selftests: bonding: add test for stacked bond header_parse recursion

Add a selftest to reproduce the infinite recursion in bond_header_parse()
when bonds are stacked (bond1 -> bond0 -> gre). When a packet is received
via AF_PACKET SOCK_DGRAM on the topmost bond, dev_parse_header() calls
bond_header_parse() which used skb->dev (always the topmost bond) to get
the bonding struct. This caused it to recurse back into itself
indefinitely, leading to stack overflow.

Before commit b7405dcf73 ("bonding: prevent potential infinite loop
in bond_header_parse()"), the test triggers:

  ./bond_stacked_header_parse.sh

  [  71.999481] BUG: MAX_LOCK_DEPTH too low!
  [  72.000170] turning off the locking correctness validator.
  [  72.001029] Please attach the output of /proc/lock_stat to the bug report
  [  72.002079] depth: 48  max: 48!
  ...

After the fix, everything works fine:

  ./bond_stacked_header_parse.sh
  TEST: Stacked bond header_parse does not recurse                  [ OK ]

Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260320022245.392384-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

tools/testing/selftests/drivers/net/bonding/Makefile

@@ -11,6 +11,7 @@ TEST_PROGS := \
 	bond_macvlan_ipvlan.sh \
 	bond_options.sh \
 	bond_passive_lacp.sh \
+	bond_stacked_header_parse.sh \
 	dev_addr_lists.sh \
 	mode-1-recovery-updelay.sh \
 	mode-2-recovery-updelay.sh \

tools/testing/selftests/drivers/net/bonding/bond_stacked_header_parse.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Test that bond_header_parse() does not infinitely recurse with stacked bonds.
+#
+# When a non-Ethernet device (e.g. GRE) is enslaved to a bond that is itself
+# enslaved to another bond (bond1 -> bond0 -> gre), receiving a packet via
+# AF_PACKET SOCK_DGRAM triggers dev_parse_header() -> bond_header_parse().
+# Since parse() used skb->dev (always the topmost bond) instead of a passed-in
+# dev pointer, it would recurse back into itself indefinitely.
+
+# shellcheck disable=SC2034
+ALL_TESTS="
+	bond_test_stacked_header_parse
+"
+REQUIRE_MZ=no
+NUM_NETIFS=0
+lib_dir=$(dirname "$0")
+source "$lib_dir"/../../../net/forwarding/lib.sh
+
+# shellcheck disable=SC2329
+bond_test_stacked_header_parse()
+{
+	local devdummy="test-dummy0"
+	local devgre="test-gre0"
+	local devbond0="test-bond0"
+	local devbond1="test-bond1"
+
+	# shellcheck disable=SC2034
+	RET=0
+
+	# Setup: dummy -> gre -> bond0 -> bond1
+	ip link add name "$devdummy" type dummy
+	ip addr add 10.0.0.1/24 dev "$devdummy"
+	ip link set "$devdummy" up
+
+	ip link add name "$devgre" type gre local 10.0.0.1
+
+	ip link add name "$devbond0" type bond mode active-backup
+	ip link add name "$devbond1" type bond mode active-backup
+
+	ip link set "$devgre" master "$devbond0"
+	ip link set "$devbond0" master "$devbond1"
+
+	ip link set "$devgre" up
+	ip link set "$devbond0" up
+	ip link set "$devbond1" up
+
+	# tcpdump on a non-Ethernet bond uses AF_PACKET SOCK_DGRAM (cooked
+	# capture), which triggers dev_parse_header() -> bond_header_parse()
+	# on receive. With the bug, this recurses infinitely.
+	timeout 5 tcpdump -c 1 -i "$devbond1" >/dev/null 2>&1 &
+	local tcpdump_pid=$!
+	sleep 1
+
+	# Send a GRE packet to 10.0.0.1 so it arrives via gre -> bond0 -> bond1
+	python3 -c "from scapy.all import *; send(IP(src='10.0.0.2', dst='10.0.0.1')/GRE()/IP()/UDP(), verbose=0)"
+	check_err $? "failed to send GRE packet (scapy installed?)"
+
+	wait "$tcpdump_pid" 2>/dev/null
+
+	ip link del "$devbond1" 2>/dev/null
+	ip link del "$devbond0" 2>/dev/null
+	ip link del "$devgre" 2>/dev/null
+	ip link del "$devdummy" 2>/dev/null
+
+	log_test "Stacked bond header_parse does not recurse"
+}
+
+tests_run
+
+exit "$EXIT_STATUS"

tools/testing/selftests/drivers/net/bonding/config

@@ -14,6 +14,7 @@ CONFIG_NETCONSOLE=m
 CONFIG_NETCONSOLE_DYNAMIC=y
 CONFIG_NETCONSOLE_EXTENDED_LOG=y
 CONFIG_NETDEVSIM=m
+CONFIG_NET_IPGRE=y
 CONFIG_NET_SCH_INGRESS=y
 CONFIG_NLMON=y
 CONFIG_VETH=y