[v6.6] BUG: sleeping function called from invalid context in bond_ipsec_del_sa


syzbot

Feb 12, 2026, 9:30:47 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 1b4ef5214f17 Linux 6.6.124
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=157fcc02580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2a950bf7c0bff9f9
dashboard link: https://syzkaller.appspot.com/bug?extid=d793c71583281b9e8d1e
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/054222c95938/disk-1b4ef521.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bf3f638dea81/vmlinux-1b4ef521.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ba2200fbe5c9/bzImage-1b4ef521.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d793c7...@syzkaller.appspotmail.com

netlink: 14 bytes leftover after parsing attributes in process `syz.3.1908'.
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 10838, name: syz.3.1908
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz.3.1908/10838:
#0: ffffffff8e3c0208 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
#0: ffffffff8e3c0208 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x811/0xfa0 net/core/rtnetlink.c:6469
#1: ffff88805d238c68 (&x->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
#1: ffff88805d238c68 (&x->lock){+.-.}-{2:2}, at: xfrm_state_delete net/xfrm/xfrm_state.c:784 [inline]
#1: ffff88805d238c68 (&x->lock){+.-.}-{2:2}, at: xfrm_dev_state_flush+0x418/0x710 net/xfrm/xfrm_state.c:911
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 PID: 10838 Comm: syz.3.1908 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
__might_resched+0x4ad/0x630 kernel/sched/core.c:10211
__mutex_lock_common kernel/locking/mutex.c:580 [inline]
__mutex_lock+0xb7/0xcc0 kernel/locking/mutex.c:747
bond_ipsec_del_sa+0x4db/0x740 drivers/net/bonding/bond_main.c:560
xfrm_dev_state_delete net/xfrm/xfrm_state.c:707 [inline]
__xfrm_state_delete+0x5d0/0xb10 net/xfrm/xfrm_state.c:764
xfrm_state_delete net/xfrm/xfrm_state.c:785 [inline]
xfrm_dev_state_flush+0x420/0x710 net/xfrm/xfrm_state.c:911
bond_master_netdev_event drivers/net/bonding/bond_main.c:3925 [inline]
bond_netdev_event+0x28a/0xf30 drivers/net/bonding/bond_main.c:4077
notifier_call_chain+0x197/0x380 kernel/notifier.c:93
call_netdevice_notifiers_extack net/core/dev.c:2077 [inline]
call_netdevice_notifiers net/core/dev.c:2091 [inline]
unregister_netdevice_many_notify+0x100d/0x1900 net/core/dev.c:11099
rtnl_delete_link net/core/rtnetlink.c:3259 [inline]
rtnl_dellink+0x500/0x7c0 net/core/rtnetlink.c:3311
rtnetlink_rcv_msg+0x869/0xfa0 net/core/rtnetlink.c:6472
netlink_rcv_skb+0x241/0x4d0 net/netlink/af_netlink.c:2545
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x751/0x8d0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8d0/0xbf0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x5ba/0x960 net/socket.c:2594
___sys_sendmsg+0x2a6/0x360 net/socket.c:2648
__sys_sendmsg net/socket.c:2677 [inline]
__do_sys_sendmsg net/socket.c:2686 [inline]
__se_sys_sendmsg+0x1c2/0x2b0 net/socket.c:2684
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fd05639bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd057232028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fd056616090 RCX: 00007fd05639bf79
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000008
RBP: 00007fd0564327e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd056616128 R14: 00007fd056616090 R15: 00007ffd26c060d8
</TASK>

=============================
[ BUG: Invalid wait context ]
syzkaller #0 Tainted: G W
-----------------------------
syz.3.1908/10838 is trying to lock:
ffff888030025520 (&bond->ipsec_lock){+.+.}-{3:3}, at: bond_ipsec_del_sa+0x4db/0x740 drivers/net/bonding/bond_main.c:560
other info that might help us debug this:
context-{4:4}
2 locks held by syz.3.1908/10838:
#0: ffffffff8e3c0208 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
#0: ffffffff8e3c0208 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x811/0xfa0 net/core/rtnetlink.c:6469
#1: ffff88805d238c68 (&x->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
#1: ffff88805d238c68 (&x->lock){+.-.}-{2:2}, at: xfrm_state_delete net/xfrm/xfrm_state.c:784 [inline]
#1: ffff88805d238c68 (&x->lock){+.-.}-{2:2}, at: xfrm_dev_state_flush+0x418/0x710 net/xfrm/xfrm_state.c:911
stack backtrace:
CPU: 1 PID: 10838 Comm: syz.3.1908 Tainted: G W syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
print_lock_invalid_wait_context kernel/locking/lockdep.c:4751 [inline]
check_wait_context kernel/locking/lockdep.c:4821 [inline]
__lock_acquire+0x1d19/0x7d40 kernel/locking/lockdep.c:5087
lock_acquire+0x19e/0x420 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x136/0xcc0 kernel/locking/mutex.c:747
bond_ipsec_del_sa+0x4db/0x740 drivers/net/bonding/bond_main.c:560
xfrm_dev_state_delete net/xfrm/xfrm_state.c:707 [inline]
__xfrm_state_delete+0x5d0/0xb10 net/xfrm/xfrm_state.c:764
xfrm_state_delete net/xfrm/xfrm_state.c:785 [inline]
xfrm_dev_state_flush+0x420/0x710 net/xfrm/xfrm_state.c:911
bond_master_netdev_event drivers/net/bonding/bond_main.c:3925 [inline]
bond_netdev_event+0x28a/0xf30 drivers/net/bonding/bond_main.c:4077
notifier_call_chain+0x197/0x380 kernel/notifier.c:93
call_netdevice_notifiers_extack net/core/dev.c:2077 [inline]
call_netdevice_notifiers net/core/dev.c:2091 [inline]
unregister_netdevice_many_notify+0x100d/0x1900 net/core/dev.c:11099
rtnl_delete_link net/core/rtnetlink.c:3259 [inline]
rtnl_dellink+0x500/0x7c0 net/core/rtnetlink.c:3311
rtnetlink_rcv_msg+0x869/0xfa0 net/core/rtnetlink.c:6472
netlink_rcv_skb+0x241/0x4d0 net/netlink/af_netlink.c:2545
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x751/0x8d0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8d0/0xbf0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x5ba/0x960 net/socket.c:2594
___sys_sendmsg+0x2a6/0x360 net/socket.c:2648
__sys_sendmsg net/socket.c:2677 [inline]
__do_sys_sendmsg net/socket.c:2686 [inline]
__se_sys_sendmsg+0x1c2/0x2b0 net/socket.c:2684
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fd05639bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd057232028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fd056616090 RCX: 00007fd05639bf79
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000008
RBP: 00007fd0564327e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd056616128 R14: 00007fd056616090 R15: 00007ffd26c060d8
</TASK>
bond0 (unregistering): left promiscuous mode
bond0 (unregistering): Released all slaves


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup