[syzbot] [net?] general protection fault in bond_header_create


syzbot

Mar 13, 2026, 3:52:25 PM (yesterday) Mar 13
to andrew...@lunn.ch, da...@davemloft.net, edum...@google.com, j...@jvosburgh.net, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 8004279c41ad Merge tag 'nfs-for-7.0-2' of git://git.linux-..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1593c416580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ccef46afa67b2b19
dashboard link: https://syzkaller.appspot.com/bug?extid=3d8bc31c45e11450f24c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172d1416580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-8004279c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f56a78af5be3/vmlinux-8004279c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/89a6ba48229d/bzImage-8004279c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3d8bc3...@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xe000080fee63d21a: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000607f731e90d0-0x0000607f731e90d7]
CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: mld mld_ifc_work
RIP: 0010:bond_header_create+0x150/0x300 drivers/net/bonding/bond_main.c:1524
Code: e8 25 bd 59 fb 45 85 f6 0f 84 a5 00 00 00 e8 d7 b8 59 fb eb 05 e8 d0 b8 59 fb 48 85 ed 0f 84 89 00 00 00 48 89 e8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 ef e8 71 81 c5 fb 48 8b 6d 00 4c 8d 75
RSP: 0018:ffffc90000b0f600 EFLAGS: 00010202
RAX: 00000c0fee63d21a RBX: ffffffff866bf37b RCX: ffff888000c524c0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000607f731e90d0 R08: ffffffff866bf37b R09: ffffffff8e75e420
R10: dffffc0000000000 R11: ffffffff866bf340 R12: 00000000000086dd
R13: ffff8880127763c0 R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff88808ca55000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2fbfe3ff8c CR3: 0000000012645000 CR4: 0000000000352ef0
Call Trace:
<TASK>
dev_hard_header include/linux/netdevice.h:3439 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1644
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x2e5/0x740 net/ipv6/ip6_output.c:219
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:246
dst_output include/net/dst.h:470 [inline]
NF_HOOK+0x177/0x4f0 include/linux/netfilter.h:318
mld_sendpack+0x8b4/0xe40 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x835/0xe70 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3275 [inline]
process_scheduled_works+0xb02/0x1830 kernel/workqueue.c:3358
worker_thread+0xa50/0xfc0 kernel/workqueue.c:3439
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bond_header_create+0x150/0x300 drivers/net/bonding/bond_main.c:1524
Code: e8 25 bd 59 fb 45 85 f6 0f 84 a5 00 00 00 e8 d7 b8 59 fb eb 05 e8 d0 b8 59 fb 48 85 ed 0f 84 89 00 00 00 48 89 e8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 ef e8 71 81 c5 fb 48 8b 6d 00 4c 8d 75
RSP: 0018:ffffc90000b0f600 EFLAGS: 00010202
RAX: 00000c0fee63d21a RBX: ffffffff866bf37b RCX: ffff888000c524c0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000607f731e90d0 R08: ffffffff866bf37b R09: ffffffff8e75e420
R10: dffffc0000000000 R11: ffffffff866bf340 R12: 00000000000086dd
R13: ffff8880127763c0 R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff88808ca55000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055e232d92000 CR3: 000000000e54c000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: e8 25 bd 59 fb call 0xfb59bd2a
5: 45 85 f6 test %r14d,%r14d
8: 0f 84 a5 00 00 00 je 0xb3
e: e8 d7 b8 59 fb call 0xfb59b8ea
13: eb 05 jmp 0x1a
15: e8 d0 b8 59 fb call 0xfb59b8ea
1a: 48 85 ed test %rbp,%rbp
1d: 0f 84 89 00 00 00 je 0xac
23: 48 89 e8 mov %rbp,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 ef mov %rbp,%rdi
34: e8 71 81 c5 fb call 0xfbc581aa
39: 48 8b 6d 00 mov 0x0(%rbp),%rbp
3d: 4c rex.WR
3e: 8d .byte 0x8d
3f: 75 .byte 0x75


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Eric Dumazet

Mar 13, 2026, 4:15:39 PM (yesterday) Mar 13
to syzbot, Jiayuan Chen, andrew...@lunn.ch, da...@davemloft.net, j...@jvosburgh.net, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
I am suspecting.

Can you take a look?

Thanks.

commit 950803f7254721c1c15858fbbfae3deaaeeecb11
Author: Jiayuan Chen <jiayua...@shopee.com>
Date: Fri Mar 6 10:15:07 2026 +0800

bonding: fix type confusion in bond_setup_by_slave()

syzbot

Mar 13, 2026, 10:29:34 PM (20 hours ago) Mar 13
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] bonding: debug: add printk to bond_header_create
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add temporary debug printks to identify which pointer is corrupted
in bond_header_create() causing a general protection fault.

Reported-by: syzbot+3d8bc3...@syzkaller.appspotmail.com
---
drivers/net/bonding/bond_main.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 707419270ebf..807ab8784116 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1520,7 +1520,12 @@ static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev,

rcu_read_lock();
slave = rcu_dereference(bond->curr_active_slave);
+ pr_err("bond: curr_active_slave raw=%px\n",
+ rcu_access_pointer(bond->curr_active_slave));
if (slave) {
+ pr_err("bond: slave=%px\n", slave);
+ pr_err("bond: slave->dev=%px\n", slave->dev);
+ pr_err("bond: slave->dev->header_ops=%px\n", slave->dev->header_ops);
slave_ops = READ_ONCE(slave->dev->header_ops);
if (slave_ops && slave_ops->create)
ret = slave_ops->create(skb, slave->dev,
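Review bot: the two added lines that print `slave->dev` and `slave->dev->header_ops` dereference the very pointer the oops is faulting on, so the debug run will trap there before `slave_ops` is ever read. In the report, RBP holds 0x0000607f731e90d0 at the `test %rbp,%rbp` / `je` that implements the `if (slave)` check, and the trapping `cmpb $0x0,(%rax,%r15,1)` is the KASAN shadow check for the following `mov 0x0(%rbp),%rbp`, i.e. the load of `slave->dev` (dev is the first member of struct slave). Only the first two printks (raw `curr_active_slave` and `slave`) can complete, and they will already show the garbage value, so either drop the `slave->dev` prints or guard them with `virt_addr_valid(slave)` so the run survives to print them. Given that the suspected commit touches `bond_setup_by_slave()`, printing `bond_dev->name` and `netif_is_bond_master(bond_dev)` next to the slave pointer would settle in one run whether `bond_dev` is a bonding device at all, which is what decides whether `bond->curr_active_slave` is meaningful. `%px` is acceptable for a throwaway debug patch but must not survive into anything mergeable. Separately, syzbot's first run of this patch below died with a QEMU AHCI assertion (`ide_dma_cb: Assertion ... failed`) and `lost connection to test machine`, which is a test-host failure, not a result of these printks.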
--
2.43.0

syzbot

Mar 13, 2026, 10:50:07 PM (19 hours ago) Mar 13
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

lost connection to test machine



syzkaller login: qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x8e000)
Warning: Permanently added '[localhost]:18996' (ED25519) to the list of known hosts.
[ 97.289256][ T10] cfg80211: failed to load regulatory.db
[ 152.340372][ T1011] ata1.00: exception Emask 0x0 SAct 0x4000 SErr 0x0 action 0x6 frozen
[ 152.344761][ T1011] ata1.00: failed command: WRITE FPDMA QUEUED
[ 152.347836][ T1011] ata1.00: cmd 61/70:70:b6:54:04/04:00:00:00:00/40 tag 14 ncq dma 581632 out
[ 152.347836][ T1011] res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[ 152.357188][ T1011] ata1.00: status: { DRDY }
[ 152.360133][ T1011] ata1: hard resetting link
[ 152.682867][ T1011] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[ 152.688365][ T1011] ata1.00: configured for UDMA/100
[ 152.691802][ T1011] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x83000)
2026/03/14 02:48:08 parsed 1 programs
[ 157.947149][ T5334] cgroup: Unknown subsys name 'net'
[ 157.998795][ T5334] cgroup: Unknown subsys name 'cpuset'
[ 158.005626][ T5334] cgroup: Unknown subsys name 'rlimit'
[ 209.923844][ T1316] ieee802154 phy0 wpan0: encryption failed: -22
[ 209.927618][ T1316] ieee802154 phy1 wpan1: encryption failed: -22
[ 218.260125][ T1011] ata1.00: NCQ disabled due to excessive errors
[ 218.263261][ T1011] ata1.00: exception Emask 0x0 SAct 0x4000 SErr 0x0 action 0x6 frozen
[ 218.267800][ T1011] ata1.00: failed command: WRITE FPDMA QUEUED
[ 218.271402][ T1011] ata1.00: cmd 61/18:70:1e:9d:05/04:00:00:00:00/40 tag 14 ncq dma 536576 out
[ 218.271402][ T1011] res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[ 218.280859][ T1011] ata1.00: status: { DRDY }
[ 218.283018][ T1011] ata1: hard resetting link
[ 218.602968][ T1011] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[ 218.608098][ T1011] ata1.00: configured for UDMA/100
[ 218.611748][ T1011] ata1: EH complete
qemu-system-x86_64: hw/ide/core.c:934: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Connection to localhost closed by remote host.


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4127251169=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.26.0'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 2f7f359d8a4d
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=2f7f359d8a4db30d79a33f1bbc17a331b1eb58dd -X github.com/google/syzkaller/prog.gitRevisionDate=20260312-214211" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=2f7f359d8a4db30d79a33f1bbc17a331b1eb58dd -X github.com/google/syzkaller/prog.gitRevisionDate=20260312-214211" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=2f7f359d8a4db30d79a33f1bbc17a331b1eb58dd -X github.com/google/syzkaller/prog.gitRevisionDate=20260312-214211" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"2f7f359d8a4db30d79a33f1bbc17a331b1eb58dd\"
/usr/bin/ld: /tmp/ccFlVss0.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit: 1c9982b4 Merge tag 'drm-fixes-2026-03-14' of https://g..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ccef46afa67b2b19
dashboard link: https://syzkaller.appspot.com/bug?extid=3d8bc31c45e11450f24c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f61d4a580000

syzbot

Mar 13, 2026, 11:29:04 PM (19 hours ago) Mar 13
to linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Mar 13, 2026, 11:50:03 PM (18 hours ago) Mar 13
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
lost connection to test machine



Tested on:

commit: 1c9982b4 Merge tag 'drm-fixes-2026-03-14' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14df1602580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ccef46afa67b2b19
dashboard link: https://syzkaller.appspot.com/bug?extid=3d8bc31c45e11450f24c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1267a216580000

syzbot

12:28 AM (18 hours ago) 12:28 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

12:45 AM (18 hours ago) 12:45 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy syz-execprog to VM: failed to run ["scp" "-P" "29478" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@localhost:/syz-execprog"]: exit status 255
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1111839217=/tmp/go-build -gno-record-gcc-switches'
/usr/bin/ld: /tmp/ccwvqbK3.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit: 1c9982b4 Merge tag 'drm-fixes-2026-03-14' of https://g..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ccef46afa67b2b19
dashboard link: https://syzkaller.appspot.com/bug?extid=3d8bc31c45e11450f24c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=153f1602580000

syzbot

1:09 AM (17 hours ago) 1:09 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [net?] general protection fault in bond_header_create
Author: jiayua...@linux.dev
#syz test

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 707419270ebf..47a16117190d 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1518,6 +1518,9 @@ static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev,
struct slave *slave;
int ret = 0;

+ /* debug: team ? */
+ pr_err("bond_header_create: dev=%s\n", bond_dev->name);
+
rcu_read_lock();
slave = rcu_dereference(bond->curr_active_slave);
if (slave) {
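Review bot: printing only `bond_dev->name` will not answer the question in the `/* debug: team ? */` comment, because a team or any other non-bonding netdev that reaches this path would simply print its own name. Log `netif_is_bond_master(bond_dev)` (and, for an exact answer, whether `bond_dev->netdev_ops == &bond_netdev_ops`) alongside the name so one run shows whether `netdev_priv(bond_dev)` is really a `struct bonding`. It would also help to print `slave` after the `rcu_dereference()` below rather than stopping at the name, since the register dump in the report shows the slave pointer itself holding the user-range value 0x0000607f731e90d0; the name alone cannot distinguish a bogus `curr_active_slave` from a bogus `bond_dev`. The printk is on the per-packet transmit path under `rcu_read_lock()`, which is fine for a test run but should be removed or ratelimited before anything is posted as a fix.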


syzbot

1:29 AM (17 hours ago) 1:29 AM
to jiayua...@linux.dev, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
lost connection to test machine



Tested on:

commit: 1c9982b4 Merge tag 'drm-fixes-2026-03-14' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14395d52580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ccef46afa67b2b19
dashboard link: https://syzkaller.appspot.com/bug?extid=3d8bc31c45e11450f24c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=12e23c16580000
