefile
index 6c5c60adb5e8..9af5f84edd37 100644
--- a/tools/testing/selftests/drivers/net/bonding/Makefile
+++ b/tools/testing/selftests/drivers/net/bonding/Makefile
@@ -11,6 +11,7 @@ TEST_PROGS := \
        bond_macvlan_ipvlan.sh \
        bond_options.sh \
        bond_passive_lacp.sh \
+       bond_stacked_header_parse.sh \
        dev_addr_lists.sh \
        mode-1-recovery-updelay.sh \
        mode-2-recovery-updelay.sh \
diff --git 
a/tools/testing/selftests/drivers/net/bonding/bond_stacked_header_parse.sh 
b/tools/testing/selftests/drivers/net/bonding/bond_stacked_header_parse.sh
new file mode 100755
index 000000000000..4d0ec6e89e75
--- /dev/null
+++ b/tools/testing/selftests/drivers/net/bonding/bond_stacked_header_parse.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Test that bond_header_parse() does not infinitely recurse with stacked bonds.
+#
+# When a non-Ethernet device (e.g. GRE) is enslaved to a bond that is itself
+# enslaved to another bond (bond1 -> bond0 -> gre), receiving a packet via
+# AF_PACKET SOCK_DGRAM triggers dev_parse_header() -> bond_header_parse().
+# Since parse() used skb->dev (always the topmost bond) instead of a passed-in
+# dev pointer, it would recurse back into itself indefinitely.
+
+ALL_TESTS="
+       bond_test_stacked_header_parse
+"
+REQUIRE_MZ=no
+NUM_NETIFS=0
+lib_dir=$(dirname "$0")
+source "$lib_dir"/../../../net/forwarding/lib.sh
+
+bond_test_stacked_header_parse()
+{
+       local devdummy="test-dummy0"
+       local devgre="test-gre0"
+       local devbond0="test-bond0"
+       local devbond1="test-bond1"
+
+       RET=0
+
+       # Setup: dummy -> gre -> bond0 -> bond1
+       ip link add name "$devdummy" type dummy
+       ip addr add 10.0.0.1/24 dev "$devdummy"
+       ip link set "$devdummy" up
+
+       ip link add name "$devgre" type gre local 10.0.0.1
+
+       ip link add name "$devbond0" type bond mode active-backup
+       ip link add name "$devbond1" type bond mode active-backup
+
+       ip link set "$devgre" master "$devbond0"
+       ip link set "$devbond0" master "$devbond1"
+
+       ip link set "$devgre" up
+       ip link set "$devbond0" up
+       ip link set "$devbond1" up
+
+       # tcpdump on a non-Ethernet bond uses AF_PACKET SOCK_DGRAM (cooked
+       # capture), which triggers dev_parse_header() -> bond_header_parse()
+       # on receive. With the bug, this recurses infinitely.
+       timeout 5 tcpdump -c 1 -i "$devbond1" >/dev/null 2>&1 &
+       local tcpdump_pid=$!
+       sleep 1
+
+       # Send a GRE packet to 10.0.0.1 so it arrives via gre -> bond0 -> bond1
+       python3 -c "from scapy.all import *; send(IP(src='10.0.0.2', 
dst='10.0.0.1')/GRE()/IP()/UDP(), verbose=0)"
+       check_err $? "failed to send GRE packet (scapy installed?)"
+
+       wait "$tcpdump_pid" 2>/dev/null
+
+       ip link del "$devbond1" 2>/dev/null
+       ip link del "$devbond0" 2>/dev/null
+       ip link del "$devgre" 2>/dev/null
+       ip link del "$devdummy" 2>/dev/null
+
+       log_test "Stacked bond header_parse does not recurse"
+}
+
+tests_run
+
+exit "$EXIT_STATUS"
diff --git a/tools/testing/selftests/drivers/net/bonding/config 
b/tools/testing/selftests/drivers/net/bonding/config
index 991494376223..14f21f0e4d2f 100644
--- a/tools/testing/selftests/drivers/net/bonding/config
+++ b/tools/testing/selftests/drivers/net/bonding/config
@@ -13,6 +13,7 @@ CONFIG_NET_CLS_MATCHALL=m
 CONFIG_NETCONSOLE=m
 CONFIG_NETCONSOLE_DYNAMIC=y
 CONFIG_NETCONSOLE_EXTENDED_LOG=y
+CONFIG_NET_IPGRE=y
 CONFIG_NETDEVSIM=m
 CONFIG_NET_SCH_INGRESS=y
 CONFIG_NLMON=y
-- 
2.43.0

Reply via email to