syzbot

map[ReproOpts:{"procs": 1, "sandbox": "none", "fault": false, "threaded": false, "repeat": false} ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x1002})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000140)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000180)={'veth0\x00', @ifru_flags=0x1002})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000200)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x6, 0x2, &(0x7f0000000280)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth0\x00', @ifru_flags=0x1043})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'veth1\x00', @ifru_flags=0x1043})
r8 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f0000000400)='veth1\x00', 6)
sendto(r8, &(0x7f0000000440)='hello', 5, 0x0, &(0x7f0000000480)=@in6={0xa, 0x1234, 0x0, @mcast2, 0x0}, 0x1c) SyzkallerCommit:86914af9098a80da53c3c5d46be980c572ee29f8]

map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/69c2c03ba46b287e1a31f0282983a6c7e3880f70]

map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/696355c102766eff88b9d0b16fd49269482edf09]

map[Index:codesearch-index]

gemini-3-pro-preview

map[ReproOpts:{"procs": 1, "sandbox": "none", "fault": false, "threaded": false, "repeat": false} ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x1002})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000140)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000180)={'veth0\x00', @ifru_flags=0x1002})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000200)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x6, 0x2, &(0x7f0000000280)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth0\x00', @ifru_flags=0x1043})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'veth1\x00', @ifru_flags=0x1043})
r8 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f0000000400)='veth1\x00', 6)
sendto(r8, &(0x7f0000000440)='hello', 5, 0x0, &(0x7f0000000480)=@in6={0xa, 0x1234, 0x0, @mcast2, 0x0}, 0x1c)]

You are an expert in the Linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug.

Don't make assumptions about the kernel source code, use the provided codesearch tools
to examine the kernel code instead.

Document about syzkaller program syntax:
===
# Program syntax

Syzkaller uses a compact domain-specific language (DSL) for programs
to log executed programs, test its code, and persist programs in the
corpus. This page provides a brief description of the corresponding
syntax. Some useful information can also be found in the
[existing examples](/sys/linux/test) and in the program
[deserialization code](/prog/encoding.go).

Together with execution options, the DSL provides everything that
syz-executor needs to run a program.

For example, consider the program:
```
r0 = syz_open_dev$loop(&(0x7f00000011c0), 0x0, 0x0)
r1 = openat$6lowpan_control(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0)
ioctl$LOOP_SET_FD(r0, 0x4c00, r1)
```

Each line in this program describes a particular syscall invocation,
with the first two calls saving the result in temporary variables `r0`
and `r1`, which are passed to the third call.

```
line = assignment | call
assignment = variable " = " call
call = syscall-name "(" [arg ["," arg]*] ")"  ["(" [call-prop ["," call-prop*] ")"]
arg = "nil" | "AUTO" | const-arg | resource-arg | result-arg | pointer-arg | string-arg | struct-arg | array-arg | union-arg
const-arg = integer
resource-arg = variable ["/" hex-integer] ["+" hex-integer]
result-arg = "<" variable "=>" arg
pointer-arg = "&" pointer-arg-addr ["=ANY"] "=" arg
pointer-arg-addr = "AUTO" | "(" pointer-addr ["/" region-size] ")"
string-arg = "'" escaped-string "'" | "\"" escaped-string "\"" | "\"$" escaped-string "\""
struct-arg =  "{" [arg ["," arg]*] "}"
array-arg = "[" [arg ["," arg]*] "]"
union-arg = "@" field-name ["=" arg]
call-prop = prop-name ": " prop-value
variable = "r" dec-integer
pointer-addr = integer
region-size = integer
integer = dec-integer | oct-integer | "0x" hex-integer
```

Programs may also contain blank lines and comments.
```
# Obtain a file handle
r0 = openat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x42, 0x1ff)

# Perform a write operation
write(r0, &AUTO="01010101", 0x4)
```

### Memory management

Memory management is performed by syzkaller itself. It will allocate
virtual memory regions of the necessary size and set the final values
of pointer arguments.

By using the `AUTO` keyword, programs can give syzkaller the full
control over storing the data. This may be convenient e.g. when a
parameter must be passed by reference, but the exact location of its
value is not of particular importance.

```
r1 = syz_genetlink_get_family_id$nl80211(&AUTO='nl80211\x00', 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &AUTO={'wlan0\x00', <r2=>0x0})
```

Alternatively, some data can be "anchored" to specific addresses. It
may be especially important when a memory region must be shared
between multiple calls.  In this case, pointer addresses must be given
at the 0x7f0000000000 offset. Before the actual execution, syzkaller
will adjust pointers to the start of the actual mmap'ed region.

### Call properties

Call properties specify extra information about how a specific call
must be executed. Each call within a program has its own set of call
properties. If no properties are provided, syzkaller takes the default
ones.

Currently, syzkaller supports the following call properties.

#### Fault injection
Syntax: `fail_nth: N`.

It takes an integer (base 10) argument `N`. If the argument is
non-negative, a fault will be injected into the `N`-th occasion.

```
r0 = openat$6lowpan_control(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0)
ioctl$LOOP_SET_FD(r0, 0x4c00, r0) (fail_nth: 5)
```

#### Async
Syntax: `async`.

Instructs `syz-executor` not to wait until the call completes and
to proceed immediately to the next call.

```
r0 = openat(0xffffffffffffff9c, &AUTO='./file1\x00', 0x42, 0x1ff)
write(r0, &AUTO="01010101", 0x4) (async)
read(r0, &AUTO=""/4, 0x4)
close(r0)
```

When setting `async` flags be aware of the following considerations:
* Such programs should only be executed in threaded mode (i.e. `-threaded`
flag must be passed to `syz-executor`.
* Each `async` call is executed in a separate thread and there's a
limited number of available threads (`kMaxThreads = 16`).
* If an `async` call produces a resource, keep in mind that some other call
might take it as input and `syz-executor` will just pass 0 if the resource-
producing call has not finished by that time.

===

Document about syzlang system call descriptions syntax:
===
# Syscall description language

aka `syzlang` (`[siːzˈlæŋg]`)

Pseudo-formal grammar of syscall description:

```
syscallname "(" [arg ["," arg]*] ")" [type] ["(" attribute* ")"]
arg = argname type
argname = identifier
type = typename [ "[" type-options "]" ]
typename = "const" | "intN" | "intptr" | "flags" | "array" | "ptr" |
	   "string" | "filename" | "glob" | "len" |
	   "bytesize" | "bytesizeN" | "bitsize" | "vma" | "proc" |
	   "compressed_image"
type-options = [type-opt ["," type-opt]]
```

common type-options include:

```
"opt" - the argument is optional (like mmap fd argument, or accept peer argument)
```

rest of the type-options are type-specific:

```
"const": integer constant, type-options:
	value, underlying type (one of "intN", "intptr")
"intN"/"intptr": an integer without a particular meaning, type-options:
	either an optional range of values (e.g. "5:10", or "100:200")
	or a reference to flags description (see below),
	or a single value
	optionally followed by an alignment parameter if using a range
"flags": a set of values, type-options:
	reference to flags description (see below), underlying int type (e.g. "int32")
"array": a variable/fixed-length array, type-options:
	type of elements, optional size (fixed "5", or ranged "5:10", boundaries inclusive)
"ptr"/"ptr64": a pointer to an object, type-options:
	direction (in/out/inout); type of the object
	ptr64 has size of 8 bytes regardless of target pointer size
"string": a zero-terminated memory buffer (no pointer indirection implied), type-options:
	either a string value in quotes for constant strings (e.g. "foo" or `deadbeef` for hex literal),
	or a reference to string flags (special value `filename` produces file names),
	optionally followed by a buffer size (string values will be padded with \x00 to that size)
"stringnoz": a non-zero-terminated memory buffer (no pointer indirection implied), type-options:
	either a string value in quotes for constant strings (e.g. "foo" or `deadbeef` for hex literal),
	or a reference to string flags,
"glob": glob pattern to match on the target files, type-options:
	a pattern string in quotes (syntax: https://golang.org/pkg/path/filepath/#Match)
	(e.g. "/sys/" or "/sys/**/*"),
	or include exclude glob too (e.g. "/sys/**/*:-/sys/power/state")
"fmt": a string representation of an integer (not zero-terminated), type-options:
	format (one of "dec", "hex", "oct") and the value (a resource, int, flags or proc)
	the resulting data is always fixed-size (formatted as "%020llu", "0x%016llx" or "%023llo", respectively)
"len": length of another field (for array it is number of elements), type-options:
	argname of the object
"bytesize": similar to "len", but always denotes the size in bytes, type-options:
	argname of the object
"bitsize": similar to "len", but always denotes the size in bits, type-options:
	argname of the object
"offsetof": offset of the field from the beginning of the parent struct, type-options:
	field
"vma"/"vma64": a pointer to a set of pages (used as input for mmap/munmap/mremap/madvise), type-options:
	optional number of pages (e.g. vma[7]), or a range of pages (e.g. vma[2-4])
	vma64 has size of 8 bytes regardless of target pointer size
"proc": per process int (see description below), type-options:
	value range start, how many values per process, underlying type
"compressed_image": zlib-compressed disk image
	syscalls accepting compressed images must be marked with `no_generate`
	and `no_minimize` call attributes. if the content of the decompressed image
	can be checked by a `fsck`-like command, use the `fsck` syscall attribute
"text": machine code of the specified type, type-options:
	text type (x86_real, x86_16, x86_32, x86_64, arm64)
"void": type with static size 0
	mostly useful inside of templates and varlen unions, can't be syscall argument
```

flags/len/flags also have trailing underlying type type-option when used in structs/unions/pointers.

Flags are described as:

```
flagname = const ["," const]*
```

or for string flags as:

```
flagname = "\"" literal "\"" ["," "\"" literal "\""]*
```

Call attributes are:

```
"disabled": the call will not be used in fuzzing; useful to temporary disable some calls
	or prohibit particular argument combinations.
"timeout[N]": additional execution timeout (in ms) for the call on top of some default value.
"prog_timeout[N]": additional execution timeout (in ms) for the whole program if it contains this call;
	if a program contains several such calls, the max value is used.
"ignore_return": ignore return value of this syscall in fallback feedback; need to be used for calls
	that don't return fixed error codes but rather something else (e.g. the current time).
"breaks_returns": ignore return values of all subsequent calls in the program in fallback feedback (can't be trusted).
"no_generate": do not try to generate this syscall, i.e. use only seed descriptions to produce it.
"no_minimize": do not modify instances of this syscall when trying to minimize a crashing program.
"no_squash": do not attempt to pass squashed arguments to this syscall.
	Without that, the fuzzer will sometimes attempt to replace complex structures with arrays of bytes,
	possibly triggering interesting mutations, but also making programs hard to reason about.
"fsck": the content of the compressed buffer argument for this syscall is a file system and the
	string argument is a fsck-like command that will be called to verify the filesystem.
"remote_cover": wait longer to collect remote coverage for this call.
"kfuzz_test": the call is a kfuzztest target.
"snapshot": the call is enabled by default only in snapshot fuzzing mode, but can also be enabled in
    the non-snasphot mode when listed in "enable_syscalls" with its full name (as opposed to a wildcard match).
    It can also always be disabled via "disable_syscalls".
    The attribute is generally used to mark calls that are not safe to execute in non-snapshot mode
	(can lead to false positives, or lost connections to test machines.
```

## Ints

`int8`, `int16`, `int32` and `int64` denote an integer of the corresponding size.
`intptr` denotes a pointer-sized integer, i.e. C `long` type.

By appending `be` suffix (e.g. `int16be`) integers become big-endian.

It's possible to specify a range of values for an integer in the format of `int32[0:100]` or `int32[0:4096, 512]` for a 512-aligned int.

Integers can also take a reference to flags description or a value as its first type-option.
In that case, the alignment parameter is not supported.

To denote a bitfield of size N use `int64:N`.

It's possible to use these various kinds of ints as base types for `const`, `flags`, `len` and `proc`.

```
example_struct {
	f0	int8			# random 1-byte integer
	f1	const[0x42, int16be]	# const 2-byte integer with value 0x4200 (big-endian 0x42)
	f2	int32[0:100]		# random 4-byte integer with values from 0 to 100 inclusive
	f3	int32[1:10, 2]		# random 4-byte integer with values {1, 3, 5, 7, 9}
	f4	int64:20		# random 20-bit bitfield
	f5	int8[10]		# const 1-byte integer with value 10
	f6	int32[flagname]		# random 4-byte integer from the set of values referenced by flagname
}
```

## Structs

Structs are described as:

```
structname "{" "\n"
	(fieldname type ("(" fieldattribute* ")")? (if[expression])? "\n")+
"}" ("[" attribute* "]")?
```

Fields can have attributes specified in parentheses after the field, independent
of their type. `in/out/inout` attribute specify per-field direction, for example:

```
foo {
	field0	const[1, int32]	(in)
	field1	int32		(inout)
	field2	fd		(out)
}
```

You may specify conditions that determine whether a field will be included:

```
foo {
	field0	int32
	field1	int32 (if[value[field0] == 0x1])
}
```

See [the corresponding section](syscall_descriptions_syntax.md#conditional-fields)
for more details.

`out_overlay` attribute allows to have separate input and output layouts for the struct.
Fields before the `out_overlay` field are input, fields starting from `out_overlay` are output.
Input and output fields overlap in memory (both start from the beginning of the struct in memory).
For example:

```
foo {
	in0	const[1, int32]
	in1	flags[bar, int8]
	in2	ptr[in, string]
	out0	fd	(out_overlay)
	out1	int32
}
```

Structs can have attributes specified in square brackets after the struct.
Attributes are:

- `packed`: the struct does not have paddings between fields and has alignment 1; this is similar to GNU C `__attribute__((packed))`; struct alignment can be overridden with `align` attribute
- `align[N]`: the struct has alignment N and padded up to multiple of `N`; contents of the padding are unspecified (though, frequently are zeros); similar to GNU C `__attribute__((aligned(N)))`
- `size[N]`: the struct is padded up to the specified size `N`; contents of the padding are unspecified (though, frequently are zeros)

## Unions

Unions are described as:

```
unionname "[" "\n"
	(fieldname type (if[expression])? "\n")+
"]" ("[" attribute* "]")?
```

During fuzzing, syzkaller randomly picks one of the union options.

You may also specify conditions that determine whether the corresponding
option may or may not be selected, depending on values of other fields. See
[the corresponding section](syscall_descriptions_syntax.md#conditional-fields)
for more details.

Unions can have attributes specified in square brackets after the union.
Attributes are:

- `varlen`: union size is the size of the particular chosen option (not statically known); without this attribute unions are statically sized as maximum of all options (similar to C unions)
- `size[N]`: the union is padded up to the specified size `N`; contents of the padding are unspecified (though, frequently are zeros)

## Resources

Resources represent values that need to be passed from output of one syscall to input of another syscall. For example, `close` syscall requires an input value (fd) previously returned by `open` or `pipe` syscall. To achieve this, `fd` is declared as a resource. This is a way of modelling dependencies between syscalls, as defining a syscall as the producer of a resource and another syscall as the consumer defines a loose sense of ordering between them. Resources are described as:

```
"resource" identifier "[" underlying_type "]" [ ":" const ("," const)* ]
```

`underlying_type` is either one of `int8`, `int16`, `int32`, `int64`, `intptr` or another resource (which models inheritance, for example, a socket is a subtype of fd). The optional set of constants represent resource special values, for example, `0xffffffffffffffff` (-1) for "no fd", or `AT_FDCWD` for "the current dir". Special values are used once in a while as resource values. If no special values specified, special value of `0` is used. Resources can then be used as types, for example:

```
resource fd[int32]: 0xffffffffffffffff, AT_FDCWD, 1000000
resource sock[fd]
resource sock_unix[sock]

socket(...) sock
accept(fd sock, ...) sock
listen(fd sock, backlog int32)
```

Resources don't have to be necessarily returned by a syscall. They can be used as any other data type. For example:

```
resource my_resource[int32]

request_producer(..., arg ptr[out, my_resource])
request_consumer(..., arg ptr[inout, test_struct])

test_struct {
	...
	attr	my_resource
}
```

For more complex producer/consumer scenarios, field attributes can be utilized.
For example:

```
resource my_resource_1[int32]
resource my_resource_2[int32]

request_produce1_consume2(..., arg ptr[inout, test_struct])

test_struct {
	...
	field0	my_resource_1	(out)
	field1	my_resource_2	(in)
}
```

Each resource type must be "produced" (used as an output) by at least one syscall
(outside of unions and optional pointers) and "consumed" (used as an input)
by at least one syscall.

## Type Aliases

Complex types that are often repeated can be given short type aliases using the
following syntax:

```
type identifier underlying_type
```

For example:

```
type signalno int32[0:65]
type net_port proc[20000, 4, int16be]
```

Then, type alias can be used instead of the underlying type in any contexts.
Underlying type needs to be described as if it's a struct field, that is,
with the base type if it's required. However, type alias can be used as syscall
arguments as well. Underlying types are currently restricted to integer types,
`ptr`, `ptr64`, `const`, `flags` and `proc` types.

There are some builtin type aliases:

```
type bool8	int8[0:1]
type bool16	int16[0:1]
type bool32	int32[0:1]
type bool64	int64[0:1]
type boolptr	intptr[0:1]

type fileoff[BASE] BASE

type filename string[filename]

type buffer[DIR] ptr[DIR, array[int8]]
```

## Type Templates

Type templates can be declared as follows:

```
type buffer[DIR] ptr[DIR, array[int8]]
type fileoff[BASE] BASE
type nlattr[TYPE, PAYLOAD] {
	nla_len		len[parent, int16]
	nla_type	const[TYPE, int16]
	payload		PAYLOAD
} [align_4]
```

and later used as follows:

```
syscall(a buffer[in], b fileoff[int64], c ptr[in, nlattr[FOO, int32]])
```

There is builtin type template `optional` defined as:

```
type optional[T] [
	val	T
	void	void
] [varlen]
```

## Length

You can specify length of a particular field in struct or a named argument by
using `len`, `bytesize` and `bitsize` types, for example:

```
write(fd fd, buf ptr[in, array[int8]], count len[buf])

sock_fprog {
	len	len[filter, int16]
	filter	ptr[in, array[sock_filter]]
}
```

If `len`'s argument is a pointer, then the length of the pointee argument is used.

To denote the length of a field in N-byte words use `bytesizeN`, possible values
for N are 1, 2, 4 and 8.

To denote the length of the parent struct, you can use `len[parent, int8]`.
To denote the length of the higher level parent when structs are embedded into
one another, you can specify the type name of the particular parent:

```
s1 {
    f0      len[s2]  # length of s2
}

s2 {
    f0      s1
    f1      array[int32]
    f2      len[parent, int32]
}
```

`len` argument can also be a path expression which allows more complex
addressing. Path expressions are similar to C field references, but also allow
referencing parent and sibling elements. A special reference `syscall` used
in the beginning of the path allows to refer directly to the syscall arguments.
For example:

```
s1 {
	a	ptr[in, s2]
	b	ptr[in, s3]
	c	array[int8]
}

s2 {
	d	array[int8]
}

s3 {
# This refers to the array c in the parent s1.
	e	len[s1:c, int32]
# This refers to the array d in the sibling s2.
	f	len[s1:a:d, int32]
# This refers to the array k in the child s4.
	g	len[i:j, int32]
# This refers to syscall argument l.
	h	len[syscall:l, int32]
	i	ptr[in, s4]
}

s4 {
	j	array[int8]
}

foo(k ptr[in, s1], l ptr[in, array[int8]])
```

## Proc

The `proc` type can be used to denote per process integers.
The idea is to have a separate range of values for each executor, so they don't interfere.

The simplest example is a port number.
The `proc[20000, 4, int16be]` type means that we want to generate an `int16be`
integer starting from `20000` and assign `4` values for each process.
As a result the executor number `n` will get values in the `[20000 + n * 4, 20000 + (n + 1) * 4)` range.

## Integer Constants

Integer constants can be specified as decimal literals, as `0x`-prefixed
hex literals, as `'`-surrounded char literals, or as symbolic constants
extracted from kernel headers or defined by `define` directives. For example:

```
foo(a const[10], b const[-10])
foo(a const[0xabcd])
foo(a int8['a':'z'])
foo(a const[PATH_MAX])
foo(a int32[PATH_MAX])
foo(a ptr[in, array[int8, MY_PATH_MAX]])
define MY_PATH_MAX	PATH_MAX + 2
```

## Conditional fields

### In structures

In syzlang, it's possible to specify a condition for every struct field that
determines whether the field should be included or omitted:

```
header_fields {
  magic       const[0xabcd, int16]
  haveInteger int8
} [packed]

packet {
  header  header_fields
  integer int64  (if[value[header:haveInteger] == 0x1])
  body    array[int8]
} [packed]

some_call(a ptr[in, packet])
```

In this example, the `packet` structure will include the field `integer` only
if `header.haveInteger == 1`. In memory, `packet` will have the following
layout:

| header.magic = 0xabcd | header.haveInteger = 0x1 | integer | body |
| --------------------- | ------------------------ | ------- | ---- |

That corresponds to e.g. the following program:

```
some_call(&AUTO={{AUTO, 0x1}, @value=0xabcd, []})
```

If `header.haveInteger` is not `1`, syzkaller will just pretend that the field
`integer` does not exist.

```
some_call(&AUTO={{AUTO, 0x0}, @void, []})
```

| header.magic = 0xabcd | header.haveInteger = 0x0 | body |
| --------------------- | ------------------------ | ---- |

Every conditional field is assumed to be of variable length and so is the struct
to which this field belongs.

When a variable length field appears in the middle of a structure, the structure
must be marked with `[packed].`

Conditions on bitfields are prohibited:

```
struct {
  f0 int
  f1 int:3 (if[value[f0] == 0x1])  # It will not compile.
}
```

But you may reference bitfields in your conditions:

```
struct {
  f0 int:1
  f1 int:7
  f2 int   (if[value[f0] == value[f1]])
} [packed]
```

### In unions

Let's consider the following example.

```
struct {
  type int
  body alternatives
}

alternatives [
  int     int64 (if[value[struct:type] == 0x1])
  arr     array[int64, 5] (if[value[struct:type] == 0x2])
  default int32
] [varlen]

some_call(a ptr[in, struct])
```

In this case, the union option will be selected depending on the value of the
`type` field. For example, if `type` is `0x1`, then it can be either `int` or
`default`:

```
some_call(&AUTO={0x1, @int=0x123})
some_call(&AUTO={0x1, @default=0x123})
```

If `type` is `0x2`, it can be either `arr` or `default`.

If `type` is neither `0x1` nor `0x2`, syzkaller may only select `default`:

```
some_call(&AUTO={0x0, @default=0xabcd})
```

To ensure that a union can always be constructed, the last union field **must always
have no condition**.

Thus, the following definition would fail to compile:

```
alternatives [
  int int64 (if[value[struct:type] == 0x1])
  arr array[int64, 5] (if[value[struct:type] == 0x1])
] [varlen]
```

During prog mutation and generation syzkaller will select a random union field
whose condition is satisfied.

### Expression syntax

Currently, only `==`, `!=`, `&` and `||` operators are supported. However, the
functionality was designed in such a way that adding more operators is easy.
Feel free to file a GitHub issue or write us an email in case it's needed.

Expressions are evaluated as `int64` values. If the final result of an
expression is not 0, it's assumed to be satisfied.

If you want to reference a field's value, you can do it via
`value[path:to:field]`, which is similar to the `len[]` argument.

```
sub_struct {
  f0 int
  # Reference a field in a parent struct.
  f1 int (if[value[struct:f2]]) # Same as if[value[struct:f2] != 0].
}

struct {
  f2 int
  f3 sub_struct
  f4 int (if[value[f2] == 0x2]) # Reference a sibling field.
  f5 int (if[value[f3:f0] == 0x1]) # Reference a nested field.
  f6 int (if[value[f3:f0] == 0x1 || value[f3:f0] == 0x2]) # Reference a nested field which either equals to 0x1 or 0x2.
} [packed]

call(a ptr[in, struct])
```

The referenced field must be of integer type and there must be no
conditional fields in the path to it. For example, the following
descriptions will not compile.

```
struct {
  f0 int
  f1 int (if[value[f0] == 0x1])
  f2 int (if[value[f1] == 0x1])
}
```

You may also reference constants in expressions:

```
struct {
  f0 int
  f1 int
  f2 int (if[value[f0] & SOME_CONST == OTHER_CONST])
}
```

## Meta

Description files can also contain `meta` directives that specify meta-information for the whole file.

```
meta noextract
```

Tells `make extract` to not extract constants for this file.
Though, `syz-extract` can still be invoked manually on this file.

```
meta arches["arch1", "arch2"]
```

Restricts this file only to the given set of architectures.
`make extract` and `make generate` will not use it on other architectures.

## Misc

Description files also contain `include` directives that refer to Linux kernel header files,
`incdir` directives that refer to custom Linux kernel header directories
and `define` directives that define symbolic constant values.

The syzkaller executor defines some [pseudo system calls](./pseudo_syscalls.md)
that can be used as any other syscall in a description file. These pseudo
system calls expand to literal C code and can perform user-defined
custom actions. You can find some examples in
[executor/common_linux.h](../executor/common_linux.h).

Also see [tips](syscall_descriptions.md#tips) on writing good descriptions.

===

Prefer calling several tools at the same time to save round-trips.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

Bug title: BUG: unable to handle kernel paging request in bond_rr_gen_slave_id

The bug report to reproduce:
BUG: unable to handle page fault for address: ffff8880d6b60000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1b201067 P4D 1b201067 PUD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 2 UID: 0 PID: 18510 Comm: syz.7.3743 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:bond_rr_gen_slave_id+0x1d5/0x250 drivers/net/bonding/bond_main.c:4836
Code: bc 24 f0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7a 49 8b 84 24 f0 00 00 00 bb 01 00 00 00 <65> 0f c1 18 e8 82 f5 73 fb 83 c3 01 89 d8 5b 5d 41 5c 41 5d 41 5e
RSP: 0018:ffffc900039d75d0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffc90034e9f000
RDX: 1ffff1100c6b61ce RSI: ffffffff864a3089 RDI: ffff8880635b0e70
RBP: ffff8880635b0000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000001 R11: 000000000ac0d5af R12: ffff8880635b0d80
R13: 0000000000008f00 R14: ffff8880635b0d80 R15: dffffc0000000000
FS:  00007f96076d66c0(0000) GS:ffff8880d6b60000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880d6b60000 CR3: 0000000113c4b000 CR4: 0000000000352ef0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 bond_xdp_xmit_roundrobin_slave_get drivers/net/bonding/bond_main.c:4923 [inline]
 bond_xdp_get_xmit_slave+0x2a9/0x6b0 drivers/net/bonding/bond_main.c:5506
 xdp_master_redirect+0x161/0x330 net/core/filter.c:4388
 bpf_prog_run_xdp include/net/xdp.h:700 [inline]
 xdp_test_run_batch.constprop.0+0x14ce/0x1b20 net/bpf/test_run.c:307
 bpf_test_run_xdp_live+0x365/0x770 net/bpf/test_run.c:379
 bpf_prog_test_run_xdp+0xd3d/0x1660 net/bpf/test_run.c:1388
 bpf_prog_test_run kernel/bpf/syscall.c:4703 [inline]
 __sys_bpf+0x1035/0x4980 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:6272
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f960678f7c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f96076d6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f96069e5fa0 RCX: 00007f960678f7c9
RDX: 0000000000000050 RSI: 0000200000000600 RDI: 000000000000000a
RBP: 00007f9606813f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f96069e6038 R14: 00007f96069e5fa0 R15: 00007ffd7a8f7488
 </TASK>
Modules linked in:
CR2: ffff8880d6b60000
---[ end trace 0000000000000000 ]---
RIP: 0010:bond_rr_gen_slave_id+0x1d5/0x250 drivers/net/bonding/bond_main.c:4836
Code: bc 24 f0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7a 49 8b 84 24 f0 00 00 00 bb 01 00 00 00 <65> 0f c1 18 e8 82 f5 73 fb 83 c3 01 89 d8 5b 5d 41 5c 41 5d 41 5e
RSP: 0018:ffffc900039d75d0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffc90034e9f000
RDX: 1ffff1100c6b61ce RSI: ffffffff864a3089 RDI: ffff8880635b0e70
RBP: ffff8880635b0000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000001 R11: 000000000ac0d5af R12: ffff8880635b0d80
R13: 0000000000008f00 R14: ffff8880635b0d80 R15: dffffc0000000000
FS:  00007f96076d66c0(0000) GS:ffff8880d6b60000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880d6b60000 CR3: 0000000113c4b000 CR4: 0000000000352ef0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 4 bytes skipped:
   0:	00 00                	add    %al,(%rax)
   2:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
   9:	fc ff df
   c:	48 89 fa             	mov    %rdi,%rdx
   f:	48 c1 ea 03          	shr    $0x3,%rdx
  13:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
  17:	75 7a                	jne    0x93
  19:	49 8b 84 24 f0 00 00 	mov    0xf0(%r12),%rax
  20:	00
  21:	bb 01 00 00 00       	mov    $0x1,%ebx
* 26:	65 0f c1 18          	xadd   %ebx,%gs:(%rax) <-- trapping instruction
  2a:	e8 82 f5 73 fb       	call   0xfb73f5b1
  2f:	83 c3 01             	add    $0x1,%ebx
  32:	89 d8                	mov    %ebx,%eax
  34:	5b                   	pop    %rbx
  35:	5d                   	pop    %rbp
  36:	41 5c                	pop    %r12
  38:	41 5d                	pop    %r13
  3a:	41 5e                	pop    %r14


The list of existing description files:
acpi_thermal_rel.txt
aio.txt
auto.txt
binfmt.txt
bpf.txt
bpf_prog.txt
bpf_trace.txt
cgroup.txt
damon.txt
dev_ashmem.txt
dev_bifrost.txt
dev_binder.txt
dev_binderfs.txt
dev_block.txt
dev_bsg.txt
dev_bus_usb.txt
dev_camx.txt
dev_cdrom.txt
dev_cec.txt
dev_char_usb.txt
dev_comedi.txt
dev_dma_heap.txt
dev_dri.txt
dev_dsp.txt
dev_dvb_demux.txt
dev_dvb_dvr.txt
dev_dvb_frontend.txt
dev_fb.txt
dev_floppy.txt
dev_hidraw.txt
dev_i2c.txt
dev_i915.txt
dev_img_rogue.txt
dev_infiniband_rdma.txt
dev_infiniband_rdma_cm.txt
dev_input.txt
dev_iommu.txt
dev_kvm.txt
dev_kvm_amd64.txt
dev_kvm_arm64.txt
dev_kvm_extra.txt
dev_kvm_riscv64.txt
dev_loop.txt
dev_mali.txt
dev_media.txt
dev_msm.txt
dev_msr.txt
dev_nbd.txt
dev_net_tun.txt
dev_panthor.txt
dev_ppp.txt
dev_ptmx.txt
dev_ptp.txt
dev_qat_adf_ctl.txt
dev_qrtr_tun.txt
dev_random.txt
dev_rfkill.txt
dev_rtc.txt
dev_sequencer.txt
dev_sg.txt
dev_snapshot.txt
dev_snd_control.txt
dev_snd_hw.txt
dev_snd_midi.txt
dev_snd_pcm.txt
dev_snd_seq.txt
dev_snd_timer.txt
dev_sr.txt
dev_sw_sync.txt
dev_tlk_device.txt
dev_trusty.txt
dev_udmabuf.txt
dev_uhid.txt
dev_uinput.txt
dev_usb_hiddev.txt
dev_usbmon.txt
dev_userio.txt
dev_vfio.txt
dev_vga_arbiter.txt
dev_vhci.txt
dev_video4linux.txt
dev_video4linux_vim2m.txt
dev_virtual_nci.txt
dev_vtpm.txt
fanotify.txt
filesystem.txt
fs_9p.txt
fs_fuse.txt
fs_incfs.txt
fs_ioctl.txt
fs_ioctl_autofs.txt
fs_ioctl_btrfs.txt
fs_ioctl_ext4.txt
fs_ioctl_f2fs.txt
fs_ioctl_fat.txt
fs_ioctl_fscrypt.txt
fs_ioctl_fsverity.txt
fs_ioctl_nilfs2.txt
fs_ioctl_ocfs2.txt
fs_ioctl_xfs.txt
futex.txt
hafnium.txt
inotify.txt
io_uring.txt
ipc.txt
key.txt
kfuzztest.txt
l2cap.txt
landlock.txt
lsm.txt
namespaces.txt
net_80211.txt
netfilter.txt
netfilter_arp.txt
netfilter_bridge.txt
netfilter_ipv4.txt
netfilter_ipv6.txt
netfilter_ipvs.txt
netfilter_targets.txt
pagemap_ioctl.txt
perf.txt
prctl.txt
quotactl.txt
seccomp.txt
security_apparmor.txt
security_selinux.txt
security_smack.txt
socket.txt
socket_alg.txt
socket_ax25.txt
socket_bluetooth.txt
socket_caif.txt
socket_can.txt
socket_ieee802154.txt
socket_inet.txt
socket_inet6.txt
socket_inet_dccp.txt
socket_inet_icmp.txt
socket_inet_igmp.txt
socket_inet_l2tp.txt
socket_inet_sctp.txt
socket_inet_tcp.txt
socket_inet_udp.txt
socket_ip_tunnel.txt
socket_isdn.txt
socket_kcm.txt
socket_key.txt
socket_llc.txt
socket_netlink.txt
socket_netlink_audit.txt
socket_netlink_crypto.txt
socket_netlink_generic.txt
socket_netlink_generic_80211.txt
socket_netlink_generic_batadv.txt
socket_netlink_generic_devlink.txt
socket_netlink_generic_ethtool.txt
socket_netlink_generic_fou.txt
socket_netlink_generic_gtp.txt
socket_netlink_generic_mptcp.txt
socket_netlink_generic_net_dm.txt
socket_netlink_generic_netlabel.txt
socket_netlink_generic_nfc.txt
socket_netlink_generic_seg6.txt
socket_netlink_generic_smc.txt
socket_netlink_generic_team.txt
socket_netlink_generic_wireguard.txt
socket_netlink_netfilter.txt
socket_netlink_netfilter_acct.txt
socket_netlink_netfilter_conntrack.txt
socket_netlink_netfilter_conntrack_exp.txt
socket_netlink_netfilter_conntrack_helper.txt
socket_netlink_netfilter_ipset.txt
socket_netlink_netfilter_log.txt
socket_netlink_netfilter_nft_compat.txt
socket_netlink_netfilter_nftables.txt
socket_netlink_netfilter_osf.txt
socket_netlink_netfilter_queue.txt
socket_netlink_netfilter_timeout.txt
socket_netlink_rdma.txt
socket_netlink_route.txt
socket_netlink_route_sched.txt
socket_netlink_route_sched_retired.txt
socket_netlink_sock_diag.txt
socket_netlink_xfrm.txt
socket_netrom.txt
socket_nfc.txt
socket_nvme_of_tcp.txt
socket_packet.txt
socket_phonet.txt
socket_pppox.txt
socket_qipcrtr.txt
socket_rds.txt
socket_rose.txt
socket_rxrpc.txt
socket_tipc.txt
socket_tipc_netlink.txt
socket_unix.txt
socket_vnet.txt
socket_x25.txt
socket_xdp.txt
sys.txt
uffd.txt
usbip.txt
vmw_vmci.txt
vnet.txt
vnet_mptcp.txt
vusb.txt
watch_queue.txt
xattr.txt

gemini-3-pro-preview

							input: 15692
							output: 49
							thoughts: 411
						

**Analyzing a Kernel Panic in Bonded Network Interfaces**

Okay, so I've got this bug report, "BUG: unable to handle kernel paging request in bond_rr_gen_slave_id." Right away, I see that the crash is happening deep within the bonding driver, specifically in `bond_rr_gen_slave_id` at `drivers/net/bonding/bond_main.c:4836`. That's a pretty low-level function, likely dealing with how the round-robin bonding mode selects slaves for transmission.

The call trace is crucial here. Let's break it down: It looks like the error originates from `bond_xdp_xmit_roundrobin_slave_get`, then `bond_xdp_get_xmit_slave`, which are related to XDP (eXpress Data Path) and how bonded interfaces interact with XDP. Then the call chain involves `xdp_master_redirect`, the generic XDP redirect mechanism and then we get into the bpf subsystem. The XDP and BPF code seems to be testing and handling the data flow through our network stack. The stack seems to get to the `__sys_bpf` system call, which I know is the entry point for BPF programs. This suggests that the issue might be triggered when an XDP program is loaded or running on the bonded interface.

My immediate thought is to zero in on that section of `bond_main.c` around line 4836. I need to understand what that function is doing in detail, especially within the context of XDP. I need to see what's happening just before this call and what data it's operating on. Is there a race condition? Memory corruption? Or is some value being dereferenced incorrectly? I will need to look closely at how the slave selection is implemented, how it's integrated with the XDP path, and what assumptions are made about the state of the bond and its slaves. This is most likely the root cause.

map[ContextFile:drivers/net/bonding/bond_main.c IncludeLines:true Name:bond_rr_gen_slave_id]

map[SourceCode:4817:	/**
4818:	 * bond_rr_gen_slave_id - generate slave id based on packets_per_slave
4819:	 * @bond: bonding device to use
4820:	 *
4821:	 * Based on the value of the bonding device's packets_per_slave parameter
4822:	 * this function generates a slave id, which is usually used as the next
4823:	 * slave to transmit through.
4824:	 */
4825:	static u32 bond_rr_gen_slave_id(struct bonding *bond)
4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
4847:		return slave_id;
4848:	}
 SourceFile:drivers/net/bonding/bond_main.c]

gemini-3-pro-preview

							input: 17091
							output: 56
							thoughts: 72
						

**Debugging a Suspected Null Pointer Dereference**

Okay, so I've got a crash at line 4836, and the stack trace points directly to `slave_id = this_cpu_inc_return(*bond->rr_tx_counter);`. My immediate suspicion, given the nature of that operation, is a classic null pointer dereference. The likely culprit is `bond->rr_tx_counter`. It's either null, uninitialized, or, potentially, pointing to some garbage memory.

My next step is clear: I need to trace back and find the initialization point for `rr_tx_counter`. I need to figure out *why* it's in this potentially broken state. I'll be looking for where `rr_tx_counter` is declared, allocated, and assigned its value. Hopefully, I can spot a logical error in the flow there.

map[ContextFile:drivers/net/bonding/bond_main.c IncludeSnippetLines:10 Name:bonding::rr_tx_counter SourceTreePrefix:]

map[References:[map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_destructor SourceFile:drivers/net/bonding/bond_main.c SourceLine:5874 SourceSnippet:5867:	static void bond_destructor(struct net_device *bond_dev)
5868:	{
5869:		struct bonding *bond = netdev_priv(bond_dev);
5870:	
5871:		if (bond->wq)
5872:			destroy_workqueue(bond->wq);
5873:	
5874:		free_percpu(bond->rr_tx_counter);
5875:	}
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_open SourceFile:drivers/net/bonding/bond_main.c SourceLine:4241 SourceSnippet:4235:	static int bond_open(struct net_device *bond_dev)
4236:	{
4237:		struct bonding *bond = netdev_priv(bond_dev);
4238:		struct list_head *iter;
4239:		struct slave *slave;
4240:	
4241:		if (BOND_MODE(bond) == BOND_MODE_ROUNDROBIN && !bond->rr_tx_counter) {
4242:			bond->rr_tx_counter = alloc_percpu(u32);
4243:			if (!bond->rr_tx_counter)
4244:				return -ENOMEM;
4245:		}
4246:	
4247:		/* reset slave->backup and slave->inactive */
4248:		if (bond_has_slaves(bond)) {
4249:			bond_for_each_slave(bond, slave, iter) {
4250:				if (bond_uses_primary(bond) &&
4251:				    slave != rcu_access_pointer(bond->curr_active_slave)) {
] map[ReferenceKind:writes ReferencingEntityKind:function ReferencingEntityName:bond_open SourceFile:drivers/net/bonding/bond_main.c SourceLine:4242 SourceSnippet:4235:	static int bond_open(struct net_device *bond_dev)
4236:	{
4237:		struct bonding *bond = netdev_priv(bond_dev);
4238:		struct list_head *iter;
4239:		struct slave *slave;
4240:	
4241:		if (BOND_MODE(bond) == BOND_MODE_ROUNDROBIN && !bond->rr_tx_counter) {
4242:			bond->rr_tx_counter = alloc_percpu(u32);
4243:			if (!bond->rr_tx_counter)
4244:				return -ENOMEM;
4245:		}
4246:	
4247:		/* reset slave->backup and slave->inactive */
4248:		if (bond_has_slaves(bond)) {
4249:			bond_for_each_slave(bond, slave, iter) {
4250:				if (bond_uses_primary(bond) &&
4251:				    slave != rcu_access_pointer(bond->curr_active_slave)) {
4252:					bond_set_slave_inactive_flags(slave,
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_open SourceFile:drivers/net/bonding/bond_main.c SourceLine:4243 SourceSnippet:4235:	static int bond_open(struct net_device *bond_dev)
4236:	{
4237:		struct bonding *bond = netdev_priv(bond_dev);
4238:		struct list_head *iter;
4239:		struct slave *slave;
4240:	
4241:		if (BOND_MODE(bond) == BOND_MODE_ROUNDROBIN && !bond->rr_tx_counter) {
4242:			bond->rr_tx_counter = alloc_percpu(u32);
4243:			if (!bond->rr_tx_counter)
4244:				return -ENOMEM;
4245:		}
4246:	
4247:		/* reset slave->backup and slave->inactive */
4248:		if (bond_has_slaves(bond)) {
4249:			bond_for_each_slave(bond, slave, iter) {
4250:				if (bond_uses_primary(bond) &&
4251:				    slave != rcu_access_pointer(bond->curr_active_slave)) {
4252:					bond_set_slave_inactive_flags(slave,
4253:								      BOND_SLAVE_NOTIFY_NOW);
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4836 SourceSnippet:4826:	{
4827:		u32 slave_id;
4828:		struct reciprocal_value reciprocal_packets_per_slave;
4829:		int packets_per_slave = bond->params.packets_per_slave;
4830:	
4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
] map[ReferenceKind:reads ReferencingEntityKind:function ReferencingEntityName:bond_rr_gen_slave_id SourceFile:drivers/net/bonding/bond_main.c SourceLine:4841 SourceSnippet:4831:		switch (packets_per_slave) {
4832:		case 0:
4833:			slave_id = get_random_u32();
4834:			break;
4835:		case 1:
4836:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4837:			break;
4838:		default:
4839:			reciprocal_packets_per_slave =
4840:				bond->params.reciprocal_packets_per_slave;
4841:			slave_id = this_cpu_inc_return(*bond->rr_tx_counter);
4842:			slave_id = reciprocal_divide(slave_id,
4843:						     reciprocal_packets_per_slave);
4844:			break;
4845:		}
4846:	
4847:		return slave_id;
4848:	}
]] TruncatedOutput:true]

gemini-3-pro-preview

							input: 24578
							output: 51
							thoughts: 93
						

Okay, here's my breakdown of what's going on, thinking through this like a network expert:

**Investigating a Round Robin Bonding Crash in XDP Context**

Alright, I'm tracking down this crash. My initial hunch is that it's related to how round-robin bonding is set up and used within the XDP framework. The key here is that the counter `bond->rr_tx_counter` seems to only be initialized in `bond_open` *if* the bonding mode is set to round-robin, which is a key observation.

Now, the crash is specifically occurring within the `bond_xdp_xmit_roundrobin_slave_get` function. That function is, as expected, being called from `bond_xdp_get_xmit_slave`. So, the problem lies somewhere in that chain. My next step is to drill down into `bond_xdp_get_xmit_slave` and understand the logic there. Something must be going wrong with accessing or using that round-robin counter, or perhaps the slave selection process itself, when the bonding is in the XDP context. I'm guessing we'll find some race condition or uninitialized access if we look closely at this function. Let's see what's going on!

map[ContextFile:drivers/net/bonding/bond_main.c IncludeLines:true Name:bond_xdp_get_xmit_slave]

map[SourceCode:5496:	static struct net_device *
5497:	bond_xdp_get_xmit_slave(struct net_device *bond_dev, struct xdp_buff *xdp)
5498:	{
5499:		struct bonding *bond = netdev_priv(bond_dev);
5500:		struct slave *slave;
5501:	
5502:		/* Caller needs to hold rcu_read_lock() */
5503:	
5504:		switch (BOND_MODE(bond)) {
5505:		case BOND_MODE_ROUNDROBIN:
5506:			slave = bond_xdp_xmit_roundrobin_slave_get(bond, xdp);
5507:			break;
5508:	
5509:		case BOND_MODE_ACTIVEBACKUP:
5510:			slave = bond_xmit_activebackup_slave_get(bond);
5511:			break;
5512:	
5513:		case BOND_MODE_8023AD:
5514:		case BOND_MODE_XOR:
5515:			slave = bond_xdp_xmit_3ad_xor_slave_get(bond, xdp);
5516:			break;
5517:	
5518:		default:
5519:			if (net_ratelimit())
5520:				netdev_err(bond_dev, "Unknown bonding mode %d for xdp xmit\n",
5521:					   BOND_MODE(bond));
5522:			return NULL;
5523:		}
5524:	
5525:		if (slave)
5526:			return slave->dev;
5527:	
5528:		return NULL;
5529:	}
 SourceFile:drivers/net/bonding/bond_main.c]

gemini-3-pro-preview

							input: 25510
							output: 42
							thoughts: 47
						

Here's my summary, as the expert:

**Tracing the XDP Master Redirect**

Okay, so I'm looking at `bond_xdp_get_xmit_slave` which gets called within `xdp_master_redirect`. Right, that makes sense. The bond driver needs to figure out which slave interface to transmit the XDP-processed packet out on. Let's dig into `xdp_master_redirect` directly to understand the context. I need to see how the decision process unfolds within that function. I'm assuming it handles load balancing, failover, or some other bond-specific logic in the XDP context. I wonder if there's any interaction with the `dev->priv_flags`, or if they are using a separate data structure to track the bond's status. I expect to see some interface selection based on a specific criteria that is defined with the bond configuration. Let's get to the code.

map[ContextFile:net/core/filter.c IncludeLines:true Name:xdp_master_redirect]

map[SourceCode:4382:	u32 xdp_master_redirect(struct xdp_buff *xdp)
4383:	{
4384:		struct bpf_redirect_info *ri = bpf_net_ctx_get_ri();
4385:		struct net_device *master, *slave;
4386:	
4387:		master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
4388:		slave = master->netdev_ops->ndo_xdp_get_xmit_slave(master, xdp);
4389:		if (slave && slave != xdp->rxq->dev) {
4390:			/* The target device is different from the receiving device, so
4391:			 * redirect it to the new device.
4392:			 * Using XDP_REDIRECT gets the correct behaviour from XDP enabled
4393:			 * drivers to unmap the packet from their rx ring.
4394:			 */
4395:			ri->tgt_index = slave->ifindex;
4396:			ri->map_id = INT_MAX;
4397:			ri->map_type = BPF_MAP_TYPE_UNSPEC;
4398:			return XDP_REDIRECT;
4399:		}
4400:		return XDP_TX;
4401:	}
 SourceFile:net/core/filter.c]

gemini-3-pro-preview

							input: 26183
							output: 51
							thoughts: 385
						

**XDP Program Flow: A Deep Dive**

Okay, so I'm tracing this `xdp_master_redirect` function and trying to understand its place in the broader XDP ecosystem. I'm seeing that it first fetches the master device from `xdp->rxq->dev` and then calls `ndo_xdp_get_xmit_slave`. The interesting part is the conditional logic: if that master device is a bonding device, it dives into `bond_xdp_get_xmit_slave`. Now, if the bond isn't up, meaning `bond_open` hasn't been invoked yet, the `bond->rr_tx_counter` is `NULL`.

Aha, that’s when `bond_xdp_get_xmit_slave` is supposed to run, though. I'm now realizing that `xdp_master_redirect` is executed during the test run - it’s being called when `xdp_master_redirect` is executed.

The call trace confirms this: I'm seeing this being executed as part of `xdp_test_run_batch`, `bpf_test_run_xdp_live`, and ultimately, `bpf_prog_test_run_xdp`. This tells me we're using `BPF_PROG_RUN` on an XDP program, which makes sense to use the BPF to conduct a test.

So, the next question is: How does this all tie into the XDP program itself? Is `bpf_xdp_redirect_map` involved? No, `xdp_master_redirect` is called by `bpf_xdp_redirect_map`. I need to figure out the connection because `xdp_master_redirect` is a BPF helper. Wait, `xdp_master_redirect` is not a BPF helper. I need to get a better handle on how and where `xdp_master_redirect` is actually being called from within the XDP execution flow. I need to trace it backward and see where this originates from.

map[ContextFile:net/core/filter.c IncludeSnippetLines:10 Name:xdp_master_redirect SourceTreePrefix:]

map[References:[map[ReferenceKind:calls ReferencingEntityKind:function ReferencingEntityName:bpf_prog_run_xdp SourceFile:include/net/xdp.h SourceLine:700 SourceSnippet: 690:						    struct xdp_buff *xdp)
 691:	{
 692:		/* Driver XDP hooks are invoked within a single NAPI poll cycle and thus
 693:		 * under local_bh_disable(), which provides the needed RCU protection
 694:		 * for accessing map entries.
 695:		 */
 696:		u32 act = __bpf_prog_run(prog, xdp, BPF_DISPATCHER_FUNC(xdp));
 697:	
 698:		if (static_branch_unlikely(&bpf_master_redirect_enabled_key)) {
 699:			if (act == XDP_TX && netif_is_bond_slave(xdp->rxq->dev))
 700:				act = xdp_master_redirect(xdp);
 701:		}
 702:	
 703:		return act;
 704:	}
]] TruncatedOutput:false]

gemini-3-pro-preview

							input: 27394
							output: 56
							thoughts: 92
						

Okay, here's my understanding, thinking through this piece by piece:

**Navigating the XDP Redirect Logic**

Right, so I'm looking at `bpf_prog_run_xdp`. My understanding is that, if the action code `act` is equal to `XDP_TX` *and* the receiving device `xdp->rxq->dev` is a bonded slave interface, then it calls `xdp_master_redirect`. Got it. The key question now becomes: under what conditions does this `bpf_master_redirect_enabled_key` *actually* get enabled? That's the crucial enabling condition. I need to trace back through the code and figure out the chain of events that lead to that specific key being set. Where does `bpf_master_redirect_enabled_key` get set? I need to find the answer. Let's dig in.

map[ContextFile:include/net/xdp.h IncludeSnippetLines:10 Name:bpf_master_redirect_enabled_key SourceTreePrefix:]

map[References:<nil> TruncatedOutput:false]

gemini-3-pro-preview

							input: 27756
							output: 55
							thoughts: 28
						

Okay, here's my attempt at summarizing that thought process, keeping in mind I'm speaking to a fellow expert:

**Locating the Definition**

Right, a slight pause there. I needed to quickly pinpoint where `bpf_master_redirect_enabled_key` is actually *defined*. No point diving into this further without that. And bingo, the source file is `net/core/filter.c`. That's where I need to be looking if I want to understand what's going on with that particular key. Now I can move forward with confidence.

map[ContextFile:net/core/filter.c IncludeSnippetLines:10 Name:bpf_master_redirect_enabled_key SourceTreePrefix:]

map[References:<nil> TruncatedOutput:false]

gemini-3-pro-preview

							input: 27981
							output: 24
							thoughts: 17
						

Here's my thought process, summarized as you requested:

**Investigating a Configuration Parameter**

Okay, so I need to find something specific. My initial instinct is to go straight to the code and search for a particular key. I'm going to leverage my familiarity with the codebase and use `grep`. Specifically, I'll search for the configuration key `bpf_master_redirect_enabled_key`. This key likely controls a feature or setting related to BPF (Berkeley Packet Filter) and master redirection. Grabbing this should help me understand the context around this key, its usage, and potential implications within the system. Let's see what we find!

map[Expression:bpf_master_redirect_enabled_key]

map[Output:drivers/net/bonding/bond_main.c=5568=static int bond_xdp_set(struct net_device *dev, struct bpf_prog *prog,
--
drivers/net/bonding/bond_main.c-5622-	if (prog) {
drivers/net/bonding/bond_main.c:5623:		static_branch_inc(&bpf_master_redirect_enabled_key);
drivers/net/bonding/bond_main.c-5624-	} else if (old_prog) {
drivers/net/bonding/bond_main.c-5625-		bpf_prog_put(old_prog);
drivers/net/bonding/bond_main.c:5626:		static_branch_dec(&bpf_master_redirect_enabled_key);
drivers/net/bonding/bond_main.c-5627-	}
--
include/linux/filter.h=1012=DECLARE_BPF_DISPATCHER(xdp)
include/linux/filter.h-1013-
include/linux/filter.h:1014:DECLARE_STATIC_KEY_FALSE(bpf_master_redirect_enabled_key);
include/linux/filter.h-1015-
--
include/net/xdp.h=689=static __always_inline u32 bpf_prog_run_xdp(const struct bpf_prog *prog,
--
include/net/xdp.h-697-
include/net/xdp.h:698:	if (static_branch_unlikely(&bpf_master_redirect_enabled_key)) {
include/net/xdp.h-699-		if (act == XDP_TX && netif_is_bond_slave(xdp->rxq->dev))
--
net/core/filter.c=4355=void xdp_do_check_flushed(struct napi_struct *napi)
--
net/core/filter.c-4378-
net/core/filter.c:4379:DEFINE_STATIC_KEY_FALSE(bpf_master_redirect_enabled_key);
net/core/filter.c:4380:EXPORT_SYMBOL_GPL(bpf_master_redirect_enabled_key);
net/core/filter.c-4381-
]

gemini-3-pro-preview

							input: 28746
							output: 45
							thoughts: 400
						

**My Analysis of the Bonding Device XDP Crash**

Okay, so here's what's happening. I've got this `bpf_master_redirect_enabled_key` that's getting incremented when an XDP program is attached to a bonding interface. The bug is triggered in a very specific sequence. First, you set up a bonding device and configure it for round-robin mode. Then you attach an XDP program to the bonding interface, which kicks off that key. That’s step 3, so far so good.

Now things get interesting. You then add a slave interface to the bonding device. Then, for whatever reason, we run an XDP program on that slave device using `bpf_prog_test_run`, and this program returns `XDP_TX`. The code sees that `bpf_master_redirect_enabled_key` is set to true and that we are dealing with a slave device (`netif_is_bond_slave(xdp->rxq->dev)`). This then triggers a call to `xdp_master_redirect(xdp)`.

`xdp_master_redirect` calls `master->netdev_ops->ndo_xdp_get_xmit_slave(master, xdp)`. That call resolves to `bond_xdp_get_xmit_slave`, which calls `bond_xdp_xmit_roundrobin_slave_get`, and that function calls `bond_rr_gen_slave_id`.

Here's the problem. `bond_rr_gen_slave_id` accesses `bond->rr_tx_counter`. But, and this is key, if the bonding interface is *not* UP (i.e., the interface has not been activated) then `bond_open` hasn't been called. So, in that case, the `bond->rr_tx_counter` is NULL! This means a null pointer dereference, and we crash.

Hold on a second... can you even add a slave to a bonding device if the bonding device is *not* UP? That seems like a strange scenario, but it's important to understand to be sure. Let me quickly check the `bond_enslave` function to confirm this is possible.

map[ContextFile:drivers/net/bonding/bond_main.c IncludeLines:true Name:bond_enslave]

map[SourceCode:1798:	/* enslave device <slave> to bond device <master> */
1799:	int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
1800:			 struct netlink_ext_ack *extack)
1801:	{
1802:		struct bonding *bond = netdev_priv(bond_dev);
1803:		const struct net_device_ops *slave_ops = slave_dev->netdev_ops;
1804:		struct slave *new_slave = NULL, *prev_slave;
1805:		struct sockaddr_storage ss;
1806:		int res = 0, i;
1807:	
1808:		if (slave_dev->flags & IFF_MASTER &&
1809:		    !netif_is_bond_master(slave_dev)) {
1810:			BOND_NL_ERR(bond_dev, extack,
1811:				    "Device type (master device) cannot be enslaved");
1812:			return -EPERM;
1813:		}
1814:	
1815:		/* already in-use? */
1816:		if (netdev_is_rx_handler_busy(slave_dev)) {
1817:			SLAVE_NL_ERR(bond_dev, slave_dev, extack,
1818:				     "Device is in use and cannot be enslaved");
1819:			return -EBUSY;
1820:		}
1821:	
1822:		if (bond_dev == slave_dev) {
1823:			BOND_NL_ERR(bond_dev, extack, "Cannot enslave bond to itself.");
1824:			return -EPERM;
1825:		}
1826:	
1827:		/* vlan challenged mutual exclusion */
1828:		/* no need to lock since we're protected by rtnl_lock */
1829:		if (slave_dev->features & NETIF_F_VLAN_CHALLENGED) {
1830:			slave_dbg(bond_dev, slave_dev, "is NETIF_F_VLAN_CHALLENGED\n");
1831:			if (vlan_uses_dev(bond_dev)) {
1832:				SLAVE_NL_ERR(bond_dev, slave_dev, extack,
1833:					     "Can not enslave VLAN challenged device to VLAN enabled bond");
1834:				return -EPERM;
1835:			} else {
1836:				slave_warn(bond_dev, slave_dev, "enslaved VLAN challenged slave. Adding VLANs will be blocked as long as it is part of bond.\n");
1837:			}
1838:		} else {
1839:			slave_dbg(bond_dev, slave_dev, "is !NETIF_F_VLAN_CHALLENGED\n");
1840:		}
1841:	
1842:		if (slave_dev->features & NETIF_F_HW_ESP)
1843:			slave_dbg(bond_dev, slave_dev, "is esp-hw-offload capable\n");
1844:	
1845:		/* Old ifenslave binaries are no longer supported.  These can
1846:		 * be identified with moderate accuracy by the state of the slave:
1847:		 * the current ifenslave will set the interface down prior to
1848:		 * enslaving it; the old ifenslave will not.
1849:		 */
1850:		if (slave_dev->flags & IFF_UP) {
1851:			SLAVE_NL_ERR(bond_dev, slave_dev, extack,
1852:				     "Device can not be enslaved while up");
1853:			return -EPERM;
1854:		}
1855:	
1856:		/* set bonding device ether type by slave - bonding netdevices are
1857:		 * created with ether_setup, so when the slave type is not ARPHRD_ETHER
1858:		 * there is a need to override some of the type dependent attribs/funcs.
1859:		 *
1860:		 * bond ether type mutual exclusion - don't allow slaves of dissimilar
1861:		 * ether type (eg ARPHRD_ETHER and ARPHRD_INFINIBAND) share the same bond
1862:		 */
1863:		if (!bond_has_slaves(bond)) {
1864:			if (bond_dev->type != slave_dev->type) {
1865:				slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n",
1866:					  bond_dev->type, slave_dev->type);
1867:	
1868:				res = call_netdevice_notifiers(NETDEV_PRE_TYPE_CHANGE,
1869:							       bond_dev);
1870:				res = notifier_to_errno(res);
1871:				if (res) {
1872:					slave_err(bond_dev, slave_dev, "refused to change device type\n");
1873:					return -EBUSY;
1874:				}
1875:	
1876:				/* Flush unicast and multicast addresses */
1877:				dev_uc_flush(bond_dev);
1878:				dev_mc_flush(bond_dev);
1879:	
1880:				if (slave_dev->type != ARPHRD_ETHER)
1881:					bond_setup_by_slave(bond_dev, slave_dev);
1882:				else
1883:					bond_ether_setup(bond_dev);
1884:	
1885:				call_netdevice_notifiers(NETDEV_POST_TYPE_CHANGE,
1886:							 bond_dev);
1887:			}
1888:		} else if (bond_dev->type != slave_dev->type) {
1889:			SLAVE_NL_ERR(bond_dev, slave_dev, extack,
1890:				     "Device type is different from other slaves");
1891:			return -EINVAL;
1892:		}
1893:	
1894:		if (slave_dev->type == ARPHRD_INFINIBAND &&
1895:		    BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
1896:			SLAVE_NL_ERR(bond_dev, slave_dev, extack,
1897:				     "Only active-backup mode is supported for infiniband slaves");
1898:			res = -EOPNOTSUPP;
1899:			goto err_undo_flags;
1900:		}
1901:	
1902:		if (!slave_ops->ndo_set_mac_address ||
1903:		    slave_dev->type == ARPHRD_INFINIBAND) {
1904:			slave_warn(bond_dev, slave_dev, "The slave device specified does not support setting the MAC address\n");
1905:			if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP &&
1906:			    bond->params.fail_over_mac != BOND_FOM_ACTIVE) {
1907:				if (!bond_has_slaves(bond)) {
1908:					bond->params.fail_over_mac = BOND_FOM_ACTIVE;
1909:					slave_warn(bond_dev, slave_dev, "Setting fail_over_mac to active for active-backup mode\n");
1910:				} else {
1911:					SLAVE_NL_ERR(bond_dev, slave_dev, extack,
1912:						     "Slave device does not support setting the MAC address, but fail_over_mac is not set to active");
1913:					res = -EOPNOTSUPP;
1914:					goto err_undo_flags;
1915:				}
1916:			}
1917:		}
1918:	
1919:		call_netdevice_notifiers(NETDEV_JOIN, slave_dev);
1920:	
1921:		/* If this is the first slave, then we need to set the master's hardware
1922:		 * address to be the same as the slave's.
1923:		 */
1924:		if (!bond_has_slaves(bond) &&
1925:		    bond->dev->addr_assign_type == NET_ADDR_RANDOM) {
1926:			res = bond_set_dev_addr(bond->dev, slave_dev);
1927:			if (res)
1928:				goto err_undo_flags;
1929:		}
1930:	
1931:		new_slave = bond_alloc_slave(bond, slave_dev);
1932:		if (!new_slave) {
1933:			res = -ENOMEM;
1934:			goto err_undo_flags;
1935:		}
1936:	
1937:		/* Set the new_slave's queue_id to be zero.  Queue ID mapping
1938:		 * is set via sysfs or module option if desired.
1939:		 */
1940:		new_slave->queue_id = 0;
1941:	
1942:		/* Save slave's original mtu and then set it to match the bond */
1943:		new_slave->original_mtu = slave_dev->mtu;
1944:		res = dev_set_mtu(slave_dev, bond->dev->mtu);
1945:		if (res) {
1946:			slave_err(bond_dev, slave_dev, "Error %d calling dev_set_mtu\n", res);
1947:			goto err_free;
1948:		}
1949:	
1950:		/* Save slave's original ("permanent") mac address for modes
1951:		 * that need it, and for restoring it upon release, and then
1952:		 * set it to the master's address
1953:		 */
1954:		bond_hw_addr_copy(new_slave->perm_hwaddr, slave_dev->dev_addr,
1955:				  slave_dev->addr_len);
1956:	
1957:		if (!bond->params.fail_over_mac ||
1958:		    BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
1959:			/* Set slave to master's mac address.  The application already
1960:			 * set the master's mac address to that of the first slave
1961:			 */
1962:			memcpy(ss.__data, bond_dev->dev_addr, bond_dev->addr_len);
1963:		} else if (bond->params.fail_over_mac == BOND_FOM_FOLLOW &&
1964:			   BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP &&
1965:			   bond_has_slaves(bond) &&
1966:			   memcmp(slave_dev->dev_addr, bond_dev->dev_addr, bond_dev->addr_len) == 0) {
1967:			/* Set slave to random address to avoid duplicate mac
1968:			 * address in later fail over.
1969:			 */
1970:			eth_random_addr(ss.__data);
1971:		} else {
1972:			goto skip_mac_set;
1973:		}
1974:	
1975:		ss.ss_family = slave_dev->type;
1976:		res = dev_set_mac_address(slave_dev, &ss, extack);
1977:		if (res) {
1978:			slave_err(bond_dev, slave_dev, "Error %d calling set_mac_address\n", res);
1979:			goto err_restore_mtu;
1980:		}
1981:	
1982:	skip_mac_set:
1983:	
1984:		/* set no_addrconf flag before open to prevent IPv6 addrconf */
1985:		slave_dev->priv_flags |= IFF_NO_ADDRCONF;
1986:	
1987:		/* open the slave since the application closed it */
1988:		res = dev_open(slave_dev, extack);
1989:		if (res) {
1990:			slave_err(bond_dev, slave_dev, "Opening slave failed\n");
1991:			goto err_restore_mac;
1992:		}
1993:	
1994:		slave_dev->priv_flags |= IFF_BONDING;
1995:		/* initialize slave stats */
1996:		dev_get_stats(new_slave->dev, &new_slave->slave_stats);
1997:	
1998:		if (bond_is_lb(bond)) {
1999:			/* bond_alb_init_slave() must be called before all other stages since
2000:			 * it might fail and we do not want to have to undo everything
2001:			 */
2002:			res = bond_alb_init_slave(bond, new_slave);
2003:			if (res)
2004:				goto err_close;
2005:		}
2006:	
2007:		res = vlan_vids_add_by_dev(slave_dev, bond_dev);
2008:		if (res) {
2009:			slave_err(bond_dev, slave_dev, "Couldn't add bond vlan ids\n");
2010:			goto err_close;
2011:		}
2012:	
2013:		prev_slave = bond_last_slave(bond);
2014:	
2015:		new_slave->delay = 0;
2016:		new_slave->link_failure_count = 0;
2017:	
2018:		if (bond_update_speed_duplex(new_slave) &&
2019:		    bond_needs_speed_duplex(bond))
2020:			new_slave->link = BOND_LINK_DOWN;
2021:	
2022:		new_slave->last_rx = jiffies -
2023:			(msecs_to_jiffies(bond->params.arp_interval) + 1);
2024:		for (i = 0; i < BOND_MAX_ARP_TARGETS; i++)
2025:			new_slave->target_last_arp_rx[i] = new_slave->last_rx;
2026:	
2027:		new_slave->last_tx = new_slave->last_rx;
2028:	
2029:		/* check for initial state */
2030:		new_slave->link = BOND_LINK_NOCHANGE;
2031:		if (bond->params.miimon) {
2032:			if (netif_running(slave_dev) && netif_carrier_ok(slave_dev)) {
2033:				if (bond->params.updelay) {
2034:					bond_set_slave_link_state(new_slave,
2035:								  BOND_LINK_BACK,
2036:								  BOND_SLAVE_NOTIFY_NOW);
2037:					new_slave->delay = bond->params.updelay;
2038:				} else {
2039:					bond_set_slave_link_state(new_slave,
2040:								  BOND_LINK_UP,
2041:								  BOND_SLAVE_NOTIFY_NOW);
2042:				}
2043:			} else {
2044:				bond_set_slave_link_state(new_slave, BOND_LINK_DOWN,
2045:							  BOND_SLAVE_NOTIFY_NOW);
2046:			}
2047:		} else if (bond->params.arp_interval) {
2048:			bond_set_slave_link_state(new_slave,
2049:						  (netif_carrier_ok(slave_dev) ?
2050:						  BOND_LINK_UP : BOND_LINK_DOWN),
2051:						  BOND_SLAVE_NOTIFY_NOW);
2052:		} else {
2053:			bond_set_slave_link_state(new_slave, BOND_LINK_UP,
2054:						  BOND_SLAVE_NOTIFY_NOW);
2055:		}
2056:	
2057:		if (new_slave->link != BOND_LINK_DOWN)
2058:			new_slave->last_link_up = jiffies;
2059:		slave_dbg(bond_dev, slave_dev, "Initial state of slave is BOND_LINK_%s\n",
2060:			  new_slave->link == BOND_LINK_DOWN ? "DOWN" :
2061:			  (new_slave->link == BOND_LINK_UP ? "UP" : "BACK"));
2062:	
2063:		if (bond_uses_primary(bond) && bond->params.primary[0]) {
2064:			/* if there is a primary slave, remember it */
2065:			if (strcmp(bond->params.primary, new_slave->dev->name) == 0) {
2066:				rcu_assign_pointer(bond->primary_slave, new_slave);
2067:				bond->force_primary = true;
2068:			}
2069:		}
2070:	
2071:		switch (BOND_MODE(bond)) {
2072:		case BOND_MODE_ACTIVEBACKUP:
2073:			bond_set_slave_inactive_flags(new_slave,
2074:						      BOND_SLAVE_NOTIFY_NOW);
2075:			break;
2076:		case BOND_MODE_8023AD:
2077:			/* in 802.3ad mode, the internal mechanism
2078:			 * will activate the slaves in the selected
2079:			 * aggregator
2080:			 */
2081:			bond_set_slave_inactive_flags(new_slave, BOND_SLAVE_NOTIFY_NOW);
2082:			/* if this is the first slave */
2083:			if (!prev_slave) {
2084:				SLAVE_AD_INFO(new_slave)->id = 1;
2085:				/* Initialize AD with the number of times that the AD timer is called in 1 second
2086:				 * can be called only after the mac address of the bond is set
2087:				 */
2088:				bond_3ad_initialize(bond);
2089:			} else {
2090:				SLAVE_AD_INFO(new_slave)->id =
2091:					SLAVE_AD_INFO(prev_slave)->id + 1;
2092:			}
2093:	
2094:			bond_3ad_bind_slave(new_slave);
2095:			break;
2096:		case BOND_MODE_TLB:
2097:		case BOND_MODE_ALB:
2098:			bond_set_active_slave(new_slave);
2099:			bond_set_slave_inactive_flags(new_slave, BOND_SLAVE_NOTIFY_NOW);
2100:			break;
2101:		default:
2102:			slave_dbg(bond_dev, slave_dev, "This slave is always active in trunk mode\n");
2103:	
2104:			/* always active in trunk mode */
2105:			bond_set_active_slave(new_slave);
2106:	
2107:			/* In trunking mode there is little meaning to curr_active_slave
2108:			 * anyway (it holds no special properties of the bond device),
2109:			 * so we can change it without calling change_active_interface()
2110:			 */
2111:			if (!rcu_access_pointer(bond->curr_active_slave) &&
2112:			    new_slave->link == BOND_LINK_UP)
2113:				rcu_assign_pointer(bond->curr_active_slave, new_slave);
2114:	
2115:			break;
2116:		} /* switch(bond_mode) */
2117:	
2118:	#ifdef CONFIG_NET_POLL_CONTROLLER
2119:		if (bond->dev->npinfo) {
2120:			if (slave_enable_netpoll(new_slave)) {
2121:				slave_info(bond_dev, slave_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n");
2122:				res = -EBUSY;
2123:				goto err_detach;
2124:			}
2125:		}
2126:	#endif
2127:	
2128:		if (!(bond_dev->features & NETIF_F_LRO))
2129:			dev_disable_lro(slave_dev);
2130:	
2131:		res = netdev_rx_handler_register(slave_dev, bond_handle_frame,
2132:						 new_slave);
2133:		if (res) {
2134:			slave_dbg(bond_dev, slave_dev, "Error %d calling netdev_rx_handler_register\n", res);
2135:			goto err_detach;
2136:		}
2137:	
2138:		res = bond_master_upper_dev_link(bond, new_slave, extack);
2139:		if (res) {
2140:			slave_dbg(bond_dev, slave_dev, "Error %d calling bond_master_upper_dev_link\n", res);
2141:			goto err_unregister;
2142:		}
2143:	
2144:		bond_lower_state_changed(new_slave);
2145:	
2146:		res = bond_sysfs_slave_add(new_slave);
2147:		if (res) {
2148:			slave_dbg(bond_dev, slave_dev, "Error %d calling bond_sysfs_slave_add\n", res);
2149:			goto err_upper_unlink;
2150:		}
2151:	
2152:		/* If the mode uses primary, then the following is handled by
2153:		 * bond_change_active_slave().
2154:		 */
2155:		if (!bond_uses_primary(bond)) {
2156:			/* set promiscuity level to new slave */
2157:			if (bond_dev->flags & IFF_PROMISC) {
2158:				res = dev_set_promiscuity(slave_dev, 1);
2159:				if (res)
2160:					goto err_sysfs_del;
2161:			}
2162:	
2163:			/* set allmulti level to new slave */
2164:			if (bond_dev->flags & IFF_ALLMULTI) {
2165:				res = dev_set_allmulti(slave_dev, 1);
2166:				if (res) {
2167:					if (bond_dev->flags & IFF_PROMISC)
2168:						dev_set_promiscuity(slave_dev, -1);
2169:					goto err_sysfs_del;
2170:				}
2171:			}
2172:	
2173:			if (bond_dev->flags & IFF_UP) {
2174:				netif_addr_lock_bh(bond_dev);
2175:				dev_mc_sync_multiple(slave_dev, bond_dev);
2176:				dev_uc_sync_multiple(slave_dev, bond_dev);
2177:				netif_addr_unlock_bh(bond_dev);
2178:	
2179:				if (BOND_MODE(bond) == BOND_MODE_8023AD)
2180:					dev_mc_add(slave_dev, lacpdu_mcast_addr);
2181:			}
2182:		}
2183:	
2184:		bond->slave_cnt++;
2185:		netdev_compute_master_upper_features(bond->dev, true);
2186:		bond_set_carrier(bond);
2187:	
2188:		/* Needs to be called before bond_select_active_slave(), which will
2189:		 * remove the maddrs if the slave is selected as active slave.
2190:		 */
2191:		bond_slave_ns_maddrs_add(bond, new_slave);
2192:	
2193:		if (bond_uses_primary(bond)) {
2194:			block_netpoll_tx();
2195:			bond_select_active_slave(bond);
2196:			unblock_netpoll_tx();
2197:		}
2198:	
2199:		/* broadcast mode uses the all_slaves to loop through slaves. */
2200:		if (bond_mode_can_use_xmit_hash(bond) ||
2201:		    BOND_MODE(bond) == BOND_MODE_BROADCAST)
2202:			bond_update_slave_arr(bond, NULL);
2203:	
2204:		if (!slave_dev->netdev_ops->ndo_bpf ||
2205:		    !slave_dev->netdev_ops->ndo_xdp_xmit) {
2206:			if (bond->xdp_prog) {
2207:				SLAVE_NL_ERR(bond_dev, slave_dev, extack,
2208:					     "Slave does not support XDP");
2209:				res = -EOPNOTSUPP;
2210:				goto err_sysfs_del;
2211:			}
2212:		} else if (bond->xdp_prog) {
2213:			struct netdev_bpf xdp = {
2214:				.command = XDP_SETUP_PROG,
2215:				.flags   = 0,
2216:				.prog    = bond->xdp_prog,
2217:				.extack  = extack,
2218:			};
2219:	
2220:			if (dev_xdp_prog_count(slave_dev) > 0) {
2221:				SLAVE_NL_ERR(bond_dev, slave_dev, extack,
2222:					     "Slave has XDP program loaded, please unload before enslaving");
2223:				res = -EOPNOTSUPP;
2224:				goto err_sysfs_del;
2225:			}
2226:	
2227:			res = dev_xdp_propagate(slave_dev, &xdp);
2228:			if (res < 0) {
2229:				/* ndo_bpf() sets extack error message */
2230:				slave_dbg(bond_dev, slave_dev, "Error %d calling ndo_bpf\n", res);
2231:				goto err_sysfs_del;
2232:			}
2233:			if (bond->xdp_prog)
2234:				bpf_prog_inc(bond->xdp_prog);
2235:		}
2236:	
2237:		bond_xdp_set_features(bond_dev);
2238:	
2239:		slave_info(bond_dev, slave_dev, "Enslaving as %s interface with %s link\n",
2240:			   bond_is_active_slave(new_slave) ? "an active" : "a backup",
2241:			   new_slave->link != BOND_LINK_DOWN ? "an up" : "a down");
2242:	
2243:		/* enslave is successful */
2244:		bond_queue_slave_event(new_slave);
2245:		return 0;
2246:	
2247:	/* Undo stages on error */
2248:	err_sysfs_del:
2249:		bond_sysfs_slave_del(new_slave);
2250:	
2251:	err_upper_unlink:
2252:		bond_upper_dev_unlink(bond, new_slave);
2253:	
2254:	err_unregister:
2255:		netdev_rx_handler_unregister(slave_dev);
2256:	
2257:	err_detach:
2258:		vlan_vids_del_by_dev(slave_dev, bond_dev);
2259:		if (rcu_access_pointer(bond->primary_slave) == new_slave)
2260:			RCU_INIT_POINTER(bond->primary_slave, NULL);
2261:		if (rcu_access_pointer(bond->curr_active_slave) == new_slave) {
2262:			block_netpoll_tx();
2263:			bond_change_active_slave(bond, NULL);
2264:			bond_select_active_slave(bond);
2265:			unblock_netpoll_tx();
2266:		}
2267:		/* either primary_slave or curr_active_slave might've changed */
2268:		synchronize_rcu();
2269:		slave_disable_netpoll(new_slave);
2270:	
2271:	err_close:
2272:		if (!netif_is_bond_master(slave_dev))
2273:			slave_dev->priv_flags &= ~IFF_BONDING;
2274:		dev_close(slave_dev);
2275:	
2276:	err_restore_mac:
2277:		slave_dev->priv_flags &= ~IFF_NO_ADDRCONF;
2278:		if (!bond->params.fail_over_mac ||
2279:		    BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
2280:			/* XXX TODO - fom follow mode needs to change master's
2281:			 * MAC if this slave's MAC is in use by the bond, or at
2282:			 * least print a warning.
2283:			 */
2284:			bond_hw_addr_copy(ss.__data, new_slave->perm_hwaddr,
2285:					  new_slave->dev->addr_len);
2286:			ss.ss_family = slave_dev->type;
2287:			dev_set_mac_address(slave_dev, &ss, NULL);
2288:		}
2289:	
2290:	err_restore_mtu:
2291:		dev_set_mtu(slave_dev, new_slave->original_mtu);
2292:	
2293:	err_free:
2294:		kobject_put(&new_slave->kobj);
2295:	
2296:	err_undo_flags:
2297:		/* Enslave of first slave has failed and we need to fix master's mac */
2298:		if (!bond_has_slaves(bond)) {
2299:			if (ether_addr_equal_64bits(bond_dev->dev_addr,
2300:						    slave_dev->dev_addr))
2301:				eth_hw_addr_random(bond_dev);
2302:			if (bond_dev->type != ARPHRD_ETHER) {
2303:				dev_close(bond_dev);
2304:				bond_ether_setup(bond_dev);
2305:			}
2306:		}
2307:	
2308:		return res;
2309:	}
 SourceFile:drivers/net/bonding/bond_main.c]

gemini-3-pro-preview

							input: 38298
							output: 46
							thoughts: 112
						

**A Potential Hole in the Bonding Driver's Logic**

Okay, hold on a second. I was just reviewing the `bond_enslave` function and something's bugging me. It's checking if the slave device is already `IFF_UP` before allowing it to be enslaved, returning `-EPERM` if it is. Seems reasonable, you wouldn't want to mess with a live slave. But… it completely skips checking if the *bonding device* (`bond_dev`) itself is up.

That's a potential vulnerability, or at least an unexpected state. Could this mean we could actually enslave a device to a bonding interface even if the bonding interface is currently down? That feels... not right. And if we can do *that*, can we then attach an XDP program to this bonding device that's in a down state? My instinct says "no", but logic alone can be fallible when it comes to kernel interactions.

Let me just quickly check `bond_xdp_set` to see if there are any obvious checks there. This could be interesting...

map[ContextFile:drivers/net/bonding/bond_main.c IncludeLines:true Name:bond_xdp_set]

map[SourceCode:5568:	static int bond_xdp_set(struct net_device *dev, struct bpf_prog *prog,
5569:				struct netlink_ext_ack *extack)
5570:	{
5571:		struct bonding *bond = netdev_priv(dev);
5572:		struct list_head *iter;
5573:		struct slave *slave, *rollback_slave;
5574:		struct bpf_prog *old_prog;
5575:		struct netdev_bpf xdp = {
5576:			.command = XDP_SETUP_PROG,
5577:			.flags   = 0,
5578:			.prog    = prog,
5579:			.extack  = extack,
5580:		};
5581:		int err;
5582:	
5583:		ASSERT_RTNL();
5584:	
5585:		if (!bond_xdp_check(bond, BOND_MODE(bond))) {
5586:			BOND_NL_ERR(dev, extack,
5587:				    "No native XDP support for the current bonding mode");
5588:			return -EOPNOTSUPP;
5589:		}
5590:	
5591:		old_prog = bond->xdp_prog;
5592:		bond->xdp_prog = prog;
5593:	
5594:		bond_for_each_slave(bond, slave, iter) {
5595:			struct net_device *slave_dev = slave->dev;
5596:	
5597:			if (!slave_dev->netdev_ops->ndo_bpf ||
5598:			    !slave_dev->netdev_ops->ndo_xdp_xmit) {
5599:				SLAVE_NL_ERR(dev, slave_dev, extack,
5600:					     "Slave device does not support XDP");
5601:				err = -EOPNOTSUPP;
5602:				goto err;
5603:			}
5604:	
5605:			if (dev_xdp_prog_count(slave_dev) > 0) {
5606:				SLAVE_NL_ERR(dev, slave_dev, extack,
5607:					     "Slave has XDP program loaded, please unload before enslaving");
5608:				err = -EOPNOTSUPP;
5609:				goto err;
5610:			}
5611:	
5612:			err = dev_xdp_propagate(slave_dev, &xdp);
5613:			if (err < 0) {
5614:				/* ndo_bpf() sets extack error message */
5615:				slave_err(dev, slave_dev, "Error %d calling ndo_bpf\n", err);
5616:				goto err;
5617:			}
5618:			if (prog)
5619:				bpf_prog_inc(prog);
5620:		}
5621:	
5622:		if (prog) {
5623:			static_branch_inc(&bpf_master_redirect_enabled_key);
5624:		} else if (old_prog) {
5625:			bpf_prog_put(old_prog);
5626:			static_branch_dec(&bpf_master_redirect_enabled_key);
5627:		}
5628:	
5629:		return 0;
5630:	
5631:	err:
5632:		/* unwind the program changes */
5633:		bond->xdp_prog = old_prog;
5634:		xdp.prog = old_prog;
5635:		xdp.extack = NULL; /* do not overwrite original error */
5636:	
5637:		bond_for_each_slave(bond, rollback_slave, iter) {
5638:			struct net_device *slave_dev = rollback_slave->dev;
5639:			int err_unwind;
5640:	
5641:			if (slave == rollback_slave)
5642:				break;
5643:	
5644:			err_unwind = dev_xdp_propagate(slave_dev, &xdp);
5645:			if (err_unwind < 0)
5646:				slave_err(dev, slave_dev,
5647:					  "Error %d when unwinding XDP program change\n", err_unwind);
5648:			else if (xdp.prog)
5649:				bpf_prog_inc(xdp.prog);
5650:		}
5651:		return err;
5652:	}
 SourceFile:drivers/net/bonding/bond_main.c]

gemini-3-pro-preview

							input: 40004
							output: 50
							thoughts: 402
						

**My XDP Program Conundrum**

Okay, so I'm digging into this `bond_xdp_set` function and it's hitting me: it's not checking if the bonding device is actually up before trying to do its thing. That’s interesting. Let's see what we can do with this.

My initial thought was, let's play with this. I could:

1.  Create a bonding device, `bond0`.
2.  Set its mode to `ROUNDROBIN`.
3.  Then, create a dummy device, `dummy0`.
4.  Enslave `dummy0` to `bond0`.
5.  And then, I'd attach an XDP program to `bond0`. My initial thinking was that this would neatly propagate the XDP program down to `dummy0`. But then I remember `dev_xdp_propagate` is what’s called to handle that.

Wait a sec, if I attach to `bond0`, the propagation will try and stick it on `dummy0`. But... doesn't `dummy0` not support XDP? Time to double check. Yep, `dummy0` does NOT support XDP. So that's out.

Okay, pivot. Let's think about `veth` pairs. Those DO support XDP. So, here's the revised plan:

1.  Create a `veth` pair: `veth0` and `veth1`.
2.  Create a bonding device, `bond0`.
3.  Set `bond0` mode to `ROUNDROBIN`.
4.  Enslave `veth0` to `bond0`.
5.  Attach the XDP program to `bond0`.
6.  Then I want to run `bpf_prog_test_run` on that XDP program attached to `veth0` (or should I use bond0? Hmm...).

Wait, hold on. `bpf_prog_test_run` takes a BPF program FD, right? So if I run it on the XDP program, it'll execute the XDP program. Okay, that makes sense.

Wait, doesn't it also need an ifindex? Ah, let me check `bpf_prog_test_run_xdp`. Let's see what that looks like...

map[ContextFile:net/bpf/test_run.c IncludeLines:true Name:bpf_prog_test_run_xdp]

map[SourceCode:1265:	int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
1266:				  union bpf_attr __user *uattr)
1267:	{
1268:		bool do_live = (kattr->test.flags & BPF_F_TEST_XDP_LIVE_FRAMES);
1269:		u32 tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
1270:		u32 retval = 0, meta_sz = 0, duration, max_linear_sz, size;
1271:		u32 linear_sz = kattr->test.data_size_in;
1272:		u32 batch_size = kattr->test.batch_size;
1273:		u32 headroom = XDP_PACKET_HEADROOM;
1274:		u32 repeat = kattr->test.repeat;
1275:		struct netdev_rx_queue *rxqueue;
1276:		struct skb_shared_info *sinfo;
1277:		struct xdp_buff xdp = {};
1278:		int i, ret = -EINVAL;
1279:		struct xdp_md *ctx;
1280:		void *data;
1281:	
1282:		if (prog->expected_attach_type == BPF_XDP_DEVMAP ||
1283:		    prog->expected_attach_type == BPF_XDP_CPUMAP)
1284:			return -EINVAL;
1285:	
1286:		if (kattr->test.flags & ~BPF_F_TEST_XDP_LIVE_FRAMES)
1287:			return -EINVAL;
1288:	
1289:		if (bpf_prog_is_dev_bound(prog->aux))
1290:			return -EINVAL;
1291:	
1292:		if (do_live) {
1293:			if (!batch_size)
1294:				batch_size = NAPI_POLL_WEIGHT;
1295:			else if (batch_size > TEST_XDP_MAX_BATCH)
1296:				return -E2BIG;
1297:	
1298:			headroom += sizeof(struct xdp_page_head);
1299:		} else if (batch_size) {
1300:			return -EINVAL;
1301:		}
1302:	
1303:		ctx = bpf_ctx_init(kattr, sizeof(struct xdp_md));
1304:		if (IS_ERR(ctx))
1305:			return PTR_ERR(ctx);
1306:	
1307:		if (ctx) {
1308:			/* There can't be user provided data before the meta data */
1309:			if (ctx->data_meta || ctx->data_end > kattr->test.data_size_in ||
1310:			    ctx->data > ctx->data_end ||
1311:			    unlikely(xdp_metalen_invalid(ctx->data)) ||
1312:			    (do_live && (kattr->test.data_out || kattr->test.ctx_out)))
1313:				goto free_ctx;
1314:			/* Meta data is allocated from the headroom */
1315:			headroom -= ctx->data;
1316:	
1317:			meta_sz = ctx->data;
1318:			linear_sz = ctx->data_end;
1319:		}
1320:	
1321:		max_linear_sz = PAGE_SIZE - headroom - tailroom;
1322:		linear_sz = min_t(u32, linear_sz, max_linear_sz);
1323:	
1324:		/* disallow live data mode for jumbo frames */
1325:		if (do_live && kattr->test.data_size_in > linear_sz)
1326:			goto free_ctx;
1327:	
1328:		if (kattr->test.data_size_in - meta_sz < ETH_HLEN)
1329:			goto free_ctx;
1330:	
1331:		data = bpf_test_init(kattr, linear_sz, max_linear_sz, headroom, tailroom);
1332:		if (IS_ERR(data)) {
1333:			ret = PTR_ERR(data);
1334:			goto free_ctx;
1335:		}
1336:	
1337:		rxqueue = __netif_get_rx_queue(current->nsproxy->net_ns->loopback_dev, 0);
1338:		rxqueue->xdp_rxq.frag_size = PAGE_SIZE;
1339:		xdp_init_buff(&xdp, rxqueue->xdp_rxq.frag_size, &rxqueue->xdp_rxq);
1340:		xdp_prepare_buff(&xdp, data, headroom, linear_sz, true);
1341:		sinfo = xdp_get_shared_info_from_buff(&xdp);
1342:	
1343:		ret = xdp_convert_md_to_buff(ctx, &xdp);
1344:		if (ret)
1345:			goto free_data;
1346:	
1347:		size = linear_sz;
1348:		if (unlikely(kattr->test.data_size_in > size)) {
1349:			void __user *data_in = u64_to_user_ptr(kattr->test.data_in);
1350:	
1351:			while (size < kattr->test.data_size_in) {
1352:				struct page *page;
1353:				skb_frag_t *frag;
1354:				u32 data_len;
1355:	
1356:				if (sinfo->nr_frags == MAX_SKB_FRAGS) {
1357:					ret = -ENOMEM;
1358:					goto out;
1359:				}
1360:	
1361:				page = alloc_page(GFP_KERNEL);
1362:				if (!page) {
1363:					ret = -ENOMEM;
1364:					goto out;
1365:				}
1366:	
1367:				frag = &sinfo->frags[sinfo->nr_frags++];
1368:	
1369:				data_len = min_t(u32, kattr->test.data_size_in - size,
1370:						 PAGE_SIZE);
1371:				skb_frag_fill_page_desc(frag, page, 0, data_len);
1372:	
1373:				if (copy_from_user(page_address(page), data_in + size,
1374:						   data_len)) {
1375:					ret = -EFAULT;
1376:					goto out;
1377:				}
1378:				sinfo->xdp_frags_size += data_len;
1379:				size += data_len;
1380:			}
1381:			xdp_buff_set_frags_flag(&xdp);
1382:		}
1383:	
1384:		if (repeat > 1)
1385:			bpf_prog_change_xdp(NULL, prog);
1386:	
1387:		if (do_live)
1388:			ret = bpf_test_run_xdp_live(prog, &xdp, repeat, batch_size, &duration);
1389:		else
1390:			ret = bpf_test_run(prog, &xdp, repeat, &retval, &duration, true);
1391:		/* We convert the xdp_buff back to an xdp_md before checking the return
1392:		 * code so the reference count of any held netdevice will be decremented
1393:		 * even if the test run failed.
1394:		 */
1395:		xdp_convert_buff_to_md(&xdp, ctx);
1396:		if (ret)
1397:			goto out;
1398:	
1399:		size = xdp.data_end - xdp.data_meta + sinfo->xdp_frags_size;
1400:		ret = bpf_test_finish(kattr, uattr, xdp.data_meta, sinfo, size, sinfo->xdp_frags_size,
1401:				      retval, duration);
1402:		if (!ret)
1403:			ret = bpf_ctx_finish(kattr, uattr, ctx,
1404:					     sizeof(struct xdp_md));
1405:	
1406:	out:
1407:		if (repeat > 1)
1408:			bpf_prog_change_xdp(prog, NULL);
1409:	free_data:
1410:		for (i = 0; i < sinfo->nr_frags; i++)
1411:			__free_page(skb_frag_page(&sinfo->frags[i]));
1412:		kfree(data);
1413:	free_ctx:
1414:		kfree(ctx);
1415:		return ret;
1416:	}
 SourceFile:net/bpf/test_run.c]

gemini-3-pro-preview

							input: 43557
							output: 50
							thoughts: 435
						

**XDP Test Execution Flow Analysis**

Okay, so I'm looking at this `bpf_prog_test_run_xdp` function, and the first thing that jumps out is that it's using `current->nsproxy->net_ns->loopback_dev` as the receive interface. That's immediately interesting. It sets up an XDP receive queue, and importantly, the `xdp->rxq->dev` is going to be `loopback_dev`.

Now, the crash trace is showing `bond_xdp_xmit_roundrobin_slave_get`, and then eventually calls `xdp_master_redirect`. Right, so if `xdp->rxq->dev` is `loopback_dev`, then `netif_is_bond_slave(xdp->rxq->dev)` should be false, since the loopback interface isn't a bond slave.

So, how is this crash happening if the interface isn't a bond slave? It doesn't quite make sense. I need to dig deeper into the call stack to see where the bonding functions are being called if the interface should not be part of the bonding. I'll need to check the exact function that is causing the problem to be sure, likely the `bpf_test_run_xdp_live` function. That seems like a likely culprit to start with.

map[ContextFile:net/bpf/test_run.c IncludeLines:true Name:bpf_test_run_xdp_live]

map[SourceCode: 361:	static int bpf_test_run_xdp_live(struct bpf_prog *prog, struct xdp_buff *ctx,
 362:					 u32 repeat, u32 batch_size, u32 *time)
 363:	
 364:	{
 365:		struct xdp_test_data xdp = { .batch_size = batch_size };
 366:		struct bpf_test_timer t = {};
 367:		int ret;
 368:	
 369:		if (!repeat)
 370:			repeat = 1;
 371:	
 372:		ret = xdp_test_run_setup(&xdp, ctx);
 373:		if (ret)
 374:			return ret;
 375:	
 376:		bpf_test_timer_enter(&t);
 377:		do {
 378:			xdp.frame_cnt = 0;
 379:			ret = xdp_test_run_batch(&xdp, prog, repeat - t.i);
 380:			if (unlikely(ret < 0))
 381:				break;
 382:		} while (bpf_test_timer_continue(&t, xdp.frame_cnt, repeat, &ret, time));
 383:		bpf_test_timer_leave(&t);
 384:	
 385:		xdp_test_run_teardown(&xdp);
 386:		return ret;
 387:	}
 SourceFile:net/bpf/test_run.c]

gemini-3-pro-preview

							input: 44789
							output: 47
							thoughts: 24
						

Here's my attempt at summarizing the thought process, tailored for an expert audience and written in the first person:

**Potential Device Alteration in `xdp_test_run_setup`**

Okay, hold on a second. I need to be absolutely sure about something concerning `xdp_test_run_setup`. It just hit me: is it possible that this setup function, within the context of XDP testing, actually modifies the `xdp->rxq->dev` pointer? That would be a significant point to consider, specifically whether it could be pointing to a different underlying network device than the one I initially provided. I need to dig deeper into the code and be completely certain about the state of `xdp->rxq->dev` after running that setup function. If it *is* changing, that has implications for my assumed device context, and my analysis based on the assumption of consistency may be flawed. Gotta check this.

map[ContextFile:net/bpf/test_run.c IncludeLines:true Name:xdp_test_run_setup]

map[SourceCode: 150:	static int xdp_test_run_setup(struct xdp_test_data *xdp, struct xdp_buff *orig_ctx)
 151:	{
 152:		struct page_pool *pp;
 153:		int err = -ENOMEM;
 154:		struct page_pool_params pp_params = {
 155:			.order = 0,
 156:			.flags = 0,
 157:			.pool_size = xdp->batch_size,
 158:			.nid = NUMA_NO_NODE,
 159:			.init_callback = xdp_test_run_init_page,
 160:			.init_arg = xdp,
 161:		};
 162:	
 163:		xdp->frames = kvmalloc_array(xdp->batch_size, sizeof(void *), GFP_KERNEL);
 164:		if (!xdp->frames)
 165:			return -ENOMEM;
 166:	
 167:		xdp->skbs = kvmalloc_array(xdp->batch_size, sizeof(void *), GFP_KERNEL);
 168:		if (!xdp->skbs)
 169:			goto err_skbs;
 170:	
 171:		pp = page_pool_create(&pp_params);
 172:		if (IS_ERR(pp)) {
 173:			err = PTR_ERR(pp);
 174:			goto err_pp;
 175:		}
 176:	
 177:		/* will copy 'mem.id' into pp->xdp_mem_id */
 178:		err = xdp_reg_mem_model(&xdp->mem, MEM_TYPE_PAGE_POOL, pp);
 179:		if (err)
 180:			goto err_mmodel;
 181:	
 182:		xdp->pp = pp;
 183:	
 184:		/* We create a 'fake' RXQ referencing the original dev, but with an
 185:		 * xdp_mem_info pointing to our page_pool
 186:		 */
 187:		xdp_rxq_info_reg(&xdp->rxq, orig_ctx->rxq->dev, 0, 0);
 188:		xdp->rxq.mem.type = MEM_TYPE_PAGE_POOL;
 189:		xdp->rxq.mem.id = pp->xdp_mem_id;
 190:		xdp->dev = orig_ctx->rxq->dev;
 191:		xdp->orig_ctx = orig_ctx;
 192:	
 193:		return 0;
 194:	
 195:	err_mmodel:
 196:		page_pool_destroy(pp);
 197:	err_pp:
 198:		kvfree(xdp->skbs);
 199:	err_skbs:
 200:		kvfree(xdp->frames);
 201:		return err;
 202:	}
 SourceFile:net/bpf/test_run.c]

gemini-3-pro-preview

							input: 45925
							output: 59
							thoughts: 152
						

**XDP Device Assignment Confusion**

Okay, hold on a second. Let me trace this through. So, `xdp->dev` is assigned directly from `orig_ctx->rxq->dev`, right? And based on the context, `orig_ctx` *is* the `xdp` context we're using in `bpf_prog_test_run_xdp`. Right, got it. Then, `orig_ctx->rxq->dev` resolves to the `current->nsproxy->net_ns->loopback_dev`, which is our loopback device, making `xdp->dev` also the `loopback_dev`.

But that can't be right! How in the world can we be passing a `netif_is_bond_slave` check? That suggests `xdp->rxq->dev` is a bond slave, but it should be loopback here. Something's clearly not making sense. Am I missing something fundamental in the context setup, or is this happening somewhere else?

Wait, maybe there's another path to calling `bpf_test_run_xdp_live`? Let me see if there's any other way to get here. Let's look at `bpf_prog_test_run`.

map[ContextFile:net/bpf/test_run.c IncludeSnippetLines:10 Name:bpf_test_run_xdp_live SourceTreePrefix:]

map[References:[map[ReferenceKind:calls ReferencingEntityKind:function ReferencingEntityName:bpf_prog_test_run_xdp SourceFile:net/bpf/test_run.c SourceLine:1388 SourceSnippet:1378:				sinfo->xdp_frags_size += data_len;
1379:				size += data_len;
1380:			}
1381:			xdp_buff_set_frags_flag(&xdp);
1382:		}
1383:	
1384:		if (repeat > 1)
1385:			bpf_prog_change_xdp(NULL, prog);
1386:	
1387:		if (do_live)
1388:			ret = bpf_test_run_xdp_live(prog, &xdp, repeat, batch_size, &duration);
1389:		else
1390:			ret = bpf_test_run(prog, &xdp, repeat, &retval, &duration, true);
1391:		/* We convert the xdp_buff back to an xdp_md before checking the return
1392:		 * code so the reference count of any held netdevice will be decremented
1393:		 * even if the test run failed.
1394:		 */
1395:		xdp_convert_buff_to_md(&xdp, ctx);
1396:		if (ret)
1397:			goto out;
1398:	
]] TruncatedOutput:false]

gemini-3-pro-preview

							input: 46829
							output: 49
							thoughts: 26
						

Here's my attempt at summarizing that thought process, tailored for an expert audience:

**XDP and Device Context: A Potential Pitfall**

Okay, so I'm digging into this `xdp_convert_md_to_buff` function, and a red flag just went up. I need to seriously consider the implications. My initial assumption was that the `xdp->rxq->dev` pointer was stable within this XDP context, but now I'm thinking, "Wait a minute... could this conversion function *actually* modify the underlying `xdp->rxq->dev` pointer?"

This is a critical point. If `xdp_convert_md_to_buff` is internally messing with the device context, it can have ripple effects down the line. I'll need to meticulously review the implementation of this function. I have to look for calls to functions that could modify the `rxq` structure in any way. I am going to need to trace any potential side effects. The implications of that pointer changing mid-processing are substantial, potentially leading to inconsistencies in data access, unexpected behavior with hardware offloads, or even outright crashes. Better safe than sorry – let's dissect this with a fine-tooth comb.

map[ContextFile:net/bpf/test_run.c IncludeLines:true Name:xdp_convert_md_to_buff]

map[SourceCode:1207:	static int xdp_convert_md_to_buff(struct xdp_md *xdp_md, struct xdp_buff *xdp)
1208:	{
1209:		unsigned int ingress_ifindex, rx_queue_index;
1210:		struct netdev_rx_queue *rxqueue;
1211:		struct net_device *device;
1212:	
1213:		if (!xdp_md)
1214:			return 0;
1215:	
1216:		if (xdp_md->egress_ifindex != 0)
1217:			return -EINVAL;
1218:	
1219:		ingress_ifindex = xdp_md->ingress_ifindex;
1220:		rx_queue_index = xdp_md->rx_queue_index;
1221:	
1222:		if (!ingress_ifindex && rx_queue_index)
1223:			return -EINVAL;
1224:	
1225:		if (ingress_ifindex) {
1226:			device = dev_get_by_index(current->nsproxy->net_ns,
1227:						  ingress_ifindex);
1228:			if (!device)
1229:				return -ENODEV;
1230:	
1231:			if (rx_queue_index >= device->real_num_rx_queues)
1232:				goto free_dev;
1233:	
1234:			rxqueue = __netif_get_rx_queue(device, rx_queue_index);
1235:	
1236:			if (!xdp_rxq_info_is_reg(&rxqueue->xdp_rxq))
1237:				goto free_dev;
1238:	
1239:			xdp->rxq = &rxqueue->xdp_rxq;
1240:			/* The device is now tracked in the xdp->rxq for later
1241:			 * dev_put()
1242:			 */
1243:		}
1244:	
1245:		xdp->data = xdp->data_meta + xdp_md->data;
1246:		return 0;
1247:	
1248:	free_dev:
1249:		dev_put(device);
1250:		return -EINVAL;
1251:	}
 SourceFile:net/bpf/test_run.c]

gemini-3-pro-preview

							input: 47853
							output: 55
							thoughts: 178
						

**Exploiting Interface Index in XDP Program Testing**

Okay, so I'm thinking about how `xdp_convert_md_to_buff` uses `xdp_md->ingress_ifindex` to set `xdp->rxq`. That's the key! If I can control `ingress_ifindex` when running the BPF program with `bpf_prog_test_run`, I should be able to manipulate `xdp->rxq->dev` and point it to any interface I want. But hang on, there's a constraint: `xdp_rxq_info_is_reg(&rxqueue->xdp_rxq)` has to be true. I need to understand when that's actually the case.

Right, `xdp_rxq_info_is_reg` is true when the driver has registered the rxq info. So, I need a driver that does that. Let me see... the `veth` driver is coming to mind. It's a common virtual ethernet device, and I seem to recall it having the capabilities I need. Okay, time to confirm that `veth` actually *does* register rxq info. Gotta check that out.

map[ContextFile:drivers/net/veth.c IncludeSnippetLines:10 Name:xdp_rxq_info_reg SourceTreePrefix:]

map[References:<nil> TruncatedOutput:false]

gemini-3-pro-preview

							input: 48367
							output: 23
							thoughts: 50
						

Okay, let's see... Wait a minute, I was under the impression that the `veth` driver directly invoked `xdp_rxq_info_reg`. I need to confirm that. Let me quickly double-check that by examining the `xdp_rxq_info_reg` function's usage, specifically within the `drivers/net/veth.c` source file. Gotta make sure my understanding of the XDP interaction is on point here.

map[Expression:xdp_rxq_info_reg]

map[Output:
Full output is too long, showing 500 out of 642 lines.
Use more precise expression if possible.

[Documentation/networking/page_pool.rst=127=Registration
 --
 Documentation/networking/page_pool.rst-146-
 Documentation/networking/page_pool.rst:147:    err = xdp_rxq_info_reg(&xdp_rxq, ndev, 0);
 Documentation/networking/page_pool.rst-148-    if (err)
 --
 Documentation/networking/page_pool.rst-150-
 Documentation/networking/page_pool.rst:151:    err = xdp_rxq_info_reg_mem_model(&xdp_rxq, MEM_TYPE_PAGE_POOL, page_pool);
 Documentation/networking/page_pool.rst-152-    if (err)
 --
 drivers/net/ethernet/amazon/ena/ena_xdp.c=196=int ena_xdp_register_rxq_info(struct ena_ring *rx_ring)
 --
 drivers/net/ethernet/amazon/ena/ena_xdp.c-199-
 drivers/net/ethernet/amazon/ena/ena_xdp.c:200:	rc = xdp_rxq_info_reg(&rx_ring->xdp_rxq, rx_ring->netdev, rx_ring->qid, 0);
 drivers/net/ethernet/amazon/ena/ena_xdp.c-201-
 --
 drivers/net/ethernet/amazon/ena/ena_xdp.c-210-
 drivers/net/ethernet/amazon/ena/ena_xdp.c:211:	rc = xdp_rxq_info_reg_mem_model(&rx_ring->xdp_rxq, MEM_TYPE_PAGE_SHARED, NULL);
 drivers/net/ethernet/amazon/ena/ena_xdp.c-212-
 --
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c=128=int aq_vec_ring_alloc(struct aq_vec_s *self, struct aq_nic_s *aq_nic,
 --
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c-148-		ring = &self->ring[i][AQ_VEC_RX_ID];
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c:149:		if (xdp_rxq_info_reg(&ring->xdp_rxq,
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c-150-				     aq_nic->ndev, idx,
 --
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c-154-		}
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c:155:		if (xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c-156-					       MEM_TYPE_PAGE_SHARED, NULL) < 0) {
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c=3884=static int bnxt_alloc_rx_rings(struct bnxt *bp)
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-3910-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c:3911:		rc = xdp_rxq_info_reg(&rxr->xdp_rxq, bp->dev, i, 0);
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-3912-		if (rc < 0)
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-3914-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c:3915:		rc = xdp_rxq_info_reg_mem_model(&rxr->xdp_rxq,
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-3916-						MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c=15905=static int bnxt_queue_mem_alloc(struct net_device *dev, void *qmem, int idx)
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-15930-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c:15931:	rc = xdp_rxq_info_reg(&clone->xdp_rxq, bp->dev, idx, 0);
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-15932-	if (rc < 0)
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-15934-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c:15935:	rc = xdp_rxq_info_reg_mem_model(&clone->xdp_rxq,
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-15936-					MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c=745=static void nicvf_rcv_queue_config(struct nicvf *nic, struct queue_set *qs,
 --
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c-773-	/* Driver have no proper error path for failed XDP RX-queue info reg */
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c:774:	WARN_ON(xdp_rxq_info_reg(&rq->xdp_rxq, nic->netdev, qidx, 0) < 0);
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c-775-
 --
 drivers/net/ethernet/engleder/tsnep_main.c=1915=static int tsnep_queue_open(struct tsnep_adapter *adapter,
 --
 drivers/net/ethernet/engleder/tsnep_main.c-1936-		 */
 drivers/net/ethernet/engleder/tsnep_main.c:1937:		retval = xdp_rxq_info_reg(&rx->xdp_rxq, adapter->netdev,
 drivers/net/ethernet/engleder/tsnep_main.c-1938-					  rx->queue_index, queue->napi.napi_id);
 --
 drivers/net/ethernet/engleder/tsnep_main.c-1940-			goto failed;
 drivers/net/ethernet/engleder/tsnep_main.c:1941:		retval = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq,
 drivers/net/ethernet/engleder/tsnep_main.c-1942-						    MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/engleder/tsnep_main.c-1945-			goto failed;
 drivers/net/ethernet/engleder/tsnep_main.c:1946:		retval = xdp_rxq_info_reg(&rx->xdp_rxq_zc, adapter->netdev,
 drivers/net/ethernet/engleder/tsnep_main.c-1947-					  rx->queue_index, queue->napi.napi_id);
 --
 drivers/net/ethernet/engleder/tsnep_main.c-1949-			goto failed;
 drivers/net/ethernet/engleder/tsnep_main.c:1950:		retval = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq_zc,
 drivers/net/ethernet/engleder/tsnep_main.c-1951-						    MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c=1025=static int dpaa_fq_init(struct dpaa_fq *dpaa_fq, bool td_enable)
 --
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1166-	    dpaa_fq->fq_type == FQ_TYPE_RX_PCD) {
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:1167:		err = xdp_rxq_info_reg(&dpaa_fq->xdp_rxq, dpaa_fq->net_dev,
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1168-				       dpaa_fq->fqid, 0);
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1169-		if (err) {
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:1170:			dev_err(dev, "xdp_rxq_info_reg() = %d\n", err);
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1171-			return err;
 --
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1173-
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:1174:		err = xdp_rxq_info_reg_mem_model(&dpaa_fq->xdp_rxq,
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1175-						 MEM_TYPE_PAGE_ORDER0, NULL);
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1176-		if (err) {
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:1177:			dev_err(dev, "xdp_rxq_info_reg_mem_model() = %d\n",
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1178-				err);
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c=3895=static int dpaa2_eth_setup_rx_flow(struct dpaa2_eth_priv *priv,
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3929-
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c:3930:	err = xdp_rxq_info_reg(&fq->channel->xdp_rxq, priv->net_dev,
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3931-			       fq->flowid, 0);
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3932-	if (err) {
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c:3933:		dev_err(dev, "xdp_rxq_info_reg failed\n");
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3934-		return err;
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3936-
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c:3937:	err = xdp_rxq_info_reg_mem_model(&fq->channel->xdp_rxq,
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3938-					 MEM_TYPE_PAGE_ORDER0, NULL);
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3939-	if (err) {
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c:3940:		dev_err(dev, "xdp_rxq_info_reg_mem_model failed\n");
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3941-		xdp_rxq_info_unreg(&fq->channel->xdp_rxq);
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c=173=static int dpaa2_xsk_disable_pool(struct net_device *dev, u16 qid)
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-190-	xsk_pool_dma_unmap(pool, 0);
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c:191:	err = xdp_rxq_info_reg_mem_model(&ch->xdp_rxq,
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-192-					 MEM_TYPE_PAGE_ORDER0, NULL);
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c=220=static int dpaa2_xsk_enable_pool(struct net_device *dev,
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-251-	ch = priv->channel[qid];
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c:252:	err = xdp_rxq_info_reg_mem_model(&ch->xdp_rxq, MEM_TYPE_XSK_BUFF_POOL, NULL);
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-253-	if (err) {
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c:254:		netdev_err(dev, "xdp_rxq_info_reg_mem_model() failed (err = %d)\n", err);
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-255-		goto err_mem_model;
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-289-err_bp_alloc:
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c:290:	err2 = xdp_rxq_info_reg_mem_model(&priv->channel[qid]->xdp_rxq,
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-291-					  MEM_TYPE_PAGE_ORDER0, NULL);
 --
 drivers/net/ethernet/freescale/enetc/enetc.c=3446=static int enetc_int_vector_init(struct enetc_ndev_priv *priv, int i,
 --
 drivers/net/ethernet/freescale/enetc/enetc.c-3465-
 drivers/net/ethernet/freescale/enetc/enetc.c:3466:	err = __xdp_rxq_info_reg(&bdr->xdp.rxq, priv->ndev, i, 0,
 drivers/net/ethernet/freescale/enetc/enetc.c-3467-				 ENETC_RXB_DMA_SIZE_XDP);
 --
 drivers/net/ethernet/freescale/enetc/enetc.c-3470-
 drivers/net/ethernet/freescale/enetc/enetc.c:3471:	err = xdp_rxq_info_reg_mem_model(&bdr->xdp.rxq, MEM_TYPE_PAGE_SHARED,
 drivers/net/ethernet/freescale/enetc/enetc.c-3472-					 NULL);
 --
 drivers/net/ethernet/freescale/fec_main.c=469=fec_enet_create_page_pool(struct fec_enet_private *fep,
 --
 drivers/net/ethernet/freescale/fec_main.c-491-
 drivers/net/ethernet/freescale/fec_main.c:492:	err = xdp_rxq_info_reg(&rxq->xdp_rxq, fep->netdev, rxq->id, 0);
 drivers/net/ethernet/freescale/fec_main.c-493-	if (err < 0)
 --
 drivers/net/ethernet/freescale/fec_main.c-495-
 drivers/net/ethernet/freescale/fec_main.c:496:	err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/freescale/fec_main.c-497-					 rxq->page_pool);
 --
 drivers/net/ethernet/fungible/funeth/funeth_rx.c=697=int fun_rxq_create_dev(struct funeth_rxq *q, struct fun_irq *irq)
 --
 drivers/net/ethernet/fungible/funeth/funeth_rx.c-703-
 drivers/net/ethernet/fungible/funeth/funeth_rx.c:704:	err = xdp_rxq_info_reg(&q->xdp_rxq, q->netdev, q->qidx,
 drivers/net/ethernet/fungible/funeth/funeth_rx.c-705-			       irq->napi.napi_id);
 --
 drivers/net/ethernet/fungible/funeth/funeth_rx.c-708-
 drivers/net/ethernet/fungible/funeth/funeth_rx.c:709:	err = xdp_rxq_info_reg_mem_model(&q->xdp_rxq, MEM_TYPE_PAGE_SHARED,
 drivers/net/ethernet/fungible/funeth/funeth_rx.c-710-					 NULL);
 --
 drivers/net/ethernet/google/gve/gve_main.c=1185=static int gve_reg_xsk_pool(struct gve_priv *priv, struct net_device *dev,
 --
 drivers/net/ethernet/google/gve/gve_main.c-1192-	rx = &priv->rx[qid];
 drivers/net/ethernet/google/gve/gve_main.c:1193:	err = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq,
 drivers/net/ethernet/google/gve/gve_main.c-1194-					 MEM_TYPE_XSK_BUFF_POOL, pool);
 --
 drivers/net/ethernet/google/gve/gve_main.c=1233=static int gve_reg_xdp_info(struct gve_priv *priv, struct net_device *dev)
 --
 drivers/net/ethernet/google/gve/gve_main.c-1248-
 drivers/net/ethernet/google/gve/gve_main.c:1249:		err = xdp_rxq_info_reg(&rx->xdp_rxq, dev, i,
 drivers/net/ethernet/google/gve/gve_main.c-1250-				       napi->napi_id);
 --
 drivers/net/ethernet/google/gve/gve_main.c-1257-		else if (gve_is_qpl(priv))
 drivers/net/ethernet/google/gve/gve_main.c:1258:			err = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq,
 drivers/net/ethernet/google/gve/gve_main.c-1259-							 MEM_TYPE_PAGE_SHARED,
 --
 drivers/net/ethernet/google/gve/gve_main.c-1261-		else
 drivers/net/ethernet/google/gve/gve_main.c:1262:			err = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq,
 drivers/net/ethernet/google/gve/gve_main.c-1263-							 MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c=3558=static int i40e_configure_rx_ring(struct i40e_ring *ring)
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c-3579-	if (!xdp_rxq_info_is_reg(&ring->xdp_rxq)) {
 drivers/net/ethernet/intel/i40e/i40e_main.c:3580:		err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/i40e/i40e_main.c-3581-					 ring->queue_index,
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c-3591-		ring->rx_buf_len = xsk_pool_get_rx_frame_size(ring->xsk_pool);
 drivers/net/ethernet/intel/i40e/i40e_main.c:3592:		err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/i40e/i40e_main.c-3593-					 ring->queue_index,
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c-3597-			return err;
 drivers/net/ethernet/intel/i40e/i40e_main.c:3598:		err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/i40e/i40e_main.c-3599-						 MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c-3607-	} else {
 drivers/net/ethernet/intel/i40e/i40e_main.c:3608:		err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/i40e/i40e_main.c-3609-						 MEM_TYPE_PAGE_SHARED,
 --
 drivers/net/ethernet/intel/ice/ice_base.c=658=static int ice_vsi_cfg_rxq(struct ice_rx_ring *ring)
 --
 drivers/net/ethernet/intel/ice/ice_base.c-666-		if (!xdp_rxq_info_is_reg(&ring->xdp_rxq)) {
 drivers/net/ethernet/intel/ice/ice_base.c:667:			err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/ice/ice_base.c-668-						 ring->q_index,
 --
 drivers/net/ethernet/intel/ice/ice_base.c-684-				xsk_pool_get_rx_frame_size(ring->xsk_pool);
 drivers/net/ethernet/intel/ice/ice_base.c:685:			err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/ice/ice_base.c-686-						 ring->q_index,
 --
 drivers/net/ethernet/intel/ice/ice_base.c-690-				return err;
 drivers/net/ethernet/intel/ice/ice_base.c:691:			err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/ice/ice_base.c-692-							 MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/ice/ice_base.c-705-			if (!xdp_rxq_info_is_reg(&ring->xdp_rxq)) {
 drivers/net/ethernet/intel/ice/ice_base.c:706:				err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/ice/ice_base.c-707-							 ring->q_index,
 --
 drivers/net/ethernet/intel/idpf/xdp.c=45=static int __idpf_xdp_rxq_info_init(struct idpf_rx_queue *rxq, void *arg)
 --
 drivers/net/ethernet/intel/idpf/xdp.c-50-
 drivers/net/ethernet/intel/idpf/xdp.c:51:	err = __xdp_rxq_info_reg(&rxq->xdp_rxq, vport->netdev, rxq->idx,
 drivers/net/ethernet/intel/idpf/xdp.c-52-				 rxq->q_vector->napi.napi_id,
 --
 drivers/net/ethernet/intel/idpf/xdp.c-57-	if (idpf_queue_has(XSK, rxq)) {
 drivers/net/ethernet/intel/idpf/xdp.c:58:		err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq,
 drivers/net/ethernet/intel/idpf/xdp.c-59-						 MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/igb/igb_main.c=4445=int igb_setup_rx_resources(struct igb_ring *rx_ring)
 --
 drivers/net/ethernet/intel/igb/igb_main.c-4453-		xdp_rxq_info_unreg(&rx_ring->xdp_rxq);
 drivers/net/ethernet/intel/igb/igb_main.c:4454:	res = xdp_rxq_info_reg(&rx_ring->xdp_rxq, rx_ring->netdev,
 drivers/net/ethernet/intel/igb/igb_main.c-4455-			       rx_ring->queue_index, 0);
 --
 drivers/net/ethernet/intel/igb/igb_main.c=4783=void igb_configure_rx_ring(struct igb_adapter *adapter,
 --
 drivers/net/ethernet/intel/igb/igb_main.c-4794-	if (ring->xsk_pool) {
 drivers/net/ethernet/intel/igb/igb_main.c:4795:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/igb/igb_main.c-4796-						   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/igb/igb_main.c-4799-	} else {
 drivers/net/ethernet/intel/igb/igb_main.c:4800:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/igb/igb_main.c-4801-						   MEM_TYPE_PAGE_SHARED,
 --
 drivers/net/ethernet/intel/igc/igc_main.c=534=int igc_setup_rx_resources(struct igc_ring *rx_ring)
 --
 drivers/net/ethernet/intel/igc/igc_main.c-543-		xdp_rxq_info_unreg(&rx_ring->xdp_rxq);
 drivers/net/ethernet/intel/igc/igc_main.c:544:	res = xdp_rxq_info_reg(&rx_ring->xdp_rxq, ndev, index,
 drivers/net/ethernet/intel/igc/igc_main.c-545-			       rx_ring->q_vector->napi.napi_id);
 --
 drivers/net/ethernet/intel/igc/igc_main.c=625=static void igc_configure_rx_ring(struct igc_adapter *adapter,
 --
 drivers/net/ethernet/intel/igc/igc_main.c-637-	if (ring->xsk_pool) {
 drivers/net/ethernet/intel/igc/igc_main.c:638:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/igc/igc_main.c-639-						   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/igc/igc_main.c-642-	} else {
 drivers/net/ethernet/intel/igc/igc_main.c:643:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/igc/igc_main.c-644-						   MEM_TYPE_PAGE_SHARED,
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c=4497=void ixgbe_configure_rx_ring(struct ixgbe_adapter *adapter,
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-4508-	if (ring->xsk_pool) {
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:4509:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-4510-						   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-4513-	} else {
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:4514:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-4515-						   MEM_TYPE_PAGE_SHARED, NULL));
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c=7159=int ixgbe_setup_rx_resources(struct ixgbe_adapter *adapter,
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-7197-	/* XDP RX-queue info */
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:7198:	if (xdp_rxq_info_reg(&rx_ring->xdp_rxq, adapter->netdev,
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-7199-			     rx_ring->queue_index, ixgbe_rx_napi_id(rx_ring)) < 0)
 --
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c=3524=int ixgbevf_setup_rx_resources(struct ixgbevf_adapter *adapter,
 --
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c-3546-	/* XDP RX-queue info */
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c:3547:	if (xdp_rxq_info_reg(&rx_ring->xdp_rxq, adapter->netdev,
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c-3548-			     rx_ring->queue_index, 0) < 0)
 --
 drivers/net/ethernet/marvell/mvneta.c=3356=static int mvneta_create_page_pool(struct mvneta_port *pp,
 --
 drivers/net/ethernet/marvell/mvneta.c-3378-
 drivers/net/ethernet/marvell/mvneta.c:3379:	err = __xdp_rxq_info_reg(&rxq->xdp_rxq, pp->dev, rxq->id, 0,
 drivers/net/ethernet/marvell/mvneta.c-3380-				 PAGE_SIZE);
 --
 drivers/net/ethernet/marvell/mvneta.c-3383-
 drivers/net/ethernet/marvell/mvneta.c:3384:	err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/marvell/mvneta.c-3385-					 rxq->page_pool);
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c=2942=static int mvpp2_rxq_init(struct mvpp2_port *port,
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2989-	if (priv->percpu_pools) {
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:2990:		err = xdp_rxq_info_reg(&rxq->xdp_rxq_short, port->dev, rxq->logic_rxq, 0);
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2991-		if (err < 0)
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2993-
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:2994:		err = xdp_rxq_info_reg(&rxq->xdp_rxq_long, port->dev, rxq->logic_rxq, 0);
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2995-		if (err < 0)
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2998-		/* Every RXQ has a pool for short and another for long packets */
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:2999:		err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq_short,
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-3000-						 MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-3004-
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:3005:		err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq_long,
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-3006-						 MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c=1051=int otx2_cq_init(struct otx2_nic *pfvf, u16 qidx)
 --
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1066-		if (pfvf->xdp_prog) {
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c:1067:			xdp_rxq_info_reg(&cq->xdp_rxq, pfvf->netdev, qidx, 0);
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1068-			pool = &qset->pool[qidx];
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1069-			if (pool->xsk_pool) {
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c:1070:				xdp_rxq_info_reg_mem_model(&cq->xdp_rxq,
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1071-							   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1074-			} else if (pool->page_pool) {
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c:1075:				xdp_rxq_info_reg_mem_model(&cq->xdp_rxq,
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1076-							   MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/mediatek/mtk_eth_soc.c=1870=static struct page_pool *mtk_create_page_pool(struct mtk_eth *eth,
 --
 drivers/net/ethernet/mediatek/mtk_eth_soc.c-1891-
 drivers/net/ethernet/mediatek/mtk_eth_soc.c:1892:	err = __xdp_rxq_info_reg(xdp_q, eth->dummy_dev, id,
 drivers/net/ethernet/mediatek/mtk_eth_soc.c-1893-				 eth->rx_napi.napi_id, PAGE_SIZE);
 --
 drivers/net/ethernet/mediatek/mtk_eth_soc.c-1896-
 drivers/net/ethernet/mediatek/mtk_eth_soc.c:1897:	err = xdp_rxq_info_reg_mem_model(xdp_q, MEM_TYPE_PAGE_POOL, pp);
 drivers/net/ethernet/mediatek/mtk_eth_soc.c-1898-	if (err)
 --
 drivers/net/ethernet/mellanox/mlx4/en_rx.c=237=int mlx4_en_create_rx_ring(struct mlx4_en_priv *priv,
 --
 drivers/net/ethernet/mellanox/mlx4/en_rx.c-274-
 drivers/net/ethernet/mellanox/mlx4/en_rx.c:275:	if (xdp_rxq_info_reg(&ring->xdp_rxq, priv->dev, queue_index, 0) < 0)
 drivers/net/ethernet/mellanox/mlx4/en_rx.c-276-		goto err_pp;
 drivers/net/ethernet/mellanox/mlx4/en_rx.c-277-
 drivers/net/ethernet/mellanox/mlx4/en_rx.c:278:	err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/mellanox/mlx4/en_rx.c-279-					 ring->pp);
 --
 drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c=713=static int mlx5e_init_ptp_rq(struct mlx5e_ptp *c, struct mlx5e_params *params,
 --
 drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c-734-
 drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c:735:	return xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq->ix, 0);
 drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c-736-}
 --
 drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c=60=static int mlx5e_init_xsk_rq(struct mlx5e_channel *c,
 --
 drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c-89-
 drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c:90:	return xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq_xdp_ix, c->napi.napi_id);
 drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c-91-}
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c=728=static int mlx5e_init_rxq_rq(struct mlx5e_channel *c, struct mlx5e_params *params,
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-752-
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c:753:	return __xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq->ix, c->napi.napi_id,
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-754-				  xdp_frag_size);
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c=898=static int mlx5e_alloc_rq(struct mlx5e_params *params,
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-996-	if (xsk) {
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c:997:		err = xdp_rxq_info_reg_mem_model(&rq->xdp_rxq,
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-998-						 MEM_TYPE_XSK_BUFF_POOL, NULL);
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-1034-		if (xdp_rxq_info_is_reg(&rq->xdp_rxq)) {
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c:1035:			err = xdp_rxq_info_reg_mem_model(&rq->xdp_rxq,
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-1036-							 MEM_TYPE_PAGE_POOL, rq->page_pool);
 --
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c=2003=static int fbnic_alloc_rx_qt_resources(struct fbnic_net *fbn,
 --
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c-2013-
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c:2014:	err = xdp_rxq_info_reg(&qt->xdp_rxq, fbn->netdev, qt->sub0.q_idx,
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c-2015-			       nv->napi.napi_id);
 --
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c-2018-
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c:2019:	err = xdp_rxq_info_reg_mem_model(&qt->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c-2020-					 qt->sub0.page_pool);
 --
 drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c=75=static int lan966x_fdma_rx_alloc_page_pool(struct lan966x_rx *rx)
 --
 drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c-102-		xdp_rxq_info_unreg_mem_model(&port->xdp_rxq);
 drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c:103:		xdp_rxq_info_reg_mem_model(&port->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c-104-					   rx->page_pool);
 --
 drivers/net/ethernet/microchip/lan966x/lan966x_xdp.c=124=int lan966x_xdp_port_init(struct lan966x_port *port)
 --
 drivers/net/ethernet/microchip/lan966x/lan966x_xdp.c-127-
 drivers/net/ethernet/microchip/lan966x/lan966x_xdp.c:128:	return xdp_rxq_info_reg(&port->xdp_rxq, port->dev, 0,
 drivers/net/ethernet/microchip/lan966x/lan966x_xdp.c-129-				lan966x->napi.napi_id);
 --
 drivers/net/ethernet/microsoft/mana/mana_en.c=2579=static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc,
 --
 drivers/net/ethernet/microsoft/mana/mana_en.c-2682-
 drivers/net/ethernet/microsoft/mana/mana_en.c:2683:	WARN_ON(xdp_rxq_info_reg(&rxq->xdp_rxq, ndev, rxq_idx,
 drivers/net/ethernet/microsoft/mana/mana_en.c-2684-				 cq->napi.napi_id));
 drivers/net/ethernet/microsoft/mana/mana_en.c:2685:	WARN_ON(xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/microsoft/mana/mana_en.c-2686-					   rxq->page_pool));
 --
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c=284=nfp_net_rx_ring_alloc(struct nfp_net_dp *dp, struct nfp_net_rx_ring *rx_ring)
 --
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c-298-	if (dp->netdev) {
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c:299:		err = xdp_rxq_info_reg(&rx_ring->xdp_rxq, dp->netdev,
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c-300-				       rx_ring->idx, rx_ring->r_vec->napi.napi_id);
 --
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c-303-
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c:304:		err = xdp_rxq_info_reg_mem_model(&rx_ring->xdp_rxq, mem_type, NULL);
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c-305-		if (err)
 --
 drivers/net/ethernet/pensando/ionic/ionic_lif.c=2692=static int ionic_register_rxq_info(struct ionic_queue *q, unsigned int napi_id)
 --
 drivers/net/ethernet/pensando/ionic/ionic_lif.c-2700-
 drivers/net/ethernet/pensando/ionic/ionic_lif.c:2701:	err = xdp_rxq_info_reg(rxq_info, q->lif->netdev, q->index, napi_id);
 drivers/net/ethernet/pensando/ionic/ionic_lif.c-2702-	if (err) {
 drivers/net/ethernet/pensando/ionic/ionic_lif.c:2703:		netdev_err(q->lif->netdev, "q%d xdp_rxq_info_reg failed, err %d\n",
 drivers/net/ethernet/pensando/ionic/ionic_lif.c-2704-			   q->index, err);
 --
 drivers/net/ethernet/pensando/ionic/ionic_lif.c-2707-
 drivers/net/ethernet/pensando/ionic/ionic_lif.c:2708:	err = xdp_rxq_info_reg_mem_model(rxq_info, MEM_TYPE_PAGE_POOL, q->page_pool);
 drivers/net/ethernet/pensando/ionic/ionic_lif.c-2709-	if (err) {
 drivers/net/ethernet/pensando/ionic/ionic_lif.c:2710:		netdev_err(q->lif->netdev, "q%d xdp_rxq_info_reg_mem_model failed, err %d\n",
 drivers/net/ethernet/pensando/ionic/ionic_lif.c-2711-			   q->index, err);
 --
 drivers/net/ethernet/qlogic/qede/qede_main.c=1822=static void qede_init_fp(struct qede_dev *edev)
 --
 drivers/net/ethernet/qlogic/qede/qede_main.c-1853-			/* Driver have no error path from here */
 drivers/net/ethernet/qlogic/qede/qede_main.c:1854:			WARN_ON(xdp_rxq_info_reg(&fp->rxq->xdp_rxq, edev->ndev,
 drivers/net/ethernet/qlogic/qede/qede_main.c-1855-						 fp->rxq->rxq_id, 0) < 0);
 drivers/net/ethernet/qlogic/qede/qede_main.c-1856-
 drivers/net/ethernet/qlogic/qede/qede_main.c:1857:			if (xdp_rxq_info_reg_mem_model(&fp->rxq->xdp_rxq,
 drivers/net/ethernet/qlogic/qede/qede_main.c-1858-						       MEM_TYPE_PAGE_ORDER0,
 --
 drivers/net/ethernet/sfc/rx_common.c=221=void efx_init_rx_queue(struct efx_rx_queue *rx_queue)
 --
 drivers/net/ethernet/sfc/rx_common.c-263-	/* Initialise XDP queue information */
 drivers/net/ethernet/sfc/rx_common.c:264:	rc = xdp_rxq_info_reg(&rx_queue->xdp_rxq_info, efx->net_dev,
 drivers/net/ethernet/sfc/rx_common.c-265-			      rx_queue->core_index, 0);
 --
 drivers/net/ethernet/sfc/siena/rx_common.c=224=void efx_siena_init_rx_queue(struct efx_rx_queue *rx_queue)
 --
 drivers/net/ethernet/sfc/siena/rx_common.c-262-	/* Initialise XDP queue information */
 drivers/net/ethernet/sfc/siena/rx_common.c:263:	rc = xdp_rxq_info_reg(&rx_queue->xdp_rxq_info, efx->net_dev,
 drivers/net/ethernet/sfc/siena/rx_common.c-264-			      rx_queue->core_index, 0);
 --
 drivers/net/ethernet/socionext/netsec.c=1294=static int netsec_setup_rx_dring(struct netsec_priv *priv)
 --
 drivers/net/ethernet/socionext/netsec.c-1319-
 drivers/net/ethernet/socionext/netsec.c:1320:	err = xdp_rxq_info_reg(&dring->xdp_rxq, priv->ndev, 0, priv->napi.napi_id);
 drivers/net/ethernet/socionext/netsec.c-1321-	if (err)
 --
 drivers/net/ethernet/socionext/netsec.c-1323-
 drivers/net/ethernet/socionext/netsec.c:1324:	err = xdp_rxq_info_reg_mem_model(&dring->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/socionext/netsec.c-1325-					 dring->page_pool);
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c=1780=static int __init_dma_rx_desc_rings(struct stmmac_priv *priv,
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-1797-	if (rx_q->xsk_pool) {
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:1798:		WARN_ON(xdp_rxq_info_reg_mem_model(&rx_q->xdp_rxq,
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-1799-						   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-1805-	} else {
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:1806:		WARN_ON(xdp_rxq_info_reg_mem_model(&rx_q->xdp_rxq,
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-1807-						   MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c=2125=static int __alloc_dma_rx_desc_resources(struct stmmac_priv *priv,
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-2196-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:2197:	ret = xdp_rxq_info_reg(&rx_q->xdp_rxq, priv->dev,
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-2198-			       rx_q->queue_index,
 --
 drivers/net/ethernet/ti/am65-cpsw-nuss.c=557=static int am65_cpsw_create_rxq(struct am65_cpsw_common *common, int id)
 --
 drivers/net/ethernet/ti/am65-cpsw-nuss.c-593-		rxq = &common->ports[port].xdp_rxq[id];
 drivers/net/ethernet/ti/am65-cpsw-nuss.c:594:		ret = xdp_rxq_info_reg(rxq, common->ports[port].ndev,
 drivers/net/ethernet/ti/am65-cpsw-nuss.c-595-				       id, flow->napi_rx.napi_id);
 --
 drivers/net/ethernet/ti/am65-cpsw-nuss.c-598-
 drivers/net/ethernet/ti/am65-cpsw-nuss.c:599:		ret = xdp_rxq_info_reg_mem_model(rxq,
 drivers/net/ethernet/ti/am65-cpsw-nuss.c-600-						 MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/ti/cpsw_priv.c=1162=static int cpsw_ndev_create_xdp_rxq(struct cpsw_priv *priv, int ch)
 --
 drivers/net/ethernet/ti/cpsw_priv.c-1171-
 drivers/net/ethernet/ti/cpsw_priv.c:1172:	ret = xdp_rxq_info_reg(rxq, priv->ndev, ch, 0);
 drivers/net/ethernet/ti/cpsw_priv.c-1173-	if (ret)
 --
 drivers/net/ethernet/ti/cpsw_priv.c-1175-
 drivers/net/ethernet/ti/cpsw_priv.c:1176:	ret = xdp_rxq_info_reg_mem_model(rxq, MEM_TYPE_PAGE_POOL, pool);
 drivers/net/ethernet/ti/cpsw_priv.c-1177-	if (ret)
 --
 drivers/net/ethernet/ti/icssg/icssg_prueth.c=584=static int prueth_create_xdp_rxqs(struct prueth_emac *emac)
 --
 drivers/net/ethernet/ti/icssg/icssg_prueth.c-590-
 drivers/net/ethernet/ti/icssg/icssg_prueth.c:591:	ret = xdp_rxq_info_reg(rxq, emac->ndev, 0, emac->napi_rx.napi_id);
 drivers/net/ethernet/ti/icssg/icssg_prueth.c-592-	if (ret)
 --
 drivers/net/ethernet/ti/icssg/icssg_prueth.c-595-	if (rx_chn->xsk_pool) {
 drivers/net/ethernet/ti/icssg/icssg_prueth.c:596:		ret = xdp_rxq_info_reg_mem_model(rxq, MEM_TYPE_XSK_BUFF_POOL, NULL);
 drivers/net/ethernet/ti/icssg/icssg_prueth.c-597-		if (ret)
 --
 drivers/net/ethernet/ti/icssg/icssg_prueth.c-600-	} else {
 drivers/net/ethernet/ti/icssg/icssg_prueth.c:601:		ret = xdp_rxq_info_reg_mem_model(rxq, MEM_TYPE_PAGE_POOL, pool);
 drivers/net/ethernet/ti/icssg/icssg_prueth.c-602-		if (ret)
 --
 drivers/net/hyperv/netvsc.c=1762=struct netvsc_device *netvsc_device_add(struct hv_device *device,
 --
 drivers/net/hyperv/netvsc.c-1796-
]
]

gemini-3-pro-preview

							input: 63935
							output: 44
							thoughts: 32
						

Okay, here's my interpretation of those thoughts, presented as a first-person expert summary:

**Digging into veth and XDP**

Hold on a second, isn't it true that the `veth` driver actually *does* have something to do with registering `xdp_rxq_info`? I vaguely recall seeing something like that. This merits immediate investigation. Let's not assume, let's confirm. The obvious next step is to dive right into the code. Specifically, the place to start is likely going to be in `drivers/net/veth.c`. That should contain all the core logic for the virtual ethernet pair device. I'll check there. It's time to confirm my suspicion and find the pertinent registration code or, alternatively, finally put the matter to rest.

map[ContextFile:drivers/net/veth.c IncludeLines:true Name:veth_enable_xdp]

map[SourceCode:1163:	static int veth_enable_xdp(struct net_device *dev)
1164:	{
1165:		bool napi_already_on = veth_gro_requested(dev) && (dev->flags & IFF_UP);
1166:		struct veth_priv *priv = netdev_priv(dev);
1167:		int err, i;
1168:	
1169:		if (!xdp_rxq_info_is_reg(&priv->rq[0].xdp_rxq)) {
1170:			err = veth_enable_xdp_range(dev, 0, dev->real_num_rx_queues, napi_already_on);
1171:			if (err)
1172:				return err;
1173:	
1174:			if (!napi_already_on) {
1175:				err = __veth_napi_enable(dev);
1176:				if (err) {
1177:					veth_disable_xdp_range(dev, 0, dev->real_num_rx_queues, true);
1178:					return err;
1179:				}
1180:			}
1181:		}
1182:	
1183:		for (i = 0; i < dev->real_num_rx_queues; i++) {
1184:			rcu_assign_pointer(priv->rq[i].xdp_prog, priv->_xdp_prog);
1185:			rcu_assign_pointer(priv->rq[i].napi, &priv->rq[i].xdp_napi);
1186:		}
1187:	
1188:		return 0;
1189:	}
 SourceFile:drivers/net/veth.c]

gemini-3-pro-preview

							input: 64682
							output: 46
							thoughts: 266
						

**XDP and VETH - A Reproducer Scenario**

Okay, so `veth` does indeed register `xdp_rxq_info`. That’s good, it means we can potentially use `veth` in our testing. Let's see if we can construct a solid reproducer for the potential issue. I'll need to think this through step by step.

First, I need to create the `veth` pair: `veth0` and `veth1`. Makes sense, standard practice. Next, a bonding device, let's call it `bond0`. Mode needs to be set to `ROUNDROBIN` for the reproducer's purposes. Then, the trickier part: enslaving `veth0` to `bond0`. Ah, but I need to remember the `bond_enslave` checks. It specifically tests if the slave device is up with that `if (slave_dev->flags & IFF_UP) return -EPERM;` check. So `veth0` absolutely *must* be down for this to work. Okay, got it.

Now, the XDP program. I need to attach an XDP program to `bond0`. Here's where it gets interesting because `bond_xdp_set` will call `dev_xdp_propagate` on `veth0`. And if `veth0` is down, `veth_enable_xdp` is called, which feels like the important part. Wait, `veth_enable_xdp` also has a check: `if (dev->flags & IFF_UP)`. But hold on, the previous check makes it clear that it *should* be down. If it *is* down, `veth_enable_xdp` still registers `xdp_rxq_info`! That's... curious. I'll have to investigate that function to be sure. Let's check `veth_enable_xdp_range` to make sure I am not missing anything.

map[ContextFile:drivers/net/veth.c IncludeLines:true Name:veth_enable_xdp_range]

map[SourceCode:1106:	static int veth_enable_xdp_range(struct net_device *dev, int start, int end,
1107:					 bool napi_already_on)
1108:	{
1109:		struct veth_priv *priv = netdev_priv(dev);
1110:		int err, i;
1111:	
1112:		for (i = start; i < end; i++) {
1113:			struct veth_rq *rq = &priv->rq[i];
1114:	
1115:			if (!napi_already_on)
1116:				netif_napi_add(dev, &rq->xdp_napi, veth_poll);
1117:			err = xdp_rxq_info_reg(&rq->xdp_rxq, dev, i, rq->xdp_napi.napi_id);
1118:			if (err < 0)
1119:				goto err_rxq_reg;
1120:	
1121:			err = xdp_rxq_info_reg_mem_model(&rq->xdp_rxq,
1122:							 MEM_TYPE_PAGE_SHARED,
1123:							 NULL);
1124:			if (err < 0)
1125:				goto err_reg_mem;
1126:	
1127:			/* Save original mem info as it can be overwritten */
1128:			rq->xdp_mem = rq->xdp_rxq.mem;
1129:		}
1130:		return 0;
1131:	
1132:	err_reg_mem:
1133:		xdp_rxq_info_unreg(&priv->rq[i].xdp_rxq);
1134:	err_rxq_reg:
1135:		for (i--; i >= start; i--) {
1136:			struct veth_rq *rq = &priv->rq[i];
1137:	
1138:			xdp_rxq_info_unreg(&rq->xdp_rxq);
1139:			if (!napi_already_on)
1140:				netif_napi_del(&rq->xdp_napi);
1141:		}
1142:	
1143:		return err;
1144:	}
 SourceFile:drivers/net/veth.c]

gemini-3-pro-preview

							input: 66094
							output: 45
							thoughts: 852
						

**XDP on a Bond Interface: A Potential Crash Scenario**

Okay, so I'm following the flow here, and it looks like `veth_enable_xdp_range` registers the `xdp_rxq_info`, which is expected. That means `veth0` will have its `xdp_rxq_info` registered. Now, I should be able to run `bpf_prog_test_run` on the XDP program attached to `veth0`, right?

Wait a second... `bpf_prog_test_run` wants a BPF program FD. We can just reuse the one attached to the bond, that makes sense.

But, `bpf_prog_test_run` also requires `ingress_ifindex` in `ctx_in`. Fine, I'll set that to `veth0`'s ifindex. Then `xdp_convert_md_to_buff` should correctly set `xdp->rxq` to `veth0`'s `xdp_rxq`.

Okay, so now `bpf_test_run_xdp_live` fires the BPF program, which should return `XDP_TX`. Now, here's where it gets interesting: `bpf_prog_run_xdp` sees `act == XDP_TX` and, crucially, that `netif_is_bond_slave(xdp->rxq->dev)`. Since `xdp->rxq->dev` is `veth0`, and `veth0` is a slave, that means it'll call `xdp_master_redirect(xdp)`.

`xdp_master_redirect` is going to call `master->netdev_ops->ndo_xdp_get_xmit_slave(master, xdp)`. In this case `master` is the bond. This call ends up in `bond_xdp_get_xmit_slave`, which delegates to `bond_xdp_xmit_roundrobin_slave_get`. `bond_xdp_xmit_roundrobin_slave_get` eventually calls `bond_rr_gen_slave_id`, which accesses the `bond->rr_tx_counter` variable.

*Aha!* That's where it goes sideways. Since the `bond0` interface is *DOWN*, `bond_open` was never called, meaning `bond->rr_tx_counter` is null, which leads to a crash when it's accessed.

Let's verify this, I need to confirm `bond0` can be down when we attach an XDP program. `bond_xdp_set` doesn't check if the bond is UP. But, `bond_enslave` does check that the slave is UP. It doesn't appear to check if the bond is up. Wait! `bond_enslave` calls `bond_xdp_set_features(bond_dev)` and propagates the XDP program. So, it looks like either attaching the XDP program to `bond0` before enslaving `veth0` or enslaving `veth0` first should work. Both seem to be viable approaches.

Alright, let's craft a syzkaller program to reproduce this. Here's the plan:

1.  Create a `veth` pair.
2.  Create a `bond` device.
3.  Set the `bond` mode to ROUNDROBIN (mode 0).
4.  Enslave the `veth` to the `bond`.
5.  Load a BPF program of type `BPF_PROG_TYPE_XDP` that simply returns `XDP_TX`.
6.  Attach the BPF program to the `bond`.
7.  Finally, run `bpf_prog_test_run` on the BPF program, with `ctx_in` configured to have the `ingress_ifindex` set to `veth`'s ifindex.

I need to quickly double-check the exact arguments of `bpf_prog_test_run` again. This needs to be precise.

map[ContextFile:kernel/bpf/syscall.c IncludeLines:true Name:bpf_prog_test_run]

map[SourceCode:4681:	static int bpf_prog_test_run(const union bpf_attr *attr,
4682:				     union bpf_attr __user *uattr)
4683:	{
4684:		struct bpf_prog *prog;
4685:		int ret = -ENOTSUPP;
4686:	
4687:		if (CHECK_ATTR(BPF_PROG_TEST_RUN))
4688:			return -EINVAL;
4689:	
4690:		if ((attr->test.ctx_size_in && !attr->test.ctx_in) ||
4691:		    (!attr->test.ctx_size_in && attr->test.ctx_in))
4692:			return -EINVAL;
4693:	
4694:		if ((attr->test.ctx_size_out && !attr->test.ctx_out) ||
4695:		    (!attr->test.ctx_size_out && attr->test.ctx_out))
4696:			return -EINVAL;
4697:	
4698:		prog = bpf_prog_get(attr->test.prog_fd);
4699:		if (IS_ERR(prog))
4700:			return PTR_ERR(prog);
4701:	
4702:		if (prog->aux->ops->test_run)
4703:			ret = prog->aux->ops->test_run(prog, attr, uattr);
4704:	
4705:		bpf_prog_put(prog);
4706:		return ret;
4707:	}
 SourceFile:kernel/bpf/syscall.c]

gemini-3-pro-preview

							input: 68353
							output: 40
							thoughts: 348
						

**My BPF Program Logic**

Okay, so the goal is to get this BPF program to transmit the packet, and to do that, I need it to return `XDP_TX`. Now, looking at my notes, `XDP_TX` is defined as 3. Therefore, the essential instructions I need in the BPF program are a move immediate instruction with the value 3 into register 0, followed by an exit instruction.

That translates directly to:

```
BPF_MOV64_IMM(BPF_REG_0, 3),
BPF_EXIT_INSN()
```

Which, if I disassemble that, looks like:

```
b7 00 00 00 03 00 00 00
95 00 00 00 00 00 00 00
```

Now, I need to figure out the best way to integrate this into a syzkaller program. Initially, I thought about getting the family ID for `nl80211` using `syz_genetlink_get_family_id`. However, that might be overkill, so I need to check my options.

Wait, instead of using `syz_genetlink_get_family_id`, I think I can use `syz_init_net_socket` to create a netlink socket, then use `sendmsg` to create `veth` and `bond`. No, I was wrong - I need to create devices. It doesn't look like `syz_emit_ethernet` is suitable here, as I need to create the actual devices. Syzkaller has utilities like `syz_genetlink_get_family_id` and `sendmsg$nl_route` to create devices.

Or…does Syzkaller *automatically* create `bond0` and `veth0` if I use `syz_init_net_socket`? That would be ideal. I seem to recall something about Syzkaller's test environment doing that by default. I should double-check.

Okay, I think I need to look into `executor/common_linux.h` in the syzkaller source to verify how device creation is handled in the default test environment. I will start there to see if I need to explicitly create the veth and bond devices.

requested entity does not exist

map[ContextFile:executor/common_linux.h IncludeLines:true Name:initialize_netdevices]

map[SourceCode: SourceFile:]

gemini-3-pro-preview

							input: 69279
							output: 18
							thoughts: 20
						

Okay, here's my thought process summarized as requested:

**Checking the Network Initialization**

Alright, before I dive too deep into this, I need to make sure I understand how network devices are initialized. My first instinct is to look at the low-level code that sets these up, rather than the higher-level functions, so I'm going to jump straight into `executor/common_linux.h`. The function name I'm specifically looking for is `initialize_netdevices`. That's where I expect to find the core logic. Let's see what's in there. I'm hoping it's well-documented... but even if not, I can usually glean enough from the function signature and a quick scan of the surrounding code. This header file will probably reveal a lot about dependencies on the kernel interfaces, and what specific calls are being made.

no matches

map[Expression:initialize_netdevices]

map[Output:]

gemini-3-pro-preview

							input: 69514
							output: 20
							thoughts: 22
						

Here's my thought process, summarized as you requested:

**Navigating the Codebase: Netdevice Initialization**

Okay, so we're talking about `initialize_netdevices_init`. That sounds like a pretty critical function, likely involved in the initial setup of network interfaces within the execution environment. To get a handle on what it's doing, and how it fits into the broader picture, the best place to start is probably in `executor/common_linux.h`. That header file is a good central repository for common definitions and function declarations that would be used across various Linux-specific executor components. I'm expecting to find either the declaration of `initialize_netdevices_init` there, or at least some related macros and structures that will give me context. This should tell me how it's called, what it expects as arguments (if any), and how it's intended to interact with other parts of the system. Let's see what we can dig up.

no matches

map[Expression:initialize_netdevices_init]

map[Output:]

gemini-3-pro-preview

							input: 69775
							output: 18
							thoughts: 26
						

Here's my thought process, summarized as you requested:

**Navigating the Syzkaller Network Initialization**

Okay, so I need to understand how network devices are initialized within syzkaller. The core of this probably lies in the Linux-specific setup, given that syzkaller is a fuzzing tool and needs to handle various configurations. My instinct is to zero in on the `executor` directory, which houses the code that actually interacts with the target kernel. Within that, I'm pretty certain there'll be common elements used across different architectures, so `common_linux.h` feels like the right place to start. I'm focusing in particular on finding the `initialize_netdevices` function (or a similar naming scheme). This function is very likely the heart of the matter and I'm guessing it will be responsible for creating, configuring, and possibly bringing up network interfaces for the fuzzer to use. It may also deal with setting up the routing tables and other kernel level networking setups, so this is where I'll begin.

no matches

map[Expression:initialize_netdevices]

map[Output:]

gemini-3-pro-preview

							input: 70052
							output: 18
							thoughts: 43
						

Okay, let's see...

**Looking for Network Device Initialization within the Syzkaller Executor**

Hmm, so I seem to recall encountering `initialize_netdevices` within syzkaller's codebase. Now where was that? Ah, yes, it's ringing a bell – I think it's buried in `executor/common_linux.h`. Time to confirm that. Let me quickly jump over there and take a look at the contents of `executor/common_linux.h` and check the actual declaration and implementation. I expect to find something related to network device setup in there. It's a logical place for such a function, given the executor's need to simulate and interact with network interactions for fuzzing. This should give me a solid foundation of what's going on.

no matches

map[Expression:initialize_netdevices]

map[Output:]

gemini-3-pro-preview

							input: 70295
							output: 20
							thoughts: 46
						

Okay, here's my interpretation of that thought process, from an expert's perspective:

**Diving into the Network Initialization Code**

Right, so I'm dealing with network initialization, and it looks like the culprit is in `executor/common_linux.h`, specifically, the `initialize_netdevices_init` function. That name rings a bell... I've probably seen it before, but let's be sure. Let me go ahead and confirm its definition within `executor/common_linux.h`. Time to dig into the details and refresh my memory on the intricacies of the underlying implementation.

no matches

map[Expression:initialize_netdevices_init]

map[Output:]

gemini-3-pro-preview

							input: 70504
							output: 43
							thoughts: 62910
						

map[ContextFile:kernel/bpf/syscall.c IncludeLines:true Name:bpf_prog_load]

map[SourceCode:2870:	static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
2871:	{
2872:		enum bpf_prog_type type = attr->prog_type;
2873:		struct bpf_prog *prog, *dst_prog = NULL;
2874:		struct btf *attach_btf = NULL;
2875:		struct bpf_token *token = NULL;
2876:		bool bpf_cap;
2877:		int err;
2878:		char license[128];
2879:	
2880:		if (CHECK_ATTR(BPF_PROG_LOAD))
2881:			return -EINVAL;
2882:	
2883:		if (attr->prog_flags & ~(BPF_F_STRICT_ALIGNMENT |
2884:					 BPF_F_ANY_ALIGNMENT |
2885:					 BPF_F_TEST_STATE_FREQ |
2886:					 BPF_F_SLEEPABLE |
2887:					 BPF_F_TEST_RND_HI32 |
2888:					 BPF_F_XDP_HAS_FRAGS |
2889:					 BPF_F_XDP_DEV_BOUND_ONLY |
2890:					 BPF_F_TEST_REG_INVARIANTS |
2891:					 BPF_F_TOKEN_FD))
2892:			return -EINVAL;
2893:	
2894:		bpf_prog_load_fixup_attach_type(attr);
2895:	
2896:		if (attr->prog_flags & BPF_F_TOKEN_FD) {
2897:			token = bpf_token_get_from_fd(attr->prog_token_fd);
2898:			if (IS_ERR(token))
2899:				return PTR_ERR(token);
2900:			/* if current token doesn't grant prog loading permissions,
2901:			 * then we can't use this token, so ignore it and rely on
2902:			 * system-wide capabilities checks
2903:			 */
2904:			if (!bpf_token_allow_cmd(token, BPF_PROG_LOAD) ||
2905:			    !bpf_token_allow_prog_type(token, attr->prog_type,
2906:						       attr->expected_attach_type)) {
2907:				bpf_token_put(token);
2908:				token = NULL;
2909:			}
2910:		}
2911:	
2912:		bpf_cap = bpf_token_capable(token, CAP_BPF);
2913:		err = -EPERM;
2914:	
2915:		if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) &&
2916:		    (attr->prog_flags & BPF_F_ANY_ALIGNMENT) &&
2917:		    !bpf_cap)
2918:			goto put_token;
2919:	
2920:		/* Intent here is for unprivileged_bpf_disabled to block BPF program
2921:		 * creation for unprivileged users; other actions depend
2922:		 * on fd availability and access to bpffs, so are dependent on
2923:		 * object creation success. Even with unprivileged BPF disabled,
2924:		 * capability checks are still carried out for these
2925:		 * and other operations.
2926:		 */
2927:		if (sysctl_unprivileged_bpf_disabled && !bpf_cap)
2928:			goto put_token;
2929:	
2930:		if (attr->insn_cnt == 0 ||
2931:		    attr->insn_cnt > (bpf_cap ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS)) {
2932:			err = -E2BIG;
2933:			goto put_token;
2934:		}
2935:		if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
2936:		    type != BPF_PROG_TYPE_CGROUP_SKB &&
2937:		    !bpf_cap)
2938:			goto put_token;
2939:	
2940:		if (is_net_admin_prog_type(type) && !bpf_token_capable(token, CAP_NET_ADMIN))
2941:			goto put_token;
2942:		if (is_perfmon_prog_type(type) && !bpf_token_capable(token, CAP_PERFMON))
2943:			goto put_token;
2944:	
2945:		/* attach_prog_fd/attach_btf_obj_fd can specify fd of either bpf_prog
2946:		 * or btf, we need to check which one it is
2947:		 */
2948:		if (attr->attach_prog_fd) {
2949:			dst_prog = bpf_prog_get(attr->attach_prog_fd);
2950:			if (IS_ERR(dst_prog)) {
2951:				dst_prog = NULL;
2952:				attach_btf = btf_get_by_fd(attr->attach_btf_obj_fd);
2953:				if (IS_ERR(attach_btf)) {
2954:					err = -EINVAL;
2955:					goto put_token;
2956:				}
2957:				if (!btf_is_kernel(attach_btf)) {
2958:					/* attaching through specifying bpf_prog's BTF
2959:					 * objects directly might be supported eventually
2960:					 */
2961:					btf_put(attach_btf);
2962:					err = -ENOTSUPP;
2963:					goto put_token;
2964:				}
2965:			}
2966:		} else if (attr->attach_btf_id) {
2967:			/* fall back to vmlinux BTF, if BTF type ID is specified */
2968:			attach_btf = bpf_get_btf_vmlinux();
2969:			if (IS_ERR(attach_btf)) {
2970:				err = PTR_ERR(attach_btf);
2971:				goto put_token;
2972:			}
2973:			if (!attach_btf) {
2974:				err = -EINVAL;
2975:				goto put_token;
2976:			}
2977:			btf_get(attach_btf);
2978:		}
2979:	
2980:		if (bpf_prog_load_check_attach(type, attr->expected_attach_type,
2981:					       attach_btf, attr->attach_btf_id,
2982:					       dst_prog)) {
2983:			if (dst_prog)
2984:				bpf_prog_put(dst_prog);
2985:			if (attach_btf)
2986:				btf_put(attach_btf);
2987:			err = -EINVAL;
2988:			goto put_token;
2989:		}
2990:	
2991:		/* plain bpf_prog allocation */
2992:		prog = bpf_prog_alloc(bpf_prog_size(attr->insn_cnt), GFP_USER);
2993:		if (!prog) {
2994:			if (dst_prog)
2995:				bpf_prog_put(dst_prog);
2996:			if (attach_btf)
2997:				btf_put(attach_btf);
2998:			err = -EINVAL;
2999:			goto put_token;
3000:		}
3001:	
3002:		prog->expected_attach_type = attr->expected_attach_type;
3003:		prog->sleepable = !!(attr->prog_flags & BPF_F_SLEEPABLE);
3004:		prog->aux->attach_btf = attach_btf;
3005:		prog->aux->attach_btf_id = attr->attach_btf_id;
3006:		prog->aux->dst_prog = dst_prog;
3007:		prog->aux->dev_bound = !!attr->prog_ifindex;
3008:		prog->aux->xdp_has_frags = attr->prog_flags & BPF_F_XDP_HAS_FRAGS;
3009:	
3010:		/* move token into prog->aux, reuse taken refcnt */
3011:		prog->aux->token = token;
3012:		token = NULL;
3013:	
3014:		prog->aux->user = get_current_user();
3015:		prog->len = attr->insn_cnt;
3016:	
3017:		err = -EFAULT;
3018:		if (copy_from_bpfptr(prog->insns,
3019:				     make_bpfptr(attr->insns, uattr.is_kernel),
3020:				     bpf_prog_insn_size(prog)) != 0)
3021:			goto free_prog;
3022:		/* copy eBPF program license from user space */
3023:		if (strncpy_from_bpfptr(license,
3024:					make_bpfptr(attr->license, uattr.is_kernel),
3025:					sizeof(license) - 1) < 0)
3026:			goto free_prog;
3027:		license[sizeof(license) - 1] = 0;
3028:	
3029:		/* eBPF programs must be GPL compatible to use GPL-ed functions */
3030:		prog->gpl_compatible = license_is_gpl_compatible(license) ? 1 : 0;
3031:	
3032:		if (attr->signature) {
3033:			err = bpf_prog_verify_signature(prog, attr, uattr.is_kernel);
3034:			if (err)
3035:				goto free_prog;
3036:		}
3037:	
3038:		prog->orig_prog = NULL;
3039:		prog->jited = 0;
3040:	
3041:		atomic64_set(&prog->aux->refcnt, 1);
3042:	
3043:		if (bpf_prog_is_dev_bound(prog->aux)) {
3044:			err = bpf_prog_dev_bound_init(prog, attr);
3045:			if (err)
3046:				goto free_prog;
3047:		}
3048:	
3049:		if (type == BPF_PROG_TYPE_EXT && dst_prog &&
3050:		    bpf_prog_is_dev_bound(dst_prog->aux)) {
3051:			err = bpf_prog_dev_bound_inherit(prog, dst_prog);
3052:			if (err)
3053:				goto free_prog;
3054:		}
3055:	
3056:		/*
3057:		 * Bookkeeping for managing the program attachment chain.
3058:		 *
3059:		 * It might be tempting to set attach_tracing_prog flag at the attachment
3060:		 * time, but this will not prevent from loading bunch of tracing prog
3061:		 * first, then attach them one to another.
3062:		 *
3063:		 * The flag attach_tracing_prog is set for the whole program lifecycle, and
3064:		 * doesn't have to be cleared in bpf_tracing_link_release, since tracing
3065:		 * programs cannot change attachment target.
3066:		 */
3067:		if (type == BPF_PROG_TYPE_TRACING && dst_prog &&
3068:		    dst_prog->type == BPF_PROG_TYPE_TRACING) {
3069:			prog->aux->attach_tracing_prog = true;
3070:		}
3071:	
3072:		/* find program type: socket_filter vs tracing_filter */
3073:		err = find_prog_type(type, prog);
3074:		if (err < 0)
3075:			goto free_prog;
3076:	
3077:		prog->aux->load_time = ktime_get_boottime_ns();
3078:		err = bpf_obj_name_cpy(prog->aux->name, attr->prog_name,
3079:				       sizeof(attr->prog_name));
3080:		if (err < 0)
3081:			goto free_prog;
3082:	
3083:		err = security_bpf_prog_load(prog, attr, token, uattr.is_kernel);
3084:		if (err)
3085:			goto free_prog_sec;
3086:	
3087:		/* run eBPF verifier */
3088:		err = bpf_check(&prog, attr, uattr, uattr_size);
3089:		if (err < 0)
3090:			goto free_used_maps;
3091:	
3092:		prog = bpf_prog_select_runtime(prog, &err);
3093:		if (err < 0)
3094:			goto free_used_maps;
3095:	
3096:		err = bpf_prog_mark_insn_arrays_ready(prog);
3097:		if (err < 0)
3098:			goto free_used_maps;
3099:	
3100:		err = bpf_prog_alloc_id(prog);
3101:		if (err)
3102:			goto free_used_maps;
3103:	
3104:		/* Upon success of bpf_prog_alloc_id(), the BPF prog is
3105:		 * effectively publicly exposed. However, retrieving via
3106:		 * bpf_prog_get_fd_by_id() will take another reference,
3107:		 * therefore it cannot be gone underneath us.
3108:		 *
3109:		 * Only for the time /after/ successful bpf_prog_new_fd()
3110:		 * and before returning to userspace, we might just hold
3111:		 * one reference and any parallel close on that fd could
3112:		 * rip everything out. Hence, below notifications must
3113:		 * happen before bpf_prog_new_fd().
3114:		 *
3115:		 * Also, any failure handling from this point onwards must
3116:		 * be using bpf_prog_put() given the program is exposed.
3117:		 */
3118:		bpf_prog_kallsyms_add(prog);
3119:		perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_LOAD, 0);
3120:		bpf_audit_prog(prog, BPF_AUDIT_LOAD);
3121:	
3122:		err = bpf_prog_new_fd(prog);
3123:		if (err < 0)
3124:			bpf_prog_put(prog);
3125:		return err;
3126:	
3127:	free_used_maps:
3128:		/* In case we have subprogs, we need to wait for a grace
3129:		 * period before we can tear down JIT memory since symbols
3130:		 * are already exposed under kallsyms.
3131:		 */
3132:		__bpf_prog_put_noref(prog, prog->aux->real_func_cnt);
3133:		return err;
3134:	
3135:	free_prog_sec:
3136:		security_bpf_prog_free(prog);
3137:	free_prog:
3138:		free_uid(prog->aux->user);
3139:		if (prog->aux->attach_btf)
3140:			btf_put(prog->aux->attach_btf);
3141:		bpf_prog_free(prog);
3142:	put_token:
3143:		bpf_token_put(token);
3144:		return err;
3145:	}
 SourceFile:kernel/bpf/syscall.c]

gemini-3-pro-preview

							input: 137999
							output: 40
							thoughts: 1320
						

**Refining the XDP BPF Program for Bonded Interfaces**

Okay, let's break this down. I need to get this XDP program working with a bonded interface. First, I realize that `bpf_prog_load` expects `BPF_PROG_TYPE_XDP` (6) for the `prog_type` attribute. No problem there, the instructions are correct.

Then, for the testing, `bpf_prog_test_run` uses `attr->test.prog_fd`, and needs `attr->test.ctx_in` and `attr->test.ctx_size_in`. The context for XDP is `struct xdp_md`, so I need to set those parameters right. Looking at the definition, `struct xdp_md` has `ingress_ifindex` at offset 16. That means `ctx_size_in` will be 24, including `ingress_ifindex`, `rx_queue_index` and `egress_ifindex`.

I need to populate `ingress_ifindex` with the interface index of `veth0`. I'll use `ioctl$SIOCGIFINDEX` to get the interface index. Now I know how to prepare for the test run.

Now, let's look at refining the syzkaller program I have. I already have the socket creation, and setting bond0 and veth0 down. I'm setting the bond mode to ROUNDROBIN (0) and enslaving veth0 to bond0. That's all good.

I'm loading the BPF program correctly now. The key is how to attach it. I initially considered using `ioctl$SIOCGIFINDEX` to get bond0's ifindex, then attaching it. Now, instead, I'm going to use `bpf$LINK_CREATE`. That makes things easier, it takes `target_ifindex`. I can use `ioctl$sock_SIOCGIFINDEX` with `bond0` as the argument to the call to `bpf$LINK_CREATE`.

Wait, the link type for XDP with `bpf$LINK_CREATE` is `BPF_XDP` (39 = 0x27). I can check `bpf_link_create` in `kernel/bpf/syscall.c` to be sure. I can get the interface index directly from `ioctl$sock_SIOCGIFINDEX` in memory and pass that result to `bpf$LINK_CREATE`. I will call the socket `r0` and the ifindex result will be `r4`. `bpf$LINK_CREATE` takes the program, interface index (r4) and BPF_XDP. Perfect. Let's make this work.

map[ContextFile:kernel/bpf/syscall.c IncludeLines:true Name:link_create]

map[SourceCode:5659:	static int link_create(union bpf_attr *attr, bpfptr_t uattr)
5660:	{
5661:		struct bpf_prog *prog;
5662:		int ret;
5663:	
5664:		if (CHECK_ATTR(BPF_LINK_CREATE))
5665:			return -EINVAL;
5666:	
5667:		if (attr->link_create.attach_type == BPF_STRUCT_OPS)
5668:			return bpf_struct_ops_link_create(attr);
5669:	
5670:		prog = bpf_prog_get(attr->link_create.prog_fd);
5671:		if (IS_ERR(prog))
5672:			return PTR_ERR(prog);
5673:	
5674:		ret = bpf_prog_attach_check_attach_type(prog,
5675:							attr->link_create.attach_type);
5676:		if (ret)
5677:			goto out;
5678:	
5679:		switch (prog->type) {
5680:		case BPF_PROG_TYPE_CGROUP_SKB:
5681:		case BPF_PROG_TYPE_CGROUP_SOCK:
5682:		case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
5683:		case BPF_PROG_TYPE_SOCK_OPS:
5684:		case BPF_PROG_TYPE_CGROUP_DEVICE:
5685:		case BPF_PROG_TYPE_CGROUP_SYSCTL:
5686:		case BPF_PROG_TYPE_CGROUP_SOCKOPT:
5687:			ret = cgroup_bpf_link_attach(attr, prog);
5688:			break;
5689:		case BPF_PROG_TYPE_EXT:
5690:			ret = bpf_tracing_prog_attach(prog,
5691:						      attr->link_create.target_fd,
5692:						      attr->link_create.target_btf_id,
5693:						      attr->link_create.tracing.cookie,
5694:						      attr->link_create.attach_type);
5695:			break;
5696:		case BPF_PROG_TYPE_LSM:
5697:		case BPF_PROG_TYPE_TRACING:
5698:			if (attr->link_create.attach_type != prog->expected_attach_type) {
5699:				ret = -EINVAL;
5700:				goto out;
5701:			}
5702:			if (prog->expected_attach_type == BPF_TRACE_RAW_TP)
5703:				ret = bpf_raw_tp_link_attach(prog, NULL, attr->link_create.tracing.cookie,
5704:							     attr->link_create.attach_type);
5705:			else if (prog->expected_attach_type == BPF_TRACE_ITER)
5706:				ret = bpf_iter_link_attach(attr, uattr, prog);
5707:			else if (prog->expected_attach_type == BPF_LSM_CGROUP)
5708:				ret = cgroup_bpf_link_attach(attr, prog);
5709:			else
5710:				ret = bpf_tracing_prog_attach(prog,
5711:							      attr->link_create.target_fd,
5712:							      attr->link_create.target_btf_id,
5713:							      attr->link_create.tracing.cookie,
5714:							      attr->link_create.attach_type);
5715:			break;
5716:		case BPF_PROG_TYPE_FLOW_DISSECTOR:
5717:		case BPF_PROG_TYPE_SK_LOOKUP:
5718:			ret = netns_bpf_link_create(attr, prog);
5719:			break;
5720:		case BPF_PROG_TYPE_SK_MSG:
5721:		case BPF_PROG_TYPE_SK_SKB:
5722:			ret = sock_map_link_create(attr, prog);
5723:			break;
5724:	#ifdef CONFIG_NET
5725:		case BPF_PROG_TYPE_XDP:
5726:			ret = bpf_xdp_link_attach(attr, prog);
5727:			break;
5728:		case BPF_PROG_TYPE_SCHED_CLS:
5729:			if (attr->link_create.attach_type == BPF_TCX_INGRESS ||
5730:			    attr->link_create.attach_type == BPF_TCX_EGRESS)
5731:				ret = tcx_link_attach(attr, prog);
5732:			else
5733:				ret = netkit_link_attach(attr, prog);
5734:			break;
5735:		case BPF_PROG_TYPE_NETFILTER:
5736:			ret = bpf_nf_link_attach(attr, prog);
5737:			break;
5738:	#endif
5739:		case BPF_PROG_TYPE_PERF_EVENT:
5740:		case BPF_PROG_TYPE_TRACEPOINT:
5741:			ret = bpf_perf_link_attach(attr, prog);
5742:			break;
5743:		case BPF_PROG_TYPE_KPROBE:
5744:			if (attr->link_create.attach_type == BPF_PERF_EVENT)
5745:				ret = bpf_perf_link_attach(attr, prog);
5746:			else if (attr->link_create.attach_type == BPF_TRACE_KPROBE_MULTI ||
5747:				 attr->link_create.attach_type == BPF_TRACE_KPROBE_SESSION)
5748:				ret = bpf_kprobe_multi_link_attach(attr, prog);
5749:			else if (attr->link_create.attach_type == BPF_TRACE_UPROBE_MULTI ||
5750:				 attr->link_create.attach_type == BPF_TRACE_UPROBE_SESSION)
5751:				ret = bpf_uprobe_multi_link_attach(attr, prog);
5752:			break;
5753:		default:
5754:			ret = -EINVAL;
5755:		}
5756:	
5757:	out:
5758:		if (ret < 0)
5759:			bpf_prog_put(prog);
5760:		return ret;
5761:	}
 SourceFile:kernel/bpf/syscall.c]

gemini-3-pro-preview

							input: 141800
							output: 45
							thoughts: 16
						

Here's my thought process, as if I were considering this:

**XDP and Link Attachment: Digging Deeper**

Okay, so I see `bpf_xdp_link_attach` mentioned. Immediately, my mind jumps to the specifics of XDP (eXpress Data Path) and how we're tying a BPF program into the network interface. Knowing that this function is involved tells me we're not just dealing with the typical kernel space program loading; we're talking about a more direct and efficient way to handle packets *before* they even hit the traditional network stack. This means we're probably looking at high-performance packet filtering, shaping, or maybe even manipulation right at the driver level. That `link_attach` piece is critical, as it signifies the direct association of the BPF program with the network link, which, from what I know, needs proper handling and consideration of resources for it to run as intended. It also raises questions for me. What kind of program? Is it filtering, redirecting, or something more complex? I need more context to understand the *why* behind this attachment. What are the specific requirements of this XDP program, and how are the potential conflicts being resolved?

map[ContextFile:net/core/dev.c IncludeLines:true Name:bpf_xdp_link_attach]

map[SourceCode:10628:	int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
10629:	{
10630:		struct net *net = current->nsproxy->net_ns;
10631:		struct bpf_link_primer link_primer;
10632:		struct netlink_ext_ack extack = {};
10633:		struct bpf_xdp_link *link;
10634:		struct net_device *dev;
10635:		int err, fd;
10636:	
10637:		rtnl_lock();
10638:		dev = dev_get_by_index(net, attr->link_create.target_ifindex);
10639:		if (!dev) {
10640:			rtnl_unlock();
10641:			return -EINVAL;
10642:		}
10643:	
10644:		link = kzalloc(sizeof(*link), GFP_USER);
10645:		if (!link) {
10646:			err = -ENOMEM;
10647:			goto unlock;
10648:		}
10649:	
10650:		bpf_link_init(&link->link, BPF_LINK_TYPE_XDP, &bpf_xdp_link_lops, prog,
10651:			      attr->link_create.attach_type);
10652:		link->dev = dev;
10653:		link->flags = attr->link_create.flags;
10654:	
10655:		err = bpf_link_prime(&link->link, &link_primer);
10656:		if (err) {
10657:			kfree(link);
10658:			goto unlock;
10659:		}
10660:	
10661:		netdev_lock_ops(dev);
10662:		err = dev_xdp_attach_link(dev, &extack, link);
10663:		netdev_unlock_ops(dev);
10664:		rtnl_unlock();
10665:	
10666:		if (err) {
10667:			link->dev = NULL;
10668:			bpf_link_cleanup(&link_primer);
10669:			trace_bpf_xdp_link_attach_failed(extack._msg);
10670:			goto out_put_dev;
10671:		}
10672:	
10673:		fd = bpf_link_settle(&link_primer);
10674:		/* link itself doesn't hold dev's refcnt to not complicate shutdown */
10675:		dev_put(dev);
10676:		return fd;
10677:	
10678:	unlock:
10679:		rtnl_unlock();
10680:	
10681:	out_put_dev:
10682:		dev_put(dev);
10683:		return err;
10684:	}
 SourceFile:net/core/dev.c]

gemini-3-pro-preview

							input: 143017
							output: 18
							thoughts: 263
						

**My BPF Link Creation Strategy**

Okay, so `bpf$LINK_CREATE` is confirmed to be working, that's good. But hang on, it needs a `target_ifindex`. I know Syzkaller has a way to get interface indexes; I just need to remember how. Hmm, `syz_genetlink_get_family_id` is for a different purpose, that won't work. Ah, for ifindex... Right, I think I can use `syz_init_net_socket` and then the `ioctl$sock_SIOCGIFINDEX` call. 

Wait, did Syzkaller provide a pseudo-syscall like `syz_get_ifindex`? Nope, I don't recall one. But no worries; I can simply use `ioctl$sock_SIOCGIFINDEX` and pass its result directly to `bpf$LINK_CREATE`. That should be fairly straightforward.

Now, let me just confirm the Syzkaller syntax to use. Right, the general approach should be:

```
r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'bond0\x00', <r1=>0x0})
```

Then the return value, stored in `r1`, will be the ifindex that I need. Seems correct. I should double-check the `socket.txt` file for `ioctl$sock_SIOCGIFINDEX` to make sure there aren't any gotchas, but this seems like the correct approach.

map[File:socket.txt]

map[Output:# Copyright 2017 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

include <asm/ioctls.h>
include <linux/if_tun.h>
include <linux/if_bridge.h>
include <linux/net.h>
include <linux/net_tstamp.h>
include <linux/route.h>
include <linux/socket.h>
include <uapi/linux/in.h>
include <uapi/linux/ethtool.h>
include <uapi/linux/if_ether.h>
include <uapi/linux/if_vlan.h>
include <uapi/asm-generic/socket.h>

resource sock[fd]
type sock_port int16be[20000:20004]

# TODO: describe socketcall syscall

socket(domain flags[socket_domain], type flags[socket_type], proto int32) sock (automatic_helper)
socketpair(domain flags[socket_domain], type flags[socket_type], proto int32, fds ptr[out, sock_pair])
bind(fd sock, addr ptr[in, sockaddr_storage], addrlen len[addr])
connect(fd sock, addr ptr[in, sockaddr_storage], addrlen len[addr])
accept(fd sock, peer ptr[out, sockaddr_storage, opt], peerlen ptr[inout, len[peer, int32]]) sock
accept4(fd sock, peer ptr[out, sockaddr_storage, opt], peerlen ptr[inout, len[peer, int32]], flags flags[accept_flags]) sock
sendto(fd sock, buf buffer[in], len len[buf], f flags[send_flags], addr ptr[in, sockaddr_storage, opt], addrlen len[addr])
recvfrom(fd sock, buf buffer[out], len len[buf], f flags[recv_flags], addr ptr[in, sockaddr_storage, opt], addrlen len[addr])
getsockname(fd sock, addr ptr[out, sockaddr_storage], addrlen ptr[inout, len[addr, int32]])
getpeername(fd sock, peer ptr[out, sockaddr_storage], peerlen ptr[inout, len[peer, int32]])

sendmsg(fd sock, msg ptr[in, send_msghdr], f flags[send_flags])
sendmmsg(fd sock, mmsg ptr[in, array[send_mmsghdr]], vlen len[mmsg], f flags[send_flags])
recvmsg(fd sock, msg ptr[inout, recv_msghdr], f flags[recv_flags])
recvmmsg(fd sock, mmsg ptr[in, array[recv_mmsghdr]], vlen len[mmsg], f flags[recv_flags], timeout ptr[in, timespec, opt])

listen(fd sock, backlog int32)
shutdown(fd sock, how flags[shutdown_flags])

getsockopt(fd sock, level int32, optname int32, optval buffer[out], optlen ptr[inout, len[optval, int32]])
setsockopt(fd sock, level int32, optname int32, optval buffer[in], optlen len[optval])

socket_domain = AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, AF_X25, AF_AX25, AF_ATMPVC, AF_APPLETALK, AF_PACKET, AF_VSOCK, AF_XDP, AF_TIPC, AF_RXRPC, AF_PPPOX, AF_RDS, AF_ROSE, AF_PHONET, AF_NFC, AF_NETROM, AF_KEY, AF_KCM, AF_ISDN, AF_SMC, AF_CAN, AF_CAIF, AF_BLUETOOTH, AF_LLC, AF_ALG, AF_QIPCRTR
socket_type = SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_RDM, SOCK_SEQPACKET, SOCK_DCCP, SOCK_PACKET, SOCK_NONBLOCK, SOCK_CLOEXEC
accept_flags = SOCK_NONBLOCK, SOCK_CLOEXEC
shutdown_flags = SHUT_RD, SHUT_WR
send_flags = MSG_CONFIRM, MSG_DONTROUTE, MSG_DONTWAIT, MSG_EOR, MSG_MORE, MSG_NOSIGNAL, MSG_OOB, MSG_PROBE, MSG_BATCH, MSG_FASTOPEN, MSG_ZEROCOPY
recv_flags = MSG_CMSG_CLOEXEC, MSG_DONTWAIT, MSG_ERRQUEUE, MSG_OOB, MSG_PEEK, MSG_TRUNC, MSG_WAITALL, MSG_WAITFORONE
cmsg_levels = SOL_SOCKET, IPPROTO_ICMP, SOL_IP, SOL_TCP, SOL_UDP, SOL_IPV6, SOL_ICMPV6, SOL_SCTP, SOL_UDPLITE, SOL_RAW, SOL_AX25, SOL_ATALK, SOL_NETROM, SOL_ROSE, SOL_PACKET, SOL_ATM, SOL_AAL, SOL_IRDA, SOL_NETBEUI, SOL_LLC, SOL_DCCP, SOL_NETLINK, SOL_TIPC, SOL_RXRPC, SOL_PPPOL2TP, SOL_BLUETOOTH, SOL_PNPIPE, SOL_RDS, SOL_IUCV, SOL_CAIF, SOL_ALG, SOL_NFC, SOL_KCM

sock_pair {
	fd0	sock
	fd1	sock
}

# This sockaddr type corresponds to the struct sockaddr and is 16 bytes or less.
# TODO: add AF_APPLETALK, AF_ATMPVC, AF_ROSE, AF_ATMSVC, AF_IRDA, AF_IB, AF_IUCV
# Note: AF_UNIX, AF_INET6, AF_PACKET, AF_ALG, AF_PPPOX sockaddr is bigger than 16 bytes
# Note: AF_NETROM sockaddr is the same as AF_AX25
sockaddr [
	in		sockaddr_in
	ax25		sockaddr_ax25
	nl		sockaddr_nl
	llc		sockaddr_llc
	can		sockaddr_can
	sco		sockaddr_sco
	l2		sockaddr_l2
	hci		sockaddr_hci
	rc		sockaddr_rc
	nfc		sockaddr_nfc
	vsock		sockaddr_vm
	xdp		sockaddr_xdp
	tipc		sockaddr_tipc
	isdn		sockaddr_mISDN
	l2tp		sockaddr_l2tpip
	phonet		sockaddr_pn
	ethernet	sockaddr_ethernet
	qipcrtr		sockaddr_qrtr
	generic		sockaddr_generic
] [size[SOCKADDR_SIZE]]

# This sockaddr type corresponds to the sockaddr_storage type and is 128 bytes size.
sockaddr_storage [
	un		sockaddr_un
	in		sockaddr_in
	x25		sockaddr_x25
	ax25		full_sockaddr_ax25
	in6		sockaddr_in6
	nl		sockaddr_nl
	ll		sockaddr_ll
	pppoe		sockaddr_pppoe
	pppol2tp	sockaddr_pppol2tp
	pppol2tpin6	sockaddr_pppol2tpin6
	pppol2tpv3	sockaddr_pppol2tpv3
	pppol2tpv3in6	sockaddr_pppol2tpv3in6
	pptp		sockaddr_pptp
	l2tp		sockaddr_l2tpip
	l2tp6		sockaddr_l2tpip6
	llc		sockaddr_llc
	can		sockaddr_can
	sco		sockaddr_sco
	l2		sockaddr_l2
	hci		sockaddr_hci
	rc		sockaddr_rc
	alg		sockaddr_alg
	nfc		sockaddr_nfc
	nfc_llcp	sockaddr_nfc_llcp
	vsock		sockaddr_vm
	xdp		sockaddr_xdp
	tipc		sockaddr_tipc
	caif		sockaddr_caif
	isdn		sockaddr_mISDN
	rxrpc		sockaddr_rxrpc
	phonet		sockaddr_pn
	ethernet	sockaddr_ethernet
	qipcrtr		sockaddr_qrtr
	ieee802154	sockaddr_ieee802154
	generic		sockaddr_storage_generic
] [size[SOCKADDR_STORAGE_SIZE]]

define SOCKADDR_SIZE	sizeof(struct sockaddr)
define SOCKADDR_STORAGE_SIZE	sizeof(struct sockaddr_storage)

sockaddr_generic {
	sa_family	flags[socket_domain, int16]
	sa_data		array[int8, 14]
}

sockaddr_storage_generic {
	sa_family	flags[socket_domain, int16]
	sa_data		array[int8, 126]
}

send_msghdr {
	msg_name	ptr[in, sockaddr_storage, opt]
	msg_namelen	len[msg_name, int32]
	msg_iov		ptr[in, array[iovec_in]]
	msg_iovlen	len[msg_iov, intptr]
	msg_control	ptr[in, array[cmsghdr], opt]
	msg_controllen	bytesize[msg_control, intptr]
	msg_flags	const[0, int32]
}

msghdr_sock {
	msg_name	ptr[in, sockaddr_storage, opt]
	msg_namelen	len[msg_name, int32]
	msg_iov		ptr[in, array[iovec_in]]
	msg_iovlen	len[msg_iov, intptr]
	msg_control	ptr[in, array[cmsghdr_sock], opt]
	msg_controllen	bytesize[msg_control, intptr]
	msg_flags	const[0, int32]
}

send_mmsghdr {
	msg_hdr	send_msghdr
	msg_len	const[0, int32]
}

mmsghdr_sock {
	msg_hdr	msghdr_sock
	msg_len	const[0, int32]
}

recv_msghdr {
	msg_name	ptr[out, sockaddr_storage, opt]
	msg_namelen	len[msg_name, int32]
	msg_iov		ptr[in, array[iovec_out]]
	msg_iovlen	len[msg_iov, intptr]
	msg_control	ptr[out, array[int8], opt]
	msg_controllen	bytesize[msg_control, intptr]
	msg_flags	const[0, int32]
}

recv_mmsghdr {
	msg_hdr	recv_msghdr
	msg_len	int32
}

cmsghdr {
	cmsg_len	len[parent, intptr]
	cmsg_level	flags[cmsg_levels, int32]
	cmsg_type	int32
	data		array[int8]
} [align[PTR_SIZE]]

type cmsghdr_t[SOL, TYP, DATA] {
	unaligned	cmsghdr_unaligned[SOL, TYP, DATA]
} [align[PTR_SIZE]]

type cmsghdr_unaligned[SOL, TYP, DATA] {
	cmsg_len	len[parent, intptr]
	cmsg_level	const[SOL, int32]
	cmsg_type	const[TYP, int32]
	data		DATA
} [packed]

# For __sock_cmsg_send
cmsghdr_sock [
	mark		cmsghdr_t[SOL_SOCKET, SO_MARK, int32]
	timestamping	cmsghdr_t[SOL_SOCKET, SO_TIMESTAMPING_OLD, int32]
	txtime		cmsghdr_t[SOL_SOCKET, SCM_TXTIME, int64]
] [varlen]

# Socket options

# http://lxr.free-electrons.com/source/include/uapi/asm-generic/socket.h

setsockopt$sock_void(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_void], optval const[0], optlen const[0])
getsockopt$sock_int(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_int], optval ptr[out, int32], optlen ptr[inout, len[optval, int32]])
setsockopt$sock_int(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_int], optval ptr[in, int32], optlen len[optval])
getsockopt$sock_linger(fd sock, level const[SOL_SOCKET], optname const[SO_LINGER], optval ptr[out, linger], optlen ptr[inout, len[optval, int32]])
setsockopt$sock_linger(fd sock, level const[SOL_SOCKET], optname const[SO_LINGER], optval ptr[in, linger], optlen len[optval])
getsockopt$sock_cred(fd sock, level const[SOL_SOCKET], optname const[SO_PEERCRED], optval ptr[out, ucred], optlen ptr[inout, len[optval, int32]])
setsockopt$sock_cred(fd sock, level const[SOL_SOCKET], optname const[SO_PEERCRED], optval ptr[in, ucred], optlen len[optval])
getsockopt$sock_timeval(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_timeval], optval ptr[out, timeval], optlen ptr[inout, len[optval, int32]])
setsockopt$sock_timeval(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_timeval], optval ptr[in, timeval], optlen len[optval])
setsockopt$sock_attach_bpf(fd sock, level const[SOL_SOCKET], optname const[SO_ATTACH_BPF], optval ptr[in, fd_bpf_prog], optlen len[optval])
setsockopt$SO_TIMESTAMP(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_timestamp], optval ptr[in, int32], optlen len[optval])
getsockopt$SO_TIMESTAMP(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_timestamp], optval ptr[out, int32], optlen ptr[inout, len[optval, int32]])
setsockopt$SO_TIMESTAMPING(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_timestamping], optval ptr[in, flags[sockopt_so_timestamping, int32]], optlen len[optval])
getsockopt$SO_TIMESTAMPING(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_timestamping], optval ptr[out, int32], optlen ptr[inout, len[optval, int32]])
setsockopt$SO_ATTACH_FILTER(fd sock, level const[SOL_SOCKET], optname const[SO_ATTACH_FILTER], optval ptr[in, sock_fprog], optlen len[optval])
setsockopt$SO_BINDTODEVICE(fd sock, level const[SOL_SOCKET], optname const[SO_BINDTODEVICE], optval ptr[in, devname], optlen len[optval])
getsockopt$SO_BINDTODEVICE(fd sock, level const[SOL_SOCKET], optname const[SO_BINDTODEVICE], optval ptr[out, devname], optlen len[optval])
getsockopt$sock_buf(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_buf], optval buffer[out], optlen ptr[inout, len[optval, int32]])
getsockopt$SO_COOKIE(fd sock, level const[SOL_SOCKET], optname const[SO_COOKIE], optval ptr[out, int64], optlen ptr[inout, len[optval, int32]])

linger {
	onoff	bool32
	linger	int32
}

sockopt_opt_sock_void = SO_DETACH_FILTER, SO_MARK
sockopt_opt_sock_int = SO_ACCEPTCONN, SO_BROADCAST, SO_DEBUG, SO_DOMAIN, SO_ERROR, SO_DONTROUTE, SO_KEEPALIVE, SO_PEEK_OFF, SO_PRIORITY, SO_PROTOCOL, SO_RCVBUF, SO_RCVBUFFORCE, SO_RCVLOWAT, SO_SNDLOWAT, SO_REUSEADDR, SO_SNDBUF, SO_SNDBUFFORCE, SO_TIMESTAMP_OLD, SO_TYPE, SO_REUSEPORT, SO_OOBINLINE, SO_NO_CHECK, SO_PASSCRED, SO_TIMESTAMPNS_OLD, SO_LOCK_FILTER, SO_PASSSEC, SO_RXQ_OVFL, SO_WIFI_STATUS, SO_NOFCS, SO_SELECT_ERR_QUEUE, SO_BUSY_POLL, SO_MAX_PACING_RATE, SO_ZEROCOPY
sockopt_opt_sock_timeval = SO_RCVTIMEO_OLD, SO_RCVTIMEO_NEW, SO_SNDTIMEO_OLD, SO_SNDTIMEO_NEW
sockopt_opt_sock_timestamp = SO_TIMESTAMP_OLD, SO_TIMESTAMP_NEW, SO_TIMESTAMPNS_OLD, SO_TIMESTAMPNS_NEW
sockopt_opt_sock_timestamping = SO_TIMESTAMPING_OLD, SO_TIMESTAMPING_NEW
sockopt_opt_sock_buf = SO_PEERNAME, SO_PEERSEC, SO_GET_FILTER, SO_MEMINFO, SO_PEERGROUPS, SO_TXTIME
sockopt_so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE, SOF_TIMESTAMPING_TX_SOFTWARE, SOF_TIMESTAMPING_RX_HARDWARE, SOF_TIMESTAMPING_RX_SOFTWARE, SOF_TIMESTAMPING_SOFTWARE, SOF_TIMESTAMPING_SYS_HARDWARE, SOF_TIMESTAMPING_RAW_HARDWARE, SOF_TIMESTAMPING_OPT_ID, SOF_TIMESTAMPING_TX_SCHED, SOF_TIMESTAMPING_TX_ACK, SOF_TIMESTAMPING_OPT_CMSG, SOF_TIMESTAMPING_OPT_TSONLY, SOF_TIMESTAMPING_OPT_STATS, SOF_TIMESTAMPING_OPT_PKTINFO, SOF_TIMESTAMPING_OPT_TX_SWHW

# Socket ioctls

# Since some socket ioctls are forwarded to the network device, adding device ioctls here as well.

# http://lxr.free-electrons.com/linux/latest/source/include/uapi/linux/sockios.h

# http://lxr.free-electrons.com/linux/latest/source/include/uapi/asm-generic/sockios.h

ioctl$sock_SIOCADDRT(fd sock, cmd const[SIOCADDRT], arg ptr[inout, rtentry])
ioctl$sock_SIOCDELRT(fd sock, cmd const[SIOCDELRT], arg ptr[inout, rtentry])

ioctl$sock_SIOCGIFVLAN_SET_VLAN_INGRESS_PRIORITY_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[in, vlan_args[SET_VLAN_INGRESS_PRIORITY_CMD, int32]])
ioctl$sock_SIOCGIFVLAN_SET_VLAN_EGRESS_PRIORITY_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[in, vlan_args[SET_VLAN_EGRESS_PRIORITY_CMD, int32]])
ioctl$sock_SIOCGIFVLAN_SET_VLAN_FLAG_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[in, vlan_args[SET_VLAN_FLAG_CMD, int32]])
ioctl$sock_SIOCGIFVLAN_SET_VLAN_NAME_TYPE_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[in, vlan_args[SET_VLAN_NAME_TYPE_CMD, int32]])
ioctl$sock_SIOCGIFVLAN_ADD_VLAN_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[in, vlan_args[ADD_VLAN_CMD, int32[0:4]]])
ioctl$sock_SIOCGIFVLAN_DEL_VLAN_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[in, vlan_args[DEL_VLAN_CMD, const[0, int32]]])
ioctl$sock_SIOCGIFVLAN_GET_VLAN_REALDEV_NAME_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[inout, vlan_args[GET_VLAN_REALDEV_NAME_CMD, string[devnames, 24]]])
ioctl$sock_SIOCGIFVLAN_GET_VLAN_VID_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[out, vlan_args[GET_VLAN_VID_CMD, int32]])
ioctl$sock_SIOCGIFVLAN_GET_VLAN_INGRESS_PRIORITY_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[out, vlan_args[GET_VLAN_INGRESS_PRIORITY_CMD, const[0, int32]]])
ioctl$sock_SIOCGIFVLAN_GET_VLAN_EGRESS_PRIORITY_CMD(fd sock, cmd const[SIOCGIFVLAN], arg ptr[out, vlan_args[GET_VLAN_EGRESS_PRIORITY_CMD, const[0, int32]]])

ioctl$sock_SIOCSIFVLAN_SET_VLAN_INGRESS_PRIORITY_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[in, vlan_args[SET_VLAN_INGRESS_PRIORITY_CMD, int32]])
ioctl$sock_SIOCSIFVLAN_SET_VLAN_EGRESS_PRIORITY_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[in, vlan_args[SET_VLAN_EGRESS_PRIORITY_CMD, int32]])
ioctl$sock_SIOCSIFVLAN_SET_VLAN_FLAG_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[in, vlan_args[SET_VLAN_FLAG_CMD, int32]])
ioctl$sock_SIOCSIFVLAN_SET_VLAN_NAME_TYPE_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[in, vlan_args[SET_VLAN_NAME_TYPE_CMD, int32]])
ioctl$sock_SIOCSIFVLAN_ADD_VLAN_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[in, vlan_args[ADD_VLAN_CMD, int32[0:4]]])
ioctl$sock_SIOCSIFVLAN_DEL_VLAN_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[in, vlan_args[DEL_VLAN_CMD, const[0, int32]]])
ioctl$sock_SIOCSIFVLAN_GET_VLAN_REALDEV_NAME_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[inout, vlan_args[GET_VLAN_REALDEV_NAME_CMD, string[devnames, 24]]])
ioctl$sock_SIOCSIFVLAN_GET_VLAN_VID_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[out, vlan_args[GET_VLAN_VID_CMD, int32]])
ioctl$sock_SIOCSIFVLAN_GET_VLAN_INGRESS_PRIORITY_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[out, vlan_args[GET_VLAN_INGRESS_PRIORITY_CMD, const[0, int32]]])
ioctl$sock_SIOCSIFVLAN_GET_VLAN_EGRESS_PRIORITY_CMD(fd sock, cmd const[SIOCSIFVLAN], arg ptr[out, vlan_args[GET_VLAN_EGRESS_PRIORITY_CMD, const[0, int32]]])

ioctl$sock_SIOCETHTOOL(fd sock, cmd const[SIOCETHTOOL], arg ptr[inout, ifreq_t[ptr[inout, ethtool_cmd_u]]])

ioctl$sock_SIOCOUTQ(fd sock, cmd const[SIOCOUTQ], arg ptr[out, int32])
ioctl$sock_SIOCINQ(fd sock, cmd const[SIOCINQ], arg ptr[out, int32])

ioctl$sock_SIOCGIFCONF(fd sock, cmd const[SIOCGIFCONF], arg ptr[inout, ifconf])

ifreq_ioctls = SIOCGIFNAME, SIOCSIFLINK, SIOCGIFFLAGS, SIOCSIFFLAGS, SIOCGIFADDR, SIOCSIFADDR, SIOCGIFDSTADDR, SIOCSIFDSTADDR, SIOCGIFBRDADDR, SIOCSIFBRDADDR, SIOCGIFNETMASK, SIOCSIFNETMASK, SIOCGIFMETRIC, SIOCSIFMETRIC, SIOCGIFMEM, SIOCSIFMEM, SIOCGIFMTU, SIOCSIFMTU, SIOCSIFNAME, SIOCSIFHWADDR, SIOCGIFENCAP, SIOCSIFENCAP, SIOCGIFHWADDR, SIOCGIFSLAVE, SIOCSIFSLAVE, SIOCADDMULTI, SIOCDELMULTI, SIOCGIFINDEX, SIOCSIFPFLAGS, SIOCGIFPFLAGS, SIOCDIFADDR, SIOCSIFHWBROADCAST, SIOCGIFCOUNT, SIOCGIFTXQLEN, SIOCSIFTXQLEN, SIOCETHTOOL, SIOCGMIIPHY, SIOCGMIIREG, SIOCSMIIREG, SIOCWANDEV, SIOCGIFMAP, SIOCSIFMAP, SIOCBONDENSLAVE, SIOCBONDRELEASE, SIOCBONDSETHWADDR, SIOCBONDSLAVEINFOQUERY, SIOCBONDINFOQUERY, SIOCBONDCHANGEACTIVE, SIOCBRADDIF, SIOCBRDELIF, SIOCSHWTSTAMP, SIOCGHWTSTAMP

ioctl$sock_ifreq(fd sock, cmd flags[ifreq_ioctls], arg ptr[inout, ifreq])

ioctl$sock_SIOCGIFINDEX(fd sock, cmd const[SIOCGIFINDEX], arg ptr[out, ifreq_t[ifindex]]) (automatic_helper)

ioctl$sock_SIOCGIFBR(fd sock, cmd const[SIOCGIFBR], arg ptr[inout, brctl_arg])
ioctl$sock_SIOCSIFBR(fd sock, cmd const[SIOCSIFBR], arg ptr[inout, brctl_arg])

ioctl$sock_SIOCOUTQNSD(fd sock, cmd const[SIOCOUTQNSD], arg ptr[out, int32])

ioctl$sock_SIOCGSKNS(fd sock, cmd const[SIOCGSKNS], arg ptr[inout, int32])

ioctl$sock_SIOCADDDLCI(fd sock, cmd const[SIOCADDDLCI], arg ptr[inout, dlci_add])
ioctl$sock_SIOCDELDLCI(fd sock, cmd const[SIOCDELDLCI], arg ptr[in, dlci_add])

ioctl$sock_SIOCBRADDBR(fd sock, cmd const[SIOCBRADDBR], arg ptr[in, devname])
ioctl$sock_SIOCBRDELBR(fd sock, cmd const[SIOCBRDELBR], arg ptr[in, devname])

define SIOCDEVPRIVATE_BEG	(SIOCDEVPRIVATE)
define SIOCDEVPRIVATE_END	(SIOCDEVPRIVATE + 15)

define SIOCPROTOPRIVATE_BEG	(SIOCPROTOPRIVATE)
define SIOCPROTOPRIVATE_END	(SIOCPROTOPRIVATE + 15)

ioctl$sock_netdev_private(fd sock, cmd int32[SIOCDEVPRIVATE_BEG:SIOCDEVPRIVATE_END], arg ptr[in, array[int8]])
ioctl$sock_proto_private(fd sock, cmd int32[SIOCPROTOPRIVATE_BEG:SIOCPROTOPRIVATE_END], arg ptr[in, array[int8]])

ioctl$sock_FIOSETOWN(fd sock, cmd const[FIOSETOWN], arg ptr[in, pid])
ioctl$sock_SIOCSPGRP(fd sock, cmd const[SIOCSPGRP], arg ptr[in, pid])

ioctl$sock_FIOGETOWN(fd sock, cmd const[FIOGETOWN], arg ptr[out, pid])
ioctl$sock_SIOCGPGRP(fd sock, cmd const[SIOCGPGRP], arg ptr[out, pid])

ioctl$sock_TIOCOUTQ(fd sock, cmd const[TIOCOUTQ], arg ptr[out, int32])
ioctl$sock_TIOCINQ(fd sock, cmd const[TIOCINQ], arg ptr[out, int32])
ioctl$SIOCGSTAMP(fd sock, cmd const[SIOCGSTAMP], arg ptr[out, timeval])
ioctl$SIOCGSTAMPNS(fd sock, cmd const[SIOCGSTAMPNS], arg ptr[out, timespec])

# Socket sendmsg
sendmsg$sock(fd sock, msg ptr[in, msghdr_sock], f flags[send_flags])
sendmmsg$sock(fd sock, mmsg ptr[in, array[mmsghdr_sock]], vlen len[mmsg], f flags[send_flags])

resource ifindex[int32]

type ifreq_dev_t[DEVNAME, ELEM] {
	ifr_ifrn	string[DEVNAME, IFNAMSIZ]	(in)
	elem		ELEM
} [size[IFREQ_SIZE]]

type ifreq_t[ELEM] ifreq_dev_t[devnames, ELEM]

type ifreq ifreq_t[ifr_ifru]

ifr_ifru [
	ifru_addrs	sockaddr
	ifru_hwaddr	mac_addr
	ifru_flags	flags[ifru_flags, int16]
	ifru_ivalue	int32
	ifru_mtu	int32
	ifru_map	ifmap
	ifru_names	devname
	ifru_data	ptr[in, array[int8, 32]]
	ifru_settings	if_settings
]

define IFREQ_SIZE	sizeof(struct ifreq)

# https://elixir.bootlin.com/linux/v5.3.11/source/include/uapi/linux/if_vlan.h
type vlan_args[CMD, DATA] {
	cmd		const[CMD, int32]
	device1		string[devnames, 24]
	u		vlan_args_u[DATA]
	vlan_qos	int16
}

type vlan_args_u[DATA] {
	datadata	DATA
} [size[24]]

# https://elixir.bootlin.com/linux/v5.3.12/source/include/uapi/linux/route.h#L31
rtentry {
	rt_pad1		const[0, intptr]
	rt_dst		sockaddr
	rt_gateway	sockaddr
	rt_genmask	sockaddr
	rt_flags	int16
	rt_pad2		const[0, int16]
	rt_pad3		const[0, intptr]
	rt_pad4		const[0, intptr]
	rt_metric	int16
	rt_dev		ptr[in, devname, opt]
	rt_mtu		intptr
	rt_window	intptr
	rt_irtt		int16
}

# We could add "eth0" to this list as well, but this will affect the connection
# between fuzzer and manager and produce lots of "no output" crashes
# (actually, this is not true now since all testing is done in a separate
# network namespace, but we still don't mess with eth0).
# Note: lapb0, bpq0 and hwsim0 are only present in init namespace.
# Note: for roseN and nrN we should use proc type, but for simplicity we currently use N=0.
# Note: netdevsim0 and netpci0 are renamed in initialize_devlink_ports()
devnames = "", "lo", "tunl0", "gre0", "gretap0", "ip_vti0", "ip6_vti0", "sit0", "ip6tnl0", "ip6gre0", "ip6gretap0", "bond0", "dummy0", "nr0", "rose0", "erspan0", "vlan0", "bridge0", "vcan0", "team0", "syz_tun", "veth0", "veth1", "veth0_to_bridge", "veth1_to_bridge", "veth0_to_bond", "veth1_to_bond", "veth0_to_team", "veth1_to_team", "bridge_slave_0", "bridge_slave_1", "bond_slave_0", "bond_slave_1", "team_slave_0", "team_slave_1", "syzkaller0", "syzkaller1", "veth0_to_hsr", "veth1_to_hsr", "hsr0", "ip6erspan0", "vxcan1", "caif0", "batadv0", "veth0_to_batadv", "veth1_to_batadv", "batadv_slave_0", "batadv_slave_1", "netdevsim0", "netpci0", "nicvf0", "xfrm0", "veth0_virt_wifi", "veth1_virt_wifi", "virt_wifi0", "veth0_vlan", "veth1_vlan", "vlan0", "vlan1", "macvlan0", "macvlan1", "ipvlan0", "ipvlan1", "veth0_macvtap", "veth1_macvtap", "macvtap0", "macsec0", "geneve0", "geneve1", "wg0", "wg1", "wg2", "wlan0", "wlan1", "dvmrp0", "dvmrp1", "pimreg", "pimreg0", "pimreg1", "pim6reg", "pim6reg0", "pim6reg1"

type devname string[devnames, IFNAMSIZ]

devname_mask {
	lo	flags[devname_mask_values, int8]
} [size[IFNAMSIZ]]

devname_mask_values = 0, 0xff

ifru_flags = IFF_TUN, IFF_TAP, IFF_NO_PI, IFF_ONE_QUEUE, IFF_VNET_HDR, IFF_TUN_EXCL, IFF_MULTI_QUEUE, IFF_ATTACH_QUEUE, IFF_DETACH_QUEUE, IFF_PERSIST, IFF_NOFILTER

ifmap {
	mem_start	intptr
	mem_end		intptr
	base_addr	int16
	irq		int8
	dma		int8
	port		int8
}

if_settings {
	type		int32
	size		int32
	ifs_ifsu	ifs_ifsu
}

ifs_ifsu [
	raw_hdlc	ptr[in, raw_hdlc_proto]
	cisco		ptr[in, cisco_proto]
	fr		ptr[in, fr_proto]
	fr_pvc		ptr[in, fr_proto_pvc]
	fr_pvc_info	ptr[in, fr_proto_pvc_info]
	sync		ptr[in, sync_serial_settings]
	te1		ptr[in, te1_settings]
]

raw_hdlc_proto {
	encode	int16
	parity	int16
}

cisco_proto {
	val	int32
	timeout	int32
}

fr_proto {
	t391	int32
	t392	int32
	n391	int32
	n392	int32
	n393	int32
	lmi	int16
	dce	int16
}

fr_proto_pvc {
	dlcl	int32
}

fr_proto_pvc_info {
	dlci	int32
	master	devname
}

sync_serial_settings {
	rate	int32
	type	int32
	loop	int16
}

te1_settings {
	rate	int32
	type	int32
	loop	int16
	slot	int32
}

ifconf [
	req	ifconf_req
	buf	ifconf_buf
]

ifconf_buf {
	ifc_len		len[ifcu_buf, int32]
	ifcu_buf	ptr[inout, array[int8], opt]
}

ifconf_req {
	ifc_len		len[ifcu_req, int32]
	ifcu_req	ptr[inout, ifreq, opt]
}

brctl_cmds = BRCTL_GET_VERSION, BRCTL_GET_BRIDGES, BRCTL_ADD_BRIDGE, BRCTL_DEL_BRIDGE

brctl_arg [
	get	brctl_arg_get
	add_del	brctl_arg_add_del
	generic	brctl_arg_generic
]

brctl_arg_get {
	cmd	const[BRCTL_GET_BRIDGES, int64]
	buf	ptr[out, array[int8]]
	indices	int64
}

brctl_arg_add_del {
	cmd	const[BRCTL_ADD_BRIDGE, int64]
	devname	ptr[in, devname]
	pad	const[0, int64]
}

brctl_arg_generic {
	a0	flags[brctl_cmds, int64]
	a1	int64
	a2	int64
}

dlci_add {
	devname	devname
	dlci	int16
}

# ETHTOOL declaration part
# http://elixir.free-electrons.com/linux/latest/source/include/uapi/linux/ethtool.h

ethtool_cmd_u [
	ethtool_cmd		ethtool_cmd
	ethtool_drvinfo		ethtool_drvinfo
	ethtool_wolinfo		ethtool_wolinfo
	ethtool_regs		ethtool_regs
	ethtool_eeprom		ethtool_eeprom
	ethtool_eee		ethtool_eee
	ethtool_modinfo		ethtool_modinfo
	ethtool_coalesce	ethtool_coalesce
	ethtool_ringparam	ethtool_ringparam
	ethtool_channels	ethtool_channels
	ethtool_pauseparam	ethtool_pauseparam
	ethtool_gstrings	ethtool_gstrings
	ethtool_sset_info	ethtool_sset_info
	ethtool_test		ethtool_test
	ethtool_stats		ethtool_stats
	ethtool_perm_addr	ethtool_perm_addr
	ethtool_rxnfc		ethtool_rxnfc
	ethtool_rxfh_indir	ethtool_rxfh_indir
	ethtool_rxfh		ethtool_rxfh
	ethtool_rx_ntuple	ethtool_rx_ntuple
	ethtool_flash		ethtool_flash
	ethtool_dump		ethtool_dump
	ethtool_gfeatures	ethtool_gfeatures
	ethtool_sfeatures	ethtool_sfeatures
	ethtool_ts_info		ethtool_ts_info
	ethtool_per_queue_op	ethtool_per_queue_op
	ethtool_link_settings	ethtool_link_settings
] [varlen]

ethtool_cmd {
	cmd			flags[ethtool_cmd_flags, int32]
	supported		int32
	advertising		int32
	speed			int16
	duplex			int8
	port			int8
	phy_address		int8
	transceiver		int8
	autoneg			int8
	mdio_support		int8
	maxtxpkt		int32
	maxrxpkt		int32
	speed_hi		int16
	eth_tp_mdix		int8
	eth_tp_mdix_ctrl	int8
	lp_advertising		int32
	reserved		array[int32, 2]
}

ethtool_cmd_flags = ETHTOOL_GSET, ETHTOOL_SSET, ETHTOOL_GDRVINFO, ETHTOOL_GREGS, ETHTOOL_GWOL, ETHTOOL_SWOL, ETHTOOL_GMSGLVL, ETHTOOL_SMSGLVL, ETHTOOL_NWAY_RST, ETHTOOL_GLINK, ETHTOOL_GCOALESCE, ETHTOOL_SCOALESCE, ETHTOOL_GRINGPARAM, ETHTOOL_SRINGPARAM, ETHTOOL_GPAUSEPARAM, ETHTOOL_SPAUSEPARAM, ETHTOOL_GRXCSUM, ETHTOOL_SRXCSUM, ETHTOOL_GTXCSUM, ETHTOOL_STXCSUM, ETHTOOL_GSG, ETHTOOL_SSG, ETHTOOL_TEST, ETHTOOL_PHYS_ID, ETHTOOL_GSTATS, ETHTOOL_GTSO, ETHTOOL_STSO, ETHTOOL_GPERMADDR, ETHTOOL_GUFO, ETHTOOL_SUFO, ETHTOOL_GGSO, ETHTOOL_SGSO, ETHTOOL_GFLAGS, ETHTOOL_SFLAGS, ETHTOOL_GPFLAGS, ETHTOOL_SPFLAGS, ETHTOOL_GGRO, ETHTOOL_SGRO, ETHTOOL_RESET, ETHTOOL_SRXNTUPLE, ETHTOOL_GRXNTUPLE, ETHTOOL_GSSET_INFO, ETHTOOL_GRXFHINDIR, ETHTOOL_SRXFHINDIR, ETHTOOL_GFEATURES, ETHTOOL_SFEATURES, ETHTOOL_GCHANNELS, ETHTOOL_SCHANNELS, ETHTOOL_GET_TS_INFO, ETHTOOL_GEEE, ETHTOOL_SEEE, ETHTOOL_GRSSH, ETHTOOL_SRSSH, ETHTOOL_GTUNABLE, ETHTOOL_STUNABLE, ETHTOOL_GPHYSTATS, ETHTOOL_PERQUEUE, ETHTOOL_GLINKSETTINGS, ETHTOOL_SLINKSETTINGS, ETHTOOL_PHY_GTUNABLE, ETHTOOL_PHY_STUNABLE, ethtool_eeprom_cmd_flags, ethtool_rxnfc_cmd_flags, ethtool_dump_cmd_flags

ethtool_drvinfo {
	cmd		const[ETHTOOL_GDRVINFO, int32]
	driver		array[int8, 32]
	version		array[int8, 32]
	fw_version	array[int8, ETHTOOL_FWVERS_LEN]
	bus_info	array[int8, ETHTOOL_BUSINFO_LEN]
	erom_version	array[int8, ETHTOOL_EROMVERS_LEN]
	reserved2	array[int8, 12]
	n_priv_flags	int32
	n_stats		int32
	testinfo_len	int32
	eedump_len	int32
	regdump_len	int32
}

ethtool_wolinfo_cmd_flags = ETHTOOL_GWOL, ETHTOOL_SWOL

ethtool_wolinfo {
	cmd		flags[ethtool_wolinfo_cmd_flags, int32]
	supported	int32
	wolopts		int32
	sopass		array[int8, SOPASS_MAX]
}

ethtool_regs {
	cmd	const[ETHTOOL_GREGS, int32]
	version	int32
	len	len[data, int32]
	data	array[int8]
}

ethtool_eeprom_cmd_flags = ETHTOOL_GEEPROM, ETHTOOL_GMODULEEEPROM, ETHTOOL_SEEPROM

ethtool_eeprom {
	cmd	flags[ethtool_eeprom_cmd_flags, int32]
	magic	int32
	offset	int32
	len	len[data, int32]
	data	array[int8]
}

ethtool_eee_cmd_flags = ETHTOOL_GEEE, ETHTOOL_SEEE

ethtool_eee {
	cmd		flags[ethtool_eee_cmd_flags, int32]
	supported	int32
	advertised	int32
	lp_advertised	int32
	eee_active	int32
	eee_enabled	int32
	tx_lpi_enabled	int32
	tx_lpi_timer	int32
	reserved	array[int32, 2]
}

ethtool_modinfo {
	cmd		const[ETHTOOL_GMODULEINFO, int32]
	type		int32
	eeprom_len	int32
	reserved	array[const[0, int32], 8]
}

ethtool_coalesce_cmd_flags = ETHTOOL_GCOALESCE, ETHTOOL_SCOALESCE

ethtool_coalesce {
	cmd				flags[ethtool_coalesce_cmd_flags, int32]
	rx_coalesce_usecs		int32
	rx_max_coalesced_frames		int32
	rx_coalesce_usecs_irq		int32
	rx_max_coalesced_frames_irq	int32
	tx_coalesce_usecs		int32
	tx_max_coalesced_frames		int32
	tx_coalesce_usecs_irq		int32
	tx_max_coalesced_frames_irq	int32
	stats_block_coalesce_usecs	int32
	use_adaptive_rx_coalesce	int32
	use_adaptive_tx_coalesce	int32
	pkt_rate_low			int32
	rx_coalesce_usecs_low		int32
	rx_max_coalesced_frames_low	int32
	tx_coalesce_usecs_low		int32
	tx_max_coalesced_frames_low	int32
	pkt_rate_high			int32
	rx_coalesce_usecs_high		int32
	rx_max_coalesced_frames_high	int32
	tx_coalesce_usecs_high		int32
	tx_max_coalesced_frames_high	int32
	rate_sample_interval		int32
}

ethtool_ringparam_cmd_flags = ETHTOOL_GRINGPARAM, ETHTOOL_SRINGPARAM

ethtool_ringparam {
	cmd			flags[ethtool_ringparam_cmd_flags, int32]
	rx_max_pending		int32
	rx_mini_max_pending	int32
	rx_jumbo_max_pending	int32
	tx_max_pending		int32
	rx_pending		int32
	rx_mini_pending		int32
	rx_jumbo_pending	int32
	tx_pending		int32
}

ethtool_channels_cmd_flags = ETHTOOL_GCHANNELS, ETHTOOL_SCHANNELS

ethtool_channels {
	cmd		flags[ethtool_channels_cmd_flags, int32]
	max_rx		int32
	max_tx		int32
	max_other	int32
	max_combined	int32
	rx_count	int32
	tx_count	int32
	other_count	int32
	combined_count	int32
}

ethtool_pauseparam_cmd_flags = ETHTOOL_GPAUSEPARAM, ETHTOOL_SPAUSEPARAM

ethtool_pauseparam {
	cmd		flags[ethtool_pauseparam_cmd_flags, int32]
	autoneg		int32
	rx_pause	int32
	tx_pause	int32
}

ethtool_gstrings {
	cmd		const[ETHTOOL_GSTRINGS, int32]
	string_set	flags[ethtool_stringset, int32]
	len		len[data, int32]
	data		array[int8]
}

ethtool_stringset = ETH_SS_TEST, ETH_SS_STATS, ETH_SS_PRIV_FLAGS, ETH_SS_NTUPLE_FILTERS, ETH_SS_FEATURES, ETH_SS_RSS_HASH_FUNCS, ETH_SS_TUNABLES, ETH_SS_PHY_STATS, ETH_SS_PHY_TUNABLES

ethtool_sset_info {
	cmd		const[ETHTOOL_GSSET_INFO, int32]
	reserved	int32
	sset_mask	int64
	data		array[int32]
}

ethtool_test {
	cmd		const[ETHTOOL_TEST, int32]
	flags		int32
	reserved	int32
	len		len[data, int32]
	data		array[int64]
}

ethtool_stats {
	cmd	const[ETHTOOL_GSTATS, int32]
	n_stats	len[data, int32]
	data	array[int64]
}

ethtool_perm_addr {
	cmd	const[ETHTOOL_GPERMADDR, int32]
	size	len[data, int32]
	data	array[int8]
}

# http://elixir.free-electrons.com/linux/latest/source/include/uapi/linux/ethtool.h#L1565
traffic_flow_types = TCP_V4_FLOW, UDP_V4_FLOW, SCTP_V4_FLOW, AH_ESP_V4_FLOW, TCP_V6_FLOW, UDP_V6_FLOW, SCTP_V6_FLOW, AH_ESP_V6_FLOW, AH_V4_FLOW, ESP_V4_FLOW, AH_V6_FLOW, ESP_V6_FLOW, IPV4_USER_FLOW, IP_USER_FLOW, IPV6_USER_FLOW, IPV4_FLOW, IPV6_FLOW, ETHER_FLOW

ethtool_rxnfc_cmd_flags = ETHTOOL_GRXFH, ETHTOOL_SRXFH, ETHTOOL_GRXRINGS, ETHTOOL_GRXCLSRLCNT, ETHTOOL_GRXCLSRULE, ETHTOOL_GRXCLSRLALL, ETHTOOL_SRXCLSRLDEL, ETHTOOL_SRXCLSRLINS

ethtool_rxnfc {
	cmd		flags[ethtool_rxnfc_cmd_flags, int32]
	flow_type	flags[traffic_flow_types, int32]
	data		int64
	fs		ethtool_rx_flow_spec
	rule_cnt	len[rule_locs, int32]
	rule_locs	array[int32]
}

ethtool_rx_flow_spec {
	flow_type	flags[traffic_flow_types, int32]
	h_u		ethtool_flow_union
	h_ext		ethtool_flow_ext
	m_u		ethtool_flow_union
	m_ext		ethtool_flow_ext
	ring_cookie	int64
	location	int32
}

ethtool_flow_union [
	tcp_ip4_spec	ethtool_tcpip4_spec
	udp_ip4_spec	ethtool_tcpip4_spec
	sctp_ip4_spec	ethtool_tcpip4_spec
	ah_ip4_spec	ethtool_ah_espip4_spec
	esp_ip4_spec	ethtool_ah_espip4_spec
	usr_ip4_spec	ethtool_usrip4_spec
	tcp_ip6_spec	ethtool_tcpip6_spec
	udp_ip6_spec	ethtool_tcpip6_spec
	sctp_ip6_spec	ethtool_tcpip6_spec
	ah_ip6_spec	ethtool_ah_espip6_spec
	esp_ip6_spec	ethtool_ah_espip6_spec
	usr_ip6_spec	ethtool_usrip6_spec
	ether_spec	ethhdr
	hdata		array[int8, 52]
]

ethtool_flow_ext {
	padding		const[0, int16]
	h_dest		mac_addr
	vlan_etype	int16be
	vlan_tci	int16be
	data		array[int32be, 2]
}

ethtool_tcpip4_spec {
	ip4src	ipv4_addr
	ip4dst	ipv4_addr
	psrc	sock_port
	pdst	sock_port
	tos	int8
}

ethtool_ah_espip4_spec {
	ip4src	ipv4_addr
	ip4dst	ipv4_addr
	spi	int32be
	tos	int8
}

ethtool_usrip4_spec {
	ip4src		ipv4_addr
	ip4dst		ipv4_addr
	l4_4_bytes	int32be
	tos		int8
	ip_ver		const[ETH_RX_NFC_IP4, int8]
	proto		int8
}

ethtool_tcpip6_spec {
	ip6src	ipv6_addr
	ip6dst	ipv6_addr
	psrc	sock_port
	pdst	sock_port
	tclass	int8
}

ethtool_ah_espip6_spec {
	ip6src	ipv6_addr
	ip6dst	ipv6_addr
	spi	int32be
	tclass	int8
}

ethtool_usrip6_spec {
	ip6src		ipv6_addr
	ip6dst		ipv6_addr
	l4_4_bytes	int32be
	tclass		int8
	l4_proto	int8
}

ethhdr {
	h_dest		mac_addr
	h_source	mac_addr
	h_proto		int16be
} [packed]

ethtool_rxfh_indir_flags = ETHTOOL_GRXFHINDIR, ETHTOOL_SRXFHINDIR

ethtool_rxfh_indir {
	cmd		flags[ethtool_rxfh_indir_flags, int32]
	size		len[ring_index, int32]
	ring_index	array[int32]
}

ethtool_rxfh_cmd_flags = ETHTOOL_GRSSH, ETHTOOL_SRSSH

ethtool_rxfh {
	cmd		flags[ethtool_rxfh_cmd_flags, int32]
	rss_context	int32
	indir_size	int32
	key_size	int32
	hfunc		int8
	rsvd8		array[int8, 3]
	rsvd32		int32
	rss_config	array[int32]
}

ethtool_rx_ntuple {
	cmd	const[ETHTOOL_SRXNTUPLE, int32]
	fs	ethtool_rx_ntuple_flow_spec
}

ethtool_rx_ntuple_flow_spec_action_flags = ETHTOOL_RXNTUPLE_ACTION_DROP, ETHTOOL_RXNTUPLE_ACTION_CLEAR

ethtool_rx_ntuple_flow_spec {
	flow_type	flags[traffic_flow_types, int32]
	h_u		ethtool_rx_ntuple_flow_spec_union
	m_u		ethtool_rx_ntuple_flow_spec_union
	vlan_tag	int16
	vlan_tag_mask	int16
	data		int64
	data_mask	int64
	action		flags[ethtool_rx_ntuple_flow_spec_action_flags, int32]
}

ethtool_rx_ntuple_flow_spec_union [
	tcp_ip4_spec	ethtool_tcpip4_spec
	udp_ip4_spec	ethtool_tcpip4_spec
	sctp_ip4_spec	ethtool_tcpip4_spec
	ah_ip4_spec	ethtool_ah_espip4_spec
	esp_ip4_spec	ethtool_ah_espip4_spec
	usr_ip4_spec	ethtool_usrip4_spec
	ether_spec	ethhdr
	hdata		array[int8, 72]
]

ethtool_flash {
	cmd	const[ETHTOOL_FLASHDEV, int32]
	region	int32
	data	string[filename, ETHTOOL_FLASH_MAX_FILENAME]
}

ethtool_dump_cmd_flags = ETHTOOL_GET_DUMP_FLAG, ETHTOOL_GET_DUMP_DATA, ETHTOOL_SET_DUMP

ethtool_dump {
	cmd	flags[ethtool_dump_cmd_flags, int32]
	version	int32
	flag	int32
	len	len[data, int32]
	data	array[int8]
}

ethtool_gfeatures {
	cmd		const[ETHTOOL_GFEATURES, int32]
	size		len[features, int32]
	features	array[ethtool_get_features_block]
}

ethtool_get_features_block {
	available	const[0, int32]
	requested	const[0, int32]
	active		const[0, int32]
	never_changed	const[0, int32]
}

ethtool_sfeatures {
	cmd		const[ETHTOOL_SFEATURES, int32]
	size		len[features, int32]
	features	array[ethtool_set_features_block]
}

ethtool_set_features_block {
	valid		int32
	requested	int32
}

ethtool_ts_info {
	cmd		const[ETHTOOL_GET_TS_INFO, int32]
	so_timestamping	const[0, int32]
	phc_index	const[0, int32]
	tx_types	const[0, int32]
	tx_reserved	array[const[0, int32], 3]
	rx_filters	const[0, int32]
	rx_reserved	array[const[0, int32], 3]
}

ethtool_per_queue_op {
	cmd		const[ETHTOOL_PERQUEUE, int32]
	sub_command	flags[ethtool_per_queue_sub_cmd, int32]
	queue_mask	array[int32, ethtool_per_queue_op_size]
	data		array[int8]
}

ethtool_per_queue_sub_cmd = ETHTOOL_GCOALESCE, ETHTOOL_SCOALESCE

define ethtool_per_queue_op_size	__KERNEL_DIV_ROUND_UP(MAX_NUM_QUEUE, 32)

ethtool_link_settings_cmd_flags = ETHTOOL_GLINKSETTINGS, ETHTOOL_SLINKSETTINGS

ethtool_link_settings {
	cmd			flags[ethtool_link_settings_cmd_flags, int32]
	speed			int32
	duplex			int8
	port			int8
	phy_address		int8
	autoneg			int8
	mdio_support		int8
	eth_tp_mdix		int8
	eth_tp_mdix_ctrl	int8
	link_mode_masks_nwords	int8
	reserved		array[int32, 8]
	link_mode_masks		array[int32]
}
]

gemini-3-pro-preview

							input: 158453
							output: 19
							thoughts: 283
						

**Deconstructing the `ioctl` Call for Network Interface Index Retrieval**

Okay, let's break this down. I see we're calling `ioctl` with `sock_SIOCGIFINDEX`. That takes an `ifreq_t` structure. Looking at the definitions, `ifreq_t` is essentially a `ifreq_dev_t` structure with the element replaced with the `ifindex`. This means the `ifreq_t` structure we're using contains the interface name and then the index itself.

So, when we pass `ifreq_t[ifindex]` to the `ioctl` call, it's really like:

```
{
    ifr_ifrn string[devnames, IFNAMSIZ]
    elem ifindex
}
```

The `ifindex` itself is an `int32`.  We can observe that the call is being structured as such:

```
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000280)={'bond0\x00', <r4=>0x0})
```

It looks like the `ioctl` call is executed with `bond0` as the interface name and expects `r4` to receive the `ifindex` value. Therefore, after the call, register `r4` should hold the ifindex of `bond0`.

Right, that makes sense. Now, let's see. This `ifindex` is relevant because `bpf$LINK_CREATE` uses `target_ifindex` in `attr->link_create.target_ifindex`. So we want to link the bpf to the net device using the retrieved ifindex. I will check the bpf.txt documentation to confirm how to use `bpf$LINK_CREATE`

map[File:bpf.txt]

map[Output:# Copyright 2015 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Note these sysctls have radical effect on code paths inside of kernel:
# net.core.bpf_jit_enable  = { 0, 1, 2 }
# net.core.bpf_jit_harden  = { 0, 1, 2 }

include <uapi/linux/bpf.h>
include <uapi/linux/btf.h>
include <uapi/linux/if_link.h>
include <uapi/linux/netfilter.h>

resource fd_bpf_map[fd]: BPF_PSEUDO_MAP_FD
resource fd_bpf_prog[fd]
resource fd_btf[fd]
resource fd_bpf_token[fd]
resource bpf_prog_id[int32]: 0, -1
resource bpf_map_id[int32]: 0, -1
resource bpf_btf_id[int32]: 0, -1
resource bpf_link_id[int32]: 0, -1
resource fd_bpf_link[fd]
resource bpf_revision[int64]
resource fd_bpf_const_str_map[fd_bpf_map]
resource fd_bpf_const_str[fd_bpf_const_str_map]
resource bpf_frozen_const_str[fd_bpf_const_str]
resource tail_call_map_fd[fd_bpf_map]
resource tail_call_map[tail_call_map_fd]
resource ringbuf_map_fd[fd_bpf_map]

# NEED: this is a random index in btf_header:types. We can't express this, so we just use a small index.
type btf_type_id int32[1:5]
# NEED: opt modified on typedefs, this could be btf_type_id[opt]
type btf_opt_type_id int32[0:5]

# NEED: offset in bpf_btf_program:strings. We can't express this, so we just use a small index.
type btf_name_off int32[1:16]
type btf_opt_name_off int32[0:16]

# NEED: offset in bpf_prog_t:fd_array. We can't express this, so we just use a small index.
type map_fd_id int32[0:16]

bpf$MAP_CREATE(cmd const[BPF_MAP_CREATE], arg ptr[in, bpf_map_create_arg], size len[arg]) fd_bpf_map
bpf$MAP_CREATE_RINGBUF(cmd const[BPF_MAP_CREATE], arg ptr[in, bpf_map_create_arg_ringbuf], size len[arg]) ringbuf_map_fd
bpf$MAP_CREATE_CONST_STR(cmd const[BPF_MAP_CREATE], arg ptr[in, bpf_map_create_arg_const_str], size len[arg]) fd_bpf_const_str_map
bpf$MAP_CREATE_TAIL_CALL(cmd const[BPF_MAP_CREATE], arg ptr[in, bpf_map_create_arg_tail_call], size len[arg]) tail_call_map_fd
bpf$MAP_LOOKUP_ELEM(cmd const[BPF_MAP_LOOKUP_ELEM], arg ptr[in, bpf_map_lookup_arg], size len[arg])
bpf$MAP_UPDATE_ELEM(cmd const[BPF_MAP_UPDATE_ELEM], arg ptr[in, bpf_map_update_arg], size len[arg])
bpf$MAP_UPDATE_CONST_STR(cmd const[BPF_MAP_UPDATE_ELEM], arg ptr[inout, bpf_map_update_const_str_arg], size len[arg])
bpf$MAP_UPDATE_ELEM_TAIL_CALL(cmd const[BPF_MAP_UPDATE_ELEM], arg ptr[inout, bpf_map_update_tail_call_arg], size len[arg])
bpf$MAP_DELETE_ELEM(cmd const[BPF_MAP_DELETE_ELEM], arg ptr[in, bpf_map_delete_arg], size len[arg])
bpf$MAP_GET_NEXT_KEY(cmd const[BPF_MAP_GET_NEXT_KEY], arg ptr[in, bpf_map_get_next_arg], size len[arg])
bpf$PROG_LOAD(cmd const[BPF_PROG_LOAD], arg ptr[in, bpf_prog], size len[arg]) fd_bpf_prog
bpf$OBJ_PIN_MAP(cmd const[BPF_OBJ_PIN], arg ptr[in, bpf_obj_pin_map], size len[arg])
bpf$OBJ_PIN_PROG(cmd const[BPF_OBJ_PIN], arg ptr[in, bpf_obj_pin_prog], size len[arg])
bpf$OBJ_GET_MAP(cmd const[BPF_OBJ_GET], arg ptr[in, bpf_obj_get], size len[arg]) fd_bpf_map
bpf$OBJ_GET_PROG(cmd const[BPF_OBJ_GET], arg ptr[in, bpf_obj_get], size len[arg]) fd_bpf_prog
bpf$BPF_PROG_ATTACH(cmd const[BPF_PROG_ATTACH], arg ptr[in, bpf_attach_arg], size len[arg])
bpf$BPF_PROG_DETACH(cmd const[BPF_PROG_DETACH], arg ptr[in, bpf_detach_arg], size len[arg])
bpf$BPF_PROG_TEST_RUN(cmd const[BPF_PROG_TEST_RUN], arg ptr[in, bpf_test_prog_arg], size len[arg])
bpf$BPF_PROG_GET_NEXT_ID(cmd const[BPF_PROG_GET_NEXT_ID], arg ptr[inout, bpf_prog_get_next_id_arg], size len[arg])
bpf$BPF_MAP_GET_NEXT_ID(cmd const[BPF_MAP_GET_NEXT_ID], arg ptr[inout, bpf_map_get_next_id_arg], size len[arg])
bpf$BPF_BTF_GET_NEXT_ID(cmd const[BPF_BTF_GET_NEXT_ID], arg ptr[inout, bpf_btf_get_next_id_arg], size len[arg])
bpf$BPF_PROG_GET_FD_BY_ID(cmd const[BPF_PROG_GET_FD_BY_ID], arg ptr[in, bpf_prog_get_fd_by_id_arg], size len[arg]) fd_bpf_prog
bpf$BPF_MAP_GET_FD_BY_ID(cmd const[BPF_MAP_GET_FD_BY_ID], arg ptr[in, bpf_map_get_fd_by_id_arg], size len[arg]) fd_bpf_map
bpf$BPF_GET_PROG_INFO(cmd const[BPF_OBJ_GET_INFO_BY_FD], arg ptr[in, bpf_get_prog_info_arg], size len[arg])
bpf$BPF_GET_MAP_INFO(cmd const[BPF_OBJ_GET_INFO_BY_FD], arg ptr[in, bpf_get_map_info_arg], size len[arg])
bpf$BPF_GET_BTF_INFO(cmd const[BPF_OBJ_GET_INFO_BY_FD], arg ptr[in, bpf_get_btf_info_arg], size len[arg])
bpf$BPF_PROG_QUERY(cmd const[BPF_PROG_QUERY], arg ptr[inout, bpf_prog_query], size len[arg])
bpf$BPF_BTF_LOAD(cmd const[BPF_BTF_LOAD], arg ptr[in, bpf_btf_load], size len[arg]) fd_btf
bpf$BPF_BTF_GET_FD_BY_ID(cmd const[BPF_BTF_GET_FD_BY_ID], arg ptr[in, bpf_btf_id], size len[arg]) fd_btf
bpf$BPF_TASK_FD_QUERY(cmd const[BPF_TASK_FD_QUERY], arg ptr[inout, bpf_task_fd_query], size len[arg])
bpf$BPF_MAP_LOOKUP_AND_DELETE_ELEM(cmd const[BPF_MAP_LOOKUP_AND_DELETE_ELEM], arg ptr[in, bpf_map_lookup_arg], size len[arg])
bpf$BPF_MAP_FREEZE(cmd const[BPF_MAP_FREEZE], arg ptr[in, fd_bpf_map], size len[arg])
bpf$BPF_MAP_CONST_STR_FREEZE(cmd const[BPF_MAP_FREEZE], arg ptr[inout, bpf_map_const_str_freeze], size len[arg])
bpf$MAP_LOOKUP_BATCH(cmd const[BPF_MAP_LOOKUP_BATCH], arg ptr[in, bpf_map_batch_arg], size len[arg])
bpf$MAP_UPDATE_BATCH(cmd const[BPF_MAP_UPDATE_BATCH], arg ptr[in, bpf_map_batch_arg], size len[arg])
bpf$MAP_DELETE_BATCH(cmd const[BPF_MAP_DELETE_BATCH], arg ptr[in, bpf_map_batch_arg], size len[arg])
bpf$BPF_MAP_LOOKUP_AND_DELETE_BATCH(cmd const[BPF_MAP_LOOKUP_AND_DELETE_BATCH], arg ptr[in, bpf_map_batch_arg], size len[arg])
bpf$BPF_LINK_CREATE(cmd const[BPF_LINK_CREATE], arg ptr[in, bpf_link_create_arg], size len[arg]) fd_bpf_link
bpf$BPF_LINK_UPDATE(cmd const[BPF_LINK_UPDATE], arg ptr[in, bpf_link_update_arg], size len[arg])
bpf$ENABLE_STATS(cmd const[BPF_ENABLE_STATS], arg ptr[in, bpf_enable_stats_arg], size len[arg])
bpf$ITER_CREATE(cmd const[BPF_ITER_CREATE], arg ptr[in, bpf_iter_create_arg], size len[arg]) fd
bpf$LINK_GET_FD_BY_ID(cmd const[BPF_LINK_GET_FD_BY_ID], arg ptr[in, bpf_link_id], size len[arg]) fd_bpf_link
bpf$LINK_GET_NEXT_ID(cmd const[BPF_LINK_GET_NEXT_ID], arg ptr[inout, bpf_link_get_next_id_arg], size len[arg])
bpf$LINK_DETACH(cmd const[BPF_LINK_DETACH], arg ptr[in, fd_bpf_link], size len[arg])
bpf$PROG_BIND_MAP(cmd const[BPF_PROG_BIND_MAP], arg ptr[in, bpf_prog_bind_map_arg], size len[arg])
bpf$TOKEN_CREATE(cmd const[BPF_TOKEN_CREATE], arg ptr[in, bpf_token_create_arg], size len[arg]) fd_bpf_token

resource fd_bpf_prog_xdp[fd_bpf_prog]
bpf$PROG_LOAD_XDP(cmd const[BPF_PROG_LOAD], arg ptr[in, bpf_prog_xdp], size len[arg]) fd_bpf_prog_xdp
bpf$BPF_LINK_CREATE_XDP(cmd const[BPF_LINK_CREATE], arg ptr[in, bpf_link_create_xdp], size len[arg]) fd_bpf_link
bpf$BPF_PROG_TEST_RUN_LIVE(cmd const[BPF_PROG_TEST_RUN], arg ptr[in, bpf_test_prog_live_arg], size len[arg])
type bpf_prog_xdp bpf_prog_t[const[BPF_PROG_TYPE_XDP, int32], const[BPF_XDP, int32], const[0, int32], const[0, int32]]
type bpf_link_create_xdp bpf_link_create_arg_t[fd_bpf_prog_xdp, ifindex, const[BPF_XDP, int32], flags[xdp_flags, int32]]
xdp_flags = XDP_FLAGS_UPDATE_IF_NOEXIST, XDP_FLAGS_SKB_MODE, XDP_FLAGS_DRV_MODE, XDP_FLAGS_HW_MODE, XDP_FLAGS_REPLACE

bpf_map_const_str_freeze {
	in	fd_bpf_const_str
	out	bpf_frozen_const_str	(out_overlay)
}

bpf_map_create_arg [
	base		bpf_map_create_arg_base
	bloom_filter	bpf_map_create_arg_bf
] [varlen]

type bpf_map_create_arg_t[TYPE, KSIZE, VSIZE, MAX, FLAGS, MAP_EXTRA] {
	type			TYPE
	ksize			KSIZE
	vsize			VSIZE
	max			MAX
	flags			FLAGS
	inner			fd_bpf_map[opt]
	node			int32
	map_name		array[const[0, int8], BPF_OBJ_NAME_LEN]
	map_ifindex		ifindex[opt]
	btf_fd			fd_btf[opt]
	btf_key_type_id		btf_opt_type_id
	btf_value_type_id	btf_opt_type_id
	btf_vmlinux_type_id	btf_opt_type_id
	map_extra		MAP_EXTRA
# NEED: value_type_btf_obj_fd should also depend on the map type but AND operators are not yet supported in conditional fields.
	value_type_btf_obj_fd	fd_btf	(if[value[flags] & BPF_F_VTYPE_BTF_OBJ_FD != 0])
	pad1			const[0, int32]	(if[value[flags] & BPF_F_VTYPE_BTF_OBJ_FD == 0])
	map_token_fd		fd_bpf_token	(if[value[flags] & BPF_F_TOKEN_FD != 0])
	pad2			const[0, int32]	(if[value[flags] & BPF_F_TOKEN_FD == 0])
} [packed]

type bpf_map_create_arg_base bpf_map_create_arg_t[flags[bpf_map_type, int32], int32, int32, int32, flags[map_flags, int32], const[0, int64]]
type bpf_map_create_arg_bf bpf_map_create_arg_t[const[BPF_MAP_TYPE_BLOOM_FILTER, int32], int32, int32, int32, flags[map_flags, int32], int64[0:15]]
type bpf_map_create_arg_ringbuf bpf_map_create_arg_t[const[BPF_MAP_TYPE_RINGBUF, int32], const[0, int32], const[0, int32], int32, const[0, int32], const[0, int64]]
type bpf_map_create_arg_const_str bpf_map_create_arg_t[const[BPF_MAP_TYPE_ARRAY, int32], const[4, int32], const[8, int32], const[1, int32], const[BPF_F_RDONLY_PROG, int32], const[0, int64]]
type bpf_map_create_arg_tail_call bpf_map_create_arg_t[const[BPF_MAP_TYPE_PROG_ARRAY, int32], const[4, int32], const[4, int32], const[10, int32], const[0, int32], const[0, int64]]

bpf_map_get_fd_by_id_arg {
	map_id		bpf_map_id
	next_id		int32
	open_flags	flags[bpf_open_flags, int32]
}

bpf_map_lookup_arg {
	map	fd_bpf_map
	key	ptr64[in, array[int8]]
	val	ptr64[out, array[int8]]
	flags	flags[bpf_lookup_flags, int64]
}

bpf_map_update_val [
	buf	array[int8]
	udp	sock_udp
	udp6	sock_udp6
	tcp	sock_tcp
	tcp6	sock_tcp6
] [varlen]

bpf_map_update_arg {
	map	fd_bpf_map
	key	ptr64[in, array[int8]]
	val	ptr64[in, bpf_map_update_val]
	flags	flags[bpf_map_flags, int64]
}

map_bpf_const_str {
	in	fd_bpf_const_str_map
	out	fd_bpf_const_str	(out_overlay)
}

bpf_printf_str = "%-010d ", "%pK    ", "%+9llu ", "%pS    ", "%ps    ", "%pB    ", "%pI4   ", "%pi6   ", "%-5lx  "

bpf_map_update_const_str_arg {
	map	map_bpf_const_str
	key	ptr64[in, const[0, int32]]
	val	ptr64[in, string[bpf_printf_str]]
	flags	const[0, int64]
}

tail_call_map_update {
	in	tail_call_map_fd
	out	tail_call_map	(out_overlay)
}

bpf_map_update_tail_call_arg {
	map	tail_call_map_update
	key	ptr64[in, const[0, int32]]
	val	ptr64[in, fd_bpf_prog]
	flags	const[0, int64]
}

bpf_map_delete_arg {
	map	fd_bpf_map
	key	ptr64[in, array[int8]]
	value	const[0, int64]
	flags	const[0, int64]
}

bpf_map_get_next_arg {
	map	fd_bpf_map
	key	ptr64[in, array[int8]]
	next	ptr64[out, array[int8]]
	flags	const[0, int64]
}

bpf_map_batch_arg {
	in_batch	ptr64[in, array[int8]]
	out_batch	ptr64[out, array[int8]]
	key		ptr64[in, array[int8]]
	val		ptr64[in, array[int8]]
	count		int32
	map_fd		fd_bpf_map
	elem_flags	flags[bpf_batch_flags, int64]
	flags		const[0, int64]
}

bpf_iter_link_cgroup {
	order		flags[bpf_cgroup_iter_order, int32]
	cgroup_fd	fd_cgroup
	cgroup_id	int64
}

bpf_iter_link_task {
	tid	pid
	pid	pid
	pid_fd	fd_pidfd
}

bpf_iter_link_info [
	map_fd	fd_bpf_map
	cgroup	bpf_iter_link_cgroup
	task	bpf_iter_link_task
]

link_create_iter {
	iter_info	ptr[in, bpf_iter_link_info]
	iter_info_len	bytesize[iter_info, int32]
}

link_create_perf_event {
	bpf_cookie	int64
}

link_create_kprobe_multi_addrs {
	flags	flags[bpf_link_create_kprobe_multi_flags, int32]
	cnt	len[addrs, int32]
	syms	const[0, int64]
	addrs	ptr64[in, array[int64]]
	cookies	int64
}

link_create_kprobe_multi_symbols {
	flags	flags[bpf_link_create_kprobe_multi_flags, int32]
	cnt	len[syms, int32]
	syms	ptr64[in, array[ptr[in, string]]]
	addrs	const[0, int64]
	cookies	int64
}

link_create_kprobe_multi [
	addrs	link_create_kprobe_multi_addrs
	syms	link_create_kprobe_multi_symbols
]

link_create_tracing {
	target_btf_id	bpf_btf_id
	cookie		int64
}

link_create_netfilter {
	pf		flags[nfproto, int32]
	hooknum		flags[nf_dev_hooks, int32]
	priority	int32
	flags		flags[bpf_link_create_netfilter_flags, int32]
}

link_create_tcx {
	relative_link_fd	fd_bpf_link	(if[value[bpf_link_create_arg_t:flags] & BPF_F_LINK_OR_ID == BPF_F_LINK])
	relative_prog_fd	fd_bpf_prog	(if[value[bpf_link_create_arg_t:flags] & BPF_F_LINK_OR_ID == 0])
	relative_link_id	bpf_link_id	(if[value[bpf_link_create_arg_t:flags] & BPF_F_LINK_OR_ID == BPF_F_LINK_OR_ID])
	relative_prog_id	bpf_prog_id	(if[value[bpf_link_create_arg_t:flags] & BPF_F_LINK_OR_ID == BPF_F_ID])
	exp_revision		bpf_revision
} [packed]

link_create_uprobe_multi {
	path		ptr64[in, filename]
	offsets		ptr64[in, array[int64]]
	ref_ctr_offsets	ptr64[in, array[int64[0:5]], opt]
	cookies		int64
	cnt		len[offsets, int32]
	flags		flags[bpf_link_create_uprobe_multi_flags, int32]
	pid		pid
}

link_create_netkit {
	relative_link_fd	fd_bpf_link	(if[value[bpf_link_create_arg_t:flags] & BPF_F_LINK_OR_ID == BPF_F_LINK])
	relative_prog_fd	fd_bpf_prog	(if[value[bpf_link_create_arg_t:flags] & BPF_F_LINK_OR_ID == 0])
	relative_link_id	bpf_link_id	(if[value[bpf_link_create_arg_t:flags] & BPF_F_LINK_OR_ID == BPF_F_LINK_OR_ID])
	relative_prog_id	bpf_prog_id	(if[value[bpf_link_create_arg_t:flags] & BPF_F_LINK_OR_ID == BPF_F_ID])
	exp_revision		bpf_revision
} [packed]

link_create_arg_extra [
	target_btf_id	bpf_btf_id
	iter		link_create_iter
	perf_event	link_create_perf_event
	kprobe_multi	link_create_kprobe_multi
	tracing		link_create_tracing
	netfilter	link_create_netfilter
	tcx		link_create_tcx
	uprobe_multi	link_create_uprobe_multi
	netkit		link_create_netkit
] [varlen]

type bpf_link_create_arg_t[PROG_FD, TARGET_FD, ATTACH_TYPE, FLAGS] {
	prog_fd		PROG_FD
	target_fd	TARGET_FD
	attach_type	ATTACH_TYPE
	flags		FLAGS
	extra		optional[link_create_arg_extra]
}

type bpf_link_create_arg bpf_link_create_arg_t[fd_bpf_prog, fd_cgroup, flags[bpf_attach_types_link_create, int32], const[0, int32]]

bpf_link_update_arg {
	link_fd		fd_bpf_link
	new_prog_fd	fd_bpf_prog
	flags		flags[bpf_link_update_flags, int32]
	old_prog_fd	fd_bpf_prog
}

bpf_enable_stats_arg {
	type	flags[bpf_stat_types, int32]
}

bpf_iter_create_arg {
	link_fd	fd_bpf_link
	flags	const[0, int32]
}

bpf_batch_flags = BPF_F_LOCK

bpf_obj_pin_map [
	generic	bpf_obj_pin_map_generic
	o_path	bpf_obj_pin_map_o_path
]

bpf_obj_pin_prog [
	generic	bpf_obj_pin_prog_generic
	o_path	bpf_obj_pin_prog_o_path
]

bpf_obj_get [
	generic	bpf_obj_get_generic
	o_path	bpf_obj_get_o_path
]

# NEED: these filenames must be on bpf filesystem, can we do it somehow?
bpf_obj_pin_map_generic {
	path	ptr64[in, filename]
	fd	fd_bpf_map
	flags	const[0, int32]
	path_fd	const[0, int32]
}

bpf_obj_pin_prog_generic {
	path	ptr64[in, filename]
	fd	fd_bpf_prog
	flags	const[0, int32]
	path_fd	const[0, int32]
}

bpf_obj_get_generic {
	path		ptr64[in, filename]
	fd		const[0, int32]
	file_flags	flags[bpf_open_flags, int32]
	path_fd		const[0, int32]
}

# NEED: Specific type for O_PATH fds (for path_fd).
bpf_obj_pin_map_o_path {
	path	ptr64[in, filename]
	fd	fd_bpf_map
	flags	const[BPF_F_PATH_FD, int32]
	path_fd	fd
}

bpf_obj_pin_prog_o_path {
	path	ptr64[in, filename]
	fd	fd_bpf_prog
	flags	const[BPF_F_PATH_FD, int32]
	path_fd	fd
}

bpf_obj_get_o_path {
	path		ptr64[in, filename]
	fd		const[0, int32]
	file_flags	flags[bpf_obj_get_flags, int32]
	path_fd		fd
}

# These defines should match the mapping implemented by attach_type_to_prog_type in the kernel.
define EXP_TYPE_CGROUP_SKB	BPF_CGROUP_INET_INGRESS | BPF_CGROUP_INET_EGRESS
define EXP_TYPE_CGROUP_SOCK	BPF_CGROUP_INET_SOCK_CREATE | BPF_CGROUP_INET_SOCK_RELEASE | BPF_CGROUP_INET4_POST_BIND | BPF_CGROUP_INET6_POST_BIND
define EXP_TYPE_CGROUP_SOCK_ADDR	BPF_CGROUP_INET4_BIND | BPF_CGROUP_INET6_BIND | BPF_CGROUP_INET4_CONNECT | BPF_CGROUP_INET6_CONNECT | BPF_CGROUP_UNIX_CONNECT | BPF_CGROUP_INET4_GETPEERNAME | BPF_CGROUP_INET6_GETPEERNAME | BPF_CGROUP_UNIX_GETPEERNAME | BPF_CGROUP_INET4_GETSOCKNAME | BPF_CGROUP_INET6_GETSOCKNAME | BPF_CGROUP_UNIX_GETSOCKNAME | BPF_CGROUP_UDP4_SENDMSG | BPF_CGROUP_UDP6_SENDMSG | BPF_CGROUP_UNIX_SENDMSG | BPF_CGROUP_UDP4_RECVMSG | BPF_CGROUP_UDP6_RECVMSG | BPF_CGROUP_UNIX_RECVMSG
define EXP_TYPE_SOCK_OPS	BPF_CGROUP_SOCK_OPS
define EXP_TYPE_CGROUP_DEVICE	BPF_CGROUP_DEVICE
define EXP_TYPE_SK_MSG	BPF_SK_MSG_VERDICT
define EXP_TYPE_SK_SKB	BPF_SK_SKB_STREAM_PARSER | BPF_SK_SKB_STREAM_VERDICT | BPF_SK_SKB_VERDICT
define EXP_TYPE_LIRC_MODE2	BPF_LIRC_MODE2
define EXP_TYPE_FLOW_DISSECTOR	BPF_FLOW_DISSECTOR
define EXP_TYPE_CGROUP_SYSCTL	BPF_CGROUP_SYSCTL
define EXP_TYPE_CGROUP_SOCKOPT	BPF_CGROUP_GETSOCKOPT | BPF_CGROUP_SETSOCKOPT
define EXP_TYPE_TRACING	BPF_TRACE_ITER | BPF_TRACE_RAW_TP | BPF_TRACE_FENTRY | BPF_TRACE_FEXIT | BPF_MODIFY_RETURN
define EXP_TYPE_LSM	BPF_LSM_MAC | BPF_LSM_CGROUP
define EXP_TYPE_SK_LOOKUP	BPF_SK_LOOKUP
define EXP_TYPE_XDP	BPF_XDP
define EXP_TYPE_SCHED_CLS	BPF_TCX_INGRESS | BPF_TCX_EGRESS | BPF_NETKIT_PRIMARY | BPF_NETKIT_PEER

define EXP_MAP	EXP_TYPE_SK_MSG | EXP_TYPE_SK_SKB
define EXP_CGROUP	EXP_TYPE_CGROUP_DEVICE | EXP_TYPE_CGROUP_SKB | EXP_TYPE_CGROUP_SOCK | EXP_TYPE_CGROUP_SOCK_ADDR | EXP_TYPE_CGROUP_SOCKOPT | EXP_TYPE_CGROUP_SYSCTL | EXP_TYPE_SOCK_OPS | EXP_TYPE_LSM

bpf_attach_targets [
	cgroup		fd_cgroup	(if[value[parent:parent:type] & EXP_CGROUP != 0])
	map		fd_bpf_map	(if[value[parent:parent:type] & EXP_MAP != 0])
	ifindex		ifindex	(if[value[parent:parent:type] & BPF_PROG_TYPE_SCHED_CLS != 0])
	fallback	fd
]

define BPF_F_LINK_OR_ID	BPF_F_LINK | BPF_F_ID

bpf_attach_arg {
	target			bpf_attach_targets
	attach_bpf_fd		fd_bpf_prog
	type			flags[bpf_attach_types, int32]
	flags			flags[bpf_attach_flags, int32]
	replace_bpf_fd		fd_bpf_prog
	relative_link_fd	fd_bpf_link	(if[value[flags] & BPF_F_LINK_OR_ID == BPF_F_LINK])
	relative_prog_fd	fd_bpf_prog	(if[value[flags] & BPF_F_LINK_OR_ID == 0])
	relative_link_id	bpf_link_id	(if[value[flags] & BPF_F_LINK_OR_ID == BPF_F_LINK_OR_ID])
	relative_prog_id	bpf_prog_id	(if[value[flags] & BPF_F_LINK_OR_ID == BPF_F_ID])
	exp_revision		bpf_revision
} [packed]

bpf_detach_arg {
	target			bpf_attach_targets
	prog			fd_bpf_prog
	type			flags[bpf_attach_types, int32]
	flags			flags[bpf_mprog_attach_flags, int32]
	replace_bpf_fd		const[0, int32]
	relative_link_fd	fd_bpf_link	(if[value[flags] & BPF_F_LINK_OR_ID == BPF_F_LINK])
	relative_prog_fd	fd_bpf_prog	(if[value[flags] & BPF_F_LINK_OR_ID == 0])
	relative_link_id	bpf_link_id	(if[value[flags] & BPF_F_LINK_OR_ID == BPF_F_LINK_OR_ID])
	relative_prog_id	bpf_prog_id	(if[value[flags] & BPF_F_LINK_OR_ID == BPF_F_ID])
	exp_revision		bpf_revision
} [packed]

bpf_test_prog_arg {
	prog		fd_bpf_prog
	retval		const[0, int32]
	insizedata	len[indata, int32]
	outsizedata	len[outdata, int32]
	indata		ptr64[in, array[int8]]
	outdata		ptr64[out, array[int8]]
	repeat		int32
	dur		const[0, int32]
	insizectx	len[inctx, int32]
	outsizectx	len[outctx, int32]
	inctx		ptr64[in, array[int8]]
	outctx		ptr64[in, array[int8]]
	flags		flags[bpf_prog_test_run_flags, int32]
	cpu		const[0, int32]
	batch_size	int32
}

bpf_test_prog_live_arg {
	prog		fd_bpf_prog_xdp
	retval		const[0, int32]
	insizedata	len[indata, int32]
	outsizedata	const[0, int32]
	indata		ptr64[in, array[int8]]
	outdata		const[0, int64]
	repeat		int32
	dur		const[0, int32]
	insizectx	len[inctx, int32]
	outsizectx	const[0, int32]
	inctx		ptr64[in, array[int8]]
	outctx		const[0, int64]
	flags		const[BPF_F_TEST_XDP_LIVE_FRAMES, int32]
	cpu		const[0, int32]
	batch_size	int32
}

bpf_prog_get_next_id_arg {
	start	int32	(in)
	next_id	bpf_prog_id	(out)
}

bpf_map_get_next_id_arg {
	start	int32	(in)
	next_id	bpf_map_id	(out)
}

bpf_btf_get_next_id_arg {
	start	int32	(in)
	next_id	bpf_btf_id	(out)
}

bpf_link_get_next_id_arg {
	start	int32	(in)
	next_id	bpf_link_id	(out)
}

bpf_prog_get_fd_by_id_arg {
	prog	bpf_prog_id
}

bpf_prog_bind_map_arg {
	prog_fd	fd_bpf_prog
	map_fd	fd_bpf_map
	flags	const[0, int32]
}

bpf_token_create_arg {
	flags		const[0, int32]
	bpffs_id	fd
}

bpf_get_prog_info_arg {
	prog	fd_bpf_prog
	len	len[info, int32]
	info	ptr64[out, bpf_prog_info]
}

# These are defined in bpf/verifier.c.
define MIN_BPF_FUNCINFO_SIZE	8
define MAX_FUNCINFO_REC_SIZE	252

bpf_prog_info {
	type				int32
	id				bpf_prog_id
	tag				int64
	jited_prog_len			int32
	xlated_prog_len			int32
	jited_prog_insns		int64
	xlated_prog_insns		int64
	load_time			int64
	created_by_uid			int32
	nr_map_ids			len[map_ids, int32]	(in)
# We could declare these as bpf_map_id, but this is not the best way to obtain these resources.
	map_ids				ptr64[out, array[int32]]
	name				array[int8, BPF_OBJ_NAME_LEN]
	ifindex				ifindex
	gpl_compatible			int32:1
	netns_dev			int64
	netns_ino			int64
	nr_jited_ksyms			len[jited_ksyms, int32]	(in)
	nr_jited_func_lens		len[jited_func_lens, int32]	(in)
	jited_ksyms			ptr64[out, array[int64]]
	jited_func_lens			ptr64[out, array[int32]]
	btf_id				bpf_btf_id
	func_info_rec_size		int32[MIN_BPF_FUNCINFO_SIZE:MAX_FUNCINFO_REC_SIZE]	(in)
	func_info			ptr64[out, array[bpf_func_info]]
	nr_func_info			bytesize[func_info, int32]	(in)
	nr_line_info			len[line_info, int32]	(in)
	line_info			ptr64[out, bpf_line_info]
	jited_line_info			ptr64[out, int64]
	nr_jited_line_info		len[jited_line_info, int32]	(in)
	line_info_rec_size		int32[MIN_BPF_FUNCINFO_SIZE:MAX_FUNCINFO_REC_SIZE]	(in)
	jited_line_info_rec_size	const[8, int32]	(in)
	nr_prog_tags			len[prog_tags, int32]	(in)
	prog_tags			ptr64[out, int64]
	run_time_ns			int64
	run_cnt				int64
	recursion_misses		int64
	verified_insns			int32
} [align[8]]

bpf_get_map_info_arg {
	prog	fd_bpf_map
	len	len[info, int32]
	info	ptr64[out, bpf_map_info]
}

bpf_map_info {
	type				int32
	id				bpf_map_id
	key_size			int32
	value_size			int32
	max_entries			int32
	map_flags			int32
	name				array[int8, BPF_OBJ_NAME_LEN]
	ifindex				ifindex
	btf_vmlinux_value_type_id	int32
	netns_dev			int64
	netns_ino			int64
	btf_id				int32
	btf_key_type_id			int32
	btf_value_type_id		int32
	map_extra			align64[int64]
} [align[8]]

bpf_get_btf_info_arg {
	btf	fd_btf	(in)
	len	len[info, int32]	(in)
	info	ptr64[out, bpf_btf_info]
}

bpf_btf_info {
	btf		ptr64[out, array[int8]]
	btf_size	bytesize[btf, int32]	(in)
	id		bpf_btf_id
	name		ptr64[out, array[int8]]
	name_len	bytesize[name, int32]
	kernel_btf	int32
} [align[8]]

bpf_prog_query {
	target_fd		bpf_attach_targets
	type			flags[bpf_prog_query_attach_type, int32]
	query_flags		flags[bpf_prog_query_flags, int32]
	attach_flags		int32
	prog_ids		ptr64[out, array[int32]]
	prog_cnt		len[prog_ids, int32]
	pad			const[0, int32]
	prog_attach_flags	ptr64[out, array[int32]]
	link_ids		ptr64[out, array[int32]]
	link_attach_flags	ptr64[out, array[int32]]
	revision		bpf_revision	(out)
} [packed, align[8]]

bpf_btf_load {
	btf			ptr64[in, bpf_btf_program]
	btf_log_buf		ptr64[out, array[int8]]
	btf_size		bytesize[btf, int32]
	btf_log_size		bytesize[btf_log_buf, int32]
	btf_log_level		bool32
	btf_log_true_size	int32
	btf_flags		flags[btf_load_flags, int32]
	btf_token_fd		fd_bpf_token	(if[value[btf_flags] & BPF_F_TOKEN_FD != 0])
	pad			const[0, int32]	(if[value[btf_flags] & BPF_F_TOKEN_FD == 0])
} [packed, align[8]]

bpf_btf_program {
	header	btf_header
	strings	bpf_btf_strings
} [packed]

btf_header {
	magic		const[BTF_MAGIC, int16]
	version		const[BTF_VERSION, int8]
	flags		const[0, int8]
	hdr_len		const[0x18, int32]
	type_off	const[0, int32]
	type_len	bytesize[types, int32]
	str_off		bytesize[types, int32]
	str_len		bytesize[bpf_btf_program:strings, int32]
	types		array[btf_type]
} [align[4]]

btf_type [
	int		btf_type_int
	ptr		btf_type_ref_t[BTF_KIND_PTR]
	array		btf_type_array
	struct		btf_type_struct_t[BTF_KIND_STRUCT]
	union		btf_type_struct_t[BTF_KIND_UNION]
	enum		btf_type_enum
	fwd		btf_type_fwd
	typedef		btf_type_ref_t[BTF_KIND_TYPEDEF]
	volatile	btf_type_ref_t[BTF_KIND_VOLATILE]
	const		btf_type_ref_t[BTF_KIND_CONST]
	restrict	btf_type_ref_t[BTF_KIND_RESTRICT]
	func		btf_type_func
	func_proto	btf_type_func_proto
	var		btf_type_var
	datasec		btf_type_datasec
	float		btf_type_float
	decl_tag	btf_type_decl_tag
	type_tag	btf_type_type_tag
	enum64		btf_type_enum64
] [varlen]

btf_type_int {
# Note: this is an offset in bpf_btf_program:strings
	name_off	btf_opt_name_off
	info_vlen	const[0, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_INT, int8]
	size		const[0, int32]
	bits		int8[0:128]
	pad		const[0, int8]
	offset		int8[0:128]
	encoding	flags[btf_type_int_encoding, int8]
}

btf_type_int_encoding = BTF_INT_SIGNED, BTF_INT_CHAR, BTF_INT_BOOL

type btf_type_ref_t[TYP] {
	name_off	btf_opt_name_off
	info_vlen	const[0, int16]
	info_pad	const[0, int8]
	info_typ	const[TYP, int8]
	type		btf_opt_type_id
}

btf_type_array {
	name_off	const[0, int32]
	info_vlen	const[0, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_ARRAY, int8]
	size		const[0, int32]
	data		btf_array
}

btf_array {
	type		btf_type_id
	index_type	btf_type_id
	nelems		int32
}

type btf_type_struct_t[TYP] {
	name_off	btf_opt_name_off
	info_vlen	len[fields, int16]
	info_pad	const[0, int8]
	info_typ	const[TYP, int8:7]
	info_kflag	int8:1
	size		int32
	fields		array[btf_member]
}

btf_member {
	name_off	btf_opt_name_off
	type		btf_opt_type_id
	offset		int32
}

btf_type_enum {
	name_off	btf_opt_name_off
	info_vlen	len[values, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_ENUM, int8]
	size		const[4, int32]
	values		array[btf_enum]
}

btf_enum {
	name_off	btf_opt_name_off
	val		int32
}

btf_type_fwd {
	name_off	btf_name_off
	info_vlen	const[0, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_FWD, int8]
	size		const[0, int32]
}

btf_type_func {
	name_off	btf_name_off
	info_vlen	const[0, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_FUNC, int8]
	type		btf_type_id
}

btf_type_func_proto {
	name_off	const[0, int32]
	info_vlen	len[params, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_FUNC_PROTO, int8]
	size		const[0, int32]
	params		array[btf_param]
}

btf_param {
	name_off	btf_opt_name_off
	type		btf_opt_type_id
}

btf_type_var {
	name_off	btf_name_off
	info_vlen	const[0, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_VAR, int8]
	type		btf_type_id
	linkage		flags[btf_linkage_values, int32]
}

btf_type_datasec {
	name_off	btf_name_off
	info_vlen	len[secinfo, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_DATASEC, int8]
	size		bytesize[data, int32]
	secinfo		array[btf_var_secinfo]
	data		array[int8, 1:3]
} [packed]

btf_var_secinfo {
	type	btf_type_id
# NEED: offset/size are for btf_type_datasec:data and must be increasing and within bounds (see btf_datasec_check_meta)
	offset	int32
	size	int32
}

btf_float_size = 2, 4, 8, 12, 16

btf_type_float {
	name_off	btf_name_off
	info_vlen	const[0, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_FLOAT, int8]
	size		flags[btf_float_size, int32]
}

btf_type_decl_tag {
	name_off	btf_name_off
	info_vlen	const[0, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_DECL_TAG, int8]
	type		btf_type_id
# -1 or the index of a struct field or function argument.
	component_idx	int32[-1:10]
}

btf_type_type_tag {
	name_off	btf_name_off
	info_vlen	const[0, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_TYPE_TAG, int8]
	type		btf_type_id
}

btf_enum64_sizes = 1, 2, 4, 8

btf_type_enum64 {
	name_off	btf_name_off
	info_vlen	len[enum64, int16]
	info_pad	const[0, int8]
	info_typ	const[BTF_KIND_ENUM64, int8:7]
	info_kflag	int8:1
	size		flags[btf_enum64_sizes, int32]
	enum64		array[btf_enum64]
}

btf_enum64 {
	name_off	btf_name_off
	val_lo32	int32
	val_hi32	int32
}

bpf_btf_strings {
	z0	const[0, int8]
	data	array[flags[bpf_btf_strings_elem, int8]]
	z1	const[0, int8]
} [packed]

bpf_btf_strings_elem = 'a', '0', '_', '.', 0

bpf_task_fd_query {
	pid		pid	(in)
	fd		fd_perf_base	(in)
	flags		const[0, int32]	(in)
	buf_len		bytesize[buf, int32]	(in)
	buf		ptr64[in, string]	(in)
	prog_id		bpf_prog_id	(out)
	fd_type		int32	(out)
	probe_offset	int64	(out)
	probe_addr	int64	(out)
}

bpf_map_type = BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PROG_ARRAY, BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_MAP_TYPE_STACK_TRACE, BPF_MAP_TYPE_CGROUP_ARRAY, BPF_MAP_TYPE_PERCPU_HASH, BPF_MAP_TYPE_PERCPU_ARRAY, BPF_MAP_TYPE_LRU_HASH, BPF_MAP_TYPE_LRU_PERCPU_HASH, BPF_MAP_TYPE_LPM_TRIE, BPF_MAP_TYPE_ARRAY_OF_MAPS, BPF_MAP_TYPE_HASH_OF_MAPS, BPF_MAP_TYPE_DEVMAP, BPF_MAP_TYPE_SOCKMAP, BPF_MAP_TYPE_CPUMAP, BPF_MAP_TYPE_XSKMAP, BPF_MAP_TYPE_SOCKHASH, BPF_MAP_TYPE_CGROUP_STORAGE, BPF_MAP_TYPE_REUSEPORT_SOCKARRAY, BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE, BPF_MAP_TYPE_QUEUE, BPF_MAP_TYPE_STACK, BPF_MAP_TYPE_SK_STORAGE, BPF_MAP_TYPE_DEVMAP_HASH, BPF_MAP_TYPE_STRUCT_OPS, BPF_MAP_TYPE_RINGBUF, BPF_MAP_TYPE_INODE_STORAGE, BPF_MAP_TYPE_TASK_STORAGE, BPF_MAP_TYPE_BLOOM_FILTER, BPF_MAP_TYPE_CGRP_STORAGE, BPF_MAP_TYPE_USER_RINGBUF, BPF_MAP_TYPE_ARENA
bpf_map_flags = BPF_ANY, BPF_NOEXIST, BPF_EXIST, BPF_F_LOCK
bpf_lookup_flags = BPF_F_LOCK
bpf_prog_type = BPF_PROG_TYPE_SOCKET_FILTER, BPF_PROG_TYPE_KPROBE, BPF_PROG_TYPE_SCHED_CLS, BPF_PROG_TYPE_SCHED_ACT, BPF_PROG_TYPE_TRACEPOINT, BPF_PROG_TYPE_XDP, BPF_PROG_TYPE_PERF_EVENT, BPF_PROG_TYPE_CGROUP_SKB, BPF_PROG_TYPE_CGROUP_SOCK, BPF_PROG_TYPE_LWT_IN, BPF_PROG_TYPE_LWT_OUT, BPF_PROG_TYPE_LWT_XMIT, BPF_PROG_TYPE_SOCK_OPS, BPF_PROG_TYPE_SK_SKB, BPF_PROG_TYPE_CGROUP_DEVICE, BPF_PROG_TYPE_SK_MSG, BPF_PROG_TYPE_RAW_TRACEPOINT, BPF_PROG_TYPE_CGROUP_SOCK_ADDR, BPF_PROG_TYPE_LWT_SEG6LOCAL, BPF_PROG_TYPE_LIRC_MODE2, BPF_PROG_TYPE_SK_REUSEPORT, BPF_PROG_TYPE_FLOW_DISSECTOR, BPF_PROG_TYPE_CGROUP_SYSCTL, BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE, BPF_PROG_TYPE_CGROUP_SOCKOPT, BPF_PROG_TYPE_TRACING, BPF_PROG_TYPE_EXT, BPF_PROG_TYPE_STRUCT_OPS, BPF_PROG_TYPE_LSM, BPF_PROG_TYPE_SK_LOOKUP, BPF_PROG_TYPE_SYSCALL, BPF_PROG_TYPE_NETFILTER
map_flags = BPF_F_NO_PREALLOC, BPF_F_NO_COMMON_LRU, BPF_F_NUMA_NODE, BPF_F_RDONLY, BPF_F_WRONLY, BPF_F_STACK_BUILD_ID, BPF_F_ZERO_SEED, BPF_F_RDONLY_PROG, BPF_F_WRONLY_PROG, BPF_F_CLONE, BPF_F_MMAPABLE, BPF_F_INNER_MAP, BPF_F_PRESERVE_ELEMS, BPF_F_LINK, BPF_F_PATH_FD, BPF_F_VTYPE_BTF_OBJ_FD, BPF_F_TOKEN_FD, BPF_F_SEGV_ON_FAULT, BPF_F_NO_USER_CONV
bpf_attach_types = BPF_XDP_DEVMAP, BPF_XDP_CPUMAP, BPF_SK_REUSEPORT_SELECT, BPF_SK_REUSEPORT_SELECT_OR_MIGRATE, BPF_PERF_EVENT, BPF_TRACE_KPROBE_MULTI, BPF_STRUCT_OPS, BPF_NETFILTER, BPF_TRACE_UPROBE_MULTI, BPF_TRACE_KPROBE_SESSION, bpf_attach_types_link_create
bpf_attach_types_link_create = BPF_CGROUP_INET_INGRESS, BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_SOCK_CREATE, BPF_CGROUP_INET4_POST_BIND, BPF_CGROUP_INET6_POST_BIND, BPF_CGROUP_INET4_BIND, BPF_CGROUP_INET6_BIND, BPF_CGROUP_INET4_CONNECT, BPF_CGROUP_INET6_CONNECT, BPF_CGROUP_UDP4_SENDMSG, BPF_CGROUP_UDP6_SENDMSG, BPF_CGROUP_UDP4_RECVMSG, BPF_CGROUP_UDP6_RECVMSG, BPF_CGROUP_SOCK_OPS, BPF_CGROUP_DEVICE, BPF_SK_MSG_VERDICT, BPF_SK_SKB_STREAM_PARSER, BPF_SK_SKB_STREAM_VERDICT, BPF_LIRC_MODE2, BPF_FLOW_DISSECTOR, BPF_CGROUP_SYSCTL, BPF_CGROUP_GETSOCKOPT, BPF_CGROUP_SETSOCKOPT, BPF_CGROUP_INET4_GETPEERNAME, BPF_CGROUP_INET4_GETSOCKNAME, BPF_CGROUP_INET6_GETPEERNAME, BPF_CGROUP_INET6_GETSOCKNAME, BPF_TRACE_ITER, BPF_CGROUP_INET_SOCK_RELEASE, BPF_SK_LOOKUP, BPF_XDP, BPF_SK_SKB_VERDICT, BPF_LSM_CGROUP, BPF_LSM_MAC, BPF_MODIFY_RETURN, BPF_TRACE_FENTRY, BPF_TRACE_FEXIT, BPF_TRACE_RAW_TP, BPF_TCX_EGRESS, BPF_TCX_INGRESS, BPF_NETKIT_PRIMARY, BPF_NETKIT_PEER, BPF_CGROUP_UNIX_CONNECT, BPF_CGROUP_UNIX_SENDMSG, BPF_CGROUP_UNIX_RECVMSG, BPF_CGROUP_UNIX_GETPEERNAME, BPF_CGROUP_UNIX_GETSOCKNAME
bpf_prog_load_flags = BPF_F_STRICT_ALIGNMENT, BPF_F_ANY_ALIGNMENT, BPF_F_TEST_RND_HI32, BPF_F_TEST_STATE_FREQ, BPF_F_SLEEPABLE, BPF_F_XDP_DEV_BOUND_ONLY, BPF_F_XDP_HAS_FRAGS
bpf_mprog_attach_flags = BPF_F_REPLACE, BPF_F_BEFORE, BPF_F_AFTER, BPF_F_ID, BPF_F_LINK
bpf_attach_flags = BPF_F_ALLOW_OVERRIDE, BPF_F_ALLOW_MULTI, bpf_mprog_attach_flags
bpf_link_update_flags = BPF_F_REPLACE
bpf_prog_query_flags = BPF_F_QUERY_EFFECTIVE
bpf_prog_test_run_flags = BPF_F_TEST_RUN_ON_CPU, BPF_F_TEST_XDP_LIVE_FRAMES, BPF_F_TEST_SKB_CHECKSUM_COMPLETE
bpf_prog_query_attach_type = BPF_CGROUP_INET_INGRESS, BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_SOCK_CREATE, BPF_CGROUP_SOCK_OPS, BPF_CGROUP_DEVICE, BPF_CGROUP_INET4_BIND, BPF_CGROUP_INET4_CONNECT, BPF_CGROUP_INET4_POST_BIND, BPF_CGROUP_INET6_BIND, BPF_CGROUP_INET6_CONNECT, BPF_CGROUP_INET6_POST_BIND, BPF_CGROUP_UDP4_SENDMSG, BPF_CGROUP_UDP6_SENDMSG, BPF_LIRC_MODE2, BPF_CGROUP_SYSCTL, BPF_FLOW_DISSECTOR, BPF_CGROUP_UDP4_RECVMSG, BPF_CGROUP_UDP6_RECVMSG, BPF_CGROUP_GETSOCKOPT, BPF_CGROUP_SETSOCKOPT, BPF_CGROUP_INET4_GETPEERNAME, BPF_CGROUP_INET4_GETSOCKNAME, BPF_CGROUP_INET6_GETPEERNAME, BPF_CGROUP_INET6_GETSOCKNAME, BPF_CGROUP_INET_SOCK_RELEASE, BPF_SK_LOOKUP, BPF_LSM_CGROUP, BPF_SK_MSG_VERDICT, BPF_SK_SKB_STREAM_PARSER, BPF_SK_SKB_STREAM_VERDICT, BPF_SK_SKB_VERDICT, BPF_TCX_INGRESS, BPF_TCX_EGRESS, BPF_NETKIT_PRIMARY, BPF_NETKIT_PEER, BPF_CGROUP_UNIX_CONNECT, BPF_CGROUP_UNIX_SENDMSG, BPF_CGROUP_UNIX_RECVMSG, BPF_CGROUP_UNIX_GETPEERNAME, BPF_CGROUP_UNIX_GETSOCKNAME
bpf_open_flags = BPF_F_RDONLY, BPF_F_WRONLY
bpf_stat_types = BPF_STATS_RUN_TIME
bpf_core_relo_kind = BPF_CORE_FIELD_BYTE_OFFSET, BPF_CORE_FIELD_BYTE_SIZE, BPF_CORE_FIELD_EXISTS, BPF_CORE_FIELD_SIGNED, BPF_CORE_FIELD_LSHIFT_U64, BPF_CORE_FIELD_RSHIFT_U64, BPF_CORE_TYPE_ID_LOCAL, BPF_CORE_TYPE_ID_TARGET, BPF_CORE_TYPE_EXISTS, BPF_CORE_TYPE_SIZE, BPF_CORE_ENUMVAL_EXISTS, BPF_CORE_ENUMVAL_VALUE, BPF_CORE_TYPE_MATCHES
bpf_obj_get_flags = BPF_F_PATH_FD, BPF_F_RDONLY, BPF_F_WRONLY
bpf_cgroup_iter_order = BPF_CGROUP_ITER_SELF_ONLY, BPF_CGROUP_ITER_DESCENDANTS_PRE, BPF_CGROUP_ITER_DESCENDANTS_POST, BPF_CGROUP_ITER_ANCESTORS_UP
bpf_link_create_kprobe_multi_flags = BPF_F_KPROBE_MULTI_RETURN
nf_dev_hooks = NF_NETDEV_INGRESS, NF_NETDEV_EGRESS
bpf_link_create_netfilter_flags = BPF_F_NETFILTER_IP_DEFRAG
bpf_link_create_uprobe_multi_flags = BPF_F_UPROBE_MULTI_RETURN
btf_load_flags = BPF_F_TOKEN_FD
btf_linkage_values = BTF_VAR_STATIC, BTF_VAR_GLOBAL_ALLOCATED, BTF_VAR_GLOBAL_EXTERN
]

gemini-3-pro-preview

							input: 175165
							output: 43
							thoughts: 3198
						

**My Thought Process on Crafting the Test Case**

Okay, so I'm trying to figure out how to best trigger this potential crash in the bonding driver through XDP. First, I need to create an XDP link.  The `bpf$BPF_LINK_CREATE_XDP` syscall seems perfect, using the `target_ifindex` to direct where this link will live.  I'll just map the interface index into `r4`. Looking at the arguments, it expects a `bpf_link_create_arg_t` struct, which includes `ATTACH_TYPE` which is `BPF_XDP` and `PROG_FD` which maps to `r3`.

Now, how am I going to test it? I need to use `bpf$BPF_PROG_TEST_RUN_LIVE`. That takes a `bpf_test_prog_live_arg` which I'll need to set up carefully. The `inctx` field is crucial here. That's where I can specify things like the interface index using an array of 24 bytes and the `ingress_ifindex` at offset 16. So I'll need to get the ifindex of veth0 somehow using `ioctl$sock_SIOCGIFINDEX` and place it in the context.

The test argument also needs the flags set to `BPF_F_TEST_XDP_LIVE_FRAMES`, and `indata` which requires a valid ethernet frame. The size of this input data is specified by `insizedata`, which I'll set to 14.  The `inctx` must be 24 bytes, and the `flags` will be 2.

The `inctx` array is a `struct xdp_md` which has 6 32-bit integer fields that represent things such as `ingress_ifindex`, `rx_queue_index`, and others.

So, I need to make sure the target network devices are set up correctly. Specifically, I'll need `bond0` to be DOWN.  I can use `ioctl$sock_SIOCSIFFLAGS` to set both `bond0` and `veth0` flags to 0. It expects an `ifreq_t` with the device name and flags, and the flag 0 means down. Syzkaller's test environment should automatically create `bond0`, `veth0` and `veth1`, but I'll ensure they are down to avoid any unexpected state.

Now, a key point:  `bond0` might have been up before. Even if I set it down, the `rr_tx_counter` might have been allocated. Luckily the `bond_destructor` free `rr_tx_counter`. But even though the `bond_close` does not free `rr_tx_counter` I just need to make sure `bond0` is down before the test.

Finally, I will run the test.

map[ContextFile:drivers/net/bonding/bond_main.c IncludeLines:true Name:bond_close]

map[SourceCode:4298:	static int bond_close(struct net_device *bond_dev)
4299:	{
4300:		struct bonding *bond = netdev_priv(bond_dev);
4301:		struct slave *slave;
4302:	
4303:		bond_work_cancel_all(bond);
4304:		bond->send_peer_notif = 0;
4305:		if (bond_is_lb(bond))
4306:			bond_alb_deinitialize(bond);
4307:		bond->recv_probe = NULL;
4308:	
4309:		if (BOND_MODE(bond) == BOND_MODE_8023AD &&
4310:		    bond->params.broadcast_neighbor)
4311:			static_branch_dec(&bond_bcast_neigh_enabled);
4312:	
4313:		if (bond_uses_primary(bond)) {
4314:			rcu_read_lock();
4315:			slave = rcu_dereference(bond->curr_active_slave);
4316:			if (slave)
4317:				bond_hw_addr_flush(bond_dev, slave->dev);
4318:			rcu_read_unlock();
4319:		} else {
4320:			struct list_head *iter;
4321:	
4322:			bond_for_each_slave(bond, slave, iter)
4323:				bond_hw_addr_flush(bond_dev, slave->dev);
4324:		}
4325:	
4326:		return 0;
4327:	}
 SourceFile:drivers/net/bonding/bond_main.c]

gemini-3-pro-preview

							input: 179527
							output: 47
							thoughts: 269
						

**My Analysis of the Bonding Device and `rr_tx_counter`**

Okay, so I've just had a significant realization! It appears that the `bond_close` function, strangely, *doesn't* free the `rr_tx_counter`. That's a critical oversight.  This means that if a bond interface, say `bond0`, was ever brought up, the `rr_tx_counter` is allocated and then *remains* allocated until the device is completely destroyed, which is highly problematic.

Therefore, the critical test case, the most likely path to success, is to use `bond0`, because `rr_tx_counter` might still be valid!

To make this test robust, I realize that I'll need a new bond device.  But how do I create one?  `ioctl$sock_SIOCSIFNAME` doesn't seem like the right approach, after a quick review. Ah-ha! I remember that we can interact directly with the sysfs file system. I can use `openat$sysfs` to write to `/sys/class/net/bonding_masters`!

Let's see. My mental model is that I should be able to create `bond1` with the following:
```
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond1\x00', 0x7)
```
That should do the trick! Now, I just need to verify that interacting with `/sys/class/net/bonding_masters` is actually working as expected. Let's confirm that.

map[ContextFile:drivers/net/bonding/bond_sysfs.c IncludeLines:true Name:bonding_store_bonds]

map[SourceCode:  73:	/* "store" function for the bond_masters attribute.  This is what
  74:	 * creates and deletes entire bonds.
  75:	 *
  76:	 * The class parameter is ignored.
  77:	 */
  78:	static ssize_t bonding_store_bonds(const struct class *cls,
  79:					   const struct class_attribute *attr,
  80:					   const char *buffer, size_t count)
  81:	{
  82:		const struct bond_net *bn =
  83:			container_of_const(attr, struct bond_net, class_attr_bonding_masters);
  84:		char command[IFNAMSIZ + 1] = {0, };
  85:		char *ifname;
  86:		int rv, res = count;
  87:	
  88:		sscanf(buffer, "%16s", command); /* IFNAMSIZ*/
  89:		ifname = command + 1;
  90:		if ((strlen(command) <= 1) ||
  91:		    !dev_valid_name(ifname))
  92:			goto err_no_cmd;
  93:	
  94:		if (command[0] == '+') {
  95:			pr_info("%s is being created...\n", ifname);
  96:			rv = bond_create(bn->net, ifname);
  97:			if (rv) {
  98:				if (rv == -EEXIST)
  99:					pr_info("%s already exists\n", ifname);
 100:				else
 101:					pr_info("%s creation failed\n", ifname);
 102:				res = rv;
 103:			}
 104:		} else if (command[0] == '-') {
 105:			struct net_device *bond_dev;
 106:	
 107:			rtnl_lock();
 108:			bond_dev = bond_get_by_name(bn, ifname);
 109:			if (bond_dev) {
 110:				pr_info("%s is being deleted...\n", ifname);
 111:				unregister_netdevice(bond_dev);
 112:			} else {
 113:				pr_err("unable to delete non-existent %s\n", ifname);
 114:				res = -ENODEV;
 115:			}
 116:			rtnl_unlock();
 117:		} else
 118:			goto err_no_cmd;
 119:	
 120:		/* Always return either count or an error.  If you return 0, you'll
 121:		 * get called forever, which is bad.
 122:		 */
 123:		return res;
 124:	
 125:	err_no_cmd:
 126:		pr_err("no command found in bonding_masters - use +ifname or -ifname\n");
 127:		return -EPERM;
 128:	}
 SourceFile:drivers/net/bonding/bond_sysfs.c]

gemini-3-pro-preview

							input: 181095
							output: 39
							thoughts: 1789
						

**Refining the XDP BPF Program with Bonding**

Okay, here's the plan. I'm going to leverage bonding and XDP for this. First, I can create a new bond device, `bond1`, using the `/sys/class/net/bonding_masters` interface.  That seems straightforward. Next, I need a `veth` pair.  I considered using netlink to create it, but I see that syzkaller likely already gives me `veth0`. And it's probably not enslaved by default, so I should just use `veth0`. Now, `veth0` might be up, so I'll set it DOWN using `ioctl(SIOCSIFFLAGS)`.

Now, I'm going to set the bond mode to ROUNDROBIN (0) using `/sys/class/net/bond1/bonding/mode`.  Then, I'll enslave `veth0` to `bond1` via `/sys/class/net/bond1/bonding/slaves`.  With the bonding infrastructure set, I'll load the XDP BPF program. Then, I'll attach the XDP BPF program to `bond1` using `bpf$BPF_LINK_CREATE_XDP`. Next, I need to get the ifindex of `veth0` using `ioctl(SIOCGIFINDEX)`. Finally, I'll test the BPF program with `bpf$BPF_PROG_TEST_RUN_LIVE`. The ingress ifindex will be set to the ifindex of `veth0`.

I can translate that into the syzkaller program like this.
```
# Create bond1
r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)

# Set bond1 mode to ROUNDROBIN (0)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)

# Set veth0 DOWN
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_SIOCSIFFLAGS(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', 0x0})

# Enslave veth0 to bond1
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)

# Load BPF program
r4 = bpf$PROG_LOAD_XDP(&(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=[{0xb7, 0x0, 0x0, 0x0, 0x3}, {0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00'}, 0x70)

# Get bond1 ifindex
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})

# Attach BPF program to bond1
r6 = bpf$BPF_LINK_CREATE_XDP(&(0x7f00000002c0)={r4, r5, 0x27, 0x0})

# Get veth0 if

requested entity does not exist

map[ContextFile:bpf.txt IncludeLines:true Name:bpf_prog_t]

map[SourceCode: SourceFile:]

gemini-3-pro-preview

							input: 183969
							output: 21
							thoughts: 20
						

Okay, here's the summary, expressed as though I'm the one thinking it:

**Finding the BPF Program Type**

Right, let's see. I need to find the definition of `bpf_prog_t`. Where's that lurking? Ah, the filename is a good hint – `bpf_prog.txt`. That makes sense. Hopefully, it's a straightforward textual description there, perhaps an excerpt from the kernel documentation or even the definition itself. I'll check that file for my next step. Time to dig in there and find that definition.

map[File:bpf_prog.txt]

map[Output:# Copyright 2023 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

include <uapi/linux/bpf.h>
include <uapi/linux/bpf_common.h>

define BPF_LINE_INFO_SIZE	sizeof(struct bpf_line_info)
define BPF_FUNC_INFO_SIZE	sizeof(struct bpf_func_info)
define BPF_CORE_RELO_SIZE	sizeof(struct bpf_core_relo)

type bpf_prog_t[TYPE, ATTACH_TYPE, BTF_ID, PROG_FD] {
	type			TYPE
	ninsn			bytesize8[insns, int32]
	insns			ptr64[in, bpf_instructions]
	license			ptr64[in, string[bpf_licenses]]
	loglev			int32
	logsize			len[log, int32]
	log			ptr64[out, array[int8], opt]
	kern_version		flags[bpf_kern_version, int32]
	flags			flags[bpf_prog_load_flags, int32]
	prog_name		array[const[0, int8], BPF_OBJ_NAME_LEN]
	prog_ifindex		ifindex[opt]
	expected_attach_type	ATTACH_TYPE
	btf_fd			fd_btf[opt]
	func_info_rec_size	const[BPF_FUNC_INFO_SIZE, int32]
	func_info		ptr64[in, bpf_func_info, opt]
	func_info_cnt		len[func_info, int32]
	line_info_rec_size	const[BPF_LINE_INFO_SIZE, int32]
	line_info		ptr64[in, bpf_line_info, opt]
	line_info_cnt		len[line_info, int32]
	attach_btf_id		BTF_ID
	attach_prog_fd		PROG_FD
	core_relo_cnt		len[core_relos, int32]
	fd_array		ptr64[in, array[fd_bpf_map], opt]
	core_relos		ptr64[in, array[bpf_core_relo], opt]
	core_relo_rec_size	const[BPF_CORE_RELO_SIZE, int32]
	log_true_size		int32
	prog_token_fd		fd_bpf_token	(if[value[flags] & BPF_F_TOKEN_FD != 0])
	pad			const[0, int32]	(if[value[flags] & BPF_F_TOKEN_FD == 0])
} [packed]

# These flags should match the mappings in bpf_prog_load_check_attach and attach_type_to_prog_type upstream.
cgroup_sock_attach_types = BPF_CGROUP_INET_SOCK_CREATE, BPF_CGROUP_INET_SOCK_RELEASE, BPF_CGROUP_INET4_POST_BIND, BPF_CGROUP_INET6_POST_BIND
cgroup_sock_addr_attach_types = BPF_CGROUP_INET4_BIND, BPF_CGROUP_INET6_BIND, BPF_CGROUP_INET4_CONNECT, BPF_CGROUP_INET6_CONNECT, BPF_CGROUP_UNIX_CONNECT, BPF_CGROUP_INET4_GETPEERNAME, BPF_CGROUP_INET6_GETPEERNAME, BPF_CGROUP_UNIX_GETPEERNAME, BPF_CGROUP_INET4_GETSOCKNAME, BPF_CGROUP_INET6_GETSOCKNAME, BPF_CGROUP_UNIX_GETSOCKNAME, BPF_CGROUP_UDP4_SENDMSG, BPF_CGROUP_UDP6_SENDMSG, BPF_CGROUP_UNIX_SENDMSG, BPF_CGROUP_UDP4_RECVMSG, BPF_CGROUP_UDP6_RECVMSG, BPF_CGROUP_UNIX_RECVMSG
cgroup_skb_attach_types = BPF_CGROUP_INET_INGRESS, BPF_CGROUP_INET_EGRESS
cgroup_sockopt_attach_types = BPF_CGROUP_SETSOCKOPT, BPF_CGROUP_GETSOCKOPT
sk_lookup_attach_types = BPF_SK_LOOKUP
sk_reuseport_attach_types = BPF_SK_REUSEPORT_SELECT, BPF_SK_REUSEPORT_SELECT_OR_MIGRATE
netfilter_attach_types = BPF_NETFILTER
sock_ops_attach_types = BPF_CGROUP_SOCK_OPS
cgroup_device_attach_types = BPF_CGROUP_DEVICE
sk_msg_attach_types = BPF_SK_MSG_VERDICT
sk_skb_attach_types = BPF_SK_SKB_STREAM_PARSER, BPF_SK_SKB_STREAM_VERDICT, BPF_SK_SKB_VERDICT
lirc_mode2_attach_types = BPF_LIRC_MODE2
flow_dissector_attach_types = BPF_FLOW_DISSECTOR
cgroup_sysctl_attach_types = BPF_CGROUP_SYSCTL
tracing_attach_types = BPF_TRACE_ITER, BPF_TRACE_RAW_TP, BPF_TRACE_FENTRY, BPF_TRACE_FEXIT, BPF_MODIFY_RETURN
lsm_attach_types = BPF_LSM_MAC, BPF_LSM_CGROUP
xdp_attach_types = BPF_XDP
sched_cls_attach_types = BPF_TCX_INGRESS, BPF_TCX_EGRESS, BPF_NETKIT_PRIMARY, BPF_NETKIT_PEER

bpf_prog_attach_types [
	cgroup_sock		flags[cgroup_sock_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_CGROUP_SOCK])
	cgroup_sock_addr	flags[cgroup_sock_addr_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_CGROUP_SOCK_ADDR])
	cgroup_skb		flags[cgroup_skb_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_CGROUP_SKB])
	cgroup_sockopt		flags[cgroup_sockopt_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_CGROUP_SOCKOPT])
	sk_lookup		flags[sk_lookup_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_SK_LOOKUP])
	sk_reuseport		flags[sk_reuseport_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_SK_REUSEPORT])
	netfilter		flags[netfilter_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_NETFILTER])
	sock_ops		flags[sock_ops_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_SOCK_OPS])
	cgroup_device		flags[cgroup_device_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_CGROUP_DEVICE])
	sk_msg			flags[sk_msg_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_SK_MSG])
	sk_skb			flags[sk_skb_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_SK_SKB])
	lirc_mode2		flags[lirc_mode2_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_LIRC_MODE2])
	flow_dissector		flags[flow_dissector_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_FLOW_DISSECTOR])
	cgroup_sysctl		flags[cgroup_sysctl_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_CGROUP_SYSCTL])
	tracing			flags[tracing_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_TRACING])
	lsm			flags[lsm_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_LSM])
	xdp			flags[xdp_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_XDP])
	sched_cls		flags[sched_cls_attach_types, int32]	(if[value[bpf_prog_t:type] == BPF_PROG_TYPE_SCHED_CLS])
	fallback		flags[bpf_attach_types, int32]
]

type bpf_prog bpf_prog_t[flags[bpf_prog_type, int32], bpf_prog_attach_types, bpf_btf_id[opt], fd_bpf_prog[opt]]

bpf_licenses = "GPL", "syzkaller"
bpf_kern_version = 0x40f00, 0x41000, 0x41100

bpf_func_info {
# This is instruction index, so should not be too large.
	insn_off	int32[0:10]
	type_id		btf_type_id
}

bpf_line_info {
# This is instruction index, so should not be too large.
	insn_off	int32[0:5]
	file_name_off	btf_opt_name_off
	line_off	int32
	line_col	int32
}

bpf_core_relo {
# This is instruction index, so should not be too large.
	insn_off	int32[0:5]
	type_id		btf_type_id
	access_str_off	btf_opt_name_off
	kind		flags[bpf_core_relo_kind, int32]
}

bpf_instructions [
	raw	array[bpf_insn]
	framed	bpf_framed_program
	ringbuf	bpf_program_ringbuf
] [varlen]

bpf_framed_program {
	initr0	bpf_insn_init_r0
	body	array[bpf_insn]
	exit	bpf_insn_exit
} [packed]

bpf_program_ringbuf {
	initr0		bpf_insn_init_r0
	reserve		bpf_insn_ringbuf_reserve
	null_check	bpf_insn_null_check[BPF_REG_9]
	body		array[bpf_insn]
	free		bpf_insn_ringbuf_free
	exit		bpf_insn_exit
} [packed]

bpf_insn [
	generic		bpf_insn_generic
	ldst		bpf_insn_ldst
	alu		bpf_insn_alu
	jmp		bpf_insn_jmp
	call		bpf_insn_call_helper
	func		bpf_insn_call_func
	kfunc		bpf_insn_call_kfunc
	exit		bpf_insn_exit
	initr0		bpf_insn_init_r0
	map_fd		bpf_insn_map_fd
	map_idx		bpf_insn_map_idx
	map_val		bpf_insn_map_value
	map_idx_val	bpf_insn_map_idx_value
	btf_id		bpf_insn_btf_id
	cb_func		bpf_insn_cb_func
	printk		bpf_insn_trace_printk
	snprintf	bpf_insn_snprintf
	tail_call	bpf_insn_tail_call
	ringbuf_query	bpf_insn_ringbuf_query
	ringbuf_output	bpf_insn_ringbuf_output
] [varlen]

bpf_insn_generic {
	code	int8
	dst	int8:4
	src	int8:4
	off	int16
	imm	int32
}

type bpf_insn_ldst_t[CLASS, SZ, MODE, DST, SRC, OFF, IMM] {
	code_class	int8:3[CLASS]
	code_size	int8:2[SZ]
	code_mode	int8:3[MODE]
	dst		DST
	src		SRC
	off		OFF
	imm		IMM
}

type bpf_insn_ldst bpf_insn_ldst_t[bpf_ldst_insn, bpf_ldst_size, bpf_ldst_mode, flags[bpf_reg, int8:4], flags[bpf_reg, int8:4], flags[bpf_insn_offsets, int16], flags[bpf_insn_immediates, int32]]
type bpf_insn_st64_reg[SRC, DST, OFF] bpf_insn_ldst_t[BPF_STX, BPF_DW0, BPF_MEM0, const[DST, int8:4], const[SRC, int8:4], const[OFF, int16], const[0, int32]]

bpf_ldst_insn = BPF_LD, BPF_LDX, BPF_ST, BPF_STX
bpf_ldst_size = BPF_W0, BPF_H0, BPF_B0, BPF_DW0
bpf_ldst_mode = BPF_IMM0, BPF_ABS0, BPF_IND0, BPF_MEM0, BPF_XADD0, BPF_MEMSX0

define BPF_W0	BPF_W >> 3
define BPF_H0	BPF_H >> 3
define BPF_B0	BPF_B >> 3
define BPF_DW0	BPF_DW >> 3

define BPF_IMM0	BPF_IMM >> 5
define BPF_ABS0	BPF_ABS >> 5
define BPF_IND0	BPF_IND >> 5
define BPF_MEM0	BPF_MEM >> 5
define BPF_XADD0	BPF_XADD >> 5
define BPF_MEMSX0	BPF_MEMSX >> 5

type bpf_insn_alu_t[CLASS, SOURCE, OP, DST, SRC, OFF, IMM] {
	code_class	int8:3[CLASS]
	code_s		int8:1[SOURCE]
	code_op		int8:4[OP]
	dst		DST
	src		SRC
	off		OFF
	imm		IMM
}

type bpf_insn_alu bpf_insn_alu_t[bpf_alu_insn, bpf_alu_source, bpf_alu_op, flags[bpf_reg, int8:4], flags[bpf_reg, int8:4], flags[bpf_insn_offsets, int16], flags[bpf_insn_immediates, int32]]
type bpf_insn_mov_imm[DST, IMM] bpf_insn_alu_t[BPF_ALU64, BPF_K0, BPF_MOV0, const[DST, int8:4], const[0, int8:4], const[0, int16], const[IMM, int32]]
type bpf_insn_mov_imm_any[DST] bpf_insn_alu_t[BPF_ALU64, BPF_K0, BPF_MOV0, const[DST, int8:4], const[0, int8:4], const[0, int16], int32]
type bpf_insn_mov_imm_flag[DST, FLAG] bpf_insn_alu_t[BPF_ALU64, BPF_K0, BPF_MOV0, const[DST, int8:4], const[0, int8:4], const[0, int16], flags[FLAG, int32]]
type bpf_insn_mov_reg[SRC, DST] bpf_insn_alu_t[BPF_ALU64, BPF_X0, BPF_MOV0, const[DST, int8:4], const[SRC, int8:4], const[0, int16], const[0, int32]]
type bpf_insn_op_imm[DST, OP, IMM] bpf_insn_alu_t[BPF_ALU64, BPF_K0, OP, const[DST, int8:4], const[0, int8:4], const[0, int16], const[IMM, int32]]

bpf_alu_source = BPF_K0, BPF_X0
bpf_alu_insn = BPF_ALU, BPF_ALU64
bpf_alu_op = BPF_ADD0, BPF_SUB0, BPF_MUL0, BPF_DIV0, BPF_OR0, BPF_AND0, BPF_LSH0, BPF_RSH0, BPF_NEG0, BPF_MOD0, BPF_XOR0, BPF_MOV0, BPF_ARSH0, BPF_END0

define BPF_ADD0	BPF_ADD >> 4
define BPF_SUB0	BPF_SUB >> 4
define BPF_MUL0	BPF_MUL >> 4
define BPF_DIV0	BPF_DIV >> 4
define BPF_OR0	BPF_OR >> 4
define BPF_AND0	BPF_AND >> 4
define BPF_LSH0	BPF_LSH >> 4
define BPF_RSH0	BPF_RSH >> 4
define BPF_NEG0	BPF_NEG >> 4
define BPF_MOD0	BPF_MOD >> 4
define BPF_XOR0	BPF_XOR >> 4
define BPF_MOV0	BPF_MOV >> 4
define BPF_ARSH0	BPF_ARSH >> 4
define BPF_END0	BPF_END >> 4

define BPF_K0	BPF_K >> 3
define BPF_X0	BPF_X >> 3

bpf_insn_jmp {
	code_class	const[BPF_JMP, int8:3]
	code_s		int8:1
	code_op		flags[bpf_jmp_op, int8:4]
	dst		flags[bpf_reg, int8:4]
	src		flags[bpf_reg, int8:4]
	off		flags[bpf_insn_offsets, int16]
	imm		flags[bpf_insn_immediates, int32]
}

# Equivalent to: if reg != 0 goto +1;
type bpf_insn_not_null_jmp[REG] {
	code_class	const[BPF_JMP, int8:3]
	code_s		const[BPF_K0, int8:1]
	code_op		const[BPF_JNE0, int8:4]
	dst		const[REG, int8:4]
	src		const[0, int8:4]
	off		const[1, int16]
	imm		const[0, int32]
}

bpf_jmp_op = BPF_JA0, BPF_JEQ0, BPF_JGT0, BPF_JGE0, BPF_JSET0, BPF_JNE0, BPF_JSGT0, BPF_JSGE0, BPF_CALL0, BPF_EXIT0, BPF_JLT0, BPF_JLE0, BPF_JSLT0, BPF_JSLE0

define BPF_JA0	BPF_JA >> 4
define BPF_JEQ0	BPF_JEQ >> 4
define BPF_JGT0	BPF_JGT >> 4
define BPF_JGE0	BPF_JGE >> 4
define BPF_JSET0	BPF_JSET >> 4
define BPF_JNE0	BPF_JNE >> 4
define BPF_JSGT0	BPF_JSGT >> 4
define BPF_JSGE0	BPF_JSGE >> 4
define BPF_CALL0	BPF_CALL >> 4
define BPF_EXIT0	BPF_EXIT >> 4
define BPF_JLT0	BPF_JLT >> 4
define BPF_JLE0	BPF_JLE >> 4
define BPF_JSLT0	BPF_JSLT >> 4
define BPF_JSLE0	BPF_JSLE >> 4

type bpf_insn_call_helper_t[FUNC] {
	code	const[bpf_call_code, int8]
	regs	const[0, int8]
	off	const[0, int16]
	func	FUNC
}

type bpf_insn_call_helper bpf_insn_call_helper_t[int32[0:__BPF_FUNC_MAX_ID]]

bpf_insn_call_func {
	code	const[bpf_call_code, int8]
	dst	const[0, int8:4]
	src	const[BPF_PSEUDO_CALL, int8:4]
	off	const[0, int16]
# NEED: to limit the call offset to the program size, we'd need support for path expressions inside ranges of values.
	func	int32[-8:8]
}

bpf_insn_call_kfunc {
	code	const[bpf_call_code, int8]
	dst	const[0, int8:4]
	src	const[BPF_PSEUDO_KFUNC_CALL, int8:4]
	off	const[0, int16]
	kfunc	btf_type_id
}

define bpf_call_code	BPF_JMP | BPF_CALL

bpf_insn_exit {
	code	const[bpf_exit_code, int8]
	regs	const[0, int8]
	off	const[0, int16]
	imm	const[0, int32]
}

define bpf_exit_code	BPF_JMP | BPF_EXIT

bpf_insn_init_r0 {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	const[BPF_REG_0, int8:4]
	src	const[0, int8:4]
	off	const[0, int16]
	imm	int32
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	int32
}

type bpf_insn_mov_imm64[DST, IMM1, IMM2] {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	const[DST, int8:4]
	src	const[0, int8:4]
	off	const[0, int16]
	imm	const[IMM1, int32]
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	const[IMM2, int32]
}

type bpf_insn_map_fd_t[DST, MAP_FD] {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	DST
	src	const[BPF_PSEUDO_MAP_FD, int8:4]
	off	const[0, int16]
	imm	MAP_FD
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	const[0, int32]
}

type bpf_insn_map_fd bpf_insn_map_fd_t[flags[bpf_reg, int8:4], fd_bpf_map]
type bpf_insn_tail_call_map_fd[DST] bpf_insn_map_fd_t[const[DST, int8:4], tail_call_map]
type bpf_insn_ringbuf_fd[DST] bpf_insn_map_fd_t[const[DST, int8:4], ringbuf_map_fd]

bpf_insn_map_idx {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	flags[bpf_reg, int8:4]
	src	const[BPF_PSEUDO_MAP_IDX, int8:4]
	off	const[0, int16]
	imm	map_fd_id
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	const[0, int32]
}

type bpf_insn_map_value_t[DST, MAP_FD, VALUE_OFFSET] {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	DST
	src	const[BPF_PSEUDO_MAP_VALUE, int8:4]
	off	const[0, int16]
	imm	MAP_FD
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	VALUE_OFFSET
}

type bpf_insn_map_value bpf_insn_map_value_t[flags[bpf_reg, int8:4], fd_bpf_map, int32]
type bpf_insn_const_str[DST] bpf_insn_map_value_t[const[DST, int8:4], bpf_frozen_const_str, const[0, int32]]

bpf_insn_map_idx_value {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	flags[bpf_reg, int8:4]
	src	const[BPF_PSEUDO_MAP_IDX_VALUE, int8:4]
	off	const[0, int16]
	imm	map_fd_id
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	int32
}

bpf_insn_cb_func {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	flags[bpf_reg, int8:4]
	src	const[BPF_PSEUDO_FUNC, int8:4]
	off	const[0, int16]
# NEED: to limit the call offset to the program size, we'd need support for path expressions inside ranges of values.
	imm	int32[-8:8]
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	const[0, int32]
}

bpf_insn_btf_id {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	flags[bpf_reg, int8:4]
	src	const[BPF_PSEUDO_BTF_ID, int8:4]
	off	const[0, int16]
	imm	btf_type_id
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	const[0, int32]
}

define bpf_insn_load_imm_dw	BPF_LD | BPF_DW | BPF_IMM

# Slightly prune state space, these values frequently must be 0.
bpf_insn_offsets = 0, 1, 2, 4, 6, 8, 12, 16, 24, 32, 48, 64, 80, 128, 256, -1, -2, -4, -8, -12, -16, -32, -64
bpf_insn_immediates = 0, 1, 4, 8, 16, -1, -4, -16
bpf_reg = BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5, BPF_REG_6, BPF_REG_7, BPF_REG_8, BPF_REG_9, BPF_REG_10, __MAX_BPF_REG

# Equivalent to:
# if reg != 0 goto +1;
# exit;
# This is useful to check null pointers. We exit if the pointer is null and
# continue the normal flow otherwise.
type bpf_insn_null_check[REG] {
	cond_jump	bpf_insn_not_null_jmp[REG]
	exit		bpf_insn_exit
}

# Format specifiers for bpf_trace_printk, encoded as a zero-terminated string
# of 7 characters. For example, field 'p' corresponds to "%p     ".
type bpf_insn_mov_printk_str_hex[DST] [
	p	bpf_insn_mov_imm64[DST, 0x25702020, 0x20202000]
	d	bpf_insn_mov_imm64[DST, 0x25642020, 0x20202000]
	i	bpf_insn_mov_imm64[DST, 0x25692020, 0x20202000]
	u	bpf_insn_mov_imm64[DST, 0x25752020, 0x20202000]
	x	bpf_insn_mov_imm64[DST, 0x25782020, 0x20202000]
	ld	bpf_insn_mov_imm64[DST, 0x256c6420, 0x20202000]
	li	bpf_insn_mov_imm64[DST, 0x256c6920, 0x20202000]
	lu	bpf_insn_mov_imm64[DST, 0x256c7520, 0x20202000]
	lx	bpf_insn_mov_imm64[DST, 0x256c7820, 0x20202000]
	lld	bpf_insn_mov_imm64[DST, 0x256c6c64, 0x20202000]
	lli	bpf_insn_mov_imm64[DST, 0x256c6c69, 0x20202000]
	llu	bpf_insn_mov_imm64[DST, 0x256c6c75, 0x20202000]
	llx	bpf_insn_mov_imm64[DST, 0x256c6c78, 0x20202000]
	s	bpf_insn_mov_imm64[DST, 0x25732020, 0x20202000]
]

# (18) r1 = "%d     "
# (7b) *(u64 *)(r10 -8) = r1
# (bf) r1 = r10
# (07) r1 += -8
# (b7) r2 = 8
# (b7) r3 = X
# (85) call bpf_trace_printk#-108352
bpf_insn_trace_printk {
	insn1	bpf_insn_mov_printk_str_hex[BPF_REG_1]
	insn2	bpf_insn_st64_reg[BPF_REG_1, BPF_REG_10, -8]
	insn3	bpf_insn_mov_reg[BPF_REG_10, BPF_REG_1]
	insn4	bpf_insn_op_imm[BPF_REG_1, BPF_ADD0, -8]
	insn5	bpf_insn_mov_imm[BPF_REG_2, 8]
	insn6	bpf_insn_mov_imm_any[BPF_REG_3]
	insn7	bpf_insn_call_helper_t[const[BPF_FUNC_trace_printk, int32]]
}

# (b7) r8 = 0
# (7b) *(u64 *)(r10 -8) = r8
# (b7) r8 = X
# (7b) *(u64 *)(r10 -16) = r8
# (bf) r1 = r10
# (07) r1 += -8
# (bf) r4 = r10
# (07) r4 += -16
# (b7) r2 = 8
# (18) r3 = map[id:31][0]+0
# (b7) r5 = 8
# (85) call bpf_snprintf#168880
bpf_insn_snprintf {
	insn1	bpf_insn_mov_imm[BPF_REG_8, 0]
	insn2	bpf_insn_st64_reg[BPF_REG_8, BPF_REG_10, -8]
	insn3	bpf_insn_mov_imm_any[BPF_REG_8]
	insn4	bpf_insn_st64_reg[BPF_REG_8, BPF_REG_10, -16]
	insn5	bpf_insn_mov_reg[BPF_REG_10, BPF_REG_1]
	insn6	bpf_insn_op_imm[BPF_REG_1, BPF_ADD0, -8]
	insn7	bpf_insn_mov_reg[BPF_REG_10, BPF_REG_4]
	insn8	bpf_insn_op_imm[BPF_REG_4, BPF_ADD0, -16]
	insn9	bpf_insn_mov_imm[BPF_REG_2, 8]
	insn10	bpf_insn_const_str[BPF_REG_3]
	insn11	bpf_insn_mov_imm[BPF_REG_5, 8]
	insn12	bpf_insn_call_helper_t[const[BPF_FUNC_snprintf, int32]]
}

# (18) r2 = map[id:10]
# (b7) r3 = 2
# (85) call bpf_tail_call#12
# (b7) r0 = 0
bpf_insn_tail_call {
	insn1	bpf_insn_tail_call_map_fd[BPF_REG_2]
	insn2	bpf_insn_mov_imm[BPF_REG_3, 0]
	insn3	bpf_insn_call_helper_t[const[BPF_FUNC_tail_call, int32]]
	insn4	bpf_insn_mov_imm[BPF_REG_0, 0]
}

# (18) r1 = map[id:16]
# (b7) r2 = 8
# (b7) r3 = 0
# (85) call bpf_ringbuf_reserve#320112
# (bf) r9 = r0
bpf_insn_ringbuf_reserve {
	insn1	bpf_insn_ringbuf_fd[BPF_REG_1]
	insn2	bpf_insn_mov_imm[BPF_REG_2, 20]
	insn3	bpf_insn_mov_imm[BPF_REG_3, 0]
	insn4	bpf_insn_call_helper_t[const[BPF_FUNC_ringbuf_reserve, int32]]
	insn5	bpf_insn_mov_reg[BPF_REG_0, BPF_REG_9]
}

# (bf) r1 = r9
# (b7) r2 = BPF_RB_X
# (85) call bpf_ringbuf_{submit,discard}#322192
# (bf) r0 = 0
bpf_insn_ringbuf_free {
	insn1	bpf_insn_mov_reg[BPF_REG_9, BPF_REG_1]
	insn2	bpf_insn_mov_imm_flag[BPF_REG_2, bpf_ringbuf_wakeup_flags]
	insn3	bpf_insn_call_helper_t[flags[bpf_helpers_ringbuf_free, int32]]
	insn4	bpf_insn_mov_imm[BPF_REG_0, 0]
}

bpf_helpers_ringbuf_free = BPF_FUNC_ringbuf_submit, BPF_FUNC_ringbuf_discard

# (18) r1 = map[id:16]
# (b7) r2 = 0
# (85) call bpf_ringbuf_query#322192
bpf_insn_ringbuf_query {
	insn1	bpf_insn_tail_call_map_fd[BPF_REG_1]
	insn2	bpf_insn_mov_imm[BPF_REG_2, 0]
	insn3	bpf_insn_call_helper_t[const[BPF_FUNC_ringbuf_query, int32]]
}

# (18) r1 = map[id:16]
# (b7) r8 = X
# (7b) *(u64 *)(r10 -8) = r8
# (bf) r2 = r10
# (07) r2 += -8
# (b7) r3 = 8
# (b7) r4 = BPF_RB_X
# (85) call bpf_ringbuf_output#322192
bpf_insn_ringbuf_output {
	insn1	bpf_insn_tail_call_map_fd[BPF_REG_1]
	insn2	bpf_insn_mov_imm_any[BPF_REG_8]
	insn3	bpf_insn_st64_reg[BPF_REG_8, BPF_REG_10, -8]
	insn4	bpf_insn_mov_reg[BPF_REG_10, BPF_REG_2]
	insn5	bpf_insn_op_imm[BPF_REG_2, BPF_ADD0, -8]
	insn6	bpf_insn_mov_imm[BPF_REG_3, 8]
	insn7	bpf_insn_mov_imm_flag[BPF_REG_4, bpf_ringbuf_wakeup_flags]
	insn8	bpf_insn_call_helper_t[const[BPF_FUNC_ringbuf_output, int32]]
}

define MAX_BPF_REG	__MAX_BPF_REG

bpf_ringbuf_wakeup_flags = 0, BPF_RB_NO_WAKEUP, BPF_RB_FORCE_WAKEUP
]

gemini-3-pro-preview

							input: 194351
							output: 916
							thoughts: 6453
						

**Syzkaller BPF Program Analysis and Refinement**

Okay, so I'm diving into this syzkaller-generated BPF program and figuring out the most efficient way to express it. I'm seeing that we start with loading a BPF program, then creating a link, and finally running a test. Initially, I was looking at `bpf_prog_t` and `bpf_instructions`, seeing that we could directly use `bpf$PROG_LOAD_XDP`. The `bpf_instructions` being a `raw array[bpf_insn]` is fine, and I got the initial structure. However, I need to make sure I am using the correct approach.

I then realized that `bpf_prog_t` has many fields, and it's simpler to just leverage `bpf$PROG_LOAD` with the `AUTO` keyword. This lets syzkaller handle populating the struct. Then I started to see that I had the correct `bpf_prog_xdp`, where `expected_attach_type` is correctly set to `BPF_XDP` (39), which meant that I was on the right path. So, I am using `AUTO` and let syzkaller fill the rest.

Moving on to `bpf$BPF_LINK_CREATE_XDP`, it looks like everything should work with `AUTO` and `&void` for the optional extra field. The argument's size is also taken care of. Then I was on to `bpf$BPF_PROG_TEST_RUN_LIVE`, and I saw that the `inctx` field is of type `array[int8]`. And, I need to pass an `int32` variable (`r7`) as input. So, I'll use a `&AUTO` structure to handle this. Syzkaller allows passing an `int32` to the `array[int8]` using the `AUTO` cast. I had to double-check that by creating an internal struct. Then I went through the entire program to ensure I have the right parameters.

I then did a detailed review of all the syscalls. I made sure to include the `ioctl` calls to get the interface indexes. I found and corrected the input data to `bpf$BPF_PROG_TEST_RUN_LIVE`. I ensured that I was using the correct `ioctl` call arguments.

And, finally, I'm using `0x5` (BPF_PROG_LOAD) for the BPF load. Everything looked correct.

I now need to test and ensure that I did not miss anything.

unknown syscall ioctl$sock_SIOCSIFFLAGS

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_SIOCSIFFLAGS(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', 0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00'}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 202312
							output: 918
							thoughts: 378
						

**Debugging a Network Interface Flag Setting**

Okay, so I'm running into a problem: `ioctl$sock_SIOCSIFFLAGS` isn't recognized. That's a classic sign of a missing definition. Let's dig into `socket.txt` to find where `SIOCSIFFLAGS` is defined and how it's used. Ah, here it is: the `ifreq_ioctls` list! It seems `SIOCSIFFLAGS` is definitely present in the relevant `ioctl` calls. Based on the documentation, I'm expecting something like this: `ioctl$sock_ifreq(fd sock, cmd flags[ifreq_ioctls], arg ptr[inout, ifreq])`.  Specifically, the expected call is `ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})`.

Now, let me refresh my memory on the `ifreq` structure. Right, `ifreq` is basically a struct containing a name and a union `ifru`, which can hold various interface-specific data. It seems like the critical part of the structure relevant to my issue is `ifru_flags`. So, my interpretation checks out: `ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})`. This seems to be the correct usage of that ioctl command. Let's run this and see what we get. I'll test it and see if it behaves as expected.

wrong array arg *prog.UnionType
line #9:72: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=[<<<!!ERROR!!>>>@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00'}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00'}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 204169
							output: 921
							thoughts: 230
						

**BPF Instruction Parsing and Program Loading**

Okay, so I'm looking at this `bpf_instructions` structure and it's a *union*. That's the key. This means the compiler lays out various sub-structures, `raw`, `framed`, and `ringbuf`, in the same memory location. The actual interpretation depends on how it's used. Based on the way I'm seeing this program loading, it looks like we're using the `raw` member.

Looking at the example, I'm pretty sure we need to specify `@raw=[...]`. We're loading a BPF program, as seen with `bpf$PROG_LOAD`. And the important part for me right now is how the instructions are being provided. We have this `@raw` assignment, and it looks like a structure with an array of `bpf_insn` elements.

Let me just test this theory one more time and see if I've understood the instruction format correctly.

missing struct bpf_prog_t[flags[bpf_prog_type, int32], bpf_prog_attach_types, bpf_btf_id[opt], fd_bpf_prog[opt]] fields 4/28
line #9:180: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00'}<<<!!ERROR!!>>>, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00'}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 205761
							output: 805
							thoughts: 290
						

**BPF Program Loading Optimization**

Okay, so I'm looking at this `bpf_prog_t` struct, and it's got a whopping 28 fields! But my `bpf$PROG_LOAD` call only specified 4. I was thinking, why bother filling everything out manually? I can leverage Syzkaller's `&AUTO` feature. That should handle the remaining fields and let the kernel figure out the defaults or appropriate values.

Initially, I had a size argument in the `bpf$PROG_LOAD` call, but then it clicked - `bpf$PROG_LOAD` is using `len[arg]` to determine the size of the program being loaded. So I can drop that size argument altogether. It makes the call cleaner and less verbose.

So now my call is:
```
r4 = bpf$PROG_LOAD(0x5, &AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00'})
```

I'm feeling good about this, time to test it out and see if this simpler method works as expected.

missing struct bpf_prog_t[flags[bpf_prog_type, int32], bpf_prog_attach_types, bpf_btf_id[opt], fd_bpf_prog[opt]] fields 4/28
line #9:144: r4 = bpf$PROG_LOAD(0x5, &AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00'}<<<!!ERROR!!>>>)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00'})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &AUTO={r4, r5, 0x27, 0x0, @void})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &AUTO={r4, 0x0, 0xe, 0x0, &AUTO='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &AUTO={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1})
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 207341
							output: 921
							thoughts: 772
						

**Analyzing Syzkaller's Field Handling with `&AUTO`**

Okay, so I'm digging into how syzkaller handles struct literals with the `&AUTO` syntax, and I've hit a potential snag. I was thinking that using `&AUTO={...}` would let me omit fields, but it looks like that's not the case. It appears that if you're going to use a struct literal with `&AUTO`, you're still forced to provide *all* the fields, which is not ideal. I was hoping for more flexible partial initialization.

However, I've got to give credit where it's due - the syntax `&AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}` *does* seem to work. So I need to verify what the correct syntax is when providing the full struct.

Okay, let's step through this. I need to be sure I understand the `bpf_prog_t` struct, because that's what we're feeding to the `bpf$PROG_LOAD` call. I'll make sure I'm not missing any fields. I've enumerated them to ensure I've covered all the bases: `type`, `ninsn`, `insns`, `license`, `loglev`, `logsize`, `log`, `kern_version`, `flags`, `prog_name`, `prog_ifindex`, `expected_attach_type`, `btf_fd`, `func_info_rec_size`, `func_info`, `func_info_cnt`, `line_info_rec_size`, `line_info`, `line_info_cnt`, `attach_btf_id`, `attach_prog_fd`, `core_relo_cnt`, `fd_array`, `core_relos`, `core_relo_rec_size`, `log_true_size`, `prog_token_fd`, and `pad`. That's 28 fields in total. No shortcuts there.

Finally, I'm going to set up a test case. I'll execute the `bpf$PROG_LOAD` call as shown:
```
r4 = bpf$PROG_LOAD(0x5, &AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
```
Let's see if it works. I'm ready to roll.

wrong int arg *prog.UnionType
line #9:182: r4 = bpf$PROG_LOAD(0x5, &AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x0<<<!!ERROR!!>>>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &AUTO={r4, r5, 0x27, 0x0, @void})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &AUTO={r4, 0x0, 0xe, 0x0, &AUTO='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &AUTO={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1})
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 210165
							output: 919
							thoughts: 1163
						

**Analyzing the BPF Program Loading Structure**

Okay, so I'm looking at the `bpf_prog_load` structure and trying to understand how it's being populated. First, the `expected_attach_type` field. Ah, right, that's a union defined by `bpf_prog_attach_types`.  Given the program's type is `BPF_PROG_TYPE_XDP`, I need to set `@xdp` to `0x0`.

Now, let's step through the fields methodically.  I'll double-check everything:

1.  `type`: `0x6` (XDP, correct)
2.  `ninsn`: `0x2` (instruction count, seems reasonable)
3.  `insns`: points to the raw instruction data
4.  `license`:  'GPL\x00', as expected.
5.  `loglev`: `0x0`
6.  `logsize`: `0x0`
7.  `log`: `0x0`
8.  `kern_version`: `0x0`
9.  `flags`: `0x0`
10. `prog_name`: `""` (empty string)
11. `prog_ifindex`: `0x0`
12. `expected_attach_type`: `@xdp=0x0` (confirmed)
13. `btf_fd`: `0x0`
14. `func_info_rec_size`: `0x0`
15. `func_info`: `0x0`
16. `func_info_cnt`: `0x0`
17. `line_info_rec_size`: `0x0`
18. `line_info`: `0x0`
19. `line_info_cnt`: `0x0`
20. `attach_btf_id`: `0x0`
21. `attach_prog_fd`: `0x0`
22. `core_relo_cnt`: `0x0`
23. `fd_array`: `0x0`
24. `core_relos`: `0x0`
25. `core_relo_rec_size`: `0x0`
26. `log_true_size`: `0x0`
27.  Aha!  I almost missed it.  `prog_token_fd` is conditional. If `flags & BPF_F_TOKEN_FD` is *not* set, the field is replaced by `pad`.  Since `flags` is `0x0`, `prog_token_fd` isn't present, and it's `pad = 0x0`.

So, counting carefully, there are *27* fields total, including the conditional one. I need to make sure I account for that conditional field when interpreting the program loading structure.  That's key.

Alright, the resulting structure in the code should be `r4 = bpf$PROG_LOAD(0x5, &AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})`. Let's give this a test to verify it.

wrong int arg *prog.UnionType
line #9:262: r4 = bpf$PROG_LOAD(0x5, &AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0<<<!!ERROR!!>>>})

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &AUTO={0x6, 0x2, &AUTO=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &AUTO={r4, r5, 0x27, 0x0, @void})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &AUTO={r4, 0x0, 0xe, 0x0, &AUTO='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &AUTO={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1})
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 213403
							output: 1037
							thoughts: 1524
						

**Analyzing BPF Program Loading with Syzkaller**

Okay, so I'm digging into how to load a BPF program correctly within syzkaller, specifically looking at how the `attach_prog_fd` field of the `bpf_prog_t` struct is handled.  Initially, my thought was that it was directly tied to `fd_bpf_prog[opt]`, but that's not quite right. `opt` means it's either zero or a valid file descriptor.  I started going through the fields in `bpf_prog_t`, itemizing them.

Now, considering the `bpf_prog_t` structure, I've got a good handle on each of the fields: `type`, `ninsn`, `insns`, `license`, and so on, all the way down to `pad`. The thought crossed my mind about `func_info_rec_size`, `line_info_rec_size`, and `core_relo_rec_size`, which are constants (`BPF_FUNC_INFO_SIZE`, `BPF_LINE_INFO_SIZE`, `BPF_CORE_RELO_SIZE`).  I was initially thinking that if I simply supplied `0x0`, syzkaller would complain about them being `const`, but I realized with the use of `AUTO` or that they would be omitted. I had a quick re-think and now realize that the  `&AUTO={...}` in syzkaller is a way to supply specific fields while allowing the rest to be defaulted. I need *all* fields, or use just `&AUTO` for random struct generation.

Then, there's a specific `bpf$PROG_LOAD_XDP` call which seems tailored to this. However, that call sets certain fields such as `type`, `expected_attach_type`, `attach_btf_id`, and `attach_prog_fd` to constants. But I started to wonder if these constant fields still needed to be provided explicitly in a struct literal. Nope! Syzkaller expects *all* fields in the struct literal, but constant fields can just be their values.

Ultimately, instead of the specialized call, I'm just going to go with the regular `bpf$PROG_LOAD` and fill out *all* of the fields of the `bpf_prog_t` struct explicitly, making sure I set the constants correctly and provide valid BPF instructions for the program itself.  I'm going to set `func_info_rec_size` to 8 (BPF_FUNC_INFO_SIZE), `line_info_rec_size` to 16 (BPF_LINE_INFO_SIZE), and `core_relo_rec_size` to 16 (BPF_CORE_RELO_SIZE).  I'll define the instructions as well. Time to test this approach!

wrong int arg *prog.UnionType
line #9:300: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0<<<!!ERROR!!>>>}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 216883
							output: 1038
							thoughts: 3095
						

**Debugging a BPF Program Load with Syzkaller**

Okay, so I'm trying to figure out why I'm getting a "wrong int arg" error when loading this BPF program using Syzkaller. It looks like the issue is related to the data structure used for the program, `bpf_prog_t`, and how Syzkaller is interpreting its fields, particularly the unions.

First, I double-checked the field definitions within the `bpf_prog_t` struct, noting that field 27 is `pad` which is a constant zero. Then I reviewed the other fields and their types, including `attach_prog_fd`, `fd_array`, and `core_relos`. I went back and examined `bpf_prog_t` again, and saw that the `bpf_prog_attach_types` field is a union.

The error message hints that a union field is expecting a specific type, but receiving an integer. I initially considered `attach_prog_fd` but realized it is optional, not a union. I also thought about `fd_array` and `core_relos` and eliminated these too. So I had to go back to the union, `bpf_prog_attach_types`, and the value I was providing for the `expected_attach_type` field.  I was providing `@xdp=0x0`.

I realized that if the program type is XDP, the `xdp` field of this union becomes relevant.  The program type is 6 (BPF_PROG_TYPE_XDP). However, Syzkaller appears to require `@` syntax for conditional unions. So, the `@xdp=0x0` should be correct.

The error persists. I double-checked the fields in `bpf_prog_t` and wondered if it might be an issue with how I'm declaring the `bpf$PROG_LOAD_XDP` call.

If the program type is indeed `BPF_PROG_TYPE_XDP`, which is 6, the `expected_attach_type` becomes `const[BPF_XDP, int32]`. The value for `BPF_XDP` is actually 39 (0x27). I'm providing `0x0` which is the value associated with XDP via `@xdp=0x0`.

I will now try providing `0x27` directly for `expected_attach_type` when using `bpf$PROG_LOAD_XDP` to see if that resolves the issue. This makes sense.

wrong int arg *prog.UnionType
line #9:300: r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0<<<!!ERROR!!>>>}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 221874
							output: 1043
							thoughts: 2640
						

**Analyzing the `bpf_prog_t` Structure in Syzkaller for XDP Program Loading**

Okay, so I'm digging into how `bpf_prog_load` works in Syzkaller, specifically for XDP programs. The first thing that jumps out is the structure definition: `bpf_prog_xdp` is essentially a `bpf_prog_t`, and I need to understand its fields. The core issue is how Syzkaller expects this struct to be populated.

I initially see that `attach_btf_id` and `attach_prog_fd` are just zero, which seems fine for my use case.  I then start listing all the fields in the structure. I'm focusing on the fields. I step through the members: `type`, `ninsn`, `insns`, `license` and the rest. I check each field and its respective data types. I confirm that fields such as `btf_fd` are also being set to zero.

I then think about the conditional field `prog_token_fd` and `pad`. If `flags` is zero, `prog_token_fd` isn't present, but `pad` should be there. This is important: are these fields actually handled as conditional in the syzkaller version I'm using?

I'm thinking: perhaps there is a difference in struct definitions between the syzkaller version and the kernel. To be sure, I need to check the definition of `bpf_prog_t` in the syzkaller configuration to verify these conditional fields are correctly defined.

Ah, yes, in Syzkaller, the conditional fields are evaluated based on the value of another field, so they are only included or excluded during parsing. If `flags` is 0, the struct should only include `pad` and omit `prog_token_fd`. Then a crucial question hits me: what if the syzkaller version doesn't handle the conditional field? I have to re-examine the `bpf_prog.txt` definition to confirm its correctness.

I then check `bpf_prog.txt` again to re-validate the definition. It appears that the correct definition that I'm referencing includes these conditional fields, so this should not be an issue.

Now, could `fd_array`, `core_relos`, `prog_token_fd`, or `pad` be a union? That doesn't seem likely based on their declared types: arrays and resource.

Now I decide to let Syzkaller populate the structure with `&AUTO`, but making sure the fields are provided. The error complains about missing fields.

So, I tried a basic `&AUTO` definition, but that clearly fails. Syzkaller is complaining about missing fields. I have to look at the error message, syzkaller is expecting 28 fields. I count the fields and confirm the count. 

Wait, the struct has 28 fields if the conditional fields `prog_token_fd` and `pad` are considered, which makes sense, but conditional fields are only present if their conditions are met. I think to myself: does Syzkaller force me to include all fields in a struct literal even if they're conditional?

No, if a field is conditional, it should be either present or not present. In this case, I decide it must not be evaluating that condition at the struct parsing stage.

So, I will try providing all 28 fields in the literal, just to be explicit.
I'll create the program load with all fields: `r4 = bpf$PROG_LOAD_XDP(...)`, including all 28 fields. I'll test this out and see if it works.

wrong int arg *prog.UnionType
line #9:300: r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0<<<!!ERROR!!>>>, 0x0}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 226654
							output: 1013
							thoughts: 2164
						

**Debugging a BPF Program Load: A Step-by-Step Analysis**

Okay, so I'm hitting an error during a BPF program load, specifically at the 27th field. The error output clearly highlights the issue with the value `0x0<<<!!ERROR!!>>>, 0x0}`.  The field in question is `prog_token_fd`, which is defined as `fd_bpf_token`.  Right, `fd_bpf_token` is a resource type, meaning `0x0` should be a valid value for it, as well as the special resource values such as `0xffffffffffffffff`. This is important because the definition for `fd_bpf_token` is `resource fd_bpf_token[fd]`, meaning `0x0` should be acceptable.

But, just to be sure, is `prog_token_fd` *actually* the 27th field? Time to double-check the `bpf_prog_t` struct definition. I go through the struct, and it looks like `prog_token_fd` *is* indeed the 27th field, and it also appears to be conditionally included based on the value of the `flags` field.  The structure's fields and their values are re-checked:

1.  `attach_btf_id`: `0x0`
2.  `attach_prog_fd`: `0x0`
3.  `core_relo_cnt`: `0x0`
4.  `fd_array`: `0x0`
5.  `core_relos`: `0x0`
6.  `core_relo_rec_size`: `0x10`
7.  `log_true_size`: `0x0`
8.  `prog_token_fd`: `0x0`
9.  `pad`: `0x0`

I recall that `fd_array` is defined as `ptr64[in, array[fd_bpf_map], opt]`, and `core_relos` is defined as `ptr64[in, array[bpf_core_relo], opt]`.  Since it's an optional pointer (`opt`), `0x0` should be perfectly acceptable as a null pointer, which is standard behavior in syzkaller.

Let me think… could *another* field be the problem?  I look closely at the structure and realize that because `prog_token_fd` is conditional, the number of fields to specify may be fewer than anticipated.  The error message pinpointed the 27th field, so I had assumed a fixed number of fields.  But maybe there are fewer!  I go back through the field list, carefully noting any `len` fields (which, in syzkaller, are automatically calculated and NOT specified in the struct).  Also, any conditional fields based on `flags`.
I also review fields before `attach_btf_id`:
1. `func_info_rec_size`: `0x8`
2. `func_info`: `0x0`
3. `func_info_cnt`: `0x0`
4. `line_info_rec_size`: `0x10`
5. `line_info`: `0x0`
6. `line_info_cnt`: `0x0`
7. `func_info_cnt` is `len[func_info, int32]`.

Aha! Those `len` fields are not included in the literal!  I make a list of fields *we* need to provide:

1.  `type`
2.  `insns`
3.  `license`
4.  `loglev`
5.  `log`
6.  `kern_version`
7.  `flags`
8.  `prog_name`
9.  `prog_ifindex`
10. `expected_attach_type`
11. `btf_fd`
12. `func_info_rec_size`
13. `func_info`
14. `line_info_rec_size`
15. `line_info`
16. `attach_btf_id`
17. `attach_prog_fd`
18. `fd_array`
19. `core_relos`
20. `core_relo_rec_size`
21. `log_true_size`
22. `prog_token_fd`
23. `pad`

That'

wrong addr arg *prog.LenType
line #9:52: r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, <<<!!ERROR!!>>>&(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 231128
							output: 1038
							thoughts: 288
						

**Debugging a Syzkaller Struct Literals Issue**

Okay, so I'm looking at this `ninsn` variable, and it's defined as `bytesize8[insns, int32]`. Right, so `bytesize8` is essentially a `len` type. My initial thought was that, like other `len` fields in syzkaller, it would be automatically omitted in the struct literal. But hang on, maybe that's not the case here. It seems `bytesize8` might be treated differently.

Let me think this through. If `bytesize8` were omitted, then `insns` would be the second field, and the error I'm seeing wouldn't make sense. The error message explicitly points to a "wrong addr arg *prog.LenType". That means syzkaller *expects* a `LenType` argument, which it's *not* getting because I'm providing an address like `&(0x7f0000000200)={...}`. So, `ninsn` is definitely *not* being omitted.

The key to this is likely that `len` fields are *only* omitted if I use `&AUTO={...}` or if I simply don't provide the `len` fields at all. I was using `&(0x7f00000001c0)={...}`, so I'm explicitly telling it to use an address; therefore, I *must* provide the `len` fields!

Alright, if I need to provide the `len` field, I should simply supply a value, I’ll try setting `ninsn` to `0x2`. Let’s try that.

wrong int arg *prog.UnionType
line #9:300: r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0<<<!!ERROR!!>>>}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 233125
							output: 1040
							thoughts: 5587
						

**Debugging a BPF Program Load Error**

Okay, here's the breakdown of my thought process in tackling this persistent BPF program load error. The core issue keeps popping up at the 27th field of my `bpf_prog_t` struct, but the error message is unhelpful, claiming a `wrong int arg *prog.UnionType`. This is frustrating, so let's start with a systematic examination.

First, I meticulously went through the fields I'm providing to the `bpf$PROG_LOAD_XDP` syscall, counting them to confirm the error's location. Then, based on the structure definition, I identified that the 27th field should be `pad` because `flags` is zero. `pad` is a constant integer, so why the `UnionType` error? That doesn't make any sense.

My next line of thought focused on whether a union could be present at that location or have some interaction. I carefully checked the `bpf_prog_t` struct definition again, searching for unions amongst the fields, especially considering the conditional inclusion of `prog_token_fd` or `pad`. I re-examined the definitions of fields like `core_relos`, `fd_array`, and other related fields that might be implemented as unions but I could not find anything that seemed relevant.

The error message felt misleading. Maybe there's a problem with syzkaller's interpretation, and the union is somewhere else in the struct. I considered, could it be `expected_attach_type`? I reminded myself that the correct syscall is `bpf$PROG_LOAD_XDP` and that meant the structure was `bpf_prog_xdp`, meaning that it shouldn't be a union, as `expected_attach_type` should be `const[BPF_XDP, int32]`, so it’s NOT a union.

I looked at the original error message again, and the specific field that was failing. Could there be a mismatch in the syzkaller definition and what's present on the target kernel? I checked the number of arguments, and whether syzkaller had a different definition.

I started to explore another possibility, the use of `&AUTO` might let syzkaller generate a valid program, and that the root of the error might be elsewhere. But, `&AUTO` can cause problems. Perhaps omitting trailing zeros in the structure literal was the key, as syzkaller should automatically handle the zero padding. However, this didn't work either.

Now I turned back to basics, and carefully verified that the struct literal was correct, and that the lengths, for example, `ninsn`, were correct. I carefully checked the structure field by field, making sure that I was providing the correct values for everything.

I decided that, maybe I was missing something about the total number of fields, and the error was reporting the field offset but not the total number of fields in the struct. I had to provide ALL 28 fields or else it would complain about not having enough arguments.

I tried providing all 27 arguments again. But it said `wrong int arg *prog.UnionType` at the 27th field again! I was back to the `UnionType` error.

I had a flash of inspiration. Since I was loading an XDP program, and I am using `bpf$PROG_LOAD_XDP`, what if `bpf_prog_t` is defined as something different in syzkaller? What if in my syzkaller version, there is a mismatch with the target kernel for `bpf_prog_xdp`, maybe I can use `@xdp=0x0` for `expected_attach_type`. I should try this before going further.

wrong union arg for "const"
line #9:219: r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, <<<!!ERROR!!>>>@xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 240856
							output: 1037
							thoughts: 2888
						

**Debugging a BPF Program Load Issue**

Okay, here's the situation. I'm hitting a "wrong union arg for 'const'" error when loading a BPF program with `bpf$PROG_LOAD_XDP`. The error points to field 27 of the `bpf_prog_t` struct, which is being interpreted incorrectly. The `expected_attach_type` is correctly set to `0x27` (BPF_XDP). Let's review the struct's fields: `type`, `ninsn`, `insns`, `license`, and so on.

I need to figure out what field 27 is, and why it's causing this issue. Initially, I thought that it was `pad` which is declared as `const[0, int32]` when `flags` is zero. However, given the error, and that I'm providing 0 for it, this seems unlikely. The `flags` field controls the presence of `prog_token_fd` or `pad` as part of a union.

I need to confirm the definition of `bpf_prog_t` from the system to check if a different version of the struct is causing the problem.  However, the `bpf_prog.txt` definition matches. So the problem must lie elsewhere.

Looking at the error message, the problem occurs at field 27, even though I've explicitly set several fields. Let's painstakingly recount the struct fields and then try to load the program with the right flags. It seems that `fd_array` is at the 23rd field.

I have to carefully consider the implications of different `len` fields, like `logsize`, and how those interact with other fields like `log`. I need to ensure that the provided values align with how syzkaller interprets them and that I'm setting any `len` fields correctly.

The core of the issue seems to be how I'm handling the union/struct within the `bpf_prog_t` definition. The best approach now seems to be to use `bpf$PROG_LOAD` without the `XDP` and explicitly define all fields within the struct. The problem now is with the `expected_attach_type` which is actually a union. I'm going to set it correctly as `@xdp=0x0`. Let's give it a try.

wrong int arg *prog.UnionType
line #9:300: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0<<<!!ERROR!!>>>}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 245594
							output: 1042
							thoughts: 1756
						

**Debugging a BPF Program Load Error**

Okay, this is frustrating. The error is *still* pinpointing the 27th field in `bpf_prog_t`! Let's go over this again. I need to re-examine the `bpf_prog.txt` definition of `bpf_prog_t`. 

I'm starting to think about flags. I provided `0x0` for the flags, but if it is not 0, then `prog_token_fd` will be `fd_bpf_token`. `fd_bpf_token` is a resource so `0x0` should be valid. 

Could the problem be with the 27th field being a union? I don't have access to the system's syzkaller source code. I can't look at the system's syzkaller directly, which is a major hinderance. I'm going to try using `&AUTO` for the whole struct and let syzkaller fill in the blanks. The issue is that it might not be the correct program type. But I could generate a BPF program and then overwrite the necessary instructions with the appropriate ones. The problem with `&AUTO` is it requires ALL of the fields. So if I try `bpf$PROG_LOAD(0x5, &AUTO, 0x90)` syzkaller would generate a random program, and I need an `XDP_TX` program. I can't use the `bpf` syscall directly since it's not a raw syscall in syzkaller.

Let's look at the error message again: `wrong int arg *prog.UnionType`. This means the 27th field is a union. Is it `fd_array`, `core_relos`, `prog_token_fd`, or `pad`? Let me double-check `bpf_prog.txt`. No other unions are defined, and `expected_attach_type` is the 12th field.

The error is definitely on the 27th field. I provided 27 fields and the error says `wrong int arg *prog.UnionType`. Okay, I know what I'm going to do. Let me just add one more, providing 28 fields. I'll test it out.

wrong int arg *prog.UnionType
line #9:300: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0<<<!!ERROR!!>>>, 0x0}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 249195
							output: 1656
							thoughts: 5235
						

**Debugging the BPF Program Loading Error**

Okay, here's the breakdown of my thought process in tackling this persistent error at the 27th field, assuming I'm dealing with the BPF program loading issue. First, the error points to a union within the `bpf_prog_t` struct, but which one? I systematically eliminate each potential union: `fd_array`, `core_relos`, `attach_prog_fd`, `attach_btf_id`, `line_info`, `func_info`, `btf_fd`, and even `expected_attach_type`, which is actually the culprit! Syzkaller is interpreting the initial values correctly up until that point.

The problem lies not with the presence of the union itself but with how syzkaller is parsing the struct. Because `expected_attach_type` is correctly parsed as `@xdp=0x0` I can exclude it. Then, I realized I must check how I am defining the struct. I had defined all the fields, including the length fields. Because I am using a concrete address to the struct using `&(0x7f00000001c0)`, I have to provide all the members of the struct.

My solution will be to bypass the struct parsing entirely. I'll construct the `bpf_prog_t` data directly as a byte string, crafting the necessary struct layout based on the system's `bpf_prog.txt` definition. Because I am not using the default syzkaller syntax for struct literals, I can completely bypass the union issue. I can directly pass a string of bytes using `&AUTO="...bytes..."`, bypassing the union parsing and the error. I'll load the program with the `bpf$PROG_LOAD` syscall, pointing to my crafted byte array. That should solve the issue!

wrong string arg
line #9:46: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)=ANY=<<<!!ERROR!!>>>"\x06\x00\x00\x00\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x7f\x40\x02\x00\x00\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x27\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00", 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)=ANY="\x06\x00\x00\x00\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x7f\x40\x02\x00\x00\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x27\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00", 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)=ANY="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x27\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)=ANY="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00\x00\x00\x00\x00\x80\x03\x00\x00\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\xc0\x03\x00\x00\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00", 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 257128
							output: 1035
							thoughts: 4155
						

**Debugging a BPF Program Load with Syzkaller**

Okay, so I'm trying to figure out why I'm getting a "wrong int arg *prog.UnionType" error when loading a BPF program. It seems like a type mismatch, and I suspect it's related to how syzkaller handles unions within the `bpf_prog_t` struct.

First, I tried a simple approach: using `ANY` for `ptr` arguments within a struct, but that's a no-go. I considered `syz_execute_func`, but quickly dismissed it. The next idea was using `bpf$PROG_LOAD_XDP` with `&AUTO` to generate a program and then overwrite instructions. However, there's no `memcpy` in Syzkaller.

So, I circled back to `bpf$PROG_LOAD`, figuring I'd provide a struct. Then, I needed to understand the struct's layout to provide correct data. I started digging into the fields, and it became clear that there was something wrong with my understanding of the 27th field, `pad`, which I was providing as 0.

I kept exploring, checking the struct definition, and noticed that `prog_token_fd` might be included if flags were not 0. But I provided `0x0` for `flags`, so `pad` is the correct field, according to the struct.
But what if the error is at another field?

I looked at the kernel struct `union bpf_attr`. The key discovery was the `union` containing `attach_prog_fd` and `attach_btf_obj_fd`. However, the syzkaller `bpf_prog.txt` doesn't define it as a union, so I still wasn't sure why syzkaller was complaining about a union. I began to recheck all possible unions.
I was checking possible unions:
*   `expected_attach_type`, which is a `bpf_prog_attach_types` type.

I then went back to counting fields, carefully, and realized I might have miscounted and provided an incorrect field for my error. It seemed like the error pointed to the 27th field, and that, if `flags` were 0, should be `pad`! But I still suspected it had to do with the type of the arguments.

So, I re-examined the struct definition and confirmed that if `flags` is 0, the 27th field is indeed `pad`, and that `prog_token_fd` is not present, so the count is correct. I finally realize that `expected_attach_type` is indeed a union, which I was specifying through the `@xdp=0x0` argument, and that I should not need to specify the next field, the `pad`, at all. But I still need to fix the format.

I thought I could provide `@void` for the 27th field, and that I'm providing too many fields in the struct.

I will try loading the `bpf_prog_t` struct, but without providing the last field. I hope this resolves the type mismatch issue!

missing struct bpf_prog_t[flags[bpf_prog_type, int32], bpf_prog_attach_types, bpf_btf_id[opt], fd_bpf_prog[opt]] fields 27/28
line #9:303: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void}<<<!!ERROR!!>>>, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 263348
							output: 18
							thoughts: 3453
						

**Debugging a BPF Program Load with Syzkaller**

Okay, so I'm getting a `missing fields 27/28` error when trying to load this BPF program. That's a classic - I'm providing 27 fields and the system expects 28. The tricky part is figuring out *which* field I'm missing or misinterpreting. This means the 27th field should *not* be the last. I initially thought to simply provide an additional field, which is field 28. Then I remember I've tried this before, and it complained about a "wrong int arg *prog.UnionType" at the 27th field. This means the problem could be related to unions.

First thought, the 27th field is related to a Union. I went through the struct members systematically, checking if any of the fields could be unions: `prog_token_fd`, `pad`, `log_true_size`, `core_relo_rec_size`, `core_relos`, `fd_array`, `core_relo_cnt`, `attach_prog_fd`, `attach_btf_id`, `line_info_cnt`, `line_info`, `line_info_rec_size`, `func_info_cnt`, `func_info`, `func_info_rec_size`, `btf_fd`. Nope, not those. Wait, `expected_attach_type` is a union - I remember this from last time. But then it clicked that I was assigning 0x0 instead of the '@xdp=0x0' syntax. Is there another one?

So, I re-examined the `bpf_prog_t` struct definition again. The key is in the conditional fields, specifically `prog_token_fd` and `pad`. These are mutually exclusive, dependent on the `flags` field. If `flags` is zero, `prog_token_fd` is omitted, and `pad` is included. So, if I provide zero for the flags, then there should be 27 fields! So why does syzkaller think there are 28 fields? This is where the syzkaller struct matching and conditional field logic comes in. Since it's giving the missing fields error, it thinks the total number of fields is 28!

This is where the logic needs to be perfect: The `flags` field is the 9th field, and I'm providing `0x0` for it. I re-read the `bpf_prog_t` struct in `bpf_prog.txt`. It indicates that both `prog_token_fd` and `pad` are present. This does not make sense. I went through the struct again, counting the fields to eliminate any mistakes.

Then, the pieces start falling into place. If syzkaller thinks there are 28 fields, it means it is *not* evaluating the conditions correctly. I'm providing 27 fields, and it's complaining about 28. Could it be that `prog_token_fd` and `pad` are BOTH present, and the error lies in the value that I provided for one of these fields. So the 27th field is now `prog_token_fd`, and the 28th field is `pad`. Providing 0x0 means the system treats it as an integer, but `prog_token_fd` is a resource. A resource can still have a value of 0. Why is it saying `wrong int arg *prog.UnionType`?

I reread the exact error message. It's at the 27th field. If it says "wrong int arg", the issue is the 27th field is a union.

Counting all the fields, `prog_token_fd` is the 27th field, and `pad` is the 28th field. Is `prog_token_fd` a union? It's a resource (fd_bpf_token), so it's not a union. Checking the remaining possibilities: `fd_array`, `core_relos`, `attach_prog_fd`, `attach_btf_id`, `line_info`, `func_info` - Not unions. But `expected_attach_type` IS a union! So the issue has to be that I'm passing `0x0` for the union.

I then went back to that error "wrong int arg *prog.UnionType". I can't just pass 0x0 to a union field! That explains why it is complaining about the 27th field. This means I need to provide the correct value for the union field. So `0x0` for `@xdp=0

map[File:sys.txt]

map[Output:# Copyright 2015 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Description of syscall arguments. See README.md for details.

include <linux/socket.h>
include <linux/ptrace.h>
include <linux/resource.h>
include <linux/stat.h>
include <linux/mman.h>
include <linux/time.h>
include <linux/mount.h>
include <linux/fs.h>
include <linux/eventpoll.h>
include <linux/signalfd.h>
include <linux/eventfd.h>
include <linux/timerfd.h>
include <linux/personality.h>
include <linux/wait.h>
include <linux/user.h>
include <linux/un.h>
include <linux/ioctl.h>
include <linux/fadvise.h>
include <linux/falloc.h>
include <linux/kexec.h>
include <linux/elf.h>
include <linux/fiemap.h>
include <linux/kd.h>
include <linux/vt.h>
include <linux/if_alg.h>
include <linux/nfc.h>
include <linux/sockios.h>
include <linux/net_tstamp.h>
include <linux/termios.h>
include <linux/fcntl.h>
include <linux/sched.h>
include <linux/mqueue.h>
include <linux/mempolicy.h>
include <linux/in.h>
include <linux/ip.h>
include <linux/tcp.h>
include <linux/udp.h>
include <linux/kcmp.h>
include <linux/nfs.h>
include <linux/syslog.h>
include <linux/exportfs.h>
include <linux/splice.h>
include <linux/filelock.h>
include <fs/overlayfs/overlayfs.h>
include <uapi/linux/memfd.h>
include <uapi/linux/module.h>
include <linux/ioprio.h>
include <linux/membarrier.h>
include <uapi/linux/kcov.h>
include <uapi/linux/membarrier.h>
include <uapi/linux/capability.h>
include <uapi/linux/seccomp.h>
include <uapi/linux/wait.h>
include <uapi/linux/watch_queue.h>
include <kernel/sched/sched.h>
include <uapi/linux/close_range.h>
include <uapi/linux/netfilter/xt_cgroup.h>
include <fs/smb/client/cifsglob.h>
include <xen/interface/io/xs_wire.h>
include <uapi/linux/prctl.h>
include <asm/prctl.h>
include <linux/reboot.h>
include <linux/swap.h>

resource fd[int32]: -1
resource fd_dir[fd]: AT_FDCWD

# alignptr/align32/align64/padto64 can be used when ABI uses int64/intptr to hold a smaller type.
# E.g. pid/uid stored as intptr/int64.
type alignptr[T] {
	v	T
} [align[PTR_SIZE]]

type align32[T] {
	v	T
} [align[4]]

type align64[T] {
	v	T
} [align[8]]

type padto32[T] {
	v	T
} [size[4]]

type padto64[T] {
	v	T
} [size[8]]

type signalno int32[0:65]
type signalnoptr intptr[0:65]

# syz_execute_func caused multiple problems:
# 1. First it lead to corpus explosion. The program used existing values in registers
# to pollute output area. We tried to zero registers (though, not reliably).
# 2. It lead to explosion again. The exact mechanics are unknown, here is one sample:
# syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4
#	430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44
#	9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464
#	660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100")
# 3. The code can also execute syscalls (and it is know to), but it's not subject to
# target.SanitizeCall. As the result it can do things that programs are not supposed to do.
# 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable
# to syz_execute_func based on corpus contents. Mechanics are also not known.
# It also did not cause finding of any new bugs (at least not that I know of).
# So it's disabled on all OSes until we figure out how to resolve all these problems.
syz_execute_func(text ptr[in, text[target]]) (disabled)

# Exclude /sys/power/state as reported in https://lkml.org/lkml/2021/5/27/653
openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*:-/sys/power/state"]], flags flags[open_flags], mode flags[open_mode]) fd

open(file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd (automatic_helper)
# Just so that we have something that creates fd_dir resources.
open$dir(file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd_dir (automatic_helper)
openat$dir(fd const[AT_FDCWD], file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd_dir (automatic_helper)
openat(fd fd_dir[opt], file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd
openat2$dir(fd const[AT_FDCWD], file ptr[in, filename], how ptr[in, open_how], size bytesize[how]) fd_dir (automatic_helper)
openat2(fd fd_dir[opt], file ptr[in, filename], how ptr[in, open_how], size bytesize[how]) fd
creat(file ptr[in, filename], mode flags[open_mode]) fd
close(fd fd)
read(fd fd, buf buffer[out], count len[buf])
pread64(fd fd, buf buffer[out], count len[buf], pos fileoff)
readv(fd fd, vec ptr[in, array[iovec_out]], vlen len[vec])
preadv(fd fd, vec ptr[in, array[iovec_out]], vlen len[vec], off_low int32, off_high int32)
preadv2(fd fd, vec ptr[in, array[iovec_out]], vlen len[vec], off_low int32, off_high int32, flags flags[rwf_flags])
write(fd fd, buf buffer[in], count len[buf])
pwrite64(fd fd, buf buffer[in], count len[buf], pos fileoff)
writev(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec])
pwritev(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec], off_low int32, off_high int32)
pwritev2(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec], off_low int32, off_high int32, flags flags[rwf_flags])
# lseek can return negative offsets when the file has FMODE_UNSIGNED_OFFSET flag:
# https://elixir.bootlin.com/linux/v6.11-rc7/source/fs/read_write.c#L56
# It's unclear how it's then even possible to distinguish error from valid offset, but it's not our problem.
# We just have to ignore return values of lseek.
lseek(fd fd, offset fileoff, whence flags[seek_whence]) (ignore_return)
copy_file_range(fd_in fd, off_in ptr[inout, fileoff[int64], opt], fd_out fd, off_out ptr[inout, fileoff[int64], opt], len intptr, flags flags[copy_file_range_flags])

rwf_flags = RWF_DSYNC, RWF_HIPRI, RWF_SYNC, RWF_NOWAIT, RWF_APPEND
copy_file_range_flags = 0

dup(oldfd fd) fd
dup2(oldfd fd, newfd fd) fd
dup3(oldfd fd, newfd fd, flags flags[dup_flags]) fd

pipe(pipefd ptr[out, pipefd])
pipe2(pipefd ptr[out, pipefd], flags flags[pipe_flags])

tee(fdin fd, fdout fd, len intptr, f flags[splice_flags])
splice(fdin fd, offin ptr[in, fileoff[int64]], fdout fd, offout ptr[in, fileoff[int64]], len intptr, f flags[splice_flags])
vmsplice(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec], f flags[splice_flags])
sendfile(fdout fd, fdin fd, off ptr[inout, fileoff[intptr], opt], count intptr)
sendfile64(fdout fd, fdin fd, off ptr[inout, fileoff[int64], opt], count intptr)

cachestat_range {
	off	fileoff[int64]
	len	int64
}

cachestat {
	nr_cache		int64
	nr_dirty		int64
	nr_writeback		int64
	nr_evicted		int64
	nr_recently_evicted	int64
}

stat(file ptr[in, filename], statbuf ptr[out, stat])
lstat(file ptr[in, filename], statbuf ptr[out, stat])
fstat(fd fd, statbuf ptr[out, stat])
newfstatat(dfd const[AT_FDCWD], file ptr[in, filename], statbuf ptr[out, stat], flag flags[statx_flags])
stat64(file ptr[in, filename], statbuf ptr[out, stat64])
lstat64(file ptr[in, filename], statbuf ptr[out, stat64])
fstat64(fd fd, statbuf ptr[out, stat64])
fstatat64(dfd const[AT_FDCWD], file ptr[in, filename], statbuf ptr[out, stat64], flag flags[statx_flags])
statx(fd fd_dir, file ptr[in, filename], flags flags[statx_flags], mask flags[statx_mask], statxbuf ptr[out, statx])
cachestat(fd fd, cstat_range ptr[in, cachestat_range], cstat ptr[out, cachestat], flags const[0])

poll(fds ptr[in, array[pollfd]], nfds len[fds], timeout int32)
ppoll(fds ptr[in, array[pollfd]], nfds len[fds], tsp ptr[in, timespec], sigmask ptr[in, sigset_t], size len[sigmask])
select(n len[inp], inp ptr[inout, fd_set], outp ptr[inout, fd_set], exp ptr[inout, fd_set], tvp ptr[inout, timeval])
pselect6(n len[inp], inp ptr[inout, fd_set], outp ptr[inout, fd_set], exp ptr[inout, fd_set], tvp ptr[inout, timespec], sig ptr[in, sigset_size])

resource fd_epoll[fd]
epoll_create(size int32) fd_epoll
epoll_create1(flags flags[epoll_flags]) fd_epoll
epoll_ctl$EPOLL_CTL_ADD(epfd fd_epoll, op const[EPOLL_CTL_ADD], fd fd, ev ptr[in, epoll_event])
epoll_ctl$EPOLL_CTL_MOD(epfd fd_epoll, op const[EPOLL_CTL_MOD], fd fd, ev ptr[in, epoll_event])
epoll_ctl$EPOLL_CTL_DEL(epfd fd_epoll, op const[EPOLL_CTL_DEL], fd fd)
epoll_wait(epfd fd_epoll, events ptr[out, array[epoll_event]], maxevents len[events], timeout int32)
epoll_pwait(epfd fd_epoll, events ptr[out, array[epoll_event]], maxevents len[events], timeout int32, sigmask ptr[in, sigset_t], size bytesize[sigmask])
epoll_pwait2(epfd fd_epoll, events ptr[out, array[epoll_event]], maxevents len[events], timeout ptr[in, timespec], sigmask ptr[in, sigset_t], size bytesize[sigmask])

resource fd_timer[fd]
signalfd(fd fd, mask ptr[in, sigset_t], size len[mask]) fd
signalfd4(fd fd, mask ptr[in, sigset_t], size len[mask], flags flags[signalfd_flags]) fd
timerfd_create(clockid flags[clock_type], flags flags[timerfd_create_flags]) fd_timer
timerfd_settime(fd fd_timer, flags flags[timerfd_settime_flags], new ptr[in, itimerspec], old ptr[out, itimerspec])
timerfd_gettime(fd fd_timer, cur ptr[out, itimerspec])
ioctl$TFD_IOC_SET_TICKS(fd fd_timer, cmd const[TFD_IOC_SET_TICKS], arg ptr[in, int64])

resource fd_event[fd]
eventfd(initval int32) fd_event
eventfd2(initval int32, flags flags[eventfd_flags]) fd_event
read$eventfd(fd fd_event, val ptr[out, int64], len len[val])
write$eventfd(fd fd_event, val ptr[in, int64], len len[val])

brk(brk intptr)
mmap(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd, offset intptr[0:0xffffffff, 0x1000])
munmap(addr vma, len len[addr])
mremap(addr vma, len len[addr], newlen len[newaddr], flags flags[mremap_flags], newaddr vma)
remap_file_pages(addr vma, size len[addr], prot flags[mmap_prot], pgoff intptr, flags flags[mmap_flags])
mprotect(addr vma, len len[addr], prot flags[mmap_prot])
msync(addr vma, len len[addr], f flags[msync_flags])
madvise(addr vma, len len[addr], advice flags[madvise_flags])
process_madvise(pidfd fd_pidfd, vec ptr[in, array[iovec_in]], vlen len[vec], advice flags[madvise_flags], flags const[0])
process_mrelease(pidfd fd_pidfd, flags const[0])
fadvise64(fd fd, offset fileoff, len intptr, advice flags[fadvise_flags])
readahead(fd fd, off intptr, count intptr)
mbind(addr vma, len len[addr], mode flags[mbind_mode], nodemask ptr[in, int64], maxnode intptr, flags flags[mbind_flags])
move_pages(pid pid, nr len[pages], pages ptr[in, array[vma]], nodes ptr[in, array[int32], opt], status ptr[out, array[int32]], flags flags[move_pages_flags])
migrate_pages(pid pid, maxnode intptr, old ptr[in, int64], new ptr[in, int64])
set_mempolicy(mode flags[mbind_mode], nodemask ptr[in, int64], maxnode intptr)
get_mempolicy(mode ptr[out, int32], nodemask ptr[out, int64], maxnode intptr, addr vma, flags flags[mempolicy_flags])
set_mempolicy_home_node(addr vma, len len[addr], home_node intptr[0:3], flags const[0])
mincore(addr vma, size len[addr], vec buffer[out])
mlock(addr vma, size len[addr])
mlock2(addr vma, size len[addr], flags flags[mlock_flags])
munlock(addr vma, size len[addr])
mlockall(flags flags[mlockall_flags])
munlockall()
kcmp(pid1 pid, pid2 pid, type flags[kcmp_flags], fd1 fd, fd2 fd)
kcmp$KCMP_EPOLL_TFD(pid1 pid, pid2 pid, type const[KCMP_EPOLL_TFD], fd1 fd, idx2 ptr[in, kcmp_epoll_slot])

resource fd_memfd[fd]
memfd_create(name ptr[in, string], flags flags[memfd_flags]) fd_memfd
memfd_flags = MFD_CLOEXEC, MFD_ALLOW_SEALING, MFD_HUGETLB
_ = MFD_HUGE_SHIFT, MFD_HUGE_MASK, MFD_HUGE_64KB, MFD_HUGE_512KB, MFD_HUGE_1MB, MFD_HUGE_2MB, MFD_HUGE_8MB, MFD_HUGE_16MB

memfd_secret(flags flags[memfd_secret_flags]) fd
memfd_secret_flags = O_CLOEXEC

resource pkey[int32]: -1
pkey_alloc(flags const[0], val flags[pkey_flags]) pkey
pkey_free(key pkey)
pkey_mprotect(addr vma, len len[addr], prot flags[mmap_prot], key pkey)
syz_pkey_set(key pkey, val flags[pkey_flags])

pkey_flags = PKEY_DISABLE_ACCESS, PKEY_DISABLE_WRITE

restart_syscall()

# Almighty!
ioctl(fd fd, cmd int32, arg buffer[in])

ioctl$int_in(fd fd, cmd flags[ioctl_int_in], v ptr[in, int64])
ioctl$int_out(fd fd, cmd flags[ioctl_int_out], v ptr[out, intptr])

ioctl$FIOCLEX(fd fd, cmd const[FIOCLEX])
ioctl$FIONCLEX(fd fd, cmd const[FIONCLEX])
ioctl$FITHAW(fd fd, cmd const[FITHAW])

# FIFREEZE is enabled in sandbox mode only because it can easily kill the machine.
ioctl$FIFREEZE(fd fd, cmd const[FIFREEZE]) (snapshot)

fcntl$dupfd(fd fd, cmd flags[fcntl_dupfd], arg fd) fd
fcntl$getflags(fd fd, cmd flags[fcntl_getflags])
fcntl$setflags(fd fd, cmd const[F_SETFD], flags flags[fcntl_flags])
fcntl$setstatus(fd fd, cmd const[F_SETFL], flags flags[fcntl_status])
fcntl$lock(fd fd, cmd flags[fcntl_lock], lock ptr[in, flock])
fcntl$getown(fd fd, cmd const[F_GETOWN]) pid (automatic_helper)
fcntl$setown(fd fd, cmd const[F_SETOWN], pid pid)
fcntl$getownex(fd fd, cmd const[F_GETOWN_EX], arg ptr[out, f_owner_ex])
fcntl$setownex(fd fd, cmd const[F_SETOWN_EX], arg ptr[in, f_owner_ex])
fcntl$setsig(fd fd, cmd const[F_SETSIG], sig signalnoptr)
fcntl$setlease(fd fd, cmd const[F_SETLEASE], typ flags[flock_type])
fcntl$notify(fd fd, cmd const[F_NOTIFY], typ flags[fcntl_notify])
fcntl$setpipe(fd fd, cmd const[F_SETPIPE_SZ], sz intptr)
fcntl$addseals(fd fd, cmd const[F_ADD_SEALS], seals flags[seal_types])
fcntl$F_GET_RW_HINT(fd fd, cmd const[F_GET_RW_HINT], hint ptr[out, int64])
fcntl$F_GET_FILE_RW_HINT(fd fd, cmd const[F_GET_FILE_RW_HINT], hint ptr[out, int64])
fcntl$F_SET_RW_HINT(fd fd, cmd const[F_SET_RW_HINT], hint ptr[in, flags[fcntl_rw_hint, int64]])
fcntl$F_SET_FILE_RW_HINT(fd fd, cmd const[F_SET_FILE_RW_HINT], hint ptr[in, flags[fcntl_rw_hint, int64]])

# Only some commands break return values.
# When/if we have stricter enforcement of arguments, we may remove some of breaks_returns attributes.
ptrace(req flags[ptrace_req], pid pid) (breaks_returns)
ptrace$peek(req flags[ptrace_req_peek], pid pid, addr ptr[out, intptr]) (breaks_returns)
ptrace$poke(req flags[ptrace_req_poke], pid pid, addr ptr[out, intptr], data intptr) (breaks_returns)
ptrace$peekuser(req const[PTRACE_PEEKUSR], pid pid, addr intptr) (breaks_returns)
ptrace$pokeuser(req const[PTRACE_POKEUSR], pid pid, addr intptr, data intptr) (breaks_returns)
ptrace$getregs(req flags[ptrace_req_getregs], pid pid, ignored intptr, data buffer[out]) (breaks_returns)
ptrace$getregset(req const[PTRACE_GETREGSET], pid pid, what flags[pthread_regset], data ptr[in, iovec_out]) (breaks_returns)
ptrace$setregs(req flags[ptrace_req_setregs], pid pid, ignored intptr, data buffer[in]) (breaks_returns)
ptrace$setregset(req const[PTRACE_SETREGSET], pid pid, what flags[pthread_regset], data ptr[in, iovec_in]) (breaks_returns)
ptrace$getsig(req const[PTRACE_GETSIGINFO], pid pid, ignored intptr, data ptr[out, siginfo]) (breaks_returns)
ptrace$setsig(req const[PTRACE_SETSIGINFO], pid pid, ignored intptr, data ptr[in, siginfo]) (breaks_returns)
ptrace$setopts(req flags[ptrace_req_setopts], pid pid, ignored intptr, flags flags[ptrace_options]) (breaks_returns)
ptrace$getenv(req const[PTRACE_GETEVENTMSG], pid pid, ignored intptr, data ptr[out, intptr]) (breaks_returns)
ptrace$cont(req flags[ptrace_req_cont], pid pid, ignored intptr, data intptr) (breaks_returns)
ptrace$PTRACE_SECCOMP_GET_FILTER(req const[PTRACE_SECCOMP_GET_FILTER], pid pid, addr intptr, data ptr[out, array[int8]]) (breaks_returns)
ptrace$PTRACE_SECCOMP_GET_METADATA(req const[PTRACE_SECCOMP_GET_METADATA], pid pid, addr len[data], data ptr[in, seccomp_metadata]) (breaks_returns)
ptrace$PTRACE_SETSIGMASK(req const[PTRACE_SETSIGMASK], pid pid, size bytesize[data], data ptr[in, sigset_t]) (breaks_returns)
ptrace$PTRACE_GETSIGMASK(req const[PTRACE_GETSIGMASK], pid pid, size bytesize[data], data ptr[out, sigset_t]) (breaks_returns)
ptrace$ARCH_GET_FS(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], code const[ARCH_GET_FS]) (breaks_returns)
ptrace$ARCH_GET_GS(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], code const[ARCH_GET_GS]) (breaks_returns)
ptrace$ARCH_SET_GS(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], code const[ARCH_SET_GS]) (breaks_returns)
ptrace$ARCH_GET_CPUID(req const[PTRACE_ARCH_PRCTL], pid pid, arg const[0], code const[ARCH_GET_CPUID]) (breaks_returns)
ptrace$ARCH_SET_CPUID(req const[PTRACE_ARCH_PRCTL], pid pid, arg boolptr, code const[ARCH_SET_CPUID]) (breaks_returns)
ptrace$ARCH_MAP_VDSO_X32(req const[PTRACE_ARCH_PRCTL], pid pid, arg intptr, code const[ARCH_MAP_VDSO_X32]) (breaks_returns)
ptrace$ARCH_MAP_VDSO_32(req const[PTRACE_ARCH_PRCTL], pid pid, arg intptr, code const[ARCH_MAP_VDSO_32]) (breaks_returns)
ptrace$ARCH_MAP_VDSO_64(req const[PTRACE_ARCH_PRCTL], pid pid, arg intptr, code const[ARCH_MAP_VDSO_64]) (breaks_returns)
ptrace$ARCH_SHSTK_STATUS(req const[PTRACE_ARCH_PRCTL], pid pid, res ptr[out, intptr], cmd const[ARCH_SHSTK_STATUS]) (breaks_returns)
ptrace$ARCH_SHSTK_LOCK(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_LOCK]) (breaks_returns)
ptrace$ARCH_SHSTK_UNLOCK(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_UNLOCK]) (breaks_returns)
ptrace$ARCH_SHSTK_ENABLE(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_ENABLE]) (breaks_returns)
ptrace$ARCH_SHSTK_DISABLE(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_DISABLE]) (breaks_returns)
ptrace$ARCH_GET_UNTAG_MASK(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], cmd const[ARCH_GET_UNTAG_MASK]) (breaks_returns)
ptrace$ARCH_GET_MAX_TAG_BITS(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], cmd const[ARCH_GET_MAX_TAG_BITS]) (breaks_returns)
ptrace$ARCH_ENABLE_TAGGED_ADDR(req const[PTRACE_ARCH_PRCTL], pid pid, arg intptr[1:6], cmd const[ARCH_ENABLE_TAGGED_ADDR]) (breaks_returns)
ptrace$ARCH_FORCE_TAGGED_SVA(req const[PTRACE_ARCH_PRCTL], pid pid, arg const[0], cmd const[ARCH_FORCE_TAGGED_SVA]) (breaks_returns)

map_shadow_stack(addr vma, size bytesize[addr], flags boolptr)

seccomp_metadata {
	filter_off	int64
	flags		const[0, int64]
}

ptrace_peeksiginfo_args {
	off	int64
	flags	flags[ptrace_peeksiginfo_flags, int32]
	nr	len[syscall:data, int32]
}

ptrace$peeksig(req const[PTRACE_PEEKSIGINFO], pid pid, args ptr[in, ptrace_peeksiginfo_args], data ptr[out, array[siginfo]])

capget(hdr ptr[in, cap_header], data ptr[in, cap_data])
capset(hdr ptr[in, cap_header], data ptr[in, cap_data])

resource fd_mq[fd]
mq_open(name ptr[in, string], flags flags[mq_open_flags], mode flags[open_mode], attr ptr[in, mq_attr]) fd_mq
mq_timedsend(mqd fd_mq, msg buffer[in], msglen len[msg], prio intptr, timeout ptr[in, timespec, opt])
mq_timedreceive(mqd fd_mq, msg buffer[out], msglen len[msg], prio intptr, timeout ptr[in, timespec, opt])
mq_notify(mqd fd_mq, notif ptr[in, sigevent])
mq_getsetattr(mqd fd_mq, attr ptr[in, mq_attr], oldattr ptr[out, mq_attr, opt])
mq_unlink(name ptr[in, string])

mknod(file ptr[in, filename], mode flags[mknod_mode], dev int32)
mknod$loop(file ptr[in, filename], mode flags[mknod_mode], dev proc[1792, 2])
mknodat$loop(dirfd fd_dir, file ptr[in, filename], mode flags[mknod_mode], dev proc[1792, 2])
mknodat$null(dirfd fd_dir, file ptr[in, filename], mode flags[mknod_mode], dev const[0x103])
mknodat(dirfd fd_dir, file ptr[in, filename], mode flags[mknod_mode], dev int32)
chmod(file ptr[in, filename], mode flags[open_mode])
fchmod(fd fd, mode flags[open_mode])
fchmodat(dirfd fd_dir, file ptr[in, filename], mode flags[open_mode])
chown(file ptr[in, filename], uid uid, gid gid)
lchown(file ptr[in, filename], uid uid, gid gid)
fchown(fd fd, uid uid, gid gid)
fchownat(dirfd fd_dir, file ptr[in, filename], uid uid, gid gid, flags flags[at_flags])
fallocate(fd fd, mode flags[fallocate_mode], off intptr, len intptr)
faccessat(dirfd fd_dir, pathname ptr[in, filename], mode flags[open_mode])
faccessat2(dirfd fd_dir, pathname ptr[in, filename], mode flags[open_mode], flags flags[faccessat_flags])
utime(filename ptr[in, filename], times ptr[in, utimbuf])
utimes(filename ptr[in, filename], times ptr[in, itimerval])
futimesat(dir fd_dir, pathname ptr[in, filename], times ptr[in, itimerval])
utimensat(dir fd_dir, pathname ptr[in, filename], times ptr[in, itimerval], flags flags[utimensat_flags])

# Small trick - syzkaller cannot give the proper stack pointer to clone(), but we can do it with the aid of pseudo syscalls.
syz_clone(flags flags[clone_flags], stack buffer[in], stack_len bytesize[stack], parentid ptr[out, int32], childtid ptr[out, int32], tls buffer[in]) pid (automatic_helper)

syz_clone3(args ptr[in, clone_args], size bytesize[args]) pid (automatic_helper)

# We need these disabled definitions to simplify the presence and the NR checking.
clone(flags flags[clone_flags], sp buffer[in], parentid ptr[out, int32], childtid ptr[out, int32], tls buffer[in]) (breaks_returns, disabled)
clone3(args ptr[in, clone_args], size bytesize[args]) pid (breaks_returns, disabled)

clone_args {
	flags		flags[clone3_flags, int64]
	pidfd		ptr64[out, fd_pidfd]
	child_tid	ptr64[out, pid]
	parent_tid	ptr64[out, pid]
	exit_signal	align64[signalno]
	stack		ptr64[out, array[int8]]
	stack_size	bytesize[stack, int64]
	tls		ptr64[out, array[int8]]
	set_tid		ptr64[in, array[pid]]
	set_tid_size	len[set_tid, int64]
	cgroup		align64[fd_cgroup]
}

resource pid[int32]: 0, -1
resource uid[int32]: 0, -1, 0xee00, 0xee01
resource gid[int32]: 0, -1, 0xee00, 0xee01

getgid() gid (automatic_helper)
getegid() gid (automatic_helper)
setuid(uid uid)
setgid(gid gid)
getuid() uid (automatic_helper)
geteuid() uid (automatic_helper)
setpgid(pid pid, pgid pid)
getpgid(pid pid) pid (automatic_helper)
getpgrp(pid pid) pid (automatic_helper)
getpid() pid (automatic_helper)
gettid() pid (automatic_helper)
setreuid(ruid uid, euid uid)
setregid(rgid gid, egid gid)
setresuid(ruid uid, euid uid, suid uid)
setresgid(rgid gid, egid gid, sgid gid)
getresuid(ruid ptr[out, uid], euid ptr[out, uid], suid ptr[out, uid])
getresgid(rgid ptr[out, gid], egid ptr[out, gid], sgid ptr[out, gid])
setfsuid(fsuid uid)
setfsgid(fsgid gid)
getgroups(size len[list], list ptr[inout, array[gid]])
setgroups(size len[list], list ptr[in, array[gid]])
personality(persona flags[personality_flags])
# Don't mess with parent (fuzzer). If we ptrace attach to it, it will hang.
# If we setrlimit for parent, it will misbehave. Killing - the same. Nothing good.
#getppid() pid
#getsid(pid pid) pid
#setsid() pid

link(old ptr[in, filename], new ptr[in, filename])
linkat(oldfd fd_dir, old ptr[in, filename], newfd fd_dir, new ptr[in, filename], flags flags[linkat_flags])
symlinkat(old ptr[in, filename], newfd fd_dir, new ptr[in, filename])
symlink(old ptr[in, filename], new ptr[in, filename])
unlink(path ptr[in, filename])
unlinkat(fd fd_dir, path ptr[in, filename], flags flags[unlinkat_flags])
readlink(path ptr[in, filename], buf buffer[out], siz len[buf])
readlinkat(fd fd_dir, path ptr[in, filename], buf buffer[out], siz len[buf])
rename(old ptr[in, filename], new ptr[in, filename])
renameat(oldfd fd_dir, old ptr[in, filename], newfd fd_dir, new ptr[in, filename])
renameat2(oldfd fd_dir, old ptr[in, filename], newfd fd_dir, new ptr[in, filename], flags flags[renameat2_flags])
mkdir(path ptr[in, filename], mode flags[open_mode])
mkdirat(fd fd_dir[opt], path ptr[in, filename], mode flags[open_mode])
rmdir(path ptr[in, filename])
truncate(file ptr[in, filename], len intptr)
ftruncate(fd fd, len intptr)
flock(fd fd, op flags[flock_op])
fsync(fd fd)
fdatasync(fd fd)
sync()
syncfs(fd fd)
sync_file_range(fd fd, off intptr, nbytes intptr, flags flags[sync_file_flags])
lookup_dcookie(cookie intptr, buf buffer[out], len len[buf])
getdents(fd fd_dir, ent buffer[out], count len[ent])
getdents64(fd fd_dir, ent buffer[out], count len[ent])
name_to_handle_at(fd fd_dir, file ptr[in, filename], handle ptr[in, file_handle], mnt ptr[out, int32], flags flags[name_to_handle_at_flags])
open_by_handle_at(mountdirfd fd, handle ptr[in, file_handle], flags flags[open_flags])
chroot(dir ptr[in, filename])
getcwd(buf buffer[out], size len[buf])
chdir(dir ptr[in, filename])
fchdir(fd fd)
pivot_root(new_root ptr[in, filename], put_old ptr[in, filename])

sysfs$1(option const[1], fsname ptr[in, string])
sysfs$2(option const[2], fsindex intptr, fsname buffer[out])
sysfs$3(option const[3])
statfs(path ptr[in, filename], buf buffer[out])
fstatfs(fd fd, buf buffer[out])

uselib(lib ptr_binfmt_file)
init_module(mod ptr[in, binfmt_elf64], len len[mod], args ptr[in, string])
finit_module(fd fd_binfmt, args ptr[in, string], flags flags[finit_module_flags])
delete_module(name ptr[in, string], flags flags[delete_module_flags])
kexec_load(entry intptr, nr_segments len[segments], segments ptr[in, array[kexec_segment]], flags flags[kexec_load_flags])
syslog(cmd flags[syslog_cmd], buf ptr[out, array[int8], opt], len len[buf])
uname(buf buffer[out])
sysinfo(info buffer[out])
ustat(dev intptr, buf ptr[out, ustat])
acct(filename ptr[in, filename, opt])

getrusage(who flags[rusage_who], usage ptr[out, rusage])
getrlimit(res flags[rlimit_type], rlim ptr[out, rlimit])
setrlimit(res flags[rlimit_type], rlim ptr[in, rlimit])
prlimit64(pid pid, res flags[rlimit_type], new ptr[in, rlimit, opt], old ptr[out, rlimit, opt])

iopl(level int8)
ioperm(from intptr, num intptr, on intptr)
ioprio_get$pid(which flags[ioprio_which_pid], who pid)
ioprio_get$uid(which flags[ioprio_which_uid], who uid)
ioprio_set$pid(which flags[ioprio_which_pid], who pid, ioprio flags[ioprio_priorities])
ioprio_set$uid(which flags[ioprio_which_uid], who uid, ioprio flags[ioprio_priorities])

# NEED: we can express the construction of integers using structs with flags
# and bitfields, which are normally obtained using a combination of bitwise
# operations with the help of macros. However, structs can't be directly passed
# as a syscall argument; therefore, such constructions can't be directly passed either.
# One example is ioprio argument for ioprio_set, where we could have expressed the
# construction less messy. For now, some subset of valid values are enumerated as
# in ioprio_priorities.

# ioprio priority values are obtained using IOPRIO_PRIO_VALUE(class, data) macro.
# the behaviour of the macro is mimicked below and some priority values are enumerated.
ioprio_priorities = IOPRIO_CLASS_NONE_PRIO, IOPRIO_CLASS_IDLE_PRIO, IOPRIO_CLASS_RT_HIGH_PRIO, IOPRIO_CLASS_BE_HIGH_PRIO, IOPRIO_CLASS_RT_MID_PRIO, IOPRIO_CLASS_BE_MID_PRIO, IOPRIO_CLASS_RT_LOW_PRIO, IOPRIO_CLASS_BE_LOW_PRIO

# The classes RT and BE take data values from the range [0:7]. Use a subset of the available
# values (0, 4, 7) to ease collisions, and to avoid redundancy. The classes NONE and IDLE
# have only one valid priority value each with data set to 0.
define IOPRIO_CLASS_NONE_PRIO	(IOPRIO_CLASS_NONE << IOPRIO_CLASS_SHIFT)
define IOPRIO_CLASS_IDLE_PRIO	(IOPRIO_CLASS_IDLE << IOPRIO_CLASS_SHIFT)
define IOPRIO_CLASS_RT_HIGH_PRIO	(IOPRIO_CLASS_RT << IOPRIO_CLASS_SHIFT)
define IOPRIO_CLASS_BE_HIGH_PRIO	(IOPRIO_CLASS_BE << IOPRIO_CLASS_SHIFT)
define IOPRIO_CLASS_RT_MID_PRIO	((IOPRIO_CLASS_RT << IOPRIO_CLASS_SHIFT) + 4)
define IOPRIO_CLASS_BE_MID_PRIO	((IOPRIO_CLASS_BE << IOPRIO_CLASS_SHIFT) + 4)
define IOPRIO_CLASS_RT_LOW_PRIO	((IOPRIO_CLASS_RT << IOPRIO_CLASS_SHIFT) + 7)
define IOPRIO_CLASS_BE_LOW_PRIO	((IOPRIO_CLASS_BE << IOPRIO_CLASS_SHIFT) + 7)

resource timerid[int32]
timer_create(id flags[clock_id], ev ptr[in, sigevent], timerid ptr[out, timerid])
timer_gettime(timerid timerid, setting ptr[out, itimerspec])
timer_getoverrun(timerid timerid)
timer_settime(timerid timerid, flags flags[timer_flags], new ptr[in, itimerspec], old ptr[out, itimerspec, opt])
timer_delete(timerid timerid)

time(t ptr[out, intptr])
clock_gettime(id flags[clock_id], tp ptr[out, timespec])
clock_settime(id flags[clock_id], tp ptr[in, timespec])
clock_adjtime(id flags[clock_id], tx ptr[in, timex])
clock_getres(id flags[clock_id], tp ptr[out, timespec])
clock_nanosleep(id flags[clock_id], flags flags[timer_flags], rqtp ptr[in, timespec], rmtp ptr[out, timespec, opt])
rt_sigaction(sig signalno, act ptr[in, sigaction], oact ptr[out, sigaction, opt], sigsetsize len[fake], fake ptr[out, sigset_t])
rt_sigprocmask(how flags[sigprocmask_how], nset ptr[in, sigset_t], oset ptr[out, sigset_t, opt], sigsetsize len[nset])
rt_sigreturn()
rt_sigpending(set ptr[out, sigset_t], sigsetsize len[set])
rt_sigtimedwait(these ptr[in, sigset_t], info ptr[out, siginfo, opt], ts ptr[in, timespec], sigsetsize len[these])
rt_sigsuspend(new ptr[in, sigset_t], sigsetsize len[new])
rt_sigqueueinfo(pid pid, sig signalno, info ptr[in, siginfo])
rt_tgsigqueueinfo(gid pid, tid pid, sig signalno, info ptr[in, siginfo])
sigaltstack(ss ptr[in, sigaltstack], oss ptr[out, sigaltstack, opt])
tgkill(gid pid, tid pid, sig signalno)
tkill(tid pid, sig signalno)
pause()
alarm(seconds intptr)
nanosleep(req ptr[in, timespec], rem ptr[out, timespec, opt])
getitimer(which flags[getitimer_which], cur ptr[out, itimerval])
setitimer(which flags[getitimer_which], new ptr[in, itimerval], old ptr[out, itimerval, opt])
exit(code intptr)
exit_group(code intptr)
waitid(which flags[waitid_which], pid pid, infop ptr[out, siginfo, opt], options flags[wait_options], ru ptr[out, rusage, opt])
waitid$P_PIDFD(which const[P_PIDFD], pidfd fd_pidfd, infop ptr[out, siginfo, opt], options flags[wait_options], ru ptr[out, rusage, opt])
wait4(pid pid, status ptr[out, int32, opt], options flags[wait_options], ru ptr[out, rusage, opt])
times(buf ptr[out, tms])
# Can send signals to all processes (pid=-1) so it's enabled only in snapshot mode.
kill(pid pid, sig signalno) (snapshot)

set_thread_area(info ptr[in, user_desc])
get_thread_area(info ptr[in, user_desc])
modify_ldt$read(func const[0], buf buffer[out], len len[buf])
modify_ldt$write(func const[1], buf ptr[in, user_desc], len len[buf])
modify_ldt$read_default(func const[2], buf buffer[out], len len[buf])
modify_ldt$write2(func const[17], buf ptr[in, user_desc], len len[buf])
process_vm_readv(pid pid, loc_vec ptr[in, array[iovec_out]], loc_vlen len[loc_vec], rem_vec ptr[in, array[iovec_out]], rem_vlen len[rem_vec], flags const[0])
process_vm_writev(pid pid, loc_vec ptr[in, array[iovec_out]], loc_vlen len[loc_vec], rem_vec ptr[in, array[iovec_out]], rem_vlen len[rem_vec], flags const[0])
set_tid_address(tidptr ptr[out, int32])
getpriority(which flags[priority_which], who pid)
setpriority(which flags[priority_which], who pid, prio intptr)
sched_getscheduler(pid pid)
sched_setscheduler(pid pid, policy flags[sched_policy], prio ptr[in, int32])
sched_rr_get_interval(pid pid, tp ptr[out, timespec])
sched_getparam(pid pid, prio ptr[out, int32])
sched_setparam(pid pid, prio ptr[in, int32])
sched_getaffinity(pid pid, cpusetsize len[mask], mask ptr[out, int64])
sched_setaffinity(pid pid, cpusetsize len[mask], mask ptr[in, int64])
sched_getattr(pid pid, attr ptr[out, sched_attr], size len[attr], flags const[0])
sched_setattr(pid pid, attr ptr[in, sched_attr], flags const[0])
sched_yield()
getrandom(buf buffer[out], len len[buf], flags flags[getrandom_flags])

reboot(magic1 const[LINUX_REBOOT_MAGIC1], magic2 const[LINUX_REBOOT_MAGIC2], cmd flags[reboot_commands], arg const[0]) (snapshot)

reboot_commands = LINUX_REBOOT_CMD_RESTART, LINUX_REBOOT_CMD_HALT, LINUX_REBOOT_CMD_CAD_ON, LINUX_REBOOT_CMD_CAD_OFF, LINUX_REBOOT_CMD_POWER_OFF, LINUX_REBOOT_CMD_RESTART2, LINUX_REBOOT_CMD_SW_SUSPEND, LINUX_REBOOT_CMD_KEXEC

swapon(specialfile ptr[in, filename], swap_flags flags[swap_flags]) (snapshot)
swapoff(specialfile ptr[in, filename]) (snapshot)

swap_flags = SWAP_FLAG_PRIO_MASK, SWAP_FLAG_PREFER, SWAP_FLAG_DISCARD, SWAP_FLAG_DISCARD_ONCE, SWAP_FLAG_DISCARD_PAGES

sethostname(name ptr[in, array[int8]], len bytesize[name]) (snapshot)
setdomainname(name ptr[in, array[int8]], len bytesize[name]) (snapshot)

gettimeofday(tv ptr[out, timeval], tz ptr[out, timezone])
settimeofday(tv ptr[out, timeval], tz ptr[out, timezone]) (snapshot)
adjtimex(txc_p ptr[in, __kernel_timex]) (snapshot)

timezone {
	tz_minuteswest	int32
	tz_dsttime	int32
}

__kernel_timex {
	modes		flags[adjtimex_modes, int32]
	pad0		const[0, int32]
	offset		int64
	freq		int64
	maxerror	int64
	esterror	int64
	status		int32
	pad1		const[0, int32]
	constant	int64
	precision	int64
	tolerance	int64
	int		timeval
	tick		int64
	ppsfreq		int64
	jitter		int64
	shift		int32
	pad2		const[0, int32]
	stabil		int64
	jitcnt		int64
	calcnt		int64
	errcnt		int64
	stbcnt		int64
	tai		int32
	pad3		array[const[0, int32], 11]
}

adjtimex_modes = ADJ_OFFSET, ADJ_FREQUENCY, ADJ_MAXERROR, ADJ_ESTERROR, ADJ_STATUS, ADJ_TIMECONST, ADJ_TAI, ADJ_SETOFFSET, ADJ_MICRO, ADJ_NANO, ADJ_TICK

membarrier(cmd flags[membarrier_cmd], flags const[0])

membarrier_cmd = MEMBARRIER_CMD_GLOBAL, MEMBARRIER_CMD_GLOBAL_EXPEDITED, MEMBARRIER_CMD_PRIVATE_EXPEDITED, MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED, MEMBARRIER_CMD_PRIVATE_EXPEDITED_SYNC_CORE, MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED_SYNC_CORE, MEMBARRIER_CMD_QUERY, MEMBARRIER_CMD_REGISTER_GLOBAL_EXPEDITED, MEMBARRIER_CMD_SHARED

rseq(rseq ptr[in, rseq], rseq_len bytesize[rseq], flags boolptr, sig const[0])

rseq {
	cpu_id_start	const[0, int32]
	cpu_id		const[0, int32]
	rseq_cs		ptr64[in, rseq_cs, opt]
	flags		flags[rseq_cs_flags, int32]
} [align[32]]

rseq_cs {
	version			const[0, int32]
	flags			flags[rseq_cs_flags, int32]
	start_ip		int64
	post_commit_offset	int64
	abort_ip		int64
} [align[32]]

rseq_cs_flags = RSEQ_CS_FLAG_NO_RESTART_ON_PREEMPT, RSEQ_CS_FLAG_NO_RESTART_ON_SIGNAL, RSEQ_CS_FLAG_NO_RESTART_ON_MIGRATE

# start/end are unused for now, no definition of SYS_RISCV_FLUSH_ICACHE_LOCAL in uapi headers.
riscv_flush_icache(start const[0], end const[0], flags bool32)

syz_open_procfs(pid pid, file ptr[in, string[procfs_proc_file]]) fd

# TODO: some of net files are only available in the init namespace (e.g. bluetooth bnep and hci).
# We could find some way to open these files in the init namespace
# esp. taking into account that we create bluetooth sockets in init namespace.
procfs_proc_file = "auxv", "cmdline", "environ", "autogroup", "cgroup", "clear_refs", "comm", "coredump_filter", "cpuset", "gid_map", "io", "limits", "loginuid", "maps", "mountinfo", "mounts", "mountstats", "numa_maps", "oom_adj", "oom_score", "oom_score_adj", "pagemap", "personality", "projid_map", "sched", "schedstat", "sessionid", "setgroups", "smaps", "smaps_rollup", "totmaps", "stack", "stat", "statm", "status", "syscall", "timers", "uid_map", "wchan", "map_files", "attr", "attr/current", "attr/exec", "attr/fscreate", "attr/keycreate", "attr/prev", "attr/sockcreate", "ns", "children", "task", "fd", "fd/3", "fd/4", "fdinfo", "fdinfo/3", "fdinfo/4", "net", "net/anycast6", "net/arp", "net/bnep", "net/connector", "net/dev", "net/dev_mcast", "net/dev_snmp6", "net/fib_trie", "net/fib_triestat", "net/hci", "net/icmp", "net/icmp6", "net/if_inet6", "net/igmp", "net/igmp6", "net/ip6_flowlabel", "net/ip6_mr_cache", "net/ip6_mr_vif", "net/ip6_tables_matches", "net/ip6_tables_names", "net/ip6_tables_targets", "net/ip_mr_cache", "net/ip_mr_vif", "net/ip_tables_matches", "net/ip_tables_names", "net/ip_tables_targets", "net/ipv6_route", "net/l2cap", "net/llc/core", "net/llc/socket", "net/mcfilter", "net/mcfilter6", "net/netfilter", "net/netlink", "net/netstat", "net/nfsfs", "net/packet", "net/protocols", "net/psched", "net/ptype", "net/raw", "net/raw6", "net/rfcomm", "net/route", "net/rpc", "net/rt6_stats", "net/rt_acct", "net/rt_cache", "net/sco", "net/sctp", "net/snmp", "net/snmp6", "net/sockstat", "net/sockstat6", "net/softnet_stat", "net/stat", "net/tcp", "net/tcp6", "net/udp", "net/udp6", "net/udplite", "net/udplite6", "net/unix", "net/wireless", "net/xfrm_stat", "net/ip_vs", "net/ip_vs_stats", "net/ip_vs_stats_percpu", "net/nf_conntrack", "net/nf_conntrack_expect", "net/vlan/config", "net/vlan/vlan0", "net/vlan/vlan1", "net/kcm", "net/psched", "timerslack_ns"

openat$procfs(fd const[AT_FDCWD], file ptr[in, string[procfs_file]], flags const[O_RDONLY], mode const[0]) fd

procfs_file = "/proc/keys", "/proc/key-users", "/proc/crypto", "/proc/consoles", "/proc/cgroups", "/proc/zoneinfo", "/proc/vmstat", "/proc/vmallocinfo", "/proc/tty/drivers", "/proc/tty/ldiscs", "/proc/timer_list", "/proc/sysvipc/sem", "/proc/sysvipc/msg", "/proc/sysvipc/shm", "/proc/stat", "/proc/slabinfo", "/proc/schedstat", "/proc/partitions", "/proc/meminfo", "/proc/mdstat", "/proc/locks", "/proc/diskstats", "/proc/cpuinfo", "/proc/consoles", "/proc/bus/input/devices", "/proc/bus/input/handlers", "/proc/asound/seq/clients", "/proc/asound/seq/clients", "/proc/asound/seq/timer", "/proc/asound/timers"

resource fd_yama_ptrace_scope[fd]

# 0 - YAMA_SCOPE_DISABLED
# 1 - YAMA_SCOPE_RELATIONAL
# 2 - YAMA_SCOPE_CAPABILITY
# 3 - YAMA_SCOPE_NO_ATTACH
yama_modes = "0", "1", "2", "3"

openat$yama_ptrace_scope(fd const[AT_FDCWD], file ptr[in, string["/proc/sys/kernel/yama/ptrace_scope"]], flags const[O_RDWR], mode const[0]) fd_yama_ptrace_scope
write$yama_ptrace_scope(fd fd_yama_ptrace_scope, data ptr[in, string[yama_modes]], count len[data])

# Write into some interesting sysct's and sysfs/procfs files.
resource fd_sysctl[fd]

openat$sysctl(fd const[AT_FDCWD], file ptr[in, string[sysctl_file]], flags const[O_WRONLY], mode const[0]) fd_sysctl
write$sysctl(fd fd_sysctl, val ptr[in, string[sysctl_value]], len len[val])

sysctl_file = "/sys/kernel/mm/ksm/run", "/proc/sys/vm/compact_memory", "/proc/sys/vm/drop_caches", "/proc/sys/net/ipv4/tcp_timestamps", "/proc/sys/net/ipv4/tcp_sack", "/proc/sys/net/ipv4/tcp_dsack", "/proc/sys/net/ipv4/tcp_window_scaling", "/proc/sys/net/ipv4/tcp_syncookies", "/proc/sys/net/ipv4/tcp_recovery", "/proc/sys/net/ipv4/tcp_mtu_probing", "/proc/sys/net/ipv4/tcp_rfc1337", "/proc/self/clear_refs"
# Most of these values are suitable for all sysctl_file files.
sysctl_value = "0", "1", "2", "3", "4", "5", "6", "7"

# Write to this file triggers khugepaged scan.
# We don't want to write small values as we only want the explicitly triggered scan.
resource fd_khugepaged_scan[fd]

openat$khugepaged_scan(fd const[AT_FDCWD], file ptr[in, string["/sys/kernel/mm/transparent_hugepage/khugepaged/scan_sleep_millisecs"]], flags const[O_WRONLY], mode const[0]) fd_khugepaged_scan
write$khugepaged_scan(fd fd_khugepaged_scan, val ptr[in, string["1000000"]], len len[val])

resource fd_tcp_congestion[fd]

openat$tcp_congestion(fd const[AT_FDCWD], file ptr[in, string["/proc/sys/net/ipv4/tcp_congestion_control"]], flags const[O_WRONLY], mode const[0]) fd_tcp_congestion
write$tcp_congestion(fd fd_tcp_congestion, val ptr[in, string[tcp_congestion]], len len[val])

tcp_congestion = "reno", "bbr", "bic", "cdg", "cubic", "dctcp", "westwood", "highspeed", "hybla", "htcp", "vegas", "nv", "veno", "scalable", "lp", "yeah", "illinois"

resource fd_tcp_mem[fd]

openat$tcp_mem(fd const[AT_FDCWD], file ptr[in, string[tcp_mem_files]], flags const[O_WRONLY], mode const[0]) fd_tcp_mem
write$tcp_mem(fd fd_tcp_mem, val ptr[in, tcp_mem_values], len len[val])

tcp_mem_files = "/proc/sys/net/ipv4/tcp_rmem", "/proc/sys/net/ipv4/tcp_wmem"

tcp_mem_values {
	v0	fmt[oct, int64]
	sp0	const[' ', int8]
	v1	fmt[oct, int64]
	sp1	const[' ', int8]
	v2	fmt[oct, int64]
	z	const[0, int8]
} [packed]

# /proc/self/reclaim is ChromeOS-specific:
# https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4c3ad28b9c913%5E%21/
resource fd_proc_reclaim[fd]

openat$proc_reclaim(fd const[AT_FDCWD], file ptr[in, string["/proc/self/reclaim"]], flags const[O_WRONLY], mode const[0]) fd_proc_reclaim
write$proc_reclaim(fd fd_proc_reclaim, val ptr[in, string[proc_reclaim_vals]], len len[val])

proc_reclaim_vals = "file", "anon", "all"

resource fd_pidfd[fd]

openat$pidfd(fd const[AT_FDCWD], file ptr[in, string["/proc/self"]], flags flags[open_flags], mode const[0]) fd_pidfd
openat$thread_pidfd(fd const[AT_FDCWD], file ptr[in, string["/proc/thread-self"]], flags flags[open_flags], mode const[0]) fd_pidfd
pidfd_send_signal(fd fd_pidfd, sig signalno, info ptr[in, siginfo], flags const[0])

# pidfd_open is dangerous, so we use syz_pidfd_open instead.
pidfd_open(pid pid, flags const[0]) fd_pidfd (disabled)
syz_pidfd_open(pid pid, flags const[0]) fd_pidfd
pidfd_getfd(pidfd fd_pidfd, fd fd, flags const[0]) fd

close_range(fd fd, max_fd fd, flags flags[close_range_flags])

# Uncomment on your own account.
#syz_open_dev$char(dev const[0xc], major intptr, minor intptr) fd
#syz_open_dev$block(dev const[0xb], major intptr, minor intptr) fd

# /dev/console known to cause problems on at least two different kernels.
# It can turn off all output or produce massive amounts of garbage on console.
# Disable it for now.
#syz_open_dev$console(dev ptr[in, string["/dev/console"]], id const[0], flags flags[open_flags]) fd

resource fd_autofs[fd]

# These devices are relatively safe (don't reboot and don't corrupt kernel memory).
# They need a more comprehensive support. But let at least open them for now,
# maybe fuzzer will be able to skrew them in a useful way.
# TODO: all these devices returning just fd need proper interface descriptions.
openat$vcs(fd const[AT_FDCWD], file ptr[in, string["/dev/vcs"]], flags flags[open_flags], mode const[0]) fd
syz_open_dev$vcsn(dev ptr[in, string["/dev/vcs#"]], id intptr, flags flags[open_flags]) fd
openat$vcsa(fd const[AT_FDCWD], file ptr[in, string["/dev/vcsa"]], flags flags[open_flags], mode const[0]) fd
syz_open_dev$vcsa(dev ptr[in, string["/dev/vcsa#"]], id intptr, flags flags[open_flags]) fd
openat$vcsu(fd const[AT_FDCWD], file ptr[in, string["/dev/vcsu"]], flags flags[open_flags], mode const[0]) fd
syz_open_dev$vcsu(dev ptr[in, string["/dev/vcsu#"]], id intptr, flags flags[open_flags]) fd
syz_open_dev$ircomm(dev ptr[in, string["/dev/ircomm#"]], id intptr, flags flags[open_flags]) fd
syz_open_dev$audion(dev ptr[in, string["/dev/audio#"]], id intptr, flags flags[open_flags]) fd

openat$null(fd const[AT_FDCWD], file ptr[in, string["/dev/null"]], flags flags[open_flags], mode const[0]) fd
openat$zero(fd const[AT_FDCWD], file ptr[in, string["/dev/zero"]], flags flags[open_flags], mode const[0]) fd
openat$full(fd const[AT_FDCWD], file ptr[in, string["/dev/full"]], flags flags[open_flags], mode const[0]) fd
openat$irnet(fd const[AT_FDCWD], file ptr[in, string["/dev/irnet"]], flags flags[open_flags], mode const[0]) fd
openat$hwrng(fd const[AT_FDCWD], file ptr[in, string["/dev/hwrng"]], flags flags[open_flags], mode const[0]) fd
openat$hpet(fd const[AT_FDCWD], file ptr[in, string["/dev/hpet"]], flags flags[open_flags], mode const[0]) fd
openat$autofs(fd const[AT_FDCWD], file ptr[in, string["/dev/autofs"]], flags flags[open_flags], mode const[0]) fd_autofs
openat$keychord(fd const[AT_FDCWD], file ptr[in, string["/dev/keychord"]], flags flags[open_flags], mode const[0]) fd
openat$zygote(fd const[AT_FDCWD], file ptr[in, string["/dev/socket/zygote"]], flags flags[open_flags], mode const[0]) fd
openat$pktcdvd(fd const[AT_FDCWD], file ptr[in, string["/dev/pktcdvd/control"]], flags flags[open_flags], mode const[0]) fd
openat$lightnvm(fd const[AT_FDCWD], file ptr[in, string["/dev/lightnvm/control"]], flags flags[open_flags], mode const[0]) fd
openat$xenevtchn(fd const[AT_FDCWD], file ptr[in, string["/dev/xen/evtchn"]], flags flags[open_flags], mode const[0]) fd
openat$dlm_control(fd const[AT_FDCWD], file ptr[in, string["/dev/dlm-control"]], flags flags[open_flags], mode const[0]) fd
openat$dlm_monitor(fd const[AT_FDCWD], file ptr[in, string["/dev/dlm-monitor"]], flags flags[open_flags], mode const[0]) fd
openat$dlm_plock(fd const[AT_FDCWD], file ptr[in, string["/dev/dlm_plock"]], flags flags[open_flags], mode const[0]) fd
openat$btrfs_control(fd const[AT_FDCWD], file ptr[in, string["/dev/btrfs-control"]], flags flags[open_flags], mode const[0]) fd
openat$ubi_ctrl(fd const[AT_FDCWD], file ptr[in, string["/dev/ubi_ctrl"]], flags flags[open_flags], mode const[0]) fd
openat$cachefiles(fd const[AT_FDCWD], file ptr[in, string["/dev/cachefiles"]], flags flags[open_flags], mode const[0]) fd
openat$ndctl0(fd const[AT_FDCWD], file ptr[in, string["/dev/ndctl0"]], flags flags[open_flags], mode const[0]) fd
openat$nmem0(fd const[AT_FDCWD], file ptr[in, string["/dev/nmem0"]], flags flags[open_flags], mode const[0]) fd
openat$nvram(fd const[AT_FDCWD], file ptr[in, string["/dev/nvram"]], flags flags[open_flags], mode const[0]) fd
openat$ocfs2_control(fd const[AT_FDCWD], file ptr[in, string["/dev/ocfs2_control"]], flags flags[open_flags], mode const[0]) fd
openat$nvme_fabrics(fd const[AT_FDCWD], file ptr[in, string["/dev/nvme-fabrics"]], flags flags[open_flags], mode const[0]) fd

pipefd {
	rfd	fd
	wfd	fd
}

type iovec[DIR, T] {
	addr	ptr[DIR, T]
	len	len[addr, intptr]
}
type iovec_in iovec[in, array[int8]]
type iovec_out iovec[out, array[int8]]
type iovec_inout iovec[inout, array[int8]]

stat {
	st_dev		intptr
	st_ino		intptr
	st_mode		int32
	st_nlink	int32
	st_uid		uid
	st_gid		gid
	st_rdev		intptr
	__pad1		const[0, intptr]
	st_size		intptr
	st_blksize	int32
	__pad2		const[0, int32]
	st_blocks	intptr
	st_atime	intptr
	st_atime_nsec	intptr
	st_mtime	intptr
	st_mtime_nsec	intptr
	st_ctime	intptr
	st_ctime_nsec	intptr
	__unused4	const[0, int32]
	__unused5	const[0, int32]
}

statx {
	mask		int32
	blksize		int32
	attributes	int64
	nlink		int32
	uid		uid
	gid		gid
	mode		int16
	__spare0	int16
	ino		int64
	size		int64
	blocks		int64
	__spare1	int64
	atime		statx_timestamp
	btime		statx_timestamp
	ctime		statx_timestamp
	mtime		statx_timestamp
	rdev_major	int32
	rdev_minor	int32
	dev_major	int32
	dev_minor	int32
	__spare2	array[int64, 14]
}

define STAT64_SIZE	sizeof(struct stat64)

type stat64 array[int8, STAT64_SIZE]

pollfd {
	fd	fd
	events	flags[pollfd_events, int16]
	revents	const[0, int16]
}

sigset_t {
	mask	array[intptr, _NSIG_WORDS]
}

sigset_size {
	ss	ptr[inout, sigset_t]
	len	len[ss, intptr]
}

resource time_sec[intptr]
resource time_nsec[intptr]
resource time_usec[intptr]

# prog knowns about this struct type
timespec {
	sec	time_sec
	nsec	time_nsec
}

# prog knowns about this struct type
timeval {
	sec	time_sec
	usec	time_usec
}

statx_timestamp {
	sec		int64
	nsec		int32
	__reserved	int32
}

itimerspec {
	interv	timespec
	value	timespec
}

itimerval {
	interv	timeval
	value	timeval
}

utimbuf {
	actime	intptr
	modtime	intptr
}

sigevent {
	val	const[0, intptr]
	signo	signalno
	notify	flags[sigev_notify, int32]
	u	sigevent_u
} [size[SIGEVENT_SIZE]]

sigevent_u [
	tid	pid
	thr	sigevent_thread
]

define SIGEVENT_SIZE	sizeof(struct sigevent)

sigevent_thread {
# NEED: this is function pointer and pthread_attr_t (?)
	func	buffer[in]
	attr	buffer[in]
}

cap_header {
	var	flags[cap_version, int32]
	pid	pid
}

cap_data {
	eff0	int32
	perm0	int32
	inher0	int32
	eff1	int32
	perm1	int32
	inher1	int32
}

epoll_event {
	ev	flags[epoll_ev, int32]
	data	const[0, int64]
# TODO: this packed only on amd64
} [packed]

# TODO: fd_set needs to be a separate type
fd_set {
	mask0	int64
	mask1	int64
	mask2	int64
	mask3	int64
	mask4	int64
	mask5	int64
	mask6	int64
	mask7	int64
}

sock_fprog {
	len	len[filter, int16]
	filter	ptr[in, array[sock_filter]]
}

sock_filter {
	code	int16
	jt	int8
	jf	int8
	k	int32
}

file_handle [
	raw				file_handle_raw
	shmem				file_handle_t[1, fid_shmem]
	fuse				file_handle_t[0x81, fid_fuse]
	fuse_with_parent		file_handle_t[0x82, fid_fuse_with_parent]
	nfs				file_handle_t[36, fid_nfs]
	FILEID_INO32_GEN		file_handle_t[FILEID_INO32_GEN, fid_FILEID_INO32_GEN]
	FILEID_INO32_GEN_PARENT		file_handle_t[FILEID_INO32_GEN_PARENT, fid_FILEID_INO32_GEN_PARENT]
	FILEID_UDF_WITHOUT_PARENT	file_handle_t[FILEID_UDF_WITHOUT_PARENT, fid_FILEID_UDF_WITHOUT_PARENT]
	FILEID_UDF_WITH_PARENT		file_handle_t[FILEID_UDF_WITH_PARENT, fid_FILEID_UDF_WITH_PARENT]
	FILEID_BTRFS_WITH_PARENT	file_handle_t[FILEID_BTRFS_WITH_PARENT, btrfs_fid]
	FILEID_BTRFS_WITH_PARENT_ROOT	file_handle_t[FILEID_BTRFS_WITH_PARENT, btrfs_fid]
	FILEID_BTRFS_WITHOUT_PARENT	file_handle_t[FILEID_BTRFS_WITH_PARENT, btrfs_fid]
	ceph_nfs_snapfh			file_handle_t[FILEID_BTRFS_WITH_PARENT, ceph_nfs_snapfh]
	ceph_nfs_fh			file_handle_t[FILEID_INO32_GEN, ceph_nfs_fh]
	ceph_nfs_confh			file_handle_t[FILEID_INO32_GEN_PARENT, ceph_nfs_confh]
	GFS2_SMALL_FH_SIZE		file_handle_t[GFS2_SMALL_FH_SIZE, fid_GFS2_SMALL_FH_SIZE]
	GFS2_LARGE_FH_SIZE		file_handle_t[GFS2_LARGE_FH_SIZE, fid_GFS2_LARGE_FH_SIZE]
	OVL_FILEID_V0			file_handle_t[OVL_FILEID_V0, ovl_fb]
	OVL_FILEID_V1			file_handle_t[OVL_FILEID_V1, ovl_fh]
	FILEID_NILFS_WITHOUT_PARENT	file_handle_t[FILEID_NILFS_WITHOUT_PARENT, nilfs_fid]
	FILEID_NILFS_WITH_PARENT	file_handle_t[FILEID_NILFS_WITH_PARENT, nilfs_fid]
	reiserfs_2			file_handle_t[2, fid_reiserfs_2]
	reiserfs_3			file_handle_t[3, fid_reiserfs_3]
	reiserfs_4			file_handle_t[4, fid_reiserfs_4]
	reiserfs_5			file_handle_t[5, fid_reiserfs_5]
	reiserfs_6			file_handle_t[6, fid_reiserfs_6]
	xfs				file_handle_t[0x81, xfs_fid64]
	xfs_parent			file_handle_t[0x82, xfs_fid64]
	orangefs			file_handle_t[1, fid_orangefs]
	orangefs_parent			file_handle_t[2, fid_orangefs_parent]
	isofs				file_handle_t[1, isofs_fid]
	isofs_parent			file_handle_t[2, isofs_fid]
	ocfs2				file_handle_t[1, fid_ocfs2]
	ocfs2_parent			file_handle_t[2, fid_ocfs2_parent]
] [varlen]

file_handle_raw {
	handle_bytes	bytesize[f_handle, int32]
	handle_type	flags[fid_type, int32]
	f_handle	align32[array[int8]]
}

type file_handle_t[TYPE, FID] {
	handle_bytes	bytesize[f_handle, int32]
	handle_type	const[TYPE, int32]
	f_handle	FID
}

fid_shmem {
	gen	int32
	ino	int64
} [packed]

fid_fuse {
	nodeid_hi	int32
	nodeid_lo	int32
	generation	int32
}

fid_fuse_with_parent {
	base		fid_fuse
	parent_fid	fid_fuse
} [packed]

fid_FILEID_INO32_GEN {
	ino	int32
	gen	int32
}

fid_FILEID_INO32_GEN_PARENT {
	base		fid_FILEID_INO32_GEN
	parent_ino	int32
	parent_gen	int32
}

fid_FILEID_UDF_WITHOUT_PARENT {
	block		int32
	partref		int16
	parent_partref	int16
	generation	int32
}

fid_FILEID_UDF_WITH_PARENT {
	base			fid_FILEID_UDF_WITHOUT_PARENT
	parent_block		int32
	parent_generation	int32
}

btrfs_fid {
	objectid		int64
	root_objectid		int64
	gen			int32
	parent_objectid		int64
	parent_gen		int32
	parent_root_objectid	int64
} [packed]

ceph_nfs_snapfh {
	ino		int64
	snapid		int64
	parent_ino	int64
	hash		int32
} [packed]

ceph_nfs_fh {
	ino	int64
}

ceph_nfs_confh {
	ino		int64
	parent_ino	int64
}

fid_GFS2_SMALL_FH_SIZE {
	no_formal_ino_hi	int32be
	no_formal_ino_lo	int32be
	no_addr_hi		int32be
	no_addr_lo		int32be
}

fid_GFS2_LARGE_FH_SIZE {
	base		fid_GFS2_SMALL_FH_SIZE
	parent_fid	fid_GFS2_SMALL_FH_SIZE
}

define GFS2_SMALL_FH_SIZE	4
define GFS2_LARGE_FH_SIZE	8

fid_nfs {
	fileid_hi	int32
	fileid_lo	int32
	type		int32
# The total size is encoded in file_handle.handle_type, so we make this const size.
	size		const[NFS_MAXFHSIZE, int16]
	data		array[int8, NFS_MAXFHSIZE]
} [align[4]]

fid_reiserfs_2 {
	objectid	int32
	dir_id		int32
}

fid_reiserfs_3 {
	objectid	int32
	dir_id		int32
	generation	int32
}

fid_reiserfs_4 {
	objectid	int32
	dir_id		int32
	parent_objectid	int32
	parent_dir_id	int32
}

fid_reiserfs_5 {
	objectid	int32
	dir_id		int32
	generation	int32
	parent_objectid	int32
	parent_dir_id	int32
}

fid_reiserfs_6 {
	objectid		int32
	dir_id			int32
	generation		int32
	parent_objectid		int32
	parent_dir_id		int32
	parent_generation	int32
}

xfs_fid64 {
	ino		int64
	gen		int32
	parent_ino	int64
	parent_gen	int32
} [align[4]]

fid_orangefs {
	khandle	array[int8, 16]
	fs_id	int32
}

fid_orangefs_parent {
	base		fid_orangefs
	parent_fid	fid_orangefs
}

nilfs_fid {
	cno		int64
	ino		int64
	gen		int32
	parent_gen	int32
	parent_ino	int64
} [packed]

isofs_fid {
	block			int32
	offset			int16
	parent_offset		int16
	generation		int32
	parent_block		int32
	parent_generation	int32
}

fid_ocfs2 {
	blkno_hi	int32
	blkno_lo	int32
	generation	int32
}

fid_ocfs2_parent {
	base		fid_ocfs2
	parent_fid	fid_ocfs2
}

fid_type = FILEID_ROOT, FILEID_INO32_GEN, FILEID_INO32_GEN_PARENT, FILEID_BTRFS_WITHOUT_PARENT, FILEID_BTRFS_WITH_PARENT, FILEID_BTRFS_WITH_PARENT_ROOT, FILEID_UDF_WITHOUT_PARENT, FILEID_UDF_WITH_PARENT, FILEID_NILFS_WITHOUT_PARENT, FILEID_NILFS_WITH_PARENT, FILEID_FAT_WITHOUT_PARENT, FILEID_FAT_WITH_PARENT, FILEID_LUSTRE, FILEID_KERNFS

mq_attr {
	mq_flags	intptr
	mq_maxmsg	intptr
	mq_msgsize	intptr
	mq_curmsgs	intptr
	__reserved	array[const[0, intptr], 4]
}

kexec_segment {
	buf	buffer[in]
	sz	len[buf, intptr]
# TODO: this is address in kernel
	mem	intptr
	memsz	intptr
}

rusage {
	utime	timeval
	stime	timeval
	maxrss	intptr
	ixrss	intptr
	idrss	intptr
	isrss	intptr
	minflt	intptr
	majflt	intptr
	nswap	intptr
	inblock	intptr
	oublock	intptr
	msgsnd	intptr
	msgrcv	intptr
	signals	intptr
	nvcsw	intptr
	nivcsw	intptr
}

rlimit {
	soft	intptr
	hard	intptr
}

sigaction {
	sa_handler	ptr[in, text[target]]
	sa_flags	flags[sigaction_flags, intptr]
	sa_restorer	ptr[in, text[target]]
	sa_mask		sigset_t
}

sigaltstack {
	ss_sp		ptr[out, array[int8]]
	ss_flags	flags[sigaltstack_flags, int32]
	ss_size		bytesize[ss_sp, intptr]
}

sigaltstack_flags = SS_ONSTACK, SS_DISABLE, SS_AUTODISARM

tms {
	utime	intptr
	stime	intptr
	cutime	intptr
	cstime	intptr
}

siginfo {
	signo	signalno
	errno	int32
	code	int32
} [size[SIGINFO_SIZE]]

define SIGINFO_SIZE	sizeof(struct siginfo)

timex {
	stuff0	intptr
	stuff1	intptr
	stuff2	intptr
	stuff3	intptr
	stuff4	intptr
	stuff5	intptr
	stuff6	intptr
	stuff7	intptr
	stuff8	intptr
	stuff9	intptr
	stuff10	intptr
	stuff11	intptr
	stuff12	intptr
	stuff13	intptr
	stuff14	intptr
	stuff15	intptr
	stuff16	intptr
	stuff17	intptr
	stuff18	intptr
	stuff19	intptr
	stuff20	intptr
	stuff21	intptr
	stuff22	intptr
	stuff23	intptr
	stuff24	intptr
	stuff25	intptr
}

ustat {
	f_tfree		int32
	f_tinode	intptr
	f_fname		array[int8, 6]
	f_fpack		array[int8, 6]
}

user_desc {
	entry_number	int32
# Base should be vma and limit should be len[base]
# But these fields are int32, so we can't use vma.
	base_addr	flags[user_desc_bases, int32]
	limit		flags[user_desc_limits, int32]
	seg_32bit	int32:1
	contents	int32:2
	read_exec_only	int32:1
	limit_in_pages	int32:1
	seg_not_present	int32:1
	useable		int32:1
	lm		int32:1
}

user_desc_bases = 0, 4096, 1048576, 536870912, 536872960, 536875008, -1
user_desc_limits = 0, 1024, 4096, 8192, 16384, -1

sched_attr {
	size		bytesize[parent, int32]
	sched_policy	flags[sched_policy, int32]
	sched_flags	flags[sched_attr_flags, int64]
	sched_nice	int32
	sched_priority	int32
	sched_runtime	int64
	sched_deadline	int64
	sched_period	int64
	sched_util_min	int32
	sched_util_max	int32
}

sched_policy = SCHED_NORMAL, SCHED_FIFO, SCHED_RR, SCHED_BATCH, SCHED_IDLE, SCHED_DEADLINE
sched_attr_flags = SCHED_FLAG_RESET_ON_FORK, SCHED_FLAG_RECLAIM, SCHED_FLAG_DL_OVERRUN, SCHED_FLAG_KEEP_POLICY, SCHED_FLAG_KEEP_PARAMS, SCHED_FLAG_UTIL_CLAMP_MIN, SCHED_FLAG_UTIL_CLAMP_MAX, SCHED_FLAG_SUGOV

flock {
	type	flags[flock_type, int16]
	whence	flags[seek_whence, int16]
	start	intptr
	len	intptr
	pid	pid
}

f_owner_ex {
	type	flags[f_owner_type, int32]
	pid	pid
}

ucred {
	pid	pid
	uid	uid
	gid	gid
}

kcmp_epoll_slot {
	efd	fd_epoll
	tfd	fd
	toff	int32
}

open_how {
	flags	flags[open_flags, int64]
	mode	flags[open_mode, int64]
	resolve	flags[resolve_flags, int64]
}

# Not providing O_WRONLY means O_RDONLY.
open_flags = O_WRONLY, O_RDWR, O_APPEND, FASYNC, O_CLOEXEC, O_CREAT, O_DIRECT, O_DIRECTORY, O_EXCL, O_LARGEFILE, O_NOATIME, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK, O_PATH, O_SYNC, O_TRUNC, __O_TMPFILE
open_mode = S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
resolve_flags = RESOLVE_CACHED, RESOLVE_BENEATH, RESOLVE_IN_ROOT, RESOLVE_NO_MAGICLINKS, RESOLVE_NO_SYMLINKS, RESOLVE_NO_XDEV
madvise_flags = MADV_NORMAL, MADV_RANDOM, MADV_SEQUENTIAL, MADV_WILLNEED, MADV_DONTNEED, MADV_REMOVE, MADV_DONTFORK, MADV_DOFORK, MADV_HWPOISON, MADV_SOFT_OFFLINE, MADV_MERGEABLE, MADV_UNMERGEABLE, MADV_HUGEPAGE, MADV_NOHUGEPAGE, MADV_DONTDUMP, MADV_DODUMP, MADV_WIPEONFORK, MADV_KEEPONFORK, MADV_COLD, MADV_PAGEOUT, MADV_POPULATE_READ, MADV_POPULATE_WRITE, MADV_COLLAPSE
fadvise_flags = POSIX_FADV_NORMAL, POSIX_FADV_SEQUENTIAL, POSIX_FADV_RANDOM, POSIX_FADV_NOREUSE, POSIX_FADV_WILLNEED, POSIX_FADV_DONTNEED
move_pages_flags = MPOL_MF_MOVE, MPOL_MF_MOVE_ALL
msync_flags = MS_ASYNC, MS_SYNC, MS_INVALIDATE
mmap_prot = PROT_EXEC, PROT_READ, PROT_WRITE, PROT_SEM, PROT_GROWSDOWN, PROT_GROWSUP
mmap_flags = MAP_SHARED, MAP_PRIVATE, MAP_32BIT, MAP_ANONYMOUS, MAP_DENYWRITE, MAP_EXECUTABLE, MAP_FILE, MAP_FIXED, MAP_GROWSDOWN, MAP_HUGETLB, MAP_LOCKED, MAP_NONBLOCK, MAP_NORESERVE, MAP_POPULATE, MAP_STACK, MAP_UNINITIALIZED, MAP_SHARED_VALIDATE, MAP_SYNC, MAP_FIXED_NOREPLACE
mremap_flags = MREMAP_MAYMOVE, MREMAP_FIXED, MREMAP_DONTUNMAP
mbind_mode = MPOL_DEFAULT, MPOL_BIND, MPOL_INTERLEAVE, MPOL_PREFERRED, MPOL_F_STATIC_NODES, MPOL_F_RELATIVE_NODES
mbind_flags = MPOL_MF_STRICT, MPOL_MF_MOVE, MPOL_MF_MOVE_ALL
pipe_flags = O_NONBLOCK, O_CLOEXEC, O_DIRECT, O_NOTIFICATION_PIPE
mlock_flags = MLOCK_ONFAULT
mlockall_flags = MCL_CURRENT, MCL_FUTURE, MCL_ONFAULT
dup_flags = O_CLOEXEC
splice_flags = SPLICE_F_MOVE, SPLICE_F_NONBLOCK, SPLICE_F_MORE, SPLICE_F_GIFT
seek_whence = SEEK_SET, SEEK_CUR, SEEK_END, SEEK_DATA, SEEK_HOLE
signalfd_flags = SFD_NONBLOCK, SFD_CLOEXEC
eventfd_flags = EFD_CLOEXEC, EFD_NONBLOCK, EFD_SEMAPHORE
timerfd_create_flags = TFD_NONBLOCK, TFD_CLOEXEC
timerfd_settime_flags = TFD_TIMER_ABSTIME, TFD_TIMER_CANCEL_ON_SET
clock_type = CLOCK_REALTIME, CLOCK_REALTIME_COARSE, CLOCK_MONOTONIC, CLOCK_MONOTONIC_COARSE, CLOCK_MONOTONIC_RAW, CLOCK_BOOTTIME, CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID, CLOCK_REALTIME_ALARM, CLOCK_BOOTTIME_ALARM
sigev_notify = SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD, SIGEV_THREAD_ID
cap_version = _LINUX_CAPABILITY_VERSION_1, _LINUX_CAPABILITY_VERSION_2, _LINUX_CAPABILITY_VERSION_3
epoll_flags = EPOLL_CLOEXEC
epoll_ev = POLLIN, POLLOUT, POLLRDHUP, POLLPRI, POLLERR, POLLHUP, EPOLLET, EPOLLONESHOT, EPOLLEXCLUSIVE, EPOLLWAKEUP
pollfd_events = POLLIN, POLLPRI, POLLOUT, POLLERR, POLLHUP, POLLNVAL, POLLRDNORM, POLLRDBAND, POLLWRNORM, POLLWRBAND, POLLMSG, POLLREMOVE, POLLRDHUP, POLLFREE, POLL_BUSY_LOOP
mknod_mode = S_IFREG, S_IFCHR, S_IFBLK, S_IFIFO, S_IFSOCK, S_ISUID, S_ISGID, S_ISVTX, open_mode
at_flags = AT_EMPTY_PATH, AT_SYMLINK_NOFOLLOW, AT_SYMLINK_FOLLOW, AT_NO_AUTOMOUNT, AT_EMPTY_PATH
fallocate_mode = FALLOC_FL_KEEP_SIZE, FALLOC_FL_PUNCH_HOLE, FALLOC_FL_COLLAPSE_RANGE, FALLOC_FL_ZERO_RANGE, FALLOC_FL_INSERT_RANGE, FALLOC_FL_UNSHARE_RANGE, FALLOC_FL_NO_HIDE_STALE
linkat_flags = AT_EMPTY_PATH, AT_SYMLINK_FOLLOW
unlinkat_flags = AT_REMOVEDIR
renameat2_flags = RENAME_EXCHANGE, RENAME_NOREPLACE, RENAME_WHITEOUT
flock_op = LOCK_SH, LOCK_EX, LOCK_UN, LOCK_NB
statx_flags = AT_SYMLINK_NOFOLLOW, AT_SYMLINK_FOLLOW, AT_NO_AUTOMOUNT, AT_EMPTY_PATH, AT_STATX_SYNC_TYPE, AT_STATX_SYNC_AS_STAT, AT_STATX_FORCE_SYNC, AT_STATX_DONT_SYNC
statx_mask = STATX_TYPE, STATX_MODE, STATX_NLINK, STATX_UID, STATX_GID, STATX_ATIME, STATX_MTIME, STATX_CTIME, STATX_INO, STATX_SIZE, STATX_BLOCKS, STATX_BASIC_STATS, STATX_BTIME
name_to_handle_at_flags = AT_EMPTY_PATH, AT_SYMLINK_FOLLOW, AT_HANDLE_FID
mq_open_flags = O_WRONLY, O_RDWR, O_NONBLOCK, O_CREAT, O_EXCL, O_CREAT
finit_module_flags = MODULE_INIT_IGNORE_MODVERSIONS, MODULE_INIT_IGNORE_VERMAGIC
delete_module_flags = O_NONBLOCK, O_TRUNC
kexec_load_flags = KEXEC_ON_CRASH, KEXEC_PRESERVE_CONTEXT, KEXEC_ARCH_386, KEXEC_ARCH_X86_64, KEXEC_ARCH_PPC, KEXEC_ARCH_PPC64, KEXEC_ARCH_IA_64, KEXEC_ARCH_ARM, KEXEC_ARCH_S390, KEXEC_ARCH_SH, KEXEC_ARCH_MIPS, KEXEC_ARCH_MIPS_LE, KEXEC_ARCH_DEFAULT
faccessat_flags = AT_EACCESS, AT_SYMLINK_NOFOLLOW, AT_EMPTY_PATH
sync_file_flags = SYNC_FILE_RANGE_WAIT_BEFORE, SYNC_FILE_RANGE_WRITE, SYNC_FILE_RANGE_WAIT_AFTER
kcmp_flags = KCMP_FILE, KCMP_FILES, KCMP_FS, KCMP_IO, KCMP_SIGHAND, KCMP_SYSVSEM, KCMP_VM
rusage_who = RUSAGE_SELF, RUSAGE_CHILDREN, RUSAGE_THREAD
rlimit_type = RLIMIT_AS, RLIMIT_CORE, RLIMIT_CPU, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_LOCKS, RLIMIT_MEMLOCK, RLIMIT_MSGQUEUE, RLIMIT_NICE, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, RLIMIT_RTPRIO, RLIMIT_RTTIME, RLIMIT_SIGPENDING, RLIMIT_STACK
# The ones that disable console output are intentionally omitted.
syslog_cmd = SYSLOG_ACTION_CLOSE, SYSLOG_ACTION_OPEN, SYSLOG_ACTION_READ, SYSLOG_ACTION_READ_ALL, SYSLOG_ACTION_READ_CLEAR, SYSLOG_ACTION_SIZE_UNREAD, SYSLOG_ACTION_SIZE_BUFFER
ioprio_which_pid = IOPRIO_WHO_PROCESS, IOPRIO_WHO_PGRP
ioprio_which_uid = IOPRIO_WHO_USER
personality_flags = PER_LINUX, PER_SVR4, PER_SVR3, PER_OSR5, PER_WYSEV386, PER_ISCR4, PER_BSD, PER_XENIX, PER_LINUX32, PER_IRIX32, PER_IRIXN32, PER_IRIX64, PER_RISCOS, PER_SOLARIS, PER_UW7, PER_OSF4, PER_HPUX, ADDR_NO_RANDOMIZE, MMAP_PAGE_ZERO, ADDR_COMPAT_LAYOUT, READ_IMPLIES_EXEC, ADDR_LIMIT_32BIT, SHORT_INODE, WHOLE_SECONDS, STICKY_TIMEOUTS, ADDR_LIMIT_3GB
clock_id = CLOCK_REALTIME, CLOCK_REALTIME_COARSE, CLOCK_MONOTONIC, CLOCK_MONOTONIC_COARSE, CLOCK_MONOTONIC_RAW, CLOCK_BOOTTIME, CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID
sigprocmask_how = SIG_BLOCK, SIG_UNBLOCK, SIG_SETMASK
getitimer_which = ITIMER_REAL, ITIMER_VIRTUAL, ITIMER_PROF
wait_options = WNOHANG, WUNTRACED, WCONTINUED, WEXITED, WSTOPPED, WCONTINUED, WNOHANG, WNOWAIT, __WCLONE, __WALL, __WNOTHREAD
waitid_which = P_PID, P_PGID, P_ALL
sigaction_flags = SA_NOCLDSTOP, SA_NOCLDWAIT, SA_NODEFER, SA_ONSTACK, SA_RESETHAND, SA_RESTART, SA_SIGINFO
timer_flags = TIMER_ABSTIME
utimensat_flags = AT_SYMLINK_NOFOLLOW
priority_which = PRIO_PROCESS, PRIO_PGRP, PRIO_USER
mempolicy_flags = MPOL_F_MEMS_ALLOWED, MPOL_F_ADDR, MPOL_F_NODE
ptrace_req = PTRACE_LISTEN, PTRACE_KILL, PTRACE_INTERRUPT, PTRACE_ATTACH, PTRACE_DETACH
ptrace_req_peek = PTRACE_PEEKTEXT, PTRACE_PEEKDATA
ptrace_req_poke = PTRACE_POKETEXT, PTRACE_POKEDATA
ptrace_req_getregs = PTRACE_GETREGS, PTRACE_GETFPREGS
ptrace_req_setregs = PTRACE_SETREGS, PTRACE_SETFPREGS
ptrace_req_setopts = PTRACE_SETOPTIONS, PTRACE_SEIZE
ptrace_req_cont = PTRACE_CONT, PTRACE_SYSCALL, PTRACE_SINGLESTEP, PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP
pthread_regset = NT_PRSTATUS, NT_PRFPREG, NT_PRPSINFO, NT_TASKSTRUCT, NT_AUXV, NT_386_TLS, NT_386_IOPERM, NT_X86_XSTATE
ptrace_options = PTRACE_O_EXITKILL, PTRACE_O_TRACECLONE, PTRACE_O_TRACEEXEC, PTRACE_O_TRACEEXIT, PTRACE_O_TRACEFORK, PTRACE_O_TRACESYSGOOD, PTRACE_O_TRACEVFORK, PTRACE_O_TRACEVFORKDONE
fcntl_dupfd = F_DUPFD, F_DUPFD_CLOEXEC
fcntl_getflags = F_GETFD, F_GETFL, F_GETSIG, F_GETLEASE, F_GETPIPE_SZ, F_GET_SEALS
fcntl_lock = F_SETLK, F_SETLKW, F_GETLK, F_OFD_GETLK, F_OFD_SETLK, F_OFD_SETLKW
fcntl_flags = FD_CLOEXEC
fcntl_status = O_APPEND, FASYNC, O_DIRECT, O_NOATIME, O_NONBLOCK
flock_type = F_RDLCK, F_WRLCK, F_UNLCK
f_owner_type = F_OWNER_TID, F_OWNER_PID, F_OWNER_PGRP
fcntl_notify = DN_MULTISHOT, DN_ACCESS, DN_MODIFY, DN_CREATE, DN_DELETE, DN_RENAME, DN_ATTRIB
seal_types = F_SEAL_SEAL, F_SEAL_SHRINK, F_SEAL_GROW, F_SEAL_WRITE
ioctl_int_in = FIONBIO, FIOASYNC
ioctl_int_out = FIOQSIZE, FIGETBSZ
fcntl_rw_hint = RWF_WRITE_LIFE_NOT_SET, RWH_WRITE_LIFE_NONE, RWH_WRITE_LIFE_SHORT, RWH_WRITE_LIFE_MEDIUM, RWH_WRITE_LIFE_LONG, RWH_WRITE_LIFE_EXTREME
fiemap_flags = FIEMAP_FLAG_SYNC, FIEMAP_FLAG_XATTR, FIEMAP_FLAG_CACHE
fiemap_extent_flags = FIEMAP_EXTENT_LAST, FIEMAP_EXTENT_UNKNOWN, FIEMAP_EXTENT_DELALLOC, FIEMAP_EXTENT_ENCODED, FIEMAP_EXTENT_DATA_ENCRYPTED, FIEMAP_EXTENT_NOT_ALIGNED, FIEMAP_EXTENT_DATA_INLINE, FIEMAP_EXTENT_DATA_TAIL, FIEMAP_EXTENT_UNWRITTEN, FIEMAP_EXTENT_MERGED, FIEMAP_EXTENT_SHARED
getrandom_flags = GRND_NONBLOCK, GRND_RANDOM
clone_flags = CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_PTRACE, CLONE_VFORK, CLONE_PARENT, CLONE_THREAD, CLONE_NEWNS, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID, CLONE_UNTRACED, CLONE_CHILD_SETTID, CLONE_NEWCGROUP, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET, CLONE_IO, CLONE_PIDFD, CLONE_NEWTIME
clone3_flags = CLONE_CLEAR_SIGHAND, CLONE_INTO_CGROUP, clone_flags
ptrace_peeksiginfo_flags = PTRACE_PEEKSIGINFO_SHARED
close_range_flags = CLOSE_RANGE_UNSHARE

# Consts for target.SpecialFileLenghts.
_ = SMB_PATH_MAX, XT_CGROUP_PATH_MAX, XENSTORE_REL_PATH_MAX

# misc
_ = KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, KCOV_TRACE_PC, KCOV_TRACE_CMP, PTRACE_TRACEME, SYSLOG_ACTION_CONSOLE_ON, SYSLOG_ACTION_CONSOLE_OFF, SYSLOG_ACTION_CONSOLE_LEVEL, SYSLOG_ACTION_CLEAR, __NR_mmap2

# Hardcode KCOV_REMOTE_ENABLE value for amd64 until new kcov patches reach mainline.
define KCOV_REMOTE_ENABLE	1075340134

# Not yet implemented syscalls:
# umask
# vhangup
# _sysctl
# nfsservctl
# getcpu

# Probably no sense in calling these.
# Also affect system-wide state, so not reproducible anyway.
# sched_get_priority_max
# sched_get_priority_min
]

gemini-3-pro-preview

							input: 293826
							output: 1040
							thoughts: 7357
						

**Debugging a BPF Program Load with Syzkaller**

Okay, so `syz_execute_func` is off the table, and I need a way to load a BPF program that returns `XDP_TX` (3). My initial thought was to leverage `bpf$PROG_LOAD` with `&AUTO`, hoping for a lucky random program. But that won't guarantee the `XDP_TX` return. The question then becomes, can I leverage `bpf$PROG_LOAD_XDP`? Let's troubleshoot the error message: *“wrong int arg \*prog.UnionType”* at the 27th field.

The first instinct is to zero out the field, so `@xdp=0x0` seems reasonable for field 27, in case it is a union. However, what if the 27th field is actually at the END of the struct? Is `expected_attach_type` at the end? No. Checking the kernel source, `expected_attach_type` isn’t at the end of the `bpf_attr` union. What if the 27th field is the `prog_token_fd`? No, that’s a resource. Is `pad` a union? No.

Rethinking, could the 25th, 26th and 27th fields be `core_relo_rec_size`, `log_true_size`, and `prog_token_fd`, respectively? If `flags` is not zero, `prog_token_fd` is included. I can set `prog_token_fd` to `0x0`. Wait, syzkaller allows `0x0` for resources. What if `flags` is zero, so `pad` is included? `pad` is just a constant `0x0`. Why is the error `wrong int arg *prog.UnionType`?

Now, the error might not be at the 27th field. Let’s count the fields in the error string again. Field 27 is definitely `0x0`, as indicated by the error string. Let's re-verify the structure using kernel sources. It’s definitely: `core_relo_rec_size` as the 25th field; `core_relo_cnt` as the 22nd; `fd_array` the 23rd; and `core_relos` the 24th field.

I considered `attach_prog_fd` as a possible union field. But it's just an optional resource.

Back to square one: can I use `bpf$PROG_LOAD` and `&AUTO`? It is likely that the generated random program will NOT return `XDP_TX`. To make the program return `XDP_TX`, I need `bpf$PROG_LOAD` with a proper struct. Can I use a string, like `&(0x7f00000001c0)="..."`? Syzkaller complains. It expects `ptr[in, bpf_prog]`. Syzkaller does not have a `bpf()` call, and `syz_execute_func` is disabled.

Let’s try fixing the struct again. Examining the `bpf_prog_t` structure, I realize the 27th field could be related to `attach_prog_fd` or `expected_attach_type`, which is the 12th field. Re-examining the provided struct, and I did provide `@xdp=0x0`. And `expected_attach_type` should be `0x27`. Why is the error still there? Let's check the fields. It seems `0x0` is still the 27th field.

However, maybe `bpf_prog_t` has the union `prog_token_fd`? It's a resource, which is not a union. `pad` is a constant. Let's try `bpf$PROG_LOAD_XDP`. But it’s the same error. I have checked for `bpf_prog_xdp`, and it does expect `0x27` for `expected_attach_type`. So why the error? The 27th field is still `0x0`.

I can try using the `&AUTO` flag for the struct, but then I'd have to specify all other fields, it won't work. The error message does reference field 27 as a `UnionType`. So this means the problem is actually at the last field. The last field is supposed to be `pad`, which is not a union. However, `prog_token_fd` is a union

wrong int arg *prog.UnionType
line #9:307: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, 0x0<<<!!ERROR!!>>>}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 303548
							output: 1031
							thoughts: 1458
						

**Decoding the BPF Program Structure**

Okay, so I've hit an error, a nasty one, right at the 28th field. The dreaded `0x0<<<!!ERROR!!>>>` in the `bpf_prog_t` struct! This strongly suggests a union. Let's start the analysis and see what is where.

First, I checked the structure of `bpf_prog_t` again. I noticed a `prog_token_fd` field, potentially at the 27th position, followed by a `pad` field, depending on the `flags` value. My initial thought was that `pad` might be the union, but it's defined as a constant, so that's out. Then I realized: if `flags` is zero, `prog_token_fd` isn't included and `pad` is. Maybe they're *both* included? No, that's not possible. But if `prog_token_fd` is included and `@void` is provided, that could be a union!

However, `prog_token_fd` is a resource (`fd_bpf_token`), which means it can't be `@void`. Something must be wrong here. Then it hit me: the key lies in syzkaller's behavior. If syzkaller is accepting `@void` for a resource, then the prior field, *must* be the union!

So, which field could it be? Let's go back through `bpf_prog_t`. No unions at the start, or in fields like `core_relos` or `attach_prog_fd`. But wait! `expected_attach_type` *could* be a union!  I *did* provide `@xdp=0x0` for this. Hmm.

But that still leaves me with the 27th field, and syzkaller's `@void` value. Time to re-examine the structure. After checking `bpf_prog_t` again, I noticed that `attach_prog_fd`, which is `PROG_FD`, which itself is `fd_bpf_prog[opt]`! And that `[opt]` is the key!

The `optional[T]` definition in `bpf.txt` shows that `fd_bpf_prog[opt]` *is* indeed a union!  Yes!

The `opt` attribute means a union! And I see this pattern in several fields: `btf_fd fd_btf[opt]`, and `prog_ifindex ifindex[opt]`. Both are using `optional[T]`!

Okay, so the unions are: `prog_ifindex`, `btf_fd`, and `attach_prog_fd` (which is `fd_bpf_prog[opt]`). The `ptr64[..., opt]` fields (like `log`) are *not* unions; the `opt` there is a built-in attribute.

So, let's list them all out, with the correct identification of unions now. I now list the fields:

1.  `type`: `0x6`
2.  `ninsn`: `0x2`
3.  `insns`: `&(0x7f0000000200)=@raw=[...]`
4.  `license`: `&(0x7f0000000240)='GPL\x00'`
5.  `loglev`: `0x0`
6.  `logsize`: `0x0`
7.  `log`: `0x0` (ptr64 opt is NOT a union)
8.  `kern_version`: `0x0`
9.  `flags`: `0x0`
10. `prog_name`: `""`
11. `prog_ifindex`: `@void` (union)
12. `expected_attach_type`: `@xdp=0x0` (union)
13. `btf_fd`: `@void` (union)
14. `func_info_rec_size`: `0x8`
15. `func_info`: `0x0`
16. `func_info_cnt`: `0x0`
17. `line_info_rec_size`: `0x10`
18. `line_info`: `0x0`
19. `line_info_cnt`: `0x0`
20. `attach_btf_id`: `0x0`
21. `attach_prog_fd`: `@void` (union)

wrong union arg for "ifindex"
line #9:210: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", <<<!!ERROR!!>>>@void, @xdp=0x0, @void, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, @void, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", @void, @xdp=0x0, @void, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, @void, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 307352
							output: 1033
							thoughts: 4174
						

**Debugging a BPF Program Load in Syzkaller: A Deep Dive**

Okay, so I'm hitting this `wrong union arg for "ifindex"` error, but `ifindex` is a resource, not a union, so that's a red herring.  The error *must* be about a union, and I need to figure out *which* field is actually a union. `prog_ifindex` is an `int`, `btf_fd` is an `int`, `attach_prog_fd` is also an `int`... the problem *isn't* with those! The union *must* be further down. I carefully count the fields in my structure definition; I see 27 fields in the `bpf_prog_t` struct, with the error highlighting the 27th element.  

I know that `expected_attach_type` (field 12) *is* a union when using the plain `bpf$PROG_LOAD`, but I'm calling `bpf$PROG_LOAD_XDP`, which expects `expected_attach_type` to be a specific constant, so that's not it. Okay, maybe the XDP variant of the program struct changes the union! What about `fd_array`, `core_relos`, `log`, `func_info` or `line_info`? Nope. That's not it, and checking the definitions of `bpf_prog_t` shows no other unions!

The error message still says "wrong int arg", and it is at the 27th field, meaning I'm passing a wrong type, or maybe something is just missing! I remember trying to use `BPF_PROG_LOAD_XDP` with 0x27 for `expected_attach_type`, which should be fine but still gave an error. The XDP version is expecting the value as const. I re-examine the definition, and it appears the struct definition in the arguments to `bpf_prog_xdp`, which has `const[0, int32]` as the value to be used.

I think again about the 27th field. Could `prog_token_fd` be the union? No, it's a resource type. Maybe `pad`? But it is defined as `const[0, int32]`. The `pad` field *is* a const! But I am still getting the error. Maybe my system has a *different* definition of `bpf_prog_t`? Maybe `core_relos` or `fd_array` is defined as a union in my environment?

If I am really stuck, I could just try to make syzkaller generate the whole program itself with `&AUTO`, but I have to provide all the fields which I can't and don't want to. So I look at ways to manually create the structure and pass the pointer. I think about using `write` to a pipe and then `read` to load the structure, but how would the program know it's a structure and not a string? I realize `bpf$PROG_LOAD` wants a struct, not a raw byte string! The syntax `&(0x7f00000001c0)=ANY=[...]` won't work either. Then I decide to try the same thing again: omit the 27th field, hoping syzkaller can figure out.

missing struct bpf_prog_t[const[BPF_PROG_TYPE_XDP, int32], const[BPF_XDP, int32], const[0, int32], const[0, int32]] fields 26/28
line #9:296: r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0}<<<!!ERROR!!>>>, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 313648
							output: 1040
							thoughts: 3198
						

**Debugging a BPF Program Load Issue**

Okay, here's the situation as I see it. I'm hitting a snag with `bpf$PROG_LOAD`.  The error message is `missing fields 26/28`. This is leading me down a rabbit hole of struct field expectations, and I need to figure out *why* syzkaller thinks there are 28 fields when, logically, there should only be 27, or perhaps even a conditional arrangement.

My initial thought was straightforward: it *expects* 28 fields. So, I tried providing 26, 27, and finally, 28, but each attempt resulted in an error related to a missing or incorrect argument. Specifically, when supplying 28 fields, it complains about `wrong int arg *prog.UnionType` at the 28th field, which is perplexing.  I carefully checked the structure layout for `bpf_prog_t`, and here's what I've found:

1.  I went field by field, thinking it might be a simple missing or misaligned element.

Then, I noticed something key: the 27th and 28th fields, `prog_token_fd` and `pad` respectively, are conditional.  `prog_token_fd` is present *only* if a certain flag is set, otherwise `pad` is included. My immediate assumption was that syzkaller's parser was blindly expecting all fields, regardless of the conditional nature. Hence, I'm getting the "missing field" error.  I tested to see if providing zeros for `prog_token_fd` and `pad` at the same time will work but that did not.

Next, I looked at this problem from another angle. I am thinking that since syzkaller doesn't seem to recognize conditional elements inside the structs in the expected way, I need to provide `@void` for any fields declared as unions.

I identified the union fields in the struct. I tested providing `@void` to the optional union fields, but that generated an error.

The error message `wrong int arg *prog.UnionType` at the 28th field is what keeps coming back.  Even when I use `@void` for fields declared as unions, I still get the same error. That's a huge clue.  It implies something about the way the struct literal is being parsed, and that the union is being interpreted as an integer.

I had the thought to use `&AUTO`. But `&AUTO` requires ALL fields, so that is not helpful.

I looked at the bpf_prog_t again to confirm the expected field structure.

My current theory is: even with the conditional fields, I may need to provide a value for `pad` to have the struct complete, even if `prog_token_fd` is `0x0`.

I am also considering if syzkaller is able to parse a partially initialized structure using designated initializers, but since syzkaller does not support the use of designated initializers, I need to provide values for all fields.

I will attempt providing `@void` as the 28th field to test this new line of thought. Let's see if this resolves the error.

wrong int arg *prog.UnionType
line #9:300: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0<<<!!ERROR!!>>>, @void}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, @void}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 318880
							output: 1044
							thoughts: 2938
						

**Analyzing the BPF Program Loading Structure**

Okay, here's the situation: I'm staring at an error message that keeps pointing to the 27th field of the BPF program loading structure. The system's telling me it's a union, specifically `0x0<<<!!ERROR!!>>>, @void}`. This is where things get tricky. I need to figure out *what* union is hiding in that spot. I've walked through the fields several times now: `type`, `ninsn`, `insns`, `license`, `loglev`, `logsize`, `log`, `kern_version`, and so on, all the way to `pad`. The 27th field is `prog_token_fd`. It's a resource type, pointing to a file descriptor. Looking at the `bpf.txt` file, I see it's defined as `fd_bpf_token[fd]`.

Initially, I considered if other fields could be unions, like `log_true_size`, `core_relo_rec_size`, `core_relos`, `fd_array`, etc. I even checked `attach_prog_fd` again, which turned out to be `PROG_FD` and is a union. Earlier, I'd tried `@void` for `attach_prog_fd`, but that triggered a "wrong union arg for 'ifindex'" error, related to how syzkaller handles `[opt]` fields. The system expects either `@val=0x0` or `@void` for optional union fields, but that doesn't apply to the cases I'm looking at.

The 27th field is `prog_token_fd`, and the associated conditional field is `pad` which is zero. I initially assumed `flags` might be the cause of the problem, so maybe conditional fields are NOT the source of the union.

I tried a pipe-based approach with `write` and `read` to manipulate memory, but that seemed too indirect.  I could have `bpf$PROG_LOAD_XDP` load a program to trigger the bug.

I need the program to return `XDP_TX`. To make that happen, I can load a program which uses `bpf$PROG_LOAD`.

So, back to the 27th field. If it's a union, and I provided `0x0` initially, what if I provide `@void`? When I try `@void`, syzkaller expects a 28th field, which means `@void` was successfully parsed as the 27th field. This suggests there's a union with a `void` option, and that's an `optional` field. I checked all the fields in the struct again and `prog_token_fd` isn't `optional[fd_bpf_token]` itself. I started thinking about the `extra` field, which I know is present in `bpf_link_create_arg_t`, so it shouldn't be included as a field within this `bpf_prog_t` struct, but perhaps it is still an option.

So, I think I have the following option: let's test providing `@val=0x0` for the 27th field. Fingers crossed.

wrong option "val" of union "_bpf_prog_t[flags[bpf_prog_type, int32], bpf_prog_attach_types, bpf_btf_id[opt], fd_bpf_prog[opt]]_prog_token_fd_wrapper", available options are: "value", "void"
line #9:301: r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @val<<<!!ERROR!!>>>=0x0, 0x0}, 0x90)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @val=0x0, 0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 323943
							output: 1042
							thoughts: 398
						

**Decoding the BPF Program Loading Structure**

Okay, let's break this down. That 27th field, looking at the struct, I've got it: it's `_bpf_prog_t_prog_token_fd_wrapper`. Right, that's the wrapper for the conditional field `prog_token_fd`. In syzkaller, the way they handle these conditional fields is through unions, where you've got either a `value` or a `void` option, got it. So, for `prog_token_fd`, I need to specify `@void`.

And then the 28th field is `pad`, another conditional field. That means I need to use `@value=0x0` for padding it. Makes perfect sense.

Alright, let's put this into practice and test it out. Here's a quick test:

```
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
```

bad string value "bond1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", expect ["\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "lo\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "tunl0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "gre0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "gretap0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip_vti0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6_vti0\x00\x00\x00\x00\x00\x00\x00\x00" "sit0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6tnl0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6gre0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6gretap0\x00\x00\x00\x00\x00\x00" "bond0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "dummy0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "nr0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "rose0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "erspan0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "vlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "bridge0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "vcan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "team0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "syz_tun\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_to_bridge\x00" "veth1_to_bridge\x00" "veth0_to_bond\x00\x00\x00" "veth1_to_bond\x00\x00\x00" "veth0_to_team\x00\x00\x00" "veth1_to_team\x00\x00\x00" "bridge_slave_0\x00\x00" "bridge_slave_1\x00\x00" "bond_slave_0\x00\x00\x00\x00" "bond_slave_1\x00\x00\x00\x00" "team_slave_0\x00\x00\x00\x00" "team_slave_1\x00\x00\x00\x00" "syzkaller0\x00\x00\x00\x00\x00\x00" "syzkaller1\x00\x00\x00\x00\x00\x00" "veth0_to_hsr\x00\x00\x00\x00" "veth1_to_hsr\x00\x00\x00\x00" "hsr0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6erspan0\x00\x00\x00\x00\x00\x00" "vxcan1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "caif0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "batadv0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_to_batadv\x00" "veth1_to_batadv\x00" "batadv_slave_0\x00\x00" "batadv_slave_1\x00\x00" "netdevsim0\x00\x00\x00\x00\x00\x00" "netpci0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "nicvf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "xfrm0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_virt_wifi\x00" "veth1_virt_wifi\x00" "virt_wifi0\x00\x00\x00\x00\x00\x00" "veth0_vlan\x00\x00\x00\x00\x00\x00" "veth1_vlan\x00\x00\x00\x00\x00\x00" "vlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "vlan1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "macvlan0\x00\x00\x00\x00\x00\x00\x00\x00" "macvlan1\x00\x00\x00\x00\x00\x00\x00\x00" "ipvlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ipvlan1\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_macvtap\x00\x00\x00" "veth1_macvtap\x00\x00\x00" "macvtap0\x00\x00\x00\x00\x00\x00\x00\x00" "macsec0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "geneve0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "geneve1\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wg0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wg1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wg2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wlan1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "dvmrp0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "dvmrp1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pimreg\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pimreg0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pimreg1\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pim6reg\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pim6reg0\x00\x00\x00\x00\x00\x00\x00\x00" "pim6reg1\x00\x00\x00\x00\x00\x00\x00\x00"]
line #10:66: ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00'<<<!!ERROR!!>>>, <r5=>0x0})

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='+bond1\x00', 0x7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond1/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000100)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond1/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000280)={'bond1\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 329029
							output: 1001
							thoughts: 1863
						

**My Thought Process: Network Interface Bonding and BPF Program Execution**

Okay, so I need to configure a bonded network interface and attach a BPF program. First things first: I have to ensure that the interface I intend to use is available. Checking the `devnames` list... Aha! `bond1` isn't in there.  Okay, no problem. I can use `bond0` instead. But I should confirm that `bond0` isn't already UP, so I'll set it DOWN just in case.

Now, previously I would have needed to remove any existing slaves from `bond0`, but the syzkaller test environment doesn't enslave anything to `bond0` by default.  So, I can skip those steps. Great! This simplifies things.

Here's the plan:

1.  **Socket and IOCTL:** I create a socket and use `ioctl` to set `bond0` to DOWN. I also set `veth0` DOWN.
2.  **Sysfs and Bonding Mode:** Open the sysfs entry for `bond0` bonding mode and write `0` to set it to round-robin.
3.  **Sysfs and Enslaving:** Open the sysfs entry for `bond0` slaves and write `+veth0` to enslave `veth0`.
4.  **BPF Program Load:** Load the BPF program (with some inline assembly in there).
5.  **Get ifindex:** Get the ifindex for `bond0` using `ioctl`.
6.  **BPF Link Create:** Attach the BPF program to `bond0` using `bpf_link_create_xdp`.
7.  **Get ifindex:** Get the ifindex for `veth0` using `ioctl`.
8.  **BPF Test Run Live:** Now, I'll execute the `BPF_PROG_TEST_RUN_LIVE` call to run the program and assess.

Let's test this to ensure it works as expected.

wrong struct arg for "array"
line #12:193: bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={<<<!!ERROR!!>>>0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000040)={'veth0\x00', @ifru_flags=0x0})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000280)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)={0x0, 0x0, 0x0, r7, 0x0, 0x0}, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 332589
							output: 1090
							thoughts: 2238
						

**Navigating the `inctx` Structure in Syzkaller**

Okay, so I'm tackling this `inctx` parameter. It's defined as `ptr64[in, array[int8]]`, meaning it's a 64-bit pointer to an array of 8-bit integers. My initial thought was to use a struct, but Syzkaller wants an array.  So, I switched to the array syntax.  However, using `[0x0, 0x0, 0x0, r7, 0x0, 0x0]` immediately presented a problem: `r7` would be truncated to a single byte! And `r7` holds an `ifindex`, which is an `int32`.

The question becomes: how do I effectively pass a 4-byte `int32` (`r7`) *within* this byte array? `&AUTO` might be useful, but `ANY` is not supported for structs, and I also tried `ANY` with string and it failed. So, back to the array. Perhaps I could somehow cast a struct to an array with `ANY`? No, no support.

I considered `bpf$BPF_PROG_TEST_RUN` but that's essentially the same issue with the `inctx` type.  I even briefly entertained using pipes and `write` to insert `r7` into memory at the correct offset, but `write` takes an input buffer, and I couldn't feed `r7` directly. I also briefly considered `setsockopt` and `getsockopt`, but they either write to or read from memory, not necessarily the correct memory.

Then, a breakthrough! I remembered that `ioctl$sock_SIOCGIFINDEX` *writes* the `ifindex` to memory. The structure for `ifreq_t[ifindex]` places the `ifindex` at offset 16 within a 40-byte buffer. Looking at the `xdp_md` struct, `ingress_ifindex` is at offset 12, not 16. That doesn't match!

I realized I can initialize the `array[int8]` with a list of values, for example, `[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]`. Now, even though `r7` will be cast to `int8`, it *should* work!  The `ifindex` of `veth0` is typically small, and since the system is little-endian, the first byte of `ingress_ifindex` at offset 12 will *be* `r7`, and the rest will be 0. Brilliant! I think I've cracked it.  Now, let's test!

wrong array arg *prog.BufferType
line #12:193: bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)=[<<<!!ERROR!!>>>0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0x2, 0x0, 0x1}, 0x50)

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000040)={'veth0\x00', @ifru_flags=0x0})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000280)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'veth0\x00', <r7=>0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 336962
							output: 1024
							thoughts: 4424
						

**Navigating the `inctx` Conundrum for `bpf$BPF_PROG_TEST_RUN_LIVE`**

Okay, here's the breakdown of my thinking to get the right value into the `inctx` argument for `bpf$BPF_PROG_TEST_RUN_LIVE`. First, I see that `inctx` is a `ptr64[in, array[int8]]`. In syzkaller, `array[int8]` means buffer/string, not a regular array, so I MUST pass a string. I need `ingress_ifindex`, which is essentially an integer value (like `r7`), but syzkaller's `ptr[in]` for strings is giving me a headache.  I need to get that integer value into memory at the correct location (offset 12) within this buffer that `inctx` expects.

My initial thought was to use `write`, but that won't work directly with an integer. I considered `getsockopt`, but that writes a socket option value not the value I need. After that I looked at `ioctl`, Specifically, `ioctl$sock_SIOCGIFINDEX` looks promising, because it writes an ifindex to a memory location.

I calculated that if I pass `0x7f00000003bc` to `ioctl$, then` ifindex` will be written at offset 16 from there. Since `ingress_ifindex` is at offset 12 in `inctx`, and I want `ingress_ifindex` to be set, I need `ioctl` to write to `0x7f00000003bc`.  Then I realized I would need to have the `ioctl` write into this space correctly. Since the `ifreq` struct is 40 bytes and the `inctx` only requires a 24-byte buffer, I needed to ensure that I was writing into the right area. The ifreq struct contains an ifr_name field which is 16 bytes. Then I discovered that the `data` field of `inctx` becomes garbage, because I'm passing a string to `ifr_name`.

I also noticed that, the data, meta, and end values in `inctx` needed to be correct, according to the `bpf_prog_test_run_xdp` function and in order to ensure the `data` value is no greater than `data_end`. Therefore, I realized that I could rename the interface. So I came up with an idea to rename the interface `veth0` to `veth`, which would allow the `data` value to be zero. Now, `data` is 0, which ensures the test will pass!

Now, I was ready to use a plan, and I realized that syzkaller was overwriting the data that was passed in `inctx`. Specifically, the issue is that syzkaller copies the data to memory before each syscall call. However, for `ptr[out]` it does not.

I then explored using a `bpf` map, `bpf$MAP_UPDATE_ELEM` and `bpf$MAP_LOOKUP_ELEM` to write into the memory and read from the memory, and again, the value would be overwritten.

Ultimately, I realized that `bpf$BPF_PROG_TEST_RUN_LIVE` would overwrite the memory. I noticed that if I used `""/0`, this would result in 0 bytes being written. That's a good thing! The kernel will still read `insizectx` bytes, which is 24 bytes in this case. So using `""/0` should do the trick, and avoid the overwrite problem, and let the code work!

bad string value "veth\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", expect ["\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "lo\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "tunl0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "gre0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "gretap0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip_vti0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6_vti0\x00\x00\x00\x00\x00\x00\x00\x00" "sit0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6tnl0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6gre0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6gretap0\x00\x00\x00\x00\x00\x00" "bond0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "dummy0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "nr0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "rose0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "erspan0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "vlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "bridge0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "vcan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "team0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "syz_tun\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_to_bridge\x00" "veth1_to_bridge\x00" "veth0_to_bond\x00\x00\x00" "veth1_to_bond\x00\x00\x00" "veth0_to_team\x00\x00\x00" "veth1_to_team\x00\x00\x00" "bridge_slave_0\x00\x00" "bridge_slave_1\x00\x00" "bond_slave_0\x00\x00\x00\x00" "bond_slave_1\x00\x00\x00\x00" "team_slave_0\x00\x00\x00\x00" "team_slave_1\x00\x00\x00\x00" "syzkaller0\x00\x00\x00\x00\x00\x00" "syzkaller1\x00\x00\x00\x00\x00\x00" "veth0_to_hsr\x00\x00\x00\x00" "veth1_to_hsr\x00\x00\x00\x00" "hsr0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6erspan0\x00\x00\x00\x00\x00\x00" "vxcan1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "caif0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "batadv0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_to_batadv\x00" "veth1_to_batadv\x00" "batadv_slave_0\x00\x00" "batadv_slave_1\x00\x00" "netdevsim0\x00\x00\x00\x00\x00\x00" "netpci0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "nicvf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "xfrm0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_virt_wifi\x00" "veth1_virt_wifi\x00" "virt_wifi0\x00\x00\x00\x00\x00\x00" "veth0_vlan\x00\x00\x00\x00\x00\x00" "veth1_vlan\x00\x00\x00\x00\x00\x00" "vlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "vlan1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "macvlan0\x00\x00\x00\x00\x00\x00\x00\x00" "macvlan1\x00\x00\x00\x00\x00\x00\x00\x00" "ipvlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ipvlan1\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_macvtap\x00\x00\x00" "veth1_macvtap\x00\x00\x00" "macvtap0\x00\x00\x00\x00\x00\x00\x00\x00" "macsec0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "geneve0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "geneve1\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wg0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wg1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wg2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wlan1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "dvmrp0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "dvmrp1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pimreg\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pimreg0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pimreg1\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pim6reg\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pim6reg0\x00\x00\x00\x00\x00\x00\x00\x00" "pim6reg1\x00\x00\x00\x00\x00\x00\x00\x00"]
line #11:83: ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000400)={'veth0\x00', @ifru_names='veth\x00'<<<!!ERROR!!>>>})

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000040)={'veth0\x00', @ifru_flags=0x0})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000280)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000400)={'veth0\x00', @ifru_names='veth\x00'})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000003bc)={'veth\x00'})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)=""/0, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 346414
							output: 1026
							thoughts: 3881
						

**A Deep Dive into BPF Program Loading and Interface Renaming**

Okay, so I've hit a snag. I was trying to rename a virtual Ethernet interface (`veth0`) to a shorter name, and my initial thought was to use something like `"veth"` directly. However, the `devnames` list doesn't include `"veth\x00"`, so I can't do that.  Time to get clever.  I began searching the `devnames` list for names that were exactly 4 bytes long, with names such as `"hsr0"`, `"sit0"`, and `"gre0"` coming up as possibilities. The plan was to rename `veth0` to `"hsr0"` since it exists.  But, I have a problem! `hsr0` also appears in `devnames`. If I renamed `veth0` to `hsr0`, the ifr_name field would then be `"hsr0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"`. Fortunately, the structure definition is such that I can use this to my advantage.

I was able to successfully rename `veth0` to `"hsr0"`.  Now, the next part involves manipulating BPF programs and hitting that elusive bug. My initial attempt at loading a BPF program directly using struct literals was failing. I needed to get a specific BPF program to run. It had to return `XDP_TX` to trigger the bug.  I tried a few things, but it all came down to a more involved approach: load it using `bpf$PROG_LOAD` but control the underlying struct and write it to memory.

First, I thought I could use `pipe` and `read` to write the struct to memory, and then pass this address to `bpf$PROG_LOAD`. I'm starting to get closer, I'm thinking. I knew that I could use `bpf$PROG_LOAD` and provide the struct as a string and use `&AUTO` for the pointer, and syzkaller will generate a random program, but this might not return `XDP_TX`, and so I started exploring the structure of `bpf_prog_t`, the structure passed into `bpf$PROG_LOAD`.  It seems my original thoughts were not quite right, and after some examination of the bpf_prog.txt definitions, it's clear the 27th and 28th fields are unions.  Specifically, `prog_token_fd` and `pad` are conditional fields!

I finally realized that because I was setting `flags` to 0, I should use `@void` for `prog_token_fd` (which is the 27th field), and `@value=0x0` for `pad` (which is the 28th field).  My prior failure was using `@val=0x0` when it should have been `@value=0x0`.

So, the next iteration is to correct the struct literal I'm providing to `bpf$PROG_LOAD`. `prog_ifindex`, `btf_fd`, and `attach_prog_fd`, should all be `0x0`. I'm getting there. I'm going to try it now.

missing struct ifreq_dev_t[devnames, ifindex] fields 1/3
line #12:66: ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000003bc)={'hsr0\x00'}<<<!!ERROR!!>>>)

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000040)={'veth0\x00', @ifru_flags=0x0})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000280)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000400)={'veth0\x00', @ifru_names='hsr0\x00'})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000003bc)={'hsr0\x00'})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)=""/0, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 352157
							output: 1031
							thoughts: 253
						

**Analyzing the `ifreq_dev_t` Structure**

Okay, so I'm looking at this `ifreq_dev_t` structure, and it seems like it's got three fields, right? Let's see... `type ifreq_dev_t[DEVNAME, ELEM] { ifr_ifrn string[DEVNAME, IFNAMSIZ] (in) elem ELEM } [size[IFREQ_SIZE]]`. Hmm, wait a minute, `ifr_ifrn` and `elem` are the two explicitly defined fields. What's the third one? Is it `size`? No, `size` appears to be an attribute, not a field.

Aha! Now I see, `ifreq_t[ifindex]` is actually a `ifreq_dev_t[devnames, ifindex]`.  So that clarifies things. If I just provide something like `{'hsr0\x00'}`, that's only one field. I'm missing the `elem` field! I should have known that.

So, the `ioctl` call has to look like this: `ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000003bc)={'hsr0\x00', 0x0})`. Okay, but wait, `ifindex` is a resource, and can be zero... Right, so `0x0` is valid as `elem`.

Alright, I think I've got a handle on this now. I should test it to be sure!

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000040)={'veth0\x00', @ifru_flags=0x0})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000280)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000400)={'veth0\x00', @ifru_names='hsr0\x00'})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000003bc)={'hsr0\x00', 0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)=""/0, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 353816
							output: 44
							thoughts: 1149
						

**Debugging a BPF XDP Test on a Bonded Interface**

Okay, so the test didn't crash. Good. But why? My initial thought was that maybe `bond0` wasn't created, or that `veth0` wasn't enslaved to it. But wait, in this test environment, `bond0` might not even exist if I don't use `syz_init_net_socket`. However, Syzkaller's default setup *should* create `bond0` and `veth0` anyway. Then it hit me: the bond's mode might be locked if it's currently up.

To deal with this, I tried setting `bond0` down: I used `SIOCSIFFLAGS` (`0x8914`) to set `ifru_flags` to `0x0`, which should bring it down. But then, a new problem arose: what if `bond0` has slaves? If it does, I can't directly change its mode.

So, the obvious next step is to check for slaves. I could just create a brand new bond device. I tried writing to `/sys/class/net/bonding_masters` to create `bond1`. However, I recall that `bond1` wasn't in `devnames` previously. So, I need to stick with `bond0` and deal with its existing slaves. I can remove them by writing to `/sys/class/net/bond0/bonding/slaves`. I'll remove `bond_slave_0` and `bond_slave_1`.

Now, if `bond0` is in `devnames`, I can proceed. But what if the `bpf$BPF_PROG_TEST_RUN_LIVE` test failed? I need to figure out what's causing that failure. Perhaps `veth0` must be UP for `bpf$BPF_PROG_TEST_RUN_LIVE` to succeed? I looked into `bpf_prog_test_run_xdp`, which uses `dev_get_by_index`. It doesn't explicitly check if the interface is UP, but then I remembered that `veth_enable_xdp_range` is actually called when `dev_xdp_propagate` is called. Ah, and `dev_xdp_propagate` is called from `bond_xdp_set`. So, if `veth0` is DOWN, `dev_xdp_propagate` calls `veth_xdp_set`. `veth_xdp_set` calls `veth_enable_xdp`, and `veth_enable_xdp` calls `veth_enable_xdp_range`. This latter function registers `xdp_rxq_info`.

This is crucial. `xdp_rxq_info` is *definitely* registered now. But could `bpf_prog_test_run_xdp` fail because it checks `if (!xdp_rxq_info_is_reg(&rxqueue->xdp_rxq))`? No, it *should* be registered at this point!

Now, the final thing that occurs to me is: what if `bpf_prog_run_xdp` doesn't call `xdp_master_redirect` because `bpf_master_redirect_enabled_key` isn't enabled? I recall that it is enabled in `bond_xdp_set`! Since I attached the program to `bond0`, `bond_xdp_set` would have been called and incremented `bpf_master_redirect_enabled_key`.

Just to be thorough, I considered how `bpf$BPF_LINK_CREATE_XDP` works. It calls `bpf_xdp_link_attach`. Does *that* call `bond_xdp_set`? I need to check `dev_xdp_attach_link`.

map[ContextFile:net/core/dev.c IncludeLines:true Name:dev_xdp_attach_link]

map[SourceCode:10482:	static int dev_xdp_attach_link(struct net_device *dev,
10483:				       struct netlink_ext_ack *extack,
10484:				       struct bpf_xdp_link *link)
10485:	{
10486:		return dev_xdp_attach(dev, extack, link, NULL, NULL, link->flags);
10487:	}
 SourceFile:net/core/dev.c]

gemini-3-pro-preview

							input: 356007
							output: 42
							thoughts: 12
						

Here's my attempt at summarizing the thought process, tailored for an expert audience:

**Examining the XDP Attachment**

Okay, let's dive in. The task at hand is to understand, and probably troubleshoot, something related to `dev_xdp_attach`. I'm immediately thinking, "What's the context? What's *broken* or being investigated?" Is this about a specific device, a particular XDP program, an attachment failure, performance issues, or maybe just general observation? I need more information to form a complete picture. The `dev_xdp_attach` function is the core of attaching XDP programs to network interfaces, so I need to mentally reconstruct the call stack and data flow surrounding it. This likely involves looking at the device driver, the XDP infrastructure in the kernel, and potentially the eBPF program itself if we're debugging. I'm thinking about the return codes; are we looking at an error during the attach, perhaps a rejected program, or something else? I'm already mentally running through the typical failure points: incorrect program type, incompatible features, resource exhaustion, or driver-specific limitations. We need to consider how this function interacts with the eBPF verifier, the XDP hook, and the network device's configuration. It's time to start digging into the relevant source code, logs, and maybe even some system traces. Time to get to work!

map[ContextFile:net/core/dev.c IncludeLines:true Name:dev_xdp_attach]

map[SourceCode:10355:	static int dev_xdp_attach(struct net_device *dev, struct netlink_ext_ack *extack,
10356:				  struct bpf_xdp_link *link, struct bpf_prog *new_prog,
10357:				  struct bpf_prog *old_prog, u32 flags)
10358:	{
10359:		unsigned int num_modes = hweight32(flags & XDP_FLAGS_MODES);
10360:		struct bpf_prog *cur_prog;
10361:		struct net_device *upper;
10362:		struct list_head *iter;
10363:		enum bpf_xdp_mode mode;
10364:		bpf_op_t bpf_op;
10365:		int err;
10366:	
10367:		ASSERT_RTNL();
10368:	
10369:		/* either link or prog attachment, never both */
10370:		if (link && (new_prog || old_prog))
10371:			return -EINVAL;
10372:		/* link supports only XDP mode flags */
10373:		if (link && (flags & ~XDP_FLAGS_MODES)) {
10374:			NL_SET_ERR_MSG(extack, "Invalid XDP flags for BPF link attachment");
10375:			return -EINVAL;
10376:		}
10377:		/* just one XDP mode bit should be set, zero defaults to drv/skb mode */
10378:		if (num_modes > 1) {
10379:			NL_SET_ERR_MSG(extack, "Only one XDP mode flag can be set");
10380:			return -EINVAL;
10381:		}
10382:		/* avoid ambiguity if offload + drv/skb mode progs are both loaded */
10383:		if (!num_modes && dev_xdp_prog_count(dev) > 1) {
10384:			NL_SET_ERR_MSG(extack,
10385:				       "More than one program loaded, unset mode is ambiguous");
10386:			return -EINVAL;
10387:		}
10388:		/* old_prog != NULL implies XDP_FLAGS_REPLACE is set */
10389:		if (old_prog && !(flags & XDP_FLAGS_REPLACE)) {
10390:			NL_SET_ERR_MSG(extack, "XDP_FLAGS_REPLACE is not specified");
10391:			return -EINVAL;
10392:		}
10393:	
10394:		mode = dev_xdp_mode(dev, flags);
10395:		/* can't replace attached link */
10396:		if (dev_xdp_link(dev, mode)) {
10397:			NL_SET_ERR_MSG(extack, "Can't replace active BPF XDP link");
10398:			return -EBUSY;
10399:		}
10400:	
10401:		/* don't allow if an upper device already has a program */
10402:		netdev_for_each_upper_dev_rcu(dev, upper, iter) {
10403:			if (dev_xdp_prog_count(upper) > 0) {
10404:				NL_SET_ERR_MSG(extack, "Cannot attach when an upper device already has a program");
10405:				return -EEXIST;
10406:			}
10407:		}
10408:	
10409:		cur_prog = dev_xdp_prog(dev, mode);
10410:		/* can't replace attached prog with link */
10411:		if (link && cur_prog) {
10412:			NL_SET_ERR_MSG(extack, "Can't replace active XDP program with BPF link");
10413:			return -EBUSY;
10414:		}
10415:		if ((flags & XDP_FLAGS_REPLACE) && cur_prog != old_prog) {
10416:			NL_SET_ERR_MSG(extack, "Active program does not match expected");
10417:			return -EEXIST;
10418:		}
10419:	
10420:		/* put effective new program into new_prog */
10421:		if (link)
10422:			new_prog = link->link.prog;
10423:	
10424:		if (new_prog) {
10425:			bool offload = mode == XDP_MODE_HW;
10426:			enum bpf_xdp_mode other_mode = mode == XDP_MODE_SKB
10427:						       ? XDP_MODE_DRV : XDP_MODE_SKB;
10428:	
10429:			if ((flags & XDP_FLAGS_UPDATE_IF_NOEXIST) && cur_prog) {
10430:				NL_SET_ERR_MSG(extack, "XDP program already attached");
10431:				return -EBUSY;
10432:			}
10433:			if (!offload && dev_xdp_prog(dev, other_mode)) {
10434:				NL_SET_ERR_MSG(extack, "Native and generic XDP can't be active at the same time");
10435:				return -EEXIST;
10436:			}
10437:			if (!offload && bpf_prog_is_offloaded(new_prog->aux)) {
10438:				NL_SET_ERR_MSG(extack, "Using offloaded program without HW_MODE flag is not supported");
10439:				return -EINVAL;
10440:			}
10441:			if (bpf_prog_is_dev_bound(new_prog->aux) && !bpf_offload_dev_match(new_prog, dev)) {
10442:				NL_SET_ERR_MSG(extack, "Program bound to different device");
10443:				return -EINVAL;
10444:			}
10445:			if (bpf_prog_is_dev_bound(new_prog->aux) && mode == XDP_MODE_SKB) {
10446:				NL_SET_ERR_MSG(extack, "Can't attach device-bound programs in generic mode");
10447:				return -EINVAL;
10448:			}
10449:			if (new_prog->expected_attach_type == BPF_XDP_DEVMAP) {
10450:				NL_SET_ERR_MSG(extack, "BPF_XDP_DEVMAP programs can not be attached to a device");
10451:				return -EINVAL;
10452:			}
10453:			if (new_prog->expected_attach_type == BPF_XDP_CPUMAP) {
10454:				NL_SET_ERR_MSG(extack, "BPF_XDP_CPUMAP programs can not be attached to a device");
10455:				return -EINVAL;
10456:			}
10457:		}
10458:	
10459:		/* don't call drivers if the effective program didn't change */
10460:		if (new_prog != cur_prog) {
10461:			bpf_op = dev_xdp_bpf_op(dev, mode);
10462:			if (!bpf_op) {
10463:				NL_SET_ERR_MSG(extack, "Underlying driver does not support XDP in native mode");
10464:				return -EOPNOTSUPP;
10465:			}
10466:	
10467:			err = dev_xdp_install(dev, mode, bpf_op, extack, flags, new_prog);
10468:			if (err)
10469:				return err;
10470:		}
10471:	
10472:		if (link)
10473:			dev_xdp_set_link(dev, mode, link);
10474:		else
10475:			dev_xdp_set_prog(dev, mode, new_prog);
10476:		if (cur_prog)
10477:			bpf_prog_put(cur_prog);
10478:	
10479:		return 0;
10480:	}
 SourceFile:net/core/dev.c]

gemini-3-pro-preview

							input: 358732
							output: 1028
							thoughts: 1274
						

**Debugging a BPF Program Load for XDP_TX with Bonding**

Okay, so I'm trying to figure out how to load a BPF program that returns `XDP_TX` without using that `bpf$PROG_LOAD` struct literal and, more importantly, figure out what's causing this `wrong int arg *prog.UnionType` error I'm seeing. Let's trace my thinking.

First, I knew that `dev_xdp_attach` calls `dev_xdp_install`, and that calls `bpf_op`. And in the bonding context, `bpf_op` becomes `bond_xdp_set`. Ah-ha! That's how `bond_xdp_set` is being called, which increments the `bpf_master_redirect_enabled_key`! Good to know.

Now, back to the problem. Loading that BPF program with `XDP_TX`... I initially considered using `bpf$PROG_LOAD` with `&AUTO` and `syz_execute_func`, but that's disabled. So, I figured, let's just provide the struct directly. Seems simple, right?

But I keep running into this "wrong union arg" error at the 28th field. I initially thought it was the `pad` field, since it's conditional.  I went back to look at `bpf_prog_t`, and noticed that `pad`'s definition includes a `const[0, int32]`, as well as it being conditional, so it's a union and I need to provide the correct value. And, in the `syzkaller` implementation, all conditional fields are implemented as unions! So, I provided `@value=0x0`.

Yet, the error persisted. So, now I'm thinking, did I screw up something else? The error message said, "wrong union arg for `ifindex`"! But `prog_ifindex` is NOT a union. So, if it's not a union, it should be just a plain integer (0x0). Okay, let me write out all the fields and their values again... to make sure I'm not missing anything. I need to make *absolutely sure* the struct is correct.

After reviewing the struct, I am certain I provided all the correct field values (as shown in the provided struct literal). Let's just test this exact struct!

undeclared variable r5
line #10:55: bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5<<<!!ERROR!!>>>, 0x27, 0x0, @void}, 0x20)

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000040)={'veth0\x00', @ifru_flags=0x0})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000280)={'bond0\x00', 0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000400)={'veth0\x00', @ifru_names='hsr0\x00'})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000003bc)={'hsr0\x00', 0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)=""/0, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 361654
							output: 1031
							thoughts: 75
						

Okay, here's my interpretation of this debugging thought process, as if I were experiencing it:

**Missing Register Assignment - Quick Fix Needed!**

Right, that's it! *Facepalm* I was so focused on the `ioctl` call with `SIOCGIFINDEX` and the target `bond0` interface that I completely spaced on assigning a crucial value to `r5`. Looking at the trace, I can see that `r5` is supposed to be holding something when it's passed into the system call. The call `ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000280)={'bond0\x00', <r5=>0x0})` is going to fail if `r5` isn't properly initialized. I see it's currently a null pointer (`0x0`), and that's not what I need. Better get that fixed before I waste any more time! Gotta assign something valid to r5.

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000040)={'veth0\x00', @ifru_flags=0x0})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='0\x00', 0x2)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000140)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000180)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x2, &(0x7f0000000200)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000280)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000400)={'veth0\x00', @ifru_names='hsr0\x00'})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000003bc)={'hsr0\x00', 0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)=""/0, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 363010
							output: 1104
							thoughts: 1937
						

**Debugging XDP on Bond Interfaces: A Deep Dive**

Okay, so I got the code to compile and run, but it didn't crash. That's not what I expected. I'm running an XDP program on a bonded interface and expected a crash when a crucial component of the bond was uninitialized. Let's trace this.

I initially thought maybe `bpf$BPF_PROG_TEST_RUN_LIVE` failed, but that wasn't it. Could the state of the slave interface, `veth0`, be influencing the results? No, `bpf_prog_test_run_xdp` doesn't check the interface state. Ah, but `veth_enable_xdp_range` registers `xdp_rxq_info` only if `veth_enable_xdp` has been called. When does that happen? It is called when an XDP program is attached to the device. I attached the XDP program to `bond0`, not `veth0`! Does attaching to the bond interface propagate to its slaves?

I need to confirm this with `bond_xdp_set`. Yes, it does! `dev_xdp_propagate` is used to do it. So, the XDP program *is* effectively attached to `veth0`. Hold on, I renamed `veth0` to `hsr0` after attaching the XDP program. Does renaming clear the XDP program? No. I check the interface index using `ioctl$sock_SIOCGIFINDEX` and how `bpf_prog_test_run_xdp` uses it. The XDP program uses the correct `ifindex` to find the device using `dev_get_by_index`. It checks if `xdp_rxq_info_is_reg` is valid, and it is, because `veth_enable_xdp_range` had registered it.

So, the BPF program runs. It returns `XDP_TX` as expected. That calls `xdp_master_redirect`, which calls `bond_xdp_get_xmit_slave`, which ends up using `bond_xdp_xmit_roundrobin_slave_get`. That function accesses `bond->rr_tx_counter`. The critical question is, *was* the `rr_tx_counter` allocated? It should have crashed because `bond0` was DOWN at this point.

Why didn't it crash? Maybe `bond0` was UP before? The syzkaller test environment might have set `bond0` UP initially. If that happened, `bond_open` was called, which would have allocated `bond->rr_tx_counter`. Even if I set `bond0` DOWN later, `bond_close` *doesn't* free `rr_tx_counter`!

The `rr_tx_counter` remains valid! That's the root cause of the unexpected behavior. I need to create a *truly* fresh bond device. I can't use `syz_emit_ethernet`. I could try netlink, but that's complex. What about `/sys/class/net/bonding_masters`? I thought I could use `write(r0, "+bond1", 7)` but that fails since `bond1` is not in `devnames` already.

Wait, I can rename `bond0` to `bond1`, but then I can't be sure it is truly uninitialized. How about using `+bond_slave_0`? Will it work? I check if `bond_slave_0` is a valid name and it is. I can create a new bond device with this name using sysfs, but it might already exist and fail with `-EEXIST`.

I check what device names already exist: `"dummy0"`, `"team0"`, `"syz_tun"`, `"bridge0"`, `"vcan0"`, `"hsr0"`, `"batadv0"`, `"xfrm0"`, `"macvlan0"`, `"ipvlan0"`, `"geneve0"`, `"wg0"`, `"wlan0"`. They all exist, as syzkaller creates them. There's `"bond_slave_1"`, `"veth0_to_bond"`, `"veth1_to_bond"`, `"veth0_to_team"`, and `"veth1_to_team"`, which also already exist!

Aha! Instead of creating a *new* one, I can just *delete* and *recreate* `bond0`! That should give me a completely clean state. So I write `-bond0` to delete and `+bond0` to recreate it. Then I

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='-bond0\x00', 7)
write(r0, &(0x7f0000000080)='+bond0\x00', 7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f0000000100)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000140)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+veth0\x00', 0x7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r2, 0x8923, &(0x7f0000000340)={'veth0\x00', @ifru_names='hsr0\x00'})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000003bc)={'hsr0\x00', 0x0})
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000380)={r4, 0x0, 0xe, 0x0, &(0x7f00000003c0)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x18, 0x0, &(0x7f00000003c0)=""/0, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 367101
							output: 980
							thoughts: 6338
						

**XDP Bug Investigation: A Deep Dive**

Okay, so the program hasn't crashed yet. That's... unexpected. Let's start by methodically retracing the steps. First, ensure `bond0` is being properly deleted and recreated using the sysfs interface. `bond0` should be taken down and then brought back up to ensure a clean slate. Next, configure the bonding mode to ROUNDROBIN.  Then,  we need to take down 'lo' and enslave it to `bond0`. Now, load and attach the BPF program to `bond0` and  run a test.

My immediate focus is checking the data structures to ensure the BPF program gets the right context. The code seems to be correctly setting the ifindex for `hsr0` in the right location within the user-space buffer,  and initializing the data, data_end and data_meta fields to zero, but still, no crash. That’s perfect because those are all exactly what I expected. So far so good!

I’m focusing now on `rx_queue_index`. The important part here is the copy of the `ifreq` struct back to user space. It copies everything, including what syzkaller initialized to zero. This should work. Then I go into checking the `bpf_prog_test_run_xdp` function and its arguments. The batch size is fine, but there is a conditional check in  `xdp_convert_md_to_buff` related to `ingress_ifindex`.

Here's the problem. The kernel checks if the `ingress_ifindex` is zero; if it's not, it checks whether `rx_queue_index` falls within the valid range of receive queues for the device. If the `ingress_ifindex` is set, `xdp_convert_md_to_buff` now has to correctly account for the rxq and verify that the queue it’s referencing is registered. The problem is that the registration logic is device-specific, and many drivers, like the veth driver, register their own `xdp_rxq_info` separate from the generic `netdev_rx_queue` struct, so the test fails because the registered xdp_rxq_info does not exist where the test code is looking for it. In short, drivers register their XDP queue information in their own structs, not in the standard `netdev_rx_queue` struct. The kernel then fails to find a registered `xdp_rxq` in the generic `netdev_rx_queue` struct.

So, if we provide `ingress_ifindex`, `xdp_convert_md_to_buff` will fail because the device's XDP queue information is not registered where the test is looking. In fact, it seems like if `ingress_ifindex` is given, `xdp_convert_md_to_buff` ALWAYS fails on all the devices.

Aha! If we don’t provide `ingress_ifindex`, the test *should* succeed, because then it defaults to using the `loopback_dev`, which will be a bond slave, and therefore trigger the bug!

Now, the plan is this: Syzkaller program to reproduce the bug:
1.  Delete and recreate `bond0`.
2.  Set `bond0` to ROUNDROBIN mode.
3.  Set 'lo' DOWN.
4.  Enslave 'lo' to `bond0`.
5.  Load the XDP program.
6.  Attach the XDP program to `bond0`.
7.  Run `bpf$BPF_PROG_TEST_RUN_LIVE` with `insizectx=0`.

The final Syzkaller program should just be a matter of getting the right arguments to `bpf$BPF_PROG_TEST_RUN_LIVE`. Now, let's execute!

wrong addr arg *prog.ConstType
line #13:65: bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0x0, <<<!!ERROR!!>>>&(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x0, &(0x7f00000003c0)=""/0, 0x0, 0x2, 0x0, 0x1}, 0x50)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='-bond0\x00', 7)
write(r0, &(0x7f0000000080)='+bond0\x00', 7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f0000000100)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000140)={'lo\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+lo\x00', 4)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x0, &(0x7f00000003c0)=""/0, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 375483
							output: 989
							thoughts: 338
						

**Debugging a Data Structure's Serialization**

Okay, so I thought I had a problem, but it seems I jumped the gun. The `insizedata` field...it's *not* being omitted. Wait, that's right, `insizedata` is defined as `len[indata, int32]`. The lightbulb is starting to flicker. Why isn't it being skipped? Ah, because I'm explicitly providing the structure itself! If I'm giving the system the struct definition directly, I *have* to provide *all* the fields, including those length (`len`) fields. That's the key.

Alright, let's build the entire thing explicitly, ensuring all fields are present:

1.  `r4` - That's in.
2.  `0x0` - Got it.
3.  `0xe` (insizedata) - Yep, there it is, no omission.
4.  `0x0` (outsizedata) - Check.
5.  `&(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00'` - The data pointer. Got it.
6.  `0x0` (outdata) - Okay.
7.  `0x1` (repeat) - Keeping track.
8.  `0x0` (dur) - No problem.
9.  `0x0` (insizectx) - Included.
10. `0x0` (outsizectx) - Fine.
11. `&(0x7f00000003c0)=""/0` - The context pointer. No issues.
12. `0x0` (outctx) - There.
13. `0x2` (flags) - Set.
14. `0x0` (cpu) - Ready.
15. `0x1` (batch\_size) - Final field.

Now, let's run this and see if it behaves as expected. Should be good to go.

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='-bond0\x00', 7)
write(r0, &(0x7f0000000080)='+bond0\x00', 7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f0000000100)='0\x00', 0x2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000140)={'lo\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+lo\x00', 4)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
bpf$BPF_PROG_TEST_RUN_LIVE(0xa, &(0x7f0000000340)={r4, 0x0, 0xe, 0x0, &(0x7f0000000380)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0x0, 0x1, 0x0, 0x0, 0x0, &(0x7f00000003c0)=""/0, 0x0, 0x2, 0x0, 0x1}, 0x50)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 377347
							output: 41
							thoughts: 431
						

**Debugging a Potential Network Crash**

Okay, so the system *didn't* crash. That's good, but why? I need to understand this. My immediate thought is to check if `lo` (the loopback interface) was successfully enslaved to `bond0`. Let's see... I used `write(r3, "+lo\x00", 4)` to attempt the enslavement, so now I need to verify its success.

Wait a minute... `lo` is *always* UP by default. Of course! I explicitly set it DOWN earlier using an `ioctl$sock_ifreq` call: `ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000140)={'lo\x00', @ifru_flags=0x0})`. That should have set `@ifru_flags` to 0, effectively bringing it down before the attempted bond.

So, *bond_enslave* should have worked. But did it? Let's trace it again, specifically the checks within `bond_enslave`.

First, it checks if the slave is a master device. That's a good sanity check.
```c
	if (slave_dev->flags & IFF_MASTER &&
	    !netif_is_bond_master(slave_dev)) {
		BOND_NL_ERR(bond_dev, extack,
			    "Device type (master device) cannot be enslaved");
		return -EPERM;
	}
```
`lo` is *not* a master device. So, that's fine.

Next, it checks for `NETIF_F_VLAN_CHALLENGED`. Does `lo` have this feature? I don't recall off the top of my head, but I need to make a mental note to check this later; I'll keep going for now.

The code then tests for the slave's state being `IFF_UP`.
```c
	if (slave_dev->flags & IFF_UP) {
		SLAVE_NL_ERR(bond_dev, slave_dev, extack,
			     "Device can not be enslaved while up");
		return -EPERM;
	}
```
But *I* set it DOWN earlier. `slave_dev->flags & IFF_UP` should have evaluated to false. Excellent.

Finally, it checks if `slave_ops` has `ndo_set_mac_address` or if the device is Infiniband.
```c
	if (!slave_ops->ndo_set_mac_address ||
	    slave_dev->type == ARPHRD_INFINIBAND) {
```
Does `lo` have `ndo_set_mac_address`? Let me mentally review the `loopback_ops` structure to be certain. I'm pretty sure it's present, but a quick check won't hurt. With all of these conditions met, the crash, if it would have occurred, should not have.

map[ContextFile:drivers/net/loopback.c IncludeLines:true Name:loopback_ops]

map[SourceCode: 154:	static const struct net_device_ops loopback_ops = {
 155:		.ndo_init        = loopback_dev_init,
 156:		.ndo_start_xmit  = loopback_xmit,
 157:		.ndo_get_stats64 = loopback_get_stats64,
 158:		.ndo_set_mac_address = eth_mac_addr,
 159:	};
 SourceFile:drivers/net/loopback.c]

gemini-3-pro-preview

							input: 378645
							output: 48
							thoughts: 2136
						

**XDP and Bonded Interfaces: A Deep Dive**

Okay, so I've been digging into this XDP stuff, especially with bonded interfaces. The initial thought was, "Hey, `ndo_set_mac_address` is there, great!" But then, the immediate questions arise: What about `ndo_bpf` and `ndo_xdp_xmit`?

Alright, let's break this down. The code checks for XDP support in the slave device during bond enslavement. If the slave *doesn't* support XDP (meaning it lacks those two key function pointers), and there's an XDP program attached to the bond, enslavement fails with an `EOPNOTSUPP` error.  This makes sense.

Now, I started wondering about `loopback_ops` and XDP.  No, it doesn't support XDP.  If I attach the XDP program to `bond0` and then try to enslave `lo`, it *should* fail because `lo` doesn't have the necessary XDP support!  But I realized I'd been attaching the XDP program after enslaving `lo`.

Okay, the program attaches the XDP program *after* enslaving `lo`. If I attach the XDP program *after* enslaving `lo`, `bond_xdp_set` will be called.  `bond_xdp_set` iterates through the slaves of the bond. If ANY slave doesn't support XDP, it fails! In my case,  `bond_xdp_set` FAILS! And because `bond_xdp_set` fails, `bpf_master_redirect_enabled_key` is NEVER incremented. Consequently, `xdp_master_redirect` is NEVER called. This is why I didn't see a crash!

So, the conclusion: I MUST use a slave that supports XDP.  `veth` comes to mind. But `veth` introduces a new problem!  If I use `veth`, `bpf_prog_test_run_xdp` requires `ingress_ifindex`. But then I found that `xdp_convert_md_to_buff` ALWAYS fails for `veth` because the `veth` driver doesn't register `device->_rx[i].xdp_rxq`.

Is there ANY device that supports XDP AND registers `device->_rx[i].xdp_rxq`?

What about `loopback` again? It doesn't. If `loopback` doesn't support XDP, how can `bpf_prog_test_run_xdp` use it at all?  Aha! `bpf_prog_test_run_xdp` uses the `loopback_dev` as a *fake* device, just to get a `rxqueue`!  It initializes `rxqueue->xdp_rxq` itself! But it DOES NOT register it!

Crucially, `xdp_rxq_info_is_reg` checks registration.  `bpf_prog_test_run_xdp` *doesn't* register it and only *conditionally* checks the registration for `loopback_dev`. It only checks the registration if `ingress_ifindex` is provided!

So, without `ingress_ifindex`, it uses the fake `loopback_dev` without any registration checks. But `loopback_dev` still can't be a bond slave, so `bond_xdp_set` still fails.

Here's a thought:  Enslave `veth0` to `bond0`, attach the XDP program to `bond0` (which works because `veth0` has XDP support), and run `bpf_prog_test_run_xdp` *without* `ingress_ifindex`. In this case, `xdp->rxq->dev` becomes `loopback_dev`!  `bpf_prog_run_xdp` then checks if `loopback_dev` is a bond slave.  But `loopback_dev` isn't a bond slave – I enslaved `veth0`, not `lo`!  So `xdp_master_redirect` isn't called!

Is there ANY way to make `loopback_dev` a bond slave AND attach an XDP program to `bond0`? What if I attach the program *before* enslaving? If I attach the XDP program first, `bond_xdp_set` succeeds because the bond has no slaves yet. Then `bpf_master_redirect_enabled_key` is incremented. Then I enslave `lo`! But if `bond->xdp_prog` is set,

requested entity does not exist

map[ContextFile:drivers/net/netdevsim/netdev.c IncludeLines:true Name:nsim_init_netdev]

map[SourceCode: SourceFile:]

gemini-3-pro-preview

							input: 381875
							output: 27
							thoughts: 21
						

Here's a summary of my thought process:

**Diving into the `netdevsim` Details**

Okay, so I'm thinking, "Where's the best place to start looking for information on this `xdp_rxq_info_reg` thing?" It strikes me that `netdevsim` is the most logical candidate. Given my experience, I'm assuming that this is likely a registration of a piece of data to do with XDP RX queue information. Therefore, `netdevsim` is probably the testbed for this. Time to dig in and see what I can find!

no matches

map[Expression:xdp_rxq_info_reg.*netdevsim]

map[Output:]

gemini-3-pro-preview

							input: 382066
							output: 26
							thoughts: 21
						

Here's my thought process, as if I were considering this myself:

**Investigating `netdevsim` and `xdp_rxq_info_reg`**

Okay, so I need to look into `netdevsim` and how it interacts with `xdp_rxq_info_reg`. I'm guessing there's a potential area for investigation there, perhaps a performance bottleneck, or maybe just a point of interest for future development. My immediate thought is to check the codebase. I need to understand how the simulated network devices in `netdevsim` handle XDP RX queues and whether they properly utilize or interact with `xdp_rxq_info_reg`. Is this information being exposed, consumed, and managed correctly within the simulation framework? If not, why? And how can we improve it? This could relate to features, performance, or correct simulation of hardware nuances.

no matches

map[Expression:xdp_rxq_info_reg.*nsim]

map[Output:]

gemini-3-pro-preview

							input: 382316
							output: 21
							thoughts: 12
						

Okay, let's see...

**XDP and `netdevsim` - A Quick Check**

Hmm, I was just pondering something... does this `netdevsim` tool, which is pretty handy for emulating network devices in a lab setting, actually have any support for XDP? I can't immediately recall seeing it explicitly mentioned, and that's something I'd need to consider. If it did, that would open up some intriguing possibilities for quickly prototyping and testing XDP programs without needing dedicated hardware or even a full kernel module setup. If not, it becomes another factor in the tool selection process. Time to dig a bit deeper and see what the documentation says... or maybe I should just test it!

map[Expression:ndo_bpf.*nsim]

map[Output:drivers/net/netdevsim/netdev.c=642=static const struct net_device_ops nsim_netdev_ops = {
--
drivers/net/netdevsim/netdev.c-658-	.ndo_get_iflink		= nsim_get_iflink,
drivers/net/netdevsim/netdev.c:659:	.ndo_bpf		= nsim_bpf,
drivers/net/netdevsim/netdev.c-660-	.ndo_open		= nsim_open,
]

gemini-3-pro-preview

							input: 382647
							output: 24
							thoughts: 29
						

Okay, here's my interpretation of those thoughts, tailored for an expert audience, and delivered as a first-person summary:

**The Simulation Framework: BPF and XDP Transmission**

Alright, so I'm thinking about `netdevsim`. The initial thought is a positive one – yep, *it does* implement `ndo_bpf`! That's a solid start. It means I can leverage the simulation environment for BPF-related network function testing and experimentation, which is fantastic. Now, the next question immediately pops into my head, and it's a critical one for my specific use case: does `netdevsim` also expose `ndo_xdp_xmit`? This is the crucial missing link. If it's supported, I could explore XDP-accelerated packet transmission within the simulated environment, and simulate different XDP functions such as load balancing. If not, I'll need to develop a suitable workaround or consider alternatives such as hooking into the simulation's packet injection path directly. I need to figure this out before going further.

no matches

map[Expression:ndo_xdp_xmit.*nsim]

map[Output:]

gemini-3-pro-preview

							input: 382939
							output: 26
							thoughts: 211
						

**XDP Rx Queue Registration Investigation**

Okay, so there's no `ndo_xdp_xmit` defined, which immediately tells me that `bond_enslave` will fail for the `netdevsim` device. That's a definite roadblock. Now, I need to figure out if *any* device actually registers a `device->_rx[i].xdp_rxq` structure. I need to understand if the XDP RX queue info is being populated at all within the kernel's device registration process.

Right, let's revisit `xdp_rxq_info_reg`. It takes the `xdp_rxq`, a `net_device`, a `queue_index`, and a `napi_id`. The typical call, if it's being used, would involve passing the address of the specific `xdp_rxq` within the `net_device` struct's `_rx` array. So, the registration would be something like:

`xdp_rxq_info_reg(&dev->_rx[i].xdp_rxq, dev, i, napi_id);`

Therefore, I'm going to grep the kernel source for instances of `&dev->_rx`, `&ndev->_rx`, and `&netdev->_rx`. This will allow me to track any registration of an XDP RX queue structure. That should give me the information I need to understand the usage, or lack thereof, of `_rx` and its XDP components.

map[Expression:xdp_rxq_info_reg.*_rx]

map[Output:
Full output is too long, showing 500 out of 525 lines.
Use more precise expression if possible.

[Documentation/networking/page_pool.rst=127=Registration
 --
 Documentation/networking/page_pool.rst-146-
 Documentation/networking/page_pool.rst:147:    err = xdp_rxq_info_reg(&xdp_rxq, ndev, 0);
 Documentation/networking/page_pool.rst-148-    if (err)
 --
 Documentation/networking/page_pool.rst-150-
 Documentation/networking/page_pool.rst:151:    err = xdp_rxq_info_reg_mem_model(&xdp_rxq, MEM_TYPE_PAGE_POOL, page_pool);
 Documentation/networking/page_pool.rst-152-    if (err)
 --
 drivers/net/ethernet/amazon/ena/ena_xdp.c=196=int ena_xdp_register_rxq_info(struct ena_ring *rx_ring)
 --
 drivers/net/ethernet/amazon/ena/ena_xdp.c-199-
 drivers/net/ethernet/amazon/ena/ena_xdp.c:200:	rc = xdp_rxq_info_reg(&rx_ring->xdp_rxq, rx_ring->netdev, rx_ring->qid, 0);
 drivers/net/ethernet/amazon/ena/ena_xdp.c-201-
 --
 drivers/net/ethernet/amazon/ena/ena_xdp.c-210-
 drivers/net/ethernet/amazon/ena/ena_xdp.c:211:	rc = xdp_rxq_info_reg_mem_model(&rx_ring->xdp_rxq, MEM_TYPE_PAGE_SHARED, NULL);
 drivers/net/ethernet/amazon/ena/ena_xdp.c-212-
 --
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c=128=int aq_vec_ring_alloc(struct aq_vec_s *self, struct aq_nic_s *aq_nic,
 --
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c-148-		ring = &self->ring[i][AQ_VEC_RX_ID];
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c:149:		if (xdp_rxq_info_reg(&ring->xdp_rxq,
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c-150-				     aq_nic->ndev, idx,
 --
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c-154-		}
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c:155:		if (xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c-156-					       MEM_TYPE_PAGE_SHARED, NULL) < 0) {
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c=3884=static int bnxt_alloc_rx_rings(struct bnxt *bp)
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-3910-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c:3911:		rc = xdp_rxq_info_reg(&rxr->xdp_rxq, bp->dev, i, 0);
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-3912-		if (rc < 0)
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-3914-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c:3915:		rc = xdp_rxq_info_reg_mem_model(&rxr->xdp_rxq,
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-3916-						MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c=15905=static int bnxt_queue_mem_alloc(struct net_device *dev, void *qmem, int idx)
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-15930-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c:15931:	rc = xdp_rxq_info_reg(&clone->xdp_rxq, bp->dev, idx, 0);
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-15932-	if (rc < 0)
 --
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-15934-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c:15935:	rc = xdp_rxq_info_reg_mem_model(&clone->xdp_rxq,
 drivers/net/ethernet/broadcom/bnxt/bnxt.c-15936-					MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c=745=static void nicvf_rcv_queue_config(struct nicvf *nic, struct queue_set *qs,
 --
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c-773-	/* Driver have no proper error path for failed XDP RX-queue info reg */
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c:774:	WARN_ON(xdp_rxq_info_reg(&rq->xdp_rxq, nic->netdev, qidx, 0) < 0);
 drivers/net/ethernet/cavium/thunder/nicvf_queues.c-775-
 --
 drivers/net/ethernet/engleder/tsnep_main.c=1915=static int tsnep_queue_open(struct tsnep_adapter *adapter,
 --
 drivers/net/ethernet/engleder/tsnep_main.c-1936-		 */
 drivers/net/ethernet/engleder/tsnep_main.c:1937:		retval = xdp_rxq_info_reg(&rx->xdp_rxq, adapter->netdev,
 drivers/net/ethernet/engleder/tsnep_main.c-1938-					  rx->queue_index, queue->napi.napi_id);
 --
 drivers/net/ethernet/engleder/tsnep_main.c-1940-			goto failed;
 drivers/net/ethernet/engleder/tsnep_main.c:1941:		retval = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq,
 drivers/net/ethernet/engleder/tsnep_main.c-1942-						    MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/engleder/tsnep_main.c-1945-			goto failed;
 drivers/net/ethernet/engleder/tsnep_main.c:1946:		retval = xdp_rxq_info_reg(&rx->xdp_rxq_zc, adapter->netdev,
 drivers/net/ethernet/engleder/tsnep_main.c-1947-					  rx->queue_index, queue->napi.napi_id);
 --
 drivers/net/ethernet/engleder/tsnep_main.c-1949-			goto failed;
 drivers/net/ethernet/engleder/tsnep_main.c:1950:		retval = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq_zc,
 drivers/net/ethernet/engleder/tsnep_main.c-1951-						    MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c=1025=static int dpaa_fq_init(struct dpaa_fq *dpaa_fq, bool td_enable)
 --
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1166-	    dpaa_fq->fq_type == FQ_TYPE_RX_PCD) {
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:1167:		err = xdp_rxq_info_reg(&dpaa_fq->xdp_rxq, dpaa_fq->net_dev,
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1168-				       dpaa_fq->fqid, 0);
 --
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1173-
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:1174:		err = xdp_rxq_info_reg_mem_model(&dpaa_fq->xdp_rxq,
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c-1175-						 MEM_TYPE_PAGE_ORDER0, NULL);
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c=3895=static int dpaa2_eth_setup_rx_flow(struct dpaa2_eth_priv *priv,
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3929-
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c:3930:	err = xdp_rxq_info_reg(&fq->channel->xdp_rxq, priv->net_dev,
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3931-			       fq->flowid, 0);
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3936-
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c:3937:	err = xdp_rxq_info_reg_mem_model(&fq->channel->xdp_rxq,
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c-3938-					 MEM_TYPE_PAGE_ORDER0, NULL);
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c=173=static int dpaa2_xsk_disable_pool(struct net_device *dev, u16 qid)
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-190-	xsk_pool_dma_unmap(pool, 0);
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c:191:	err = xdp_rxq_info_reg_mem_model(&ch->xdp_rxq,
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-192-					 MEM_TYPE_PAGE_ORDER0, NULL);
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c=220=static int dpaa2_xsk_enable_pool(struct net_device *dev,
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-251-	ch = priv->channel[qid];
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c:252:	err = xdp_rxq_info_reg_mem_model(&ch->xdp_rxq, MEM_TYPE_XSK_BUFF_POOL, NULL);
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-253-	if (err) {
 --
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-289-err_bp_alloc:
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c:290:	err2 = xdp_rxq_info_reg_mem_model(&priv->channel[qid]->xdp_rxq,
 drivers/net/ethernet/freescale/dpaa2/dpaa2-xsk.c-291-					  MEM_TYPE_PAGE_ORDER0, NULL);
 --
 drivers/net/ethernet/freescale/fec_main.c=469=fec_enet_create_page_pool(struct fec_enet_private *fep,
 --
 drivers/net/ethernet/freescale/fec_main.c-491-
 drivers/net/ethernet/freescale/fec_main.c:492:	err = xdp_rxq_info_reg(&rxq->xdp_rxq, fep->netdev, rxq->id, 0);
 drivers/net/ethernet/freescale/fec_main.c-493-	if (err < 0)
 --
 drivers/net/ethernet/freescale/fec_main.c-495-
 drivers/net/ethernet/freescale/fec_main.c:496:	err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/freescale/fec_main.c-497-					 rxq->page_pool);
 --
 drivers/net/ethernet/fungible/funeth/funeth_rx.c=697=int fun_rxq_create_dev(struct funeth_rxq *q, struct fun_irq *irq)
 --
 drivers/net/ethernet/fungible/funeth/funeth_rx.c-703-
 drivers/net/ethernet/fungible/funeth/funeth_rx.c:704:	err = xdp_rxq_info_reg(&q->xdp_rxq, q->netdev, q->qidx,
 drivers/net/ethernet/fungible/funeth/funeth_rx.c-705-			       irq->napi.napi_id);
 --
 drivers/net/ethernet/fungible/funeth/funeth_rx.c-708-
 drivers/net/ethernet/fungible/funeth/funeth_rx.c:709:	err = xdp_rxq_info_reg_mem_model(&q->xdp_rxq, MEM_TYPE_PAGE_SHARED,
 drivers/net/ethernet/fungible/funeth/funeth_rx.c-710-					 NULL);
 --
 drivers/net/ethernet/google/gve/gve_main.c=1185=static int gve_reg_xsk_pool(struct gve_priv *priv, struct net_device *dev,
 --
 drivers/net/ethernet/google/gve/gve_main.c-1192-	rx = &priv->rx[qid];
 drivers/net/ethernet/google/gve/gve_main.c:1193:	err = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq,
 drivers/net/ethernet/google/gve/gve_main.c-1194-					 MEM_TYPE_XSK_BUFF_POOL, pool);
 --
 drivers/net/ethernet/google/gve/gve_main.c=1233=static int gve_reg_xdp_info(struct gve_priv *priv, struct net_device *dev)
 --
 drivers/net/ethernet/google/gve/gve_main.c-1248-
 drivers/net/ethernet/google/gve/gve_main.c:1249:		err = xdp_rxq_info_reg(&rx->xdp_rxq, dev, i,
 drivers/net/ethernet/google/gve/gve_main.c-1250-				       napi->napi_id);
 --
 drivers/net/ethernet/google/gve/gve_main.c-1257-		else if (gve_is_qpl(priv))
 drivers/net/ethernet/google/gve/gve_main.c:1258:			err = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq,
 drivers/net/ethernet/google/gve/gve_main.c-1259-							 MEM_TYPE_PAGE_SHARED,
 --
 drivers/net/ethernet/google/gve/gve_main.c-1261-		else
 drivers/net/ethernet/google/gve/gve_main.c:1262:			err = xdp_rxq_info_reg_mem_model(&rx->xdp_rxq,
 drivers/net/ethernet/google/gve/gve_main.c-1263-							 MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c=3558=static int i40e_configure_rx_ring(struct i40e_ring *ring)
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c-3579-	if (!xdp_rxq_info_is_reg(&ring->xdp_rxq)) {
 drivers/net/ethernet/intel/i40e/i40e_main.c:3580:		err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/i40e/i40e_main.c-3581-					 ring->queue_index,
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c-3591-		ring->rx_buf_len = xsk_pool_get_rx_frame_size(ring->xsk_pool);
 drivers/net/ethernet/intel/i40e/i40e_main.c:3592:		err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/i40e/i40e_main.c-3593-					 ring->queue_index,
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c-3597-			return err;
 drivers/net/ethernet/intel/i40e/i40e_main.c:3598:		err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/i40e/i40e_main.c-3599-						 MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/i40e/i40e_main.c-3607-	} else {
 drivers/net/ethernet/intel/i40e/i40e_main.c:3608:		err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/i40e/i40e_main.c-3609-						 MEM_TYPE_PAGE_SHARED,
 --
 drivers/net/ethernet/intel/ice/ice_base.c=658=static int ice_vsi_cfg_rxq(struct ice_rx_ring *ring)
 --
 drivers/net/ethernet/intel/ice/ice_base.c-666-		if (!xdp_rxq_info_is_reg(&ring->xdp_rxq)) {
 drivers/net/ethernet/intel/ice/ice_base.c:667:			err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/ice/ice_base.c-668-						 ring->q_index,
 --
 drivers/net/ethernet/intel/ice/ice_base.c-684-				xsk_pool_get_rx_frame_size(ring->xsk_pool);
 drivers/net/ethernet/intel/ice/ice_base.c:685:			err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/ice/ice_base.c-686-						 ring->q_index,
 --
 drivers/net/ethernet/intel/ice/ice_base.c-690-				return err;
 drivers/net/ethernet/intel/ice/ice_base.c:691:			err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/ice/ice_base.c-692-							 MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/ice/ice_base.c-705-			if (!xdp_rxq_info_is_reg(&ring->xdp_rxq)) {
 drivers/net/ethernet/intel/ice/ice_base.c:706:				err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev,
 drivers/net/ethernet/intel/ice/ice_base.c-707-							 ring->q_index,
 --
 drivers/net/ethernet/intel/idpf/xdp.c=45=static int __idpf_xdp_rxq_info_init(struct idpf_rx_queue *rxq, void *arg)
 --
 drivers/net/ethernet/intel/idpf/xdp.c-50-
 drivers/net/ethernet/intel/idpf/xdp.c:51:	err = __xdp_rxq_info_reg(&rxq->xdp_rxq, vport->netdev, rxq->idx,
 drivers/net/ethernet/intel/idpf/xdp.c-52-				 rxq->q_vector->napi.napi_id,
 --
 drivers/net/ethernet/intel/idpf/xdp.c-57-	if (idpf_queue_has(XSK, rxq)) {
 drivers/net/ethernet/intel/idpf/xdp.c:58:		err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq,
 drivers/net/ethernet/intel/idpf/xdp.c-59-						 MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/igb/igb_main.c=4445=int igb_setup_rx_resources(struct igb_ring *rx_ring)
 --
 drivers/net/ethernet/intel/igb/igb_main.c-4453-		xdp_rxq_info_unreg(&rx_ring->xdp_rxq);
 drivers/net/ethernet/intel/igb/igb_main.c:4454:	res = xdp_rxq_info_reg(&rx_ring->xdp_rxq, rx_ring->netdev,
 drivers/net/ethernet/intel/igb/igb_main.c-4455-			       rx_ring->queue_index, 0);
 --
 drivers/net/ethernet/intel/igb/igb_main.c=4783=void igb_configure_rx_ring(struct igb_adapter *adapter,
 --
 drivers/net/ethernet/intel/igb/igb_main.c-4794-	if (ring->xsk_pool) {
 drivers/net/ethernet/intel/igb/igb_main.c:4795:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/igb/igb_main.c-4796-						   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/igb/igb_main.c-4799-	} else {
 drivers/net/ethernet/intel/igb/igb_main.c:4800:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/igb/igb_main.c-4801-						   MEM_TYPE_PAGE_SHARED,
 --
 drivers/net/ethernet/intel/igc/igc_main.c=534=int igc_setup_rx_resources(struct igc_ring *rx_ring)
 --
 drivers/net/ethernet/intel/igc/igc_main.c-543-		xdp_rxq_info_unreg(&rx_ring->xdp_rxq);
 drivers/net/ethernet/intel/igc/igc_main.c:544:	res = xdp_rxq_info_reg(&rx_ring->xdp_rxq, ndev, index,
 drivers/net/ethernet/intel/igc/igc_main.c-545-			       rx_ring->q_vector->napi.napi_id);
 --
 drivers/net/ethernet/intel/igc/igc_main.c=625=static void igc_configure_rx_ring(struct igc_adapter *adapter,
 --
 drivers/net/ethernet/intel/igc/igc_main.c-637-	if (ring->xsk_pool) {
 drivers/net/ethernet/intel/igc/igc_main.c:638:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/igc/igc_main.c-639-						   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/igc/igc_main.c-642-	} else {
 drivers/net/ethernet/intel/igc/igc_main.c:643:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/igc/igc_main.c-644-						   MEM_TYPE_PAGE_SHARED,
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c=4497=void ixgbe_configure_rx_ring(struct ixgbe_adapter *adapter,
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-4508-	if (ring->xsk_pool) {
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:4509:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-4510-						   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-4513-	} else {
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:4514:		WARN_ON(xdp_rxq_info_reg_mem_model(&ring->xdp_rxq,
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-4515-						   MEM_TYPE_PAGE_SHARED, NULL));
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c=7159=int ixgbe_setup_rx_resources(struct ixgbe_adapter *adapter,
 --
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-7197-	/* XDP RX-queue info */
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:7198:	if (xdp_rxq_info_reg(&rx_ring->xdp_rxq, adapter->netdev,
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c-7199-			     rx_ring->queue_index, ixgbe_rx_napi_id(rx_ring)) < 0)
 --
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c=3524=int ixgbevf_setup_rx_resources(struct ixgbevf_adapter *adapter,
 --
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c-3546-	/* XDP RX-queue info */
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c:3547:	if (xdp_rxq_info_reg(&rx_ring->xdp_rxq, adapter->netdev,
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c-3548-			     rx_ring->queue_index, 0) < 0)
 --
 drivers/net/ethernet/marvell/mvneta.c=3356=static int mvneta_create_page_pool(struct mvneta_port *pp,
 --
 drivers/net/ethernet/marvell/mvneta.c-3378-
 drivers/net/ethernet/marvell/mvneta.c:3379:	err = __xdp_rxq_info_reg(&rxq->xdp_rxq, pp->dev, rxq->id, 0,
 drivers/net/ethernet/marvell/mvneta.c-3380-				 PAGE_SIZE);
 --
 drivers/net/ethernet/marvell/mvneta.c-3383-
 drivers/net/ethernet/marvell/mvneta.c:3384:	err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/marvell/mvneta.c-3385-					 rxq->page_pool);
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c=2942=static int mvpp2_rxq_init(struct mvpp2_port *port,
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2989-	if (priv->percpu_pools) {
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:2990:		err = xdp_rxq_info_reg(&rxq->xdp_rxq_short, port->dev, rxq->logic_rxq, 0);
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2991-		if (err < 0)
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2993-
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:2994:		err = xdp_rxq_info_reg(&rxq->xdp_rxq_long, port->dev, rxq->logic_rxq, 0);
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2995-		if (err < 0)
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-2998-		/* Every RXQ has a pool for short and another for long packets */
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:2999:		err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq_short,
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-3000-						 MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-3004-
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:3005:		err = xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq_long,
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c-3006-						 MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c=1051=int otx2_cq_init(struct otx2_nic *pfvf, u16 qidx)
 --
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1066-		if (pfvf->xdp_prog) {
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c:1067:			xdp_rxq_info_reg(&cq->xdp_rxq, pfvf->netdev, qidx, 0);
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1068-			pool = &qset->pool[qidx];
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1069-			if (pool->xsk_pool) {
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c:1070:				xdp_rxq_info_reg_mem_model(&cq->xdp_rxq,
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1071-							   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1074-			} else if (pool->page_pool) {
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c:1075:				xdp_rxq_info_reg_mem_model(&cq->xdp_rxq,
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c-1076-							   MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/mellanox/mlx4/en_rx.c=237=int mlx4_en_create_rx_ring(struct mlx4_en_priv *priv,
 --
 drivers/net/ethernet/mellanox/mlx4/en_rx.c-274-
 drivers/net/ethernet/mellanox/mlx4/en_rx.c:275:	if (xdp_rxq_info_reg(&ring->xdp_rxq, priv->dev, queue_index, 0) < 0)
 drivers/net/ethernet/mellanox/mlx4/en_rx.c-276-		goto err_pp;
 drivers/net/ethernet/mellanox/mlx4/en_rx.c-277-
 drivers/net/ethernet/mellanox/mlx4/en_rx.c:278:	err = xdp_rxq_info_reg_mem_model(&ring->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/mellanox/mlx4/en_rx.c-279-					 ring->pp);
 --
 drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c=713=static int mlx5e_init_ptp_rq(struct mlx5e_ptp *c, struct mlx5e_params *params,
 --
 drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c-734-
 drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c:735:	return xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq->ix, 0);
 drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c-736-}
 --
 drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c=60=static int mlx5e_init_xsk_rq(struct mlx5e_channel *c,
 --
 drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c-89-
 drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c:90:	return xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq_xdp_ix, c->napi.napi_id);
 drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c-91-}
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c=728=static int mlx5e_init_rxq_rq(struct mlx5e_channel *c, struct mlx5e_params *params,
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-752-
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c:753:	return __xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq->ix, c->napi.napi_id,
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-754-				  xdp_frag_size);
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c=898=static int mlx5e_alloc_rq(struct mlx5e_params *params,
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-996-	if (xsk) {
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c:997:		err = xdp_rxq_info_reg_mem_model(&rq->xdp_rxq,
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-998-						 MEM_TYPE_XSK_BUFF_POOL, NULL);
 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-1034-		if (xdp_rxq_info_is_reg(&rq->xdp_rxq)) {
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c:1035:			err = xdp_rxq_info_reg_mem_model(&rq->xdp_rxq,
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c-1036-							 MEM_TYPE_PAGE_POOL, rq->page_pool);
 --
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c=2003=static int fbnic_alloc_rx_qt_resources(struct fbnic_net *fbn,
 --
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c-2013-
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c:2014:	err = xdp_rxq_info_reg(&qt->xdp_rxq, fbn->netdev, qt->sub0.q_idx,
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c-2015-			       nv->napi.napi_id);
 --
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c-2018-
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c:2019:	err = xdp_rxq_info_reg_mem_model(&qt->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c-2020-					 qt->sub0.page_pool);
 --
 drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c=75=static int lan966x_fdma_rx_alloc_page_pool(struct lan966x_rx *rx)
 --
 drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c-102-		xdp_rxq_info_unreg_mem_model(&port->xdp_rxq);
 drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c:103:		xdp_rxq_info_reg_mem_model(&port->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c-104-					   rx->page_pool);
 --
 drivers/net/ethernet/microchip/lan966x/lan966x_xdp.c=124=int lan966x_xdp_port_init(struct lan966x_port *port)
 --
 drivers/net/ethernet/microchip/lan966x/lan966x_xdp.c-127-
 drivers/net/ethernet/microchip/lan966x/lan966x_xdp.c:128:	return xdp_rxq_info_reg(&port->xdp_rxq, port->dev, 0,
 drivers/net/ethernet/microchip/lan966x/lan966x_xdp.c-129-				lan966x->napi.napi_id);
 --
 drivers/net/ethernet/microsoft/mana/mana_en.c=2579=static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc,
 --
 drivers/net/ethernet/microsoft/mana/mana_en.c-2682-
 drivers/net/ethernet/microsoft/mana/mana_en.c:2683:	WARN_ON(xdp_rxq_info_reg(&rxq->xdp_rxq, ndev, rxq_idx,
 drivers/net/ethernet/microsoft/mana/mana_en.c-2684-				 cq->napi.napi_id));
 drivers/net/ethernet/microsoft/mana/mana_en.c:2685:	WARN_ON(xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/microsoft/mana/mana_en.c-2686-					   rxq->page_pool));
 --
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c=284=nfp_net_rx_ring_alloc(struct nfp_net_dp *dp, struct nfp_net_rx_ring *rx_ring)
 --
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c-298-	if (dp->netdev) {
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c:299:		err = xdp_rxq_info_reg(&rx_ring->xdp_rxq, dp->netdev,
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c-300-				       rx_ring->idx, rx_ring->r_vec->napi.napi_id);
 --
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c-303-
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c:304:		err = xdp_rxq_info_reg_mem_model(&rx_ring->xdp_rxq, mem_type, NULL);
 drivers/net/ethernet/netronome/nfp/nfp_net_dp.c-305-		if (err)
 --
 drivers/net/ethernet/qlogic/qede/qede_main.c=1822=static void qede_init_fp(struct qede_dev *edev)
 --
 drivers/net/ethernet/qlogic/qede/qede_main.c-1853-			/* Driver have no error path from here */
 drivers/net/ethernet/qlogic/qede/qede_main.c:1854:			WARN_ON(xdp_rxq_info_reg(&fp->rxq->xdp_rxq, edev->ndev,
 drivers/net/ethernet/qlogic/qede/qede_main.c-1855-						 fp->rxq->rxq_id, 0) < 0);
 drivers/net/ethernet/qlogic/qede/qede_main.c-1856-
 drivers/net/ethernet/qlogic/qede/qede_main.c:1857:			if (xdp_rxq_info_reg_mem_model(&fp->rxq->xdp_rxq,
 drivers/net/ethernet/qlogic/qede/qede_main.c-1858-						       MEM_TYPE_PAGE_ORDER0,
 --
 drivers/net/ethernet/sfc/rx_common.c=221=void efx_init_rx_queue(struct efx_rx_queue *rx_queue)
 --
 drivers/net/ethernet/sfc/rx_common.c-263-	/* Initialise XDP queue information */
 drivers/net/ethernet/sfc/rx_common.c:264:	rc = xdp_rxq_info_reg(&rx_queue->xdp_rxq_info, efx->net_dev,
 drivers/net/ethernet/sfc/rx_common.c-265-			      rx_queue->core_index, 0);
 --
 drivers/net/ethernet/sfc/siena/rx_common.c=224=void efx_siena_init_rx_queue(struct efx_rx_queue *rx_queue)
 --
 drivers/net/ethernet/sfc/siena/rx_common.c-262-	/* Initialise XDP queue information */
 drivers/net/ethernet/sfc/siena/rx_common.c:263:	rc = xdp_rxq_info_reg(&rx_queue->xdp_rxq_info, efx->net_dev,
 drivers/net/ethernet/sfc/siena/rx_common.c-264-			      rx_queue->core_index, 0);
 --
 drivers/net/ethernet/socionext/netsec.c=1294=static int netsec_setup_rx_dring(struct netsec_priv *priv)
 --
 drivers/net/ethernet/socionext/netsec.c-1319-
 drivers/net/ethernet/socionext/netsec.c:1320:	err = xdp_rxq_info_reg(&dring->xdp_rxq, priv->ndev, 0, priv->napi.napi_id);
 drivers/net/ethernet/socionext/netsec.c-1321-	if (err)
 --
 drivers/net/ethernet/socionext/netsec.c-1323-
 drivers/net/ethernet/socionext/netsec.c:1324:	err = xdp_rxq_info_reg_mem_model(&dring->xdp_rxq, MEM_TYPE_PAGE_POOL,
 drivers/net/ethernet/socionext/netsec.c-1325-					 dring->page_pool);
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c=1780=static int __init_dma_rx_desc_rings(struct stmmac_priv *priv,
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-1797-	if (rx_q->xsk_pool) {
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:1798:		WARN_ON(xdp_rxq_info_reg_mem_model(&rx_q->xdp_rxq,
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-1799-						   MEM_TYPE_XSK_BUFF_POOL,
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-1805-	} else {
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:1806:		WARN_ON(xdp_rxq_info_reg_mem_model(&rx_q->xdp_rxq,
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-1807-						   MEM_TYPE_PAGE_POOL,
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c=2125=static int __alloc_dma_rx_desc_resources(struct stmmac_priv *priv,
 --
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-2196-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:2197:	ret = xdp_rxq_info_reg(&rx_q->xdp_rxq, priv->dev,
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c-2198-			       rx_q->queue_index,
 --
 drivers/net/ethernet/ti/icssg/icssg_prueth.c=584=static int prueth_create_xdp_rxqs(struct prueth_emac *emac)
 --
 drivers/net/ethernet/ti/icssg/icssg_prueth.c-590-
 drivers/net/ethernet/ti/icssg/icssg_prueth.c:591:	ret = xdp_rxq_info_reg(rxq, emac->ndev, 0, emac->napi_rx.napi_id);
 drivers/net/ethernet/ti/icssg/icssg_prueth.c-592-	if (ret)
 --
 drivers/net/hyperv/netvsc.c=1762=struct netvsc_device *netvsc_device_add(struct hv_device *device,
 --
 drivers/net/hyperv/netvsc.c-1796-
 drivers/net/hyperv/netvsc.c:1797:		ret = xdp_rxq_info_reg(&nvchan->xdp_rxq, ndev, i, 0);
 drivers/net/hyperv/netvsc.c-1798-
 --
 drivers/net/hyperv/netvsc.c-1803-
 drivers/net/hyperv/netvsc.c:1804:		ret = xdp_rxq_info_reg_mem_model(&nvchan->xdp_rxq,
 drivers/net/hyperv/netvsc.c-1805-						 MEM_TYPE_PAGE_SHARED, NULL);
 --
 drivers/net/tun.c=690=static int tun_attach(struct tun_struct *tun, struct file *file,
 --
 drivers/net/tun.c-743-		/* Setup XDP RX-queue info, for new tfile getting attached */
 drivers/net/tun.c:744:		err = xdp_rxq_info_reg(&tfile->xdp_rxq,
 drivers/net/tun.c-745-				       tun->dev, tfile->queue_index, 0);
 --
 drivers/net/tun.c-747-			goto out;
 drivers/net/tun.c:748:		err = xdp_rxq_info_reg_mem_model(&tfile->xdp_rxq,
 drivers/net/tun.c-749-						 MEM_TYPE_PAGE_SHARED, NULL);
 --
 drivers/net/veth.c=1106=static int veth_enable_xdp_range(struct net_device *dev, int start, int end,
 --
 drivers/net/veth.c-1116-			netif_napi_add(dev, &rq->xdp_napi, veth_poll);
 drivers/net/veth.c:1117:		err = xdp_rxq_info_reg(&rq->xdp_rxq, dev, i, rq->xdp_napi.napi_id);
 drivers/net/veth.c-1118-		if (err < 0)
 --
 drivers/net/veth.c-1120-
 drivers/net/veth.c:1121:		err = xdp_rxq_info_reg_mem_model(&rq->xdp_rxq,
 drivers/net/veth.c-1122-						 MEM_TYPE_PAGE_SHARED,
 --
 drivers/net/virtio_net.c=3173=static int virtnet_enable_queue_pair(struct virtnet_info *vi, int qp_index)
 --
 drivers/net/virtio_net.c-3177-
 drivers/net/virtio_net.c:3178:	err = xdp_rxq_info_reg(&vi->rq[qp_index].xdp_rxq, dev, qp_index,
 drivers/net/virtio_net.c-3179-			       vi->rq[qp_index].napi.napi_id);
 --
 drivers/net/virtio_net.c-3182-
 drivers/net/virtio_net.c:3183:	err = xdp_rxq_info_reg_mem_model(&vi->rq[qp_index].xdp_rxq,
 drivers/net/virtio_net.c-3184-					 MEM_TYPE_PAGE_SHARED, NULL);
 --
 drivers/net/virtio_net.c=5864=static int virtnet_rq_bind_xsk_pool(struct virtnet_info *vi, struct receive_queue *rq,
 --
 drivers/net/virtio_net.c-5871-	if (pool) {
 drivers/net/virtio_net.c:5872:		err = xdp_rxq_info_reg(&rq->xsk_rxq_info, vi->dev, qindex, rq->napi.napi_id);
 drivers/net/virtio_net.c-5873-		if (err < 0)
 --
 drivers/net/virtio_net.c-5875-
 drivers/net/virtio_net.c:5876:		err = xdp_rxq_info_reg_mem_model(&rq->xsk_rxq_info,
 drivers/net/virtio_net.c-5877-						 MEM_TYPE_XSK_BUFF_POOL, NULL);
 --
 drivers/net/vmxnet3/vmxnet3_drv.c=1377=vmxnet3_create_pp(struct vmxnet3_adapter *adapter,
 --
 drivers/net/vmxnet3/vmxnet3_drv.c-1397-
 drivers/net/vmxnet3/vmxnet3_drv.c:1398:	err = xdp_rxq_info_reg(&rq->xdp_rxq, adapter->netdev, rq->qid,
 drivers/net/vmxnet3/vmxnet3_drv.c-1399-			       rq->napi.napi_id);
 --
 drivers/net/vmxnet3/vmxnet3_drv.c-1402-
 drivers/net/vmxnet3/vmxnet3_drv.c:1403:	err = xdp_rxq_info_reg_mem_model(&rq->xdp_rxq, MEM_TYPE_PAGE_POOL, pp);
 drivers/net/vmxnet3/vmxnet3_drv.c-1404-	if (err)
 --
 drivers/net/xen-netfront.c=2166=static int xennet_create_page_pool(struct netfront_queue *queue)
 --
 drivers/net/xen-netfront.c-2185-
 drivers/net/xen-netfront.c:2186:	err = xdp_rxq_info_reg(&queue->xdp_rxq, queue->info->netdev,
 drivers/net/xen-netfront.c-2187-			       queue->id, 0);
 --
 drivers/net/xen-netfront.c-2192-
 drivers/net/xen-netfront.c:2193:	err = xdp_rxq_info_reg_mem_model(&queue->xdp_rxq,
 drivers/net/xen-netfront.c-2194-					 MEM_TYPE_PAGE_POOL, queue->page_pool);
 --
 include/net/xdp.h=466=xdp_get_frame_len(const struct xdp_frame *xdpf)
 --
 include/net/xdp.h-479-
 include/net/xdp.h:480:int __xdp_rxq_info_reg(struct xdp_rxq_info *xdp_rxq,
 include/net/xdp.h-481-		       struct net_device *dev, u32 queue_index,
 --
 include/net/xdp.h=483=static inline int
 include/net/xdp.h:484:xdp_rxq_info_reg(struct xdp_rxq_info *xdp_rxq,
 include/net/xdp.h-485-		 struct net_device *dev, u32 queue_index,
]
]

gemini-3-pro-preview

							input: 398251
							output: 1176
							thoughts: 4499
						

**XDP Master Redirect and Bond Interface Vulnerability**

Okay, so here's what I've figured out. `xdp_convert_md_to_buff` is fundamentally broken when using `ingress_ifindex` because it relies on a structure that *no* driver appears to initialize correctly for the RX queue. This means any attempt to use the `bpf_prog_test_run_xdp` function with `ingress_ifindex` is destined to fail. Even the loopback device, whose XDP RX queue *isn't* registered, is handled specifically in the test case and works only without that index. If we're not providing this index, the program will just work with the loopback device. The loopback device is the default interface. The consequence is that we can't properly test XDP programs through this mechanism if the input interface is involved.

Furthermore, if the `ingress_ifindex` is not provided, the `rxq->dev` will default to `loopback_dev`, and then if we're trying to achieve something like `xdp_master_redirect`, this device must be a bond slave to make it work. And that's where things get interesting. The kernel prevents `lo` from being a bond slave if the bond has an XDP program attached. The kernel also prevents an XDP program from being attached if `lo` is a bond slave. A complete impasse.

However, there might be a workaround. What if the XDP program is attached to the bond when there are no slaves? We can try to enslave loopback after. The kernel doesn't permit it through a check (`bond_enslave`). It fails with `-EOPNOTSUPP`. That approach is a dead end.

Okay, let's explore if there are any other ways to invoke `xdp_master_redirect`. Specifically, `netif_is_bond_slave(xdp->rxq->dev)` needs to be true. So `xdp->rxq->dev` needs to be something other than the default loopback device. Which is interesting, since the function `bpf_prog_test_run_xdp` always sets `xdp->rxq->dev` to be `loopback_dev` unless `ingress_ifindex` is provided. If `ingress_ifindex` *is* provided, we run into the problem where it checks for an initialization that is missing. So we're back to that problem and we have to abandon the idea.

So here's what seems feasible: Instead of using `bpf_prog_test_run_xdp`, we can send real packets. If we set up a bond interface with a slave that supports XDP, we can send traffic, have the XDP program run, and then trigger the crash when calling `xdp_master_redirect`. The idea is to make `xdp->rxq->dev` a real device, not the loopback.

Let's break this down:

1.  We delete and recreate `bond0`.
2.  Set `bond0` to ROUNDROBIN mode.
3.  Set `veth0` DOWN.
4.  Enslave `veth0` to `bond0`.
5.  Load the XDP program, and then set it up to return `XDP_TX`.
6.  Attach the XDP program to `bond0`.
7.  Set `veth0` UP.
8.  Set `veth1` UP (the other end of the veth pair).
9.  Create an `AF_PACKET` socket.
10. Bind the socket to `veth1`.
11. Send a packet.

This should lead to the XDP program running on `veth0` because it's enslaved to `bond0`. When the XDP program returns `XDP_TX`, the `xdp_master_redirect` is called, and that's when things will crash. This happens because the bond interface `bond0` is not yet UP. So, the `rr_tx_counter` is NULL.

Crucially, it is possible to bring `veth0` up without explicitly bringing the bond interface up. We can use `ioctl(SIOCSIFFLAGS)` to set the `IFF_UP` flag on `veth0`. Now, because `bond0` is not UP, the call to `bond_open` never occurs, so the `rr_tx_counter` remains `NULL`.

Okay, the syzkaller program is now ready. The crucial point is creating the `AF_PACKET` socket and binding it to `veth1` to send a packet. The bind structure needs to be correct. We're using the standard ethernet protocol

wrong array arg *prog.ConstType
line #17:60: bind(r7, &(0x7f0000000400)=@ll={0x11, 0x300, r6, 0x0, 0x0, [<<<!!ERROR!!>>>0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x14)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='-bond0\x00', 7)
write(r0, &(0x7f0000000080)='+bond0\x00', 7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f0000000100)='0\x00', 2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000140)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000340)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000380)={'veth1\x00', @ifru_flags=0x1})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000003c0)={'veth1\x00', <r6=>0x0})
r7 = socket$packet(0x11, 0x2, 0x300)
bind(r7, &(0x7f0000000400)=@ll={0x11, 0x300, r6, 0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x14)
sendto(r7, &(0x7f0000000440)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0xe, 0x0, 0x0, 0x0)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 405082
							output: 1181
							thoughts: 136
						

**My Reasoning on Structure Definition**

Okay, so I initially assumed that a particular element, let's call it `sll_halen`, was being implicitly handled or omitted. But wait a minute, no, it's *there*! And it's defined as `len[sll_addr, int8]`. That clarifies things. It means if I'm going to provide the structure explicitly, I *absolutely* have to include those `len` fields. There's no getting around it, that's core to how this is built.

So, the consequence of this realization is that I need to define it *this* way:

`@ll={0x11, 0x300, r6, 0x0, 0x0, 0x8, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}`

It's time to take this and test it. This should be a robust structure definition, and if I am correct, this should work. Time to get this set up, and evaluate the response.

wrong array arg *prog.UnionType
line #17:65: bind(r7, &(0x7f0000000400)=@ll={0x11, 0x300, r6, 0x0, 0x0, 0x8, [<<<!!ERROR!!>>>0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x14)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='-bond0\x00', 7)
write(r0, &(0x7f0000000080)='+bond0\x00', 7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f0000000100)='0\x00', 2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000140)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000340)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000380)={'veth1\x00', @ifru_flags=0x1})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000003c0)={'veth1\x00', <r6=>0x0})
r7 = socket$packet(0x11, 0x2, 0x300)
bind(r7, &(0x7f0000000400)=@ll={0x11, 0x300, r6, 0x0, 0x0, 0x8, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x14)
sendto(r7, &(0x7f0000000440)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0xe, 0x0, 0x0, 0x0)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 406791
							output: 1174
							thoughts: 711
						

**Debugging a Structure Field Mismatch**

Okay, first thought: `sll_addr` is defined as `array[int8, 8]`. So why the heck is the error message saying `UnionType`? That's just baffling. Let's verify the structure definition for `sockaddr_ll` in `socket.txt`. Yep, there it is: `sll_addr` is indeed an array of 8 bytes.

The error states I'm passing a *wrong array* argument. Something isn't connecting here. Is there a union lurking in this struct? No, a quick scan doesn't reveal any unions within `sockaddr_ll` itself. Hmm, wait a minute, `sockaddr_ll` is *part* of a union, `sockaddr_storage`! I see.

Since `bind` expects an `addr ptr[in, sockaddr_storage]`, passing `@ll={...}` *should* be correct since `ll` is a field within `sockaddr_storage`. But I'm still stuck with the "UnionType" error. `sll_addr` itself is definitely not a union.

Maybe there's a problem with the field order? No, the order is correct. I can count: `sll_family`, `sll_protocol`, `sll_ifindex`, `sll_hatype`, `sll_pkttype`, `sll_halen`, and finally, `sll_addr`. It's the 7th field!

Let's rethink: I am giving an array `[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]`. But why does it say `UnionType`? Is `sll_addr` *actually* an array, or is there a type mismatch at work? I'll re-check the definition one more time to be absolutely sure. Yep, still an array.

I've got it! In syzkaller, `array[int8]` is represented as `BufferType`. My argument *must* be a string! So, I need to pass a string literal like `"\x00\x00\x00\x00\x00\x00\x00\x00"`. Hopefully, that will work. I'll test that.

wrong string arg
line #17:64: bind(r7, &(0x7f0000000400)=@ll={0x11, 0x300, r6, 0x0, 0x0, 0x8, <<<!!ERROR!!>>>'\x00\x00\x00\x00\x00\x00\x00\x00'}, 0x14)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='-bond0\x00', 7)
write(r0, &(0x7f0000000080)='+bond0\x00', 7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f0000000100)='0\x00', 2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000140)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000340)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000380)={'veth1\x00', @ifru_flags=0x1})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000003c0)={'veth1\x00', <r6=>0x0})
r7 = socket$packet(0x11, 0x2, 0x300)
bind(r7, &(0x7f0000000400)=@ll={0x11, 0x300, r6, 0x0, 0x0, 0x8, '\x00\x00\x00\x00\x00\x00\x00\x00'}, 0x14)
sendto(r7, &(0x7f0000000440)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 0xe, 0x0, 0x0, 0x0)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 409325
							output: 19
							thoughts: 3906
						

**Debugging a `sockaddr_ll` Union in Syzkaller**

Okay, I'm encountering a `wrong array arg *prog.UnionType` error when trying to use `sockaddr_ll` with `bind` in my syzkaller fuzzer, and I'm really trying to understand this.

Initially, I see the error is flagged on the array which is the hardware address (sll\_addr) in the struct, and it seems like there is an issue with the union that the function is expecting.

I double-checked the `sockaddr_ll` definition and it does indeed have `sll_addr` defined as an `array[int8, 8]`. Then, I remember I *must* provide `len` fields for structs when defined explicitly, so I'm not overlooking that. Since `sockaddr_ll` is a union option within `sockaddr_storage`, padding is a key consideration. The struct is automatically padded by syzkaller to 128 bytes, which `sockaddr_ll` is not.

I started down the path of trying different methods of writing the `sockaddr_ll` struct to memory, using `ioctl$sock_SIOCGIFINDEX` to write the interface index to the `sll_ifindex` field, and then trying to write the rest of the struct with a string before `bind`. This won't work though because I'd need to write 4 bytes for the fields I set with ioctl and then 4 bytes of 0.

However, I'm trying to use the `@ll={...}` syntax for `sockaddr_ll` in the `bind` call. The problem is that syzkaller is still reporting the union error on the hardware address (`sll_addr`). I know I'm providing an array, not a union, so I kept tracing back to try and find the root cause of this error.

I re-examined the struct definitions to confirm the types of each field in `sockaddr_ll`. There are no apparent unions in `sockaddr_ll`. The error *must* be about the way I'm passing this structure to `bind` because `sll_addr` is *definitely* an array.

I considered that there might be a difference in the system's syzkaller definitions, but the check of `socket.txt` for the current system came back with the same definitions that I'm working with.

I checked again and ensured that I'm passing the correct union type using `@ll` and not something else.

Then it hits me: the error is flagging the 7th field, the array, but says it's expecting a union. If that field is not a union then where is the union?

I went back to the documentation again and discovered I can use `sendto` if the socket is AF\_PACKET. This method avoids some of the issues I was having with `bind`. I just need to specify the interface with the `sockaddr_ll` struct to the sendto call directly.

I considered `syz_emit_ethernet` but couldn't find its definition.

The ultimate solution I landed on, and the one I'm currently investigating, is using the `sendto` function and passing the `sockaddr_ll` struct correctly.

map[File:vnet.txt]

map[Output:# Copyright 2017 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

include <linux/types.h>
include <linux/byteorder/generic.h>

syz_emit_ethernet(len len[packet], packet ptr[in, eth_packet], frags ptr[in, vnet_fragmentation, opt])

vnet_fragmentation {
# If set and we have remaining data after fragmentation, it is written in an additional fragment.
# If not set, data remaining after fragmentation is discarded.
	full	int32[0:1]
	count	int32[1:4]
	frags	array[int32[0:4096], 4]
}

hop_limits = 0, 1, 255

resource tcp_seq_num[int32]: 0x41424344

tcp_resources {
	seq	tcp_seq_num
	ack	tcp_seq_num
}

# These pseudo syscalls read a packet from /dev/net/tun and extract tcp sequence and acknowledgement numbers from it.
# They also adds the inc arguments to the returned values, this way sequence numbers get incremented.
syz_extract_tcp_res(res ptr[out, tcp_resources], seq_inc int32, ack_inc int32)
syz_extract_tcp_res$synack(res ptr[out, tcp_resources], seq_inc const[1], ack_inc const[0])

################################################################################
################################### Ethernet ###################################
################################################################################

# https://en.wikipedia.org/wiki/Ethernet_frame#Structure
# https://en.wikipedia.org/wiki/IEEE_802.1Q

include <uapi/linux/if.h>
include <uapi/linux/if_ether.h>

type mac_addr_t[LAST] {
	a0	array[const[0xaa, int8], 5]
	a1	LAST
} [packed]

mac_addr_link_local {
	a0	const[0x1, int8]
	a1	const[0x80, int8]
	a2	const[0xc2, int8]
	a3	const[0x0, int8]
	a4	const[0x0, int8]
	a5	flags[mac_addr_link_local_values, int8]
} [packed]

mac_addr_link_local_values = 0x0, 0x1, 0x2, 0x3, 0xe

# This corresponds to the last digit in DEV_MAC/DEV_IPV4/DEV_IPV6 in executor/common_linux.h
type netdev_addr_id int8[10:68]

mac_addr [
	empty		array[const[0x0, int8], 6]
# These correspond to LOCAL_MAC/REMOTE_MAC/DEV_MAC in executor/common_linux.h
	local		mac_addr_t[const[0xaa, int8]]
	remote		mac_addr_t[const[0xbb, int8]]
	dev		mac_addr_t[netdev_addr_id]
	broadcast	array[const[0xff, int8], 6]
	multicast	array[const[0xbb, int8], 6]
	link_local	mac_addr_link_local
	random		array[int8, 6]
]

type mac_addr_mask array[flags[mac_addr_mask_vals, int8], 6]
mac_addr_mask_vals = 0, 0xff

vlan_tag_ad {
	tpid	const[ETH_P_8021AD, int16be]
	pcp	int16:3
	dei	int16:1
	vid	int16:12[0:4]
} [packed]

vlan_tag_q {
	tpid	const[ETH_P_8021Q, int16be]
	pcp	int16:3
	dei	int16:1
	vid	int16:12[0:4]
} [packed]

vlan_tag {
	tag_ad	optional[vlan_tag_ad]
	tag_q	vlan_tag_q
} [packed]

eth_packet {
	dst_mac	mac_addr
	src_mac	mac_addr
	vtag	optional[vlan_tag]
	payload	eth_payload
} [packed]

eth_payload {
	eth2	eth2_packet
} [packed]

################################################################################
################################## Ethernet 2 ##################################
################################################################################

# https://en.wikipedia.org/wiki/Ethernet_frame#Ethernet_II

ether_types = ETH_P_LOOP, ETH_P_PUP, ETH_P_PUPAT, ETH_P_TSN, ETH_P_IP, ETH_P_X25, ETH_P_ARP, ETH_P_IEEEPUP, ETH_P_IEEEPUPAT, ETH_P_BATMAN, ETH_P_DEC, ETH_P_DNA_DL, ETH_P_DNA_RC, ETH_P_DNA_RT, ETH_P_LAT, ETH_P_DIAG, ETH_P_CUST, ETH_P_SCA, ETH_P_TEB, ETH_P_RARP, ETH_P_ATALK, ETH_P_AARP, ETH_P_8021Q, ETH_P_ERSPAN, ETH_P_ERSPAN2, ETH_P_IPV6, ETH_P_PAUSE, ETH_P_SLOW, ETH_P_WCCP, ETH_P_MPLS_UC, ETH_P_MPLS_MC, ETH_P_ATMMPOA, ETH_P_PPP_DISC, ETH_P_PPP_SES, ETH_P_LINK_CTL, ETH_P_ATMFATE, ETH_P_PAE, ETH_P_AOE, ETH_P_8021AD, ETH_P_802_EX1, ETH_P_TIPC, ETH_P_MACSEC, ETH_P_8021AH, ETH_P_MVRP, ETH_P_1588, ETH_P_NCSI, ETH_P_PRP, ETH_P_FCOE, ETH_P_TDLS, ETH_P_FIP, ETH_P_80221, ETH_P_HSR, ETH_P_LOOPBACK, ETH_P_QINQ1, ETH_P_QINQ2, ETH_P_QINQ3, ETH_P_EDSA, ETH_P_AF_IUCV, ETH_P_802_3_MIN, ETH_P_802_3, ETH_P_AX25, ETH_P_ALL, ETH_P_802_2, ETH_P_SNAP, ETH_P_DDCMP, ETH_P_WAN_PPP, ETH_P_PPP_MP, ETH_P_LOCALTALK, ETH_P_CAN, ETH_P_CANFD, ETH_P_PPPTALK, ETH_P_TR_802_2, ETH_P_MOBITEX, ETH_P_CONTROL, ETH_P_IRDA, ETH_P_ECONET, ETH_P_HDLC, ETH_P_ARCNET, ETH_P_DSA, ETH_P_TRAILER, ETH_P_PHONET, ETH_P_IEEE802154, ETH_P_CAIF, ETH_P_XDSA, ETH_P_MAP

eth2_packet [
	generic	eth2_packet_generic
	arp	eth2_packet_t[ETH_P_ARP, arp_packet]
	ipv4	eth2_packet_t[ETH_P_IP, ipv4_packet]
	ipv6	eth2_packet_t[ETH_P_IPV6, ipv6_packet]
	llc	eth2_packet_t[ETH_P_802_2, llc_packet]
	llc_tr	eth2_packet_t[ETH_P_TR_802_2, llc_packet]
	x25	eth2_packet_t[ETH_P_X25, x25_packet]
	mpls_uc	eth2_packet_t[ETH_P_MPLS_UC, mpls_packet]
	mpls_mc	eth2_packet_t[ETH_P_MPLS_MC, mpls_packet]
	can	eth2_packet_t[ETH_P_CAN, can_frame]
	canfd	eth2_packet_t[ETH_P_CANFD, canfd_frame]
] [varlen]

eth2_packet_generic {
	etype	flags[ether_types, int16be]
	payload	array[int8]
} [packed]

type eth2_packet_t[TYPE, PAYLOAD] {
	etype	const[TYPE, int16be]
	payload	PAYLOAD
} [packed]

################################################################################
###################################### ARP #####################################
################################################################################

# https://en.wikipedia.org/wiki/Address_Resolution_Protocol#Packet_structure

include <uapi/linux/if_arp.h>

arp_htypes = ARPHRD_NETROM, ARPHRD_ETHER, ARPHRD_EETHER, ARPHRD_AX25, ARPHRD_PRONET, ARPHRD_CHAOS, ARPHRD_IEEE802, ARPHRD_ARCNET, ARPHRD_APPLETLK, ARPHRD_DLCI, ARPHRD_ATM, ARPHRD_METRICOM, ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP, ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD, ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25, ARPHRD_CAN, ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_HDLC, ARPHRD_LAPB, ARPHRD_DDCMP, ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD, ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI, ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE, ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET, ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL, ARPHRD_FCFABRIC, ARPHRD_IEEE802_TR, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM, ARPHRD_IEEE80211_RADIOTAP, ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR, ARPHRD_PHONET, ARPHRD_PHONET_PIPE, ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN, ARPHRD_VOID, ARPHRD_NONE

arp_ops = ARPOP_REQUEST, ARPOP_REPLY, ARPOP_RREQUEST, ARPOP_RREPLY, ARPOP_InREQUEST, ARPOP_InREPLY, ARPOP_NAK

arp_packet [
	generic		arp_packet_t[flags[arp_htypes, int16be], flags[ether_types, int16be], array[int8, 0:16]]
	ether_ipv4	arp_packet_t[const[ARPHRD_ETHER, int16be], const[ETH_P_IP, int16be], ipv4_addr]
	ether_ipv6	arp_packet_t[const[ARPHRD_ETHER, int16be], const[ETH_P_IPV6, int16be], ipv6_addr]
] [varlen]

type arp_packet_t[HTYPE, PTYPE, ADDR] {
	htype	HTYPE
	ptype	PTYPE
	hlen	const[6, int8]
	plen	len[spa, int8]
	op	flags[arp_ops, int16be]
	sha	mac_addr
	spa	ADDR
	tha	mac_addr
	tpa	ADDR
} [packed]

################################################################################
################################## 802.2 (LLC) #################################
################################################################################

# https://en.wikipedia.org/wiki/IEEE_802.2
# https://en.wikipedia.org/wiki/Subnetwork_Access_Protocol

include <uapi/linux/llc.h>

# Adding '1' as a SAP value since the lower bit in SAP has a special meaning.
sap_values = 1, LLC_SAP_NULL, LLC_SAP_LLC, LLC_SAP_SNA, LLC_SAP_PNM, LLC_SAP_IP, LLC_SAP_BSPAN, LLC_SAP_MMS, LLC_SAP_8208, LLC_SAP_3COM, LLC_SAP_PRO, LLC_SAP_SNAP, LLC_SAP_BANYAN, LLC_SAP_NETBEUI, LLC_SAP_LANMGR, LLC_SAP_IMPL, LLC_SAP_DISC, LLC_SAP_OSI, LLC_SAP_LAR, LLC_SAP_RM, LLC_SAP_GLOBAL

llc_generic_packet {
	dsap	flags[sap_values, int8]
	ssap	flags[sap_values, int8]
	ctrl	array[int8, 1:2]
	payload	array[int8]
} [packed]

sap_snap_values = 1, LLC_SAP_SNAP

llc_snap_packet {
	dsap		flags[sap_snap_values, int8]
	ssap		flags[sap_snap_values, int8]
	control		array[int8, 1:2]
	oui		array[int8, 3]
	protocol_id	flags[ether_types, int16be]
	payload		array[int8]
} [packed]

llc_payload [
	llc	llc_generic_packet
	snap	llc_snap_packet
] [varlen]

llc_packet {
# TODO: is there length or not? I don't see it in packet format...
#	length	len[payload, int16be]
	payload	llc_payload
} [packed]

################################################################################
###################################### x25 #####################################
################################################################################

# Documentation/networking/x25.txt
# Documentation/networking/x25-iface.txt
# http://www.dafuer.com/kleinehelferlein/x25layer.htm

include <uapi/linux/if_x25.h>
include <net/x25.h>

x25_iface_types = X25_IFACE_DATA, X25_IFACE_CONNECT, X25_IFACE_DISCONNECT, X25_IFACE_PARAMS

x25_frame_types = X25_CALL_REQUEST, X25_CALL_ACCEPTED, X25_CLEAR_REQUEST, X25_CLEAR_CONFIRMATION, X25_DATA, X25_INTERRUPT, X25_INTERRUPT_CONFIRMATION, X25_RR, X25_RNR, X25_REJ, X25_RESET_REQUEST, X25_RESET_CONFIRMATION, X25_REGISTRATION_REQUEST, X25_REGISTRATION_CONFIRMATION, X25_RESTART_REQUEST, X25_RESTART_CONFIRMATION, X25_DIAGNOSTIC, X25_ILLEGAL

x25_packet {
	iface	flags[x25_iface_types, int8]
	wtf	int8
	frame	flags[x25_frame_types, int8]
	payload	array[int8]
} [packed]

################################################################################
##################################### IPv4 #####################################
################################################################################

# https://tools.ietf.org/html/rfc791#section-3.1
# https://en.wikipedia.org/wiki/IPv4#Header

# TODO: https://en.wikipedia.org/wiki/IPsec#Authentication_Header
# TODO: https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload

include <uapi/linux/in.h>
include <uapi/linux/ip.h>
include <uapi/linux/l2tp.h>
include <net/cipso_ipv4.h>
include <security/smack/smack.h>

type ipv4_addr_t[LAST] {
	a0	const[0xac, int8]
	a1	const[0x14, int8]
	a2	const[0x14, int8]
	a3	LAST
} [packed]

ipv4_addr_initdev {
	a0	const[0xac, int8]
	a1	const[0x1e, int8]
	a2	int8[0:1]
	a3	proc[1, 1, int8]
}

ipv4_addr [
# Few public random addresses 100.1.1.[0-2]
	rand_addr	int32be[0x64010100:0x64010102]
# 0.0.0.0
	empty		const[0x0, int32be]
# These correspond to LOCAL_IPV4/REMOTE_IPV4/DEV_IPV4 in executor/common_linux.h
	local		ipv4_addr_t[const[170, int8]]
	remote		ipv4_addr_t[const[187, int8]]
	dev		ipv4_addr_t[netdev_addr_id]
	initdev		ipv4_addr_initdev
# 127.0.0.1
	loopback	const[0x7f000001, int32be]
# 224.0.0.1
	multicast1	const[0xe0000001, int32be]
# 224.0.0.2
	multicast2	const[0xe0000002, int32be]
# 255.255.255.255
	broadcast	const[0xffffffff, int32be]
# 10.1.1.[0-2] can be used for custom things within the image
	private		int32be[0xa010100:0xa010102]
] [size[4]]

type ipv4_addr_mask flags[ipv4_addr_mask_vals, int32be]
ipv4_addr_mask_vals = 0, 0xff000000, 0xffffff00, 0xffffffff, 0xff

# http://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml#ip-parameters-1
ipv4_option [
	generic			ipv4_option_generic
	end			ipv4_option_end
	noop			ipv4_option_noop
	lsrr			ipv4_option_route[IPOPT_LSRR]
	ssrr			ipv4_option_route[IPOPT_SSRR]
	rr			ipv4_option_route[IPOPT_RR]
	timestamp		ipv4_option_timestamp[IPOPT_TS_TSONLY, int32be]
	timestamp_addr		ipv4_option_timestamp[IPOPT_TS_TSANDADDR, ipv4_option_timestamp_timestamp]
	timestamp_prespec	ipv4_option_timestamp[IPOPT_TS_PRESPEC, ipv4_option_timestamp_timestamp]
	cipso			ipv4_option_cipso
	ra			ipv4_option_ra
# IPOPT_SEC and IPOPT_SID are not supported by Linux kernel
] [varlen]

ipv4_option_types = IPOPT_SEC, IPOPT_LSRR, IPOPT_TIMESTAMP, IPOPT_CIPSO, IPOPT_RR, IPOPT_SID, IPOPT_SSRR, IPOPT_RA

ipv4_option_generic {
	type	flags[ipv4_option_types, int8]
	length	len[parent, int8]
	data	array[int8, 0:16]
} [packed]

# https://tools.ietf.org/html/rfc791#section-3.1
ipv4_option_end {
	type	const[IPOPT_END, int8]
} [packed]

# https://tools.ietf.org/html/rfc791#section-3.1
ipv4_option_noop {
	type	const[IPOPT_NOOP, int8]
} [packed]

# https://tools.ietf.org/html/rfc791#section-3.1
type ipv4_option_route[OPT] {
	type	const[OPT, int8]
	length	len[parent, int8]
	pointer	int8[4:255]
	data	array[ipv4_addr]
} [packed]

# https://tools.ietf.org/html/rfc791#section-3.1
# http://www.networksorcery.com/enp/protocol/ip/option004.htm
type ipv4_option_timestamp[TYP, TSTAMP] {
	type		const[IPOPT_TIMESTAMP, int8]
	length		len[parent, int8]
	pointer		int8[5:255]
	flg		const[TYP, int8:4]
	oflw		int8:4
	timestamps	array[TSTAMP]
} [packed]

ipv4_option_timestamp_timestamp {
	addr		ipv4_addr
	timestamp	int32be
} [packed]

ipv4_option_cipso_tag_types = CIPSO_V4_TAG_INVALID, CIPSO_V4_TAG_RBITMAP, CIPSO_V4_TAG_ENUM, CIPSO_V4_TAG_RANGE, CIPSO_V4_TAG_PBITMAP, CIPSO_V4_TAG_FREEFORM

# TODO: describe particular tag types
ipv4_option_cipso_tag {
	type	flags[ipv4_option_cipso_tag_types, int8]
	length	len[parent, int8]
	data	array[int8, 0:16]
} [packed]

# https://www.ietf.org/archive/id/draft-ietf-cipso-ipsecurity-01.txt
ipv4_option_cipso {
	type	const[IPOPT_CIPSO, int8]
	length	len[parent, int8]
	doi	flags[cipso_doi, int32be]
	tags	array[ipv4_option_cipso_tag]
} [packed]

cipso_doi = CIPSO_V4_DOI_UNKNOWN, SMACK_CIPSO_DOI_DEFAULT, SMACK_CIPSO_DOI_INVALID, 1, 2, 3

# https://tools.ietf.org/html/rfc2113
ipv4_option_ra {
	type	const[IPOPT_RA, int8]
	length	len[parent, int8]
	value	bool16
} [packed]

ipv4_options {
	options	array[ipv4_option]
} [packed, align[4]]

ipv4_types = IPPROTO_IP, IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_EGP, IPPROTO_PUP, IPPROTO_UDP, IPPROTO_IDP, IPPROTO_TP, IPPROTO_DCCP, IPPROTO_IPV6, IPPROTO_RSVP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH, IPPROTO_MTP, IPPROTO_BEETPH, IPPROTO_ENCAP, IPPROTO_PIM, IPPROTO_COMP, IPPROTO_SCTP, IPPROTO_UDPLITE, IPPROTO_MPLS, IPPROTO_RAW, IPPROTO_L2TP

type ipv4_header[PROTO] {
	ihl		bytesize4[parent, int8:4]
	version		const[4, int8:4]
	ecn		int8:2
	dscp		int8:6
# TODO: if s/ipv4_packet_t/ipv4_packet/, (1) this crashes, (2) only at runtime with:
# panic: len field "total_len" references non existent field "ipv4_packet", pos="len"/"total_len"
	total_len	len[ipv4_packet_t, int16be]
	id		int16be[100:104]
# TODO: frag_off is actually 13 bits, 3 bits are flags
	frag_off	int16be[0:0]
	ttl		int8
	protocol	PROTO
	csum		csum[parent, inet, int16be]
	src_ip		ipv4_addr
	dst_ip		ipv4_addr
	options		ipv4_options
} [packed]

type ipv4_packet_t[PROTO, PAYLOAD] {
	header	ipv4_header[PROTO]
	payload	PAYLOAD
} [packed]

ipv4_packet [
	generic	ipv4_packet_t[flags[ipv4_types, int8], array[int8]]
	tcp	ipv4_packet_t[const[IPPROTO_TCP, int8], tcp_packet]
	udp	ipv4_packet_t[const[IPPROTO_UDP, int8], udp_packet]
	icmp	ipv4_packet_t[const[IPPROTO_ICMP, int8], icmp_packet]
	dccp	ipv4_packet_t[const[IPPROTO_DCCP, int8], dccp_packet]
	igmp	ipv4_packet_t[const[IPPROTO_IGMP, int8], igmp_packet]
	gre	ipv4_packet_t[const[IPPROTO_GRE, int8], gre_packet]
# TODO: what proto do we need for tipc (there is no IPPROTO_TIPC)?
	tipc	ipv4_packet_t[const[IPPROTO_TCP, int8], tipc_packet]
] [varlen]

################################################################################
##################################### IPv6 #####################################
################################################################################

# https://tools.ietf.org/html/rfc2460#section-3
# https://en.wikipedia.org/wiki/IPv6_packet#Fixed_header

include <uapi/linux/in6.h>
include <uapi/linux/ipv6.h>
include <uapi/linux/seg6.h>
include <uapi/linux/ip6_tunnel.h>
include <net/ipv6.h>

ipv6_types = IPPROTO_IP, IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_EGP, IPPROTO_PUP, IPPROTO_UDP, IPPROTO_IDP, IPPROTO_TP, IPPROTO_DCCP, IPPROTO_IPV6, IPPROTO_RSVP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH, IPPROTO_MTP, IPPROTO_BEETPH, IPPROTO_ENCAP, IPPROTO_PIM, IPPROTO_COMP, IPPROTO_SCTP, IPPROTO_UDPLITE, IPPROTO_MPLS, IPPROTO_RAW, IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_ICMPV6, IPPROTO_NONE, IPPROTO_DSTOPTS, IPPROTO_MH, NEXTHDR_HOP, NEXTHDR_ROUTING, NEXTHDR_FRAGMENT, NEXTHDR_GRE, NEXTHDR_ESP, NEXTHDR_AUTH, NEXTHDR_ICMP, NEXTHDR_NONE, NEXTHDR_DEST, NEXTHDR_MOBILITY, IPPROTO_L2TP

ipv6_addr_empty {
	a0	array[const[0x0, int8], 16]
} [packed, align[4]]

type ipv6_addr_t[LAST] {
	a0	const[0xfe, int8]
	a1	const[0x80, int8]
	a2	array[const[0x0, int8], 13]
	a3	LAST
} [packed, align[4]]

ipv6_addr_initdev {
	a0	const[0xfe, int8]
	a1	const[0x88, int8]
	a2	array[const[0x0, int8], 12]
	a3	int8[0:1]
	a4	proc[1, 1, int8]
} [packed, align[4]]

ipv6_addr_loopback {
	a0	const[0, int64be]
	a1	const[1, int64be]
} [packed, align[4]]

ipv6_addr_ipv4 {
	a0	array[const[0x0, int8], 10]
	a1	array[const[0xff, int8], 2]
	a3	ipv4_addr
} [packed, align[4]]

ipv6_addr_multicast1 {
	a0	const[0xff, int8]
	a1	const[0x1, int8]
	a2	array[const[0x0, int8], 13]
	a3	const[0x1, int8]
} [packed, align[4]]

ipv6_addr_multicast2 {
	a0	const[0xff, int8]
	a1	const[0x2, int8]
	a2	array[const[0x0, int8], 13]
	a3	const[0x1, int8]
} [packed, align[4]]

type ipv6_addr_private[BYTE2] {
	a0	const[0xfc, int8]
	a1	const[BYTE2, int8]
	a2	array[const[0x0, int8], 13]
	a3	int8[0:1]
} [packed, align[4]]

ipv6_addr_random = `20010000000000000000000000000000`, `20010000000000000000000000000001`, `20010000000000000000000000000002`

ipv6_addr [
# Few public random addresses
	rand_addr	stringnoz[ipv6_addr_random]
	empty		ipv6_addr_empty
# These correspond to LOCAL_IPV6/REMOTE_IPV6/DEV_IPV6 in executor/common_linux.h
	local		ipv6_addr_t[const[0xaa, int8]]
	remote		ipv6_addr_t[const[0xbb, int8]]
	dev		ipv6_addr_t[netdev_addr_id]
	initdev		ipv6_addr_initdev
# Some special addresses:
	loopback	ipv6_addr_loopback
	ipv4		ipv6_addr_ipv4
	mcast1		ipv6_addr_multicast1
	mcast2		ipv6_addr_multicast2
# Several custom private ranges with 2 addresses each: fc0X::/127.
# Can be used for custom things within the tested image.
	private0	ipv6_addr_private[0]
	private1	ipv6_addr_private[1]
	private2	ipv6_addr_private[2]
] [size[16]]

type ipv6_addr_mask array[flags[ipv4_addr_mask_vals, int32be], 4]

# TODO: Describe more types of headers
# NEXTHDR_HOP, NEXTHDR_TCP, NEXTHDR_UDP, NEXTHDR_IPV6, NEXTHDR_FRAGMENT, NEXTHDR_GRE, NEXTHDR_ESP, NEXTHDR_AUTH, NEXTHDR_ICMP, NEXTHDR_NONE, NEXTHDR_DEST, NEXTHDR_SCTP, NEXTHDR_MOBILITY
# https://tools.ietf.org/html/rfc2402
# https://tools.ietf.org/html/rfc2406
# https://tools.ietf.org/html/rfc3775

# https://tools.ietf.org/html/rfc2460#section-4
# The length field in each of the extension headers specifies the
# length of the header in 8-octet units not including the first 8 octets.
ipv6_ext_header [
	hopopts		ipv6_hopopts_ext_header
	routing		ipv6_rt_hdr
	srh		ipv6_sr_hdr
	fragment	ipv6_fragment_ext_header
	dstopts		ipv6_dstopts_ext_header
] [varlen]

ipv6_hopopts_ext_header {
	next_header	flags[ipv6_types, int8]
	length		bytesize8[options, int8]
	pad		array[const[0, int8], 6]
	options		array[ipv6_tlv_option]
} [packed, align[8]]

ipv6_routing_types = IPV6_SRCRT_STRICT, IPV6_SRCRT_TYPE_0, IPV6_SRCRT_TYPE_2

ipv6_rt_hdr {
	next_header	flags[ipv6_types, int8]
	length		bytesize8[data, int8]
	routing_type	flags[ipv6_routing_types, int8]
	segments_left	int8
	reserved	const[0, int32]
	data		array[ipv6_addr]
} [packed, align[8]]

ipv6_sr_hdr {
	nexthdr		flags[ipv6_types, int8]
	hdrlen		bytesize8[segments, int8]
	type		const[IPV6_SRCRT_TYPE_4, int8]
	segments_left	len[segments, int8]
	first_segment	int8
	flags		flags[ipv6_sr_flags, int8]
	tag		int16
	segments	array[ipv6_addr]
# TODO: this may be followed by sr6_tlv_hmac if SR6_FLAG1_HMAC is set.
# However, if we place it here, we won't be able to calculate hdrlen (len of 2 fields),
# and if we move segments and sr6_tlv_hmac into a separate struct,
# we won't be able to calculate segments_left because it will need to
# refer to a field of a subobject. What may help is allowing specifying
# subfields as len/bytesize targets, e.g. "len[payload.segments]", or "bytesize[parent_struct.foo]".
} [packed, align[8]]

ipv6_sr_flags = SR6_FLAG1_PROTECTED, SR6_FLAG1_OAM, SR6_FLAG1_ALERT, SR6_FLAG1_HMAC

ipv6_fragment_ext_header {
	next_header	flags[ipv6_types, int8]
	reserved1	const[0, int8]
	fragment_off_hi	int8
	m_flag		int8:1
	reserved2	const[0, int8:2]
	fragment_off_lo	int8:5
	identification	int32[100:104]
} [packed, align[8]]

ipv6_dstopts_ext_header {
	next_header	flags[ipv6_types, int8]
	length		bytesize8[options, int8]
	pad		array[const[0, int8], 6]
	options		array[ipv6_tlv_option]
} [packed, align[8]]

ipv6_tlv_option [
	generic	ipv6_tlv_generic
	pad1	ipv6_tlv_pad1
	padn	ipv6_tlv_padn
	ra	ipv6_tlv_ra
	jumbo	ipv6_tlv_jumbo
	calipso	ipv6_tlv_calipso
	hao	ipv6_tlv_hao
	enc_lim	ipv6_tlv_enc_lim
] [varlen]

ipv6_tlv_generic {
	type	int8
	length	len[data, int8]
	data	array[int8]
} [packed]

ipv6_tlv_pad1 {
	type	const[IPV6_TLV_PAD1, int8]
	len	const[1, int8]
	pad	const[0, int8]
} [packed]

ipv6_tlv_padn {
	type	const[IPV6_TLV_PADN, int8]
	len	len[pad, int8]
	pad	array[const[0, int8]]
} [packed]

ipv6_tlv_ra {
	type	const[IPV6_TLV_ROUTERALERT, int8]
	len	const[2, int8]
	ra	int16be
} [packed]

ipv6_tlv_jumbo {
	type	const[IPV6_TLV_JUMBO, int8]
	len	const[4, int8]
	pkt_len	int32be
} [packed]

# https://tools.ietf.org/html/rfc5570#section-5.1
ipv6_tlv_calipso {
	type	const[IPV6_TLV_CALIPSO, int8]
	len	bytesize[payload, int8]
	payload	ipv6_tlv_calipso_payload
} [packed]

# TODO: checksum is generally incorrect.
ipv6_tlv_calipso_payload {
	domain			flags[calipso_doi, int32be]
	compartment_length	bytesize4[compartment_bitmap, int8]
	sensitivity_level	int8
	checksum		int16
	compartment_bitmap	array[int64]
} [packed]

calipso_doi = 0, 1, 2, 3

ipv6_tlv_hao {
	type	const[IPV6_TLV_HAO, int8]
	len	bytesize[addr, int8]
	addr	ipv6_addr
} [packed]

ipv6_tlv_enc_lim {
	type		const[IPV6_TLV_TNL_ENCAP_LIMIT, int8]
	len		const[1, int8]
	encap_limit	int8
} [packed]

ipv6_packet [
	generic		ipv6_packet_t[flags[ipv6_types, int8], array[int8]]
	tcp		ipv6_packet_t[const[IPPROTO_TCP, int8], tcp_packet]
	udp		ipv6_packet_t[const[IPPROTO_UDP, int8], udp_packet]
	icmpv6		ipv6_packet_t[const[IPPROTO_ICMPV6, int8], icmpv6_packet]
	dccp_packet	ipv6_packet_t[const[IPPROTO_DCCP, int8], dccp_packet]
	gre_packet	ipv6_packet_t[const[IPPROTO_GRE, int8], gre_packet]
# TODO: what proto do we need for tipc (there is no IPPROTO_TIPC)?
	tipc_packet	ipv6_packet_t[const[IPPROTO_TCP, int8], tipc_packet]
] [varlen]

type ipv6_packet_t[PROTO, PAYLOAD] {
	priority	int8:4
	version		const[6, int8:4]
# TODO: flow_label is actually 20 bits, 4 bits are part of priority
	flow_label	array[int8, 3]
	length		len[payload, int16be]
	next_header	PROTO
	hop_limit	flags[hop_limits, int8]
	src_ip		ipv6_addr
	dst_ip		ipv6_addr
	payload		ipv6_packet_payload[PAYLOAD]
} [packed]

type ipv6_packet_payload[PAYLOAD] {
	ext_headers	array[ipv6_ext_header]
	payload		PAYLOAD
} [packed]

################################################################################
###################################### TCP #####################################
################################################################################

# https://tools.ietf.org/html/rfc793#section-3.1
# https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
# http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml

include <net/tcp.h>
include <uapi/linux/tcp.h>

tcp_option [
	generic		tcp_generic_option
	nop		tcp_nop_option
	eol		tcp_eol_option
	mss		tcp_mss_option
	window		tcp_window_option
	sack_perm	tcp_sack_perm_option
	sack		tcp_sack_option
	timestamp	tcp_timestamp_option
	md5sig		tcp_md5sig_option
	fastopen	tcp_fastopen_option
	exp_fastopen	tcp_exp_fastopen_option
	exp_smc		tcp_exp_smc_option
	mptcp		tcp_mptcp_option
] [varlen]

tcp_option_types = TCPOPT_NOP, TCPOPT_EOL, TCPOPT_MSS, TCPOPT_WINDOW, TCPOPT_SACK_PERM, TCPOPT_SACK, TCPOPT_TIMESTAMP, TCPOPT_MD5SIG, TCPOPT_FASTOPEN, TCPOPT_EXP

tcp_generic_option {
	type	flags[tcp_option_types, int8]
	length	len[parent, int8]
	data	array[int8, 0:16]
} [packed]

# https://tools.ietf.org/html/rfc793#section-3.1
tcp_nop_option {
	type	const[TCPOPT_NOP, int8]
} [packed]

# https://tools.ietf.org/html/rfc793#section-3.1
tcp_eol_option {
	type	const[TCPOPT_EOL, int8]
} [packed]

# https://tools.ietf.org/html/rfc793#section-3.1
tcp_mss_option {
	type		const[TCPOPT_MSS, int8]
	length		len[parent, int8]
	seg_size	int16
} [packed]

# https://tools.ietf.org/html/rfc7323#section-2
tcp_window_option {
	type	const[TCPOPT_WINDOW, int8]
	length	len[parent, int8]
	shift	int8
} [packed]

# https://tools.ietf.org/html/rfc2018#section-2
tcp_sack_perm_option {
	type	const[TCPOPT_SACK_PERM, int8]
	length	len[parent, int8]
} [packed]

# https://tools.ietf.org/html/rfc2018#section-3
tcp_sack_option {
	type	const[TCPOPT_SACK, int8]
	length	len[parent, int8]
	data	array[int32be]
} [packed]

# https://tools.ietf.org/html/rfc7323#section-3
tcp_timestamp_option {
	type	const[TCPOPT_TIMESTAMP, int8]
	length	len[parent, int8]
	tsval	int32be
	tsecr	int32be
} [packed]

# https://tools.ietf.org/html/rfc2385#section-3.0
tcp_md5sig_option {
	type	const[TCPOPT_MD5SIG, int8]
	length	len[parent, int8]
	md5	array[int8, 16]
} [packed]

# https://tools.ietf.org/html/rfc7413#section-4.1.1
tcp_fastopen_option {
	type	const[TCPOPT_FASTOPEN, int8]
	length	len[parent, int8]
	data	array[int8, 0:16]
} [packed]

tcp_exp_fastopen_option {
	type	const[TCPOPT_EXP, int8]
	length	len[parent, int8]
	subtype	const[TCPOPT_FASTOPEN_MAGIC, int16be]
	data	array[int8, 0:16]
} [packed]

tcp_exp_smc_option {
	type	const[TCPOPT_EXP, int8]
	length	len[parent, int8]
	subtype	const[TCPOPT_SMC_MAGIC, int32be]
} [packed]

tcp_options {
	options	array[tcp_option]
} [packed, align[4]]

tcp_flags = TCPHDR_FIN, TCPHDR_SYN, TCPHDR_RST, TCPHDR_PSH, TCPHDR_ACK, TCPHDR_URG, TCPHDR_ECE, TCPHDR_CWR, TCPHDR_SYN_ECN

tcp_header {
	src_port	sock_port
	dst_port	sock_port
	seq_num		tcp_seq_num
	ack_num		tcp_seq_num
	ns		int8:1
	reserved	const[0, int8:3]
	data_off	bytesize4[parent, int8:4]
	flags		flags[tcp_flags, int8]
	window_size	int16be
	csum		csum[tcp_packet, pseudo, IPPROTO_TCP, int16be]
	urg_ptr		int16be
	options		tcp_options
} [packed]

tcp_packet {
	header	tcp_header
	payload	tcp_payload
} [packed]

tcp_payload {
	payload	array[int8]
} [packed]

################################################################################
###################################### UDP #####################################
################################################################################

# https://tools.ietf.org/html/rfc768
# https://en.wikipedia.org/wiki/User_Datagram_Protocol#Packet_structure

include <net/gue.h>

udp_packet {
	src_port	sock_port
	dst_port	sock_port
	length		len[parent, int16be]
	csum		csum[parent, pseudo, IPPROTO_UDP, int16be]
	payload		udp_payload
} [packed]

udp_payload [
	opaque	array[int8]
	gue	gue_packet
	wg	wg_packet
] [varlen]

gue_packet {
	hdr	guehdr
	opaque	array[int8]
} [packed]

guehdr {
	hlen		bytesize4[parent, int8:5]
	control		int8:1
	version		int8:2
	proto_ctype	int8
	flags		flags[guehdr_flags, int16]
	priv		optional[flags[guehdr_prov_flags, int32]]
} [packed]

guehdr_flags = GUE_FLAG_PRIV
guehdr_prov_flags = GUE_PFLAG_REMCSUM

################################################################################
###################################### GRE #####################################
################################################################################

# https://en.wikipedia.org/wiki/Generic_Routing_Encapsulation

include <net/gre.h>

gre_packet {
	pptp		gre_packet_pptp
# TODO: add more packets
# TODO: the payload should be ipv4_packet/ipv6_packet, but this creates recursion
# ipv4 -> gre -> ipv4 -> ...
	cisco_ipv4	gre_packet_cisco[ETH_P_IP, array[int8]]
	cisco_ipv6	gre_packet_cisco[ETH_P_IPV6, array[int8]]
	erspan1		gre_packet_erspan[ETH_P_ERSPAN, erspan_md1_msg]
	erspan2		gre_packet_erspan[ETH_P_ERSPAN2, erspan_md2_msg]
	teb		gre_packet_erspan[ETH_P_TEB, array[int8]]
} [packed]

type gre_packet_cisco[PROTO, PAYLOAD] {
	C		int16:1
	R		const[0, int16:1]
	K		int16:1
	S		int16:1
	reserved	const[0, int16:9]
	version		const[0, int16:3]
	protocol	const[PROTO, int16be]
# checksum, key, sequence number
	add		array[int16be, 0:3]
	payload		PAYLOAD
} [packed]

gre_packet_pptp {
	C		const[0, int16:1]
	R		const[0, int16:1]
	K		const[1, int16:1]
	S		int16:1
	reserved	const[0, int16:4]
	A		int16:1
	flags		const[0, int16:4]
	version		const[1, int16:3]
	protocol	const[0x880b, int16be]
	payload_len	bytesize[payload, int16be]
	key_call_id	pptp_call_id
# sequence/ack number
	add		array[int16be, 0:2]
	payload		ppp_packet
} [packed]

type ppp_packet array[int8]

type gre_packet_erspan[PROTO, PAYLOAD] {
	H		const[8, int16]
	protocol	const[PROTO, int16be]
	seq		int32be[0:4]
	payload		PAYLOAD
} [packed]

################################################################################
##################################### ERSPAN ###################################
################################################################################

include <net/erspan.h>
include <uapi/linux/erspan.h>

type erspan_base_hdr[VER] {
	vlan_upper		int8:4
	ver			const[VER, int8:4]
	vlan			int8:8
	session_id_upper	int8:2
	t			int8:1
	en			int8:2
	cos			int8:3
	session_id		int8:8
} [packed]

erspan_md1 {
	index	int32be
} [packed]

erspan_md1_msg {
	base	erspan_base_hdr[1]
	version	const[1, int32]
	payload	erspan_md1
}

erspan_md2 {
	timestamp	int32be
	sgt		int16be
	hwid_upper	int8:2
	ft		int8:5
	p		int8:1
	o		int8:1
	gra		int8:2
	dir		int8:1
	hwid		int8:1
} [packed]

erspan_md2_msg {
	base	erspan_base_hdr[2]
	version	const[2, int32]
	payload	erspan_md2
}

################################################################################
###################################### ICMP ####################################
################################################################################

# https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#ICMP_datagram_structure
# https://tools.ietf.org/html/rfc792
# https://tools.ietf.org/html/rfc4884#section-4.1
# http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

include <uapi/linux/icmp.h>

icmp_ipv4_header {
	ihl		bytesize4[parent, int8:4]
	version		const[4, int8:4]
	ecn		int8:2
	dscp		int8:6
	total_len	int16be
	id		icmp_id
	frag_off	int16be
	ttl		int8
	protocol	flags[ipv4_types, int8]
	csum		int16be
	src_ip		ipv4_addr
	dst_ip		ipv4_addr
	options		ipv4_options
} [packed]

icmp_echo_reply_packet {
	type	const[ICMP_ECHOREPLY, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	icmp_id
	seq_num	int16be
	data	array[int8]
} [packed]

type icmp_id int16be[100:104]

icmp_dest_unreach_codes = ICMP_NET_UNREACH, ICMP_HOST_UNREACH, ICMP_PROT_UNREACH, ICMP_PORT_UNREACH, ICMP_FRAG_NEEDED, ICMP_SR_FAILED, ICMP_NET_UNKNOWN, ICMP_HOST_UNKNOWN, ICMP_HOST_ISOLATED, ICMP_NET_ANO, ICMP_HOST_ANO, ICMP_NET_UNR_TOS, ICMP_HOST_UNR_TOS, ICMP_PKT_FILTERED, ICMP_PREC_VIOLATION, ICMP_PREC_CUTOFF

icmp_dest_unreach_packet {
	type	const[ICMP_DEST_UNREACH, int8]
	code	flags[icmp_dest_unreach_codes, int8]
	csum	csum[parent, inet, int16be]
	unused	const[0, int8]
	length	int8
	mtu	int16be
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

icmp_source_quench_packet {
	type	const[ICMP_SOURCE_QUENCH, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	unused	const[0, int32]
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

icmp_redirect_codes = ICMP_REDIR_NET, ICMP_REDIR_HOST, ICMP_REDIR_NETTOS, ICMP_REDIR_HOSTTOS

icmp_redirect_packet {
	type	const[ICMP_REDIRECT, int8]
	code	flags[icmp_redirect_codes, int8]
	csum	csum[parent, inet, int16be]
	ip	ipv4_addr
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

icmp_echo_packet {
	type	const[ICMP_ECHO, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	int16be
	seq_num	int16be
	data	array[int8]
} [packed]

icmp_time_exceeded_codes = ICMP_EXC_TTL, ICMP_EXC_FRAGTIME

icmp_time_exceeded_packet {
	type	const[ICMP_TIME_EXCEEDED, int8]
	code	flags[icmp_time_exceeded_codes, int8]
	csum	csum[parent, inet, int16be]
	unused1	const[0, int8]
	length	int8
	unused2	const[0, int16]
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

icmp_parameter_prob_packet {
	type	const[ICMP_PARAMETERPROB, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	pointer	int8
	length	int8
	unused	const[0, int16]
	iph	icmp_ipv4_header
	data	array[int8, 0:8]
} [packed]

icmp_timestamp_packet {
	type		const[ICMP_TIMESTAMP, int8]
	code		const[0, int8]
	csum		csum[parent, inet, int16be]
	id		int16be
	seq_num		int16be
	orig_ts		int32be
	recv_ts		int32be
	trans_ts	int32be
} [packed]

icmp_timestamp_reply_packet {
	type		const[ICMP_TIMESTAMPREPLY, int8]
	code		const[0, int8]
	csum		csum[parent, inet, int16be]
	id		int16be
	seq_num		int16be
	orig_ts		int32be
	recv_ts		int32be
	trans_ts	int32be
} [packed]

icmp_info_request_packet {
	type	const[ICMP_INFO_REQUEST, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	int16be
	seq_num	int16be
} [packed]

icmp_info_reply_packet {
	type	const[ICMP_INFO_REPLY, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	id	int16be
	seq_num	int16be
} [packed]

icmp_address_request_packet {
	type	const[ICMP_ADDRESS, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	mask	int32be
} [packed]

icmp_address_reply_packet {
	type	const[ICMP_ADDRESSREPLY, int8]
	code	const[0, int8]
	csum	csum[parent, inet, int16be]
	mask	int32be
} [packed]

icmp_types = ICMP_ECHOREPLY, ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_REDIRECT, ICMP_ECHO, ICMP_TIME_EXCEEDED, ICMP_PARAMETERPROB, ICMP_TIMESTAMP, ICMP_TIMESTAMPREPLY, ICMP_INFO_REQUEST, ICMP_INFO_REPLY, ICMP_ADDRESS, ICMP_ADDRESSREPLY

icmp_packet [
	echo_reply	icmp_echo_reply_packet
	dest_unreach	icmp_dest_unreach_packet
	source_quench	icmp_source_quench_packet
	redirect	icmp_redirect_packet
	echo		icmp_echo_packet
	time_exceeded	icmp_time_exceeded_packet
	parameter_prob	icmp_parameter_prob_packet
	timestamp	icmp_timestamp_packet
	timestamp_reply	icmp_timestamp_reply_packet
	info_request	icmp_info_request_packet
	info_reply	icmp_info_reply_packet
	address_request	icmp_address_request_packet
	address_reply	icmp_address_reply_packet
] [varlen]

################################################################################
##################################### ICMPv6 ###################################
################################################################################

# https://tools.ietf.org/html/rfc4443
# http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml

include <uapi/linux/icmpv6.h>

icmpv6_ipv6_packet {
	priority	int8:4
	version		const[6, int8:4]
	flow_label	array[int8, 3]
	length		int16be
	next_header	flags[ipv6_types, int8]
	hop_limit	flags[hop_limits, int8]
	src_ip		ipv6_addr
	dst_ip		ipv6_addr
	ext_headers	array[ipv6_ext_header]
	data		array[int8]
} [packed]

icmpv6_dest_unreach_codes = ICMPV6_NOROUTE, ICMPV6_ADM_PROHIBITED, ICMPV6_NOT_NEIGHBOUR, ICMPV6_ADDR_UNREACH, ICMPV6_PORT_UNREACH, ICMPV6_POLICY_FAIL, ICMPV6_REJECT_ROUTE

icmpv6_dest_unreach_packet {
	type	const[ICMPV6_DEST_UNREACH, int8]
	code	flags[icmpv6_dest_unreach_codes, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	length	int8
	unused	array[const[0, int8], 3]
	packet	icmpv6_ipv6_packet
} [packed]

icmpv6_pkt_toobig_packet {
	type	const[ICMPV6_PKT_TOOBIG, int8]
	code	const[0, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	mtu	int32be
	packet	icmpv6_ipv6_packet
} [packed]

icmpv6_time_exceed_codes = ICMPV6_EXC_HOPLIMIT, ICMPV6_EXC_FRAGTIME

icmpv6_time_exceed_packet {
	type	const[ICMPV6_TIME_EXCEED, int8]
	code	flags[icmpv6_time_exceed_codes, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	length	int8
	unused	array[const[0, int8], 3]
	packet	icmpv6_ipv6_packet
} [packed]

icmpv6_param_prob_codes = ICMPV6_HDR_FIELD, ICMPV6_UNK_NEXTHDR, ICMPV6_UNK_OPTION

icmpv6_param_prob_packet {
	type	const[ICMPV6_PARAMPROB, int8]
	code	flags[icmpv6_param_prob_codes, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	pointer	int32be
	packet	icmpv6_ipv6_packet
} [packed]

icmpv6_echo_request_packet {
	type	const[ICMPV6_ECHO_REQUEST, int8]
	code	const[0, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	id	int16be
	seq_num	int16be
	data	array[int8]
} [packed]

icmpv6_echo_reply_packet {
	type	const[ICMPV6_ECHO_REPLY, int8]
	code	const[0, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	id	int16be
	seq_num	int16be
	data	array[int8]
} [packed]

icmpv6_mld_types = ICMPV6_MGM_QUERY, ICMPV6_MGM_REPORT, ICMPV6_MGM_REDUCTION

# https://tools.ietf.org/html/rfc2710#section-3
icmpv6_mld_packet {
	type	flags[icmpv6_mld_types, int8]
	code	const[0, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	mrd	int16be
	unused	int16
	addr	ipv6_addr
} [packed]

# https://tools.ietf.org/html/rfc3810#section-5.1
icmpv6_mldv2_listener_query_packet {
	type		const[ICMPV6_MGM_QUERY, int8]
	code		const[0, int8]
	csum		csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	mrd		int16be
	unused		int16
	mca		ipv6_addr
	qrv		int8:3
	suppress	int8:1
	resv2		int8:4
	qqic		int8
	nsrcs		len[srcs, int16be]
	srcs		array[ipv6_addr]
} [packed]

icmpv6_mldv2_grec {
	type		int8
	auxwords	len[aux, int8]
	nsrcs		len[srcs, int16be]
	mca		ipv6_addr
	srcs		array[ipv6_addr]
	aux		array[int32]
} [packed]

# https://tools.ietf.org/html/rfc3810#section-5.2
icmpv6_mldv2_listener_report_packet {
	type	const[ICMPV6_MLD2_REPORT, int8]
	code	const[0, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	unused	int16
	ngrec	len[grec, int16be]
	grec	array[icmpv6_mldv2_grec]
} [packed]

icmpv6_ni_types = ICMPV6_NI_QUERY, ICMPV6_NI_REPLY

# https://tools.ietf.org/html/rfc4620#section-4
icmpv6_ni_packet {
	type	flags[icmpv6_ni_types, int8]
	code	const[0, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	qtype	int16be
	flags	int16be
	nonce	int64be
	data	array[int8]
} [packed]

icmpv6_ndisc_option_types = ND_OPT_SOURCE_LL_ADDR, ND_OPT_TARGET_LL_ADDR, ND_OPT_PREFIX_INFO, ND_OPT_REDIRECT_HDR, ND_OPT_MTU, ND_OPT_NONCE, ND_OPT_ROUTE_INFO, ND_OPT_RDNSS, ND_OPT_DNSSL, ND_OPT_6CO

# https://tools.ietf.org/html/rfc4861#section-4.6
icmpv6_ndisc_option {
	option_type	flags[icmpv6_ndisc_option_types, int8]
	length		bytesize8[parent, int8]
# TODO: define the option formats
	data		array[int8]
} [packed]

# https://tools.ietf.org/html/rfc4861#section-4.1
icmpv6_ndisc_router_solicit_packet {
	type	const[NDISC_ROUTER_SOLICITATION, int8]
	code	const[0, int8]
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	unused	array[const[0, int8], 4]
	options	array[icmpv6_ndisc_option]
} [packed]

# https://tools.ietf.org/html/rfc4861#section-4.2
icmpv6_ndisc_router_advert_packet {
	type		const[NDISC_ROUTER_ADVERTISEMENT, int8]
	code		const[0, int8]
	csum		csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	cur_hop_limit	flags[hop_limits, int8]
# TODO: Implement bitflags for the router advert flags
	router_flags	int8
	router_lifetime	int16
	reachable_time	int32
	retrans_time	int32
	options		array[icmpv6_ndisc_option]
} [packed]

# https://tools.ietf.org/html/rfc4861#section-4.3
icmpv6_ndisc_neigh_solicit_packet {
	type		const[NDISC_NEIGHBOUR_SOLICITATION, int8]
	code		const[0, int8]
	csum		csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	target_addr	ipv6_addr
	options		array[icmpv6_ndisc_option]
} [packed]

# https://tools.ietf.org/html/rfc4861#section-4.4
icmpv6_ndisc_neigh_advert_packet {
	type		const[NDISC_NEIGHBOUR_ADVERTISEMENT, int8]
	code		const[0, int8]
	csum		csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
# TODO: Implement bitflags for the neighbor advert flags
	neighbor_flags	int8
	unused		array[const[0, int8], 3]
	target_addr	ipv6_addr
	options		array[icmpv6_ndisc_option]
} [packed]

# https://tools.ietf.org/html/rfc4861#section-4.5
icmpv6_ndisc_redir_packet {
	type		const[NDISC_REDIRECT, int8]
	code		const[0, int8]
	csum		csum[parent, pseudo, IPPROTO_ICMPV6, int16be]
	unused		array[const[0, int8], 4]
	target_addr	ipv6_addr
	dst_addr	ipv6_addr
	options		array[icmpv6_ndisc_option]
} [packed]

icmpv6_packet [
	dest_unreach	icmpv6_dest_unreach_packet
	pkt_toobig	icmpv6_pkt_toobig_packet
	time_exceed	icmpv6_time_exceed_packet
	param_prob	icmpv6_param_prob_packet
	echo_request	icmpv6_echo_request_packet
	echo_reply	icmpv6_echo_reply_packet
	mld		icmpv6_mld_packet
	mlv2_query	icmpv6_mldv2_listener_query_packet
	mlv2_report	icmpv6_mldv2_listener_report_packet
	ni		icmpv6_ni_packet
	ndisc_rs	icmpv6_ndisc_router_solicit_packet
	ndisc_ra	icmpv6_ndisc_router_advert_packet
	ndisc_na	icmpv6_ndisc_neigh_advert_packet
	ndisc_ns	icmpv6_ndisc_neigh_solicit_packet
	ndisc_redir	icmpv6_ndisc_redir_packet
# TODO: ICMPV6_DHAAD_REQUEST, ICMPV6_DHAAD_REPLY, ICMPV6_MOBILE_PREFIX_SOL, ICMPV6_MOBILE_PREFIX_ADV (with ipv6 ext headers)
] [varlen]

################################################################################
###################################### DCCP ####################################
################################################################################

# https://tools.ietf.org/html/rfc4340#section-5

include <uapi/linux/dccp.h>

# TODO: describe each type
dccp_types = DCCP_PKT_REQUEST, DCCP_PKT_RESPONSE, DCCP_PKT_DATA, DCCP_PKT_ACK, DCCP_PKT_DATAACK, DCCP_PKT_CLOSEREQ, DCCP_PKT_CLOSE, DCCP_PKT_RESET, DCCP_PKT_SYNC, DCCP_PKT_SYNCACK, DCCP_PKT_INVALID

dccp_header {
	src_port	sock_port
	dst_port	sock_port
	offset		bytesize4[parent, int8]
	cscov		const[1, int8:4]
# TODO: cscov might have other values, affects checksummed data
	ccval		int8:4
	csum		csum[parent, pseudo, IPPROTO_DCCP, int16be]
	x		const[0, int8:1]
	type		flags[dccp_types, int8:4]
	reserved1	int8:3
	seq_num		array[int8, 3]
	reserved2	int8
	ack_num		array[int8, 3]
# TODO: seq_num and ack_num might have different size depending on x
# TODO: options
} [packed]

dccp_packet {
	header	dccp_header
	payload	array[int8]
} [packed]

################################################################################
###################################### IGMP ####################################
################################################################################

# https://tools.ietf.org/html/rfc2236
# https://tools.ietf.org/html/rfc3376#section-4

include <uapi/linux/igmp.h>

igmp_types = IGMP_HOST_MEMBERSHIP_QUERY, IGMP_HOST_MEMBERSHIP_REPORT, IGMP_DVMRP, IGMP_PIM, IGMP_TRACE, IGMPV2_HOST_MEMBERSHIP_REPORT, IGMP_HOST_LEAVE_MESSAGE, IGMPV3_HOST_MEMBERSHIP_REPORT, IGMP_MTRACE_RESP, IGMP_MTRACE

igmp_packet {
	type	flags[igmp_types, int8]
	mrtime	int8
	csum	csum[parent, inet, int16be]
	addr	ipv4_addr
	data	array[int8]
} [packed]

# TODO: describe particular IGMP packets
# TODO: open IGMP sockets from userspace

################################################################################
###################################### MPLS ####################################
################################################################################

# https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching

mpls_packet {
	labels	array[mpls_label]
	payload	mpls_payload
} [packed]

mpls_label {
	label	int32be:20
	tc	const[0, int32be:3]
	s	int32be:1
	ttl	const[0, int32be:8]
}

mpls_payload [
	generic	array[int8]
	ipv4	ipv4_packet
	ipv6	ipv6_packet
	llc	llc_packet
] [varlen]

################################################################################
###################################### TIPC ####################################
################################################################################

# http://tipc.sourceforge.net/protocol.html
# http://tipc.sourceforge.net/protocol.html#anchor50

# TODO: describe more TIPC packets, the current description is far from being complete.
# But first we need to ensure that syzkaller manages to enable TIPC receiving,
# because currently it always crashes kernel earlier.
# Also, do we need to nest TIPC packets in UDP for UDP media?

include <uapi/linux/tipc.h>
include <net/tipc/msg.h>

tipc_packet [
	payload_conn		tipc_payload_msg[tipc_payload_hdr6[TIPC_CONN_MSG]]
	payload_mcast		tipc_payload_msg[tipc_payload_hdr11[TIPC_MCAST_MSG]]
	payload_named		tipc_payload_msg[tipc_payload_hdr10[TIPC_NAMED_MSG]]
	payload_direct		tipc_payload_msg[tipc_payload_hdr8[TIPC_DIRECT_MSG]]
	name_distributor	tipc_name_distributor_msg
] [varlen]

type tipc_payload_msg[HDR] {
	hdr	tipc_payload_hdr[HDR]
	data	array[const[0, int8]]
}

type tipc_payload_hdr[HDR] {
	hdr	HDR
}

type tipc_payload_hdr6[TYP] {
# w0
	message_size		bytesize[tipc_payload_msg, int32be:17]
	y			const[0, int32be:1]
	s			int32be:1
	d			int32be:1
	n			int32be:1
	hsize			bytesize4[tipc_payload_hdr, int32be:4]
	user			flags[tipc_importance, int32be:4]
	ver			const[TIPC_VERSION, int32be:3]
# w1
	broadcast_acknowledge	int32be:16
	res			const[0, int32be:3]
	lcs			flags[tipc_scope, int32be:2]
	reroute			int32be:4
	error			flags[tipc_error, int32be:4]
	mtype			const[TYP, int32be:3]
# w2
	link_sequence		int32be:16
	link_acknowledge	int32be:16
# w3
	previous_node		int32be[0:4]
# w4
	originating_port	int32be[20000:20004]
# w5
	destination_port	int32be[20000:20004]
} [size[24]]

type tipc_payload_hdr8[TYP] {
	hdr6			tipc_payload_hdr6[TYP]
# w6
	originating_node	int32be[0:4]
# w7
	destination_node	int32be[0:4]
} [size[32]]

type tipc_payload_hdr10[TYP] {
	hdr8		tipc_payload_hdr8[TYP]
# w8
	name_type	int32be[0:4]
# w9
	name_instance	int32be[0:4]
} [size[40]]

type tipc_payload_hdr11[TYP] {
	hdr10			tipc_payload_hdr10[TYP]
# w10
	name_sequence_upper	int32be[0:4]
} [size[44]]

tipc_name_distributor_msg {
	hdr	tipc_name_distributor_hdr
	data	array[tipc_name_publication]
}

tipc_name_distributor_hdr {
# w0
	message_size		bytesize[tipc_name_distributor_msg, int32be:17]
	y			const[0, int32be:1]
	s			const[0, int32be:1]
	d			const[0, int32be:1]
	n			int32be:1
	hsize			bytesize4[parent, int32be:4]
	user			const[NAME_DISTRIBUTOR, int32be:4]
	ver			const[TIPC_VERSION, int32be:3]
# w1
	broadcast_acknowledge	int32be:16
	res			const[0, int32be:13]
	mtype			int32be:3[0:1]
# w2
	link_sequence		int32be:16
	link_acknowledge	int32be:16
# w3
	previous_node		int32be[0:4]
# w4
	originating_port	int32be[20000:20004]
# w5
	destination_port	int32be[20000:20004]
# w6
	originating_node	int32be[0:4]
# w7
	destination_node	int32be[0:4]
# w8
	res1			const[0, int32be]
# w9
	res2			const[0, int32be:23]
	m			int32be:1
	item_size		const[7, int32be:8]
}

tipc_name_publication {
	type		int32be
	lower_bound	int32be
	upper_bound	int32be
	reference	int32be
	key		int32be
	node		int32be
	scope		int32be:4
	res		int32be:28
} [size[28]]

tipc_importance = TIPC_LOW_IMPORTANCE, TIPC_MEDIUM_IMPORTANCE, TIPC_HIGH_IMPORTANCE, TIPC_CRITICAL_IMPORTANCE
tipc_error = TIPC_OK, TIPC_ERR_NO_NAME, TIPC_ERR_NO_PORT, TIPC_ERR_NO_NODE, TIPC_ERR_OVERLOAD, TIPC_CONN_SHUTDOWN
tipc_scope = TIPC_CFG_SRV, TIPC_ZONE_SCOPE, TIPC_CLUSTER_SCOPE, TIPC_NODE_SCOPE
]

gemini-3-pro-preview

							input: 433877
							output: 905
							thoughts: 6097
						

**XDP, Bond0, and the Perils of Unions**

Okay, so I've been wrestling with this `syz_emit_ethernet` and `bond0` situation. The core idea is sound: `syz_emit_ethernet` blasts packets to `tun`, `tun` gets enslaved to `bond0`, and if `bond0` is an XDP master, it can redirect. The crash is likely due to the bond interface being down. My plan is to exploit the round-robin counter being NULL. The problem is creating the XDP program. I can't bind a socket because of `EDESTADDRREQ` and need to use `syz_emit_ethernet` or a `sendto`. `syz_emit_ethernet` works, it can emit to `tun`. I'm starting to think `bind` is not the way to go because of how syzkaller expects a union type.

I was trying to use a `sockaddr_ll` structure, but syzkaller keeps throwing these seemingly nonsensical errors. It expects a union, I provide the union. It doesn't seem to parse. This is the problem. It seems, to me, it's not the same union the kernel expects, or the union is not formatted the way it expects. At first I thought my usage of `sendto` and `sockaddr_ll` was flawed. But my main issue seems to be passing the values to `bind`.

So, I had the idea to use `ioctl$sock_SIOCGIFINDEX` to write the correct `ifindex` into a memory location. Then I could use `bind` and provide a pointer to that memory. This is still a good strategy, but syzkaller will STILL validate types. But syzkaller does not have a concept of "writing" the type.

I've got a great setup, so now I need to figure out what I'm sending to the XDP program. My biggest problem now is `bpf$PROG_LOAD`. I've been trying to load a BPF program but am getting tripped up by seemingly arbitrary union/non-union type mismatches, even when I *think* I'm providing valid arguments. I need to get this right. It looks like the issue I have is that the "pad" is a union. 
I have to provide something other than `0x0`. I should use `&AUTO`.
I need to keep the goal, crashing `bond0` by the bond's round-robin algorithm. I will use the `syz_emit_ethernet`, slave the `tun` device to the `bond0` device, make sure the `bond0` is down, and exploit the round-robin counter being NULL. The final step is to refine the syzkaller program to ensure that the BPF program actually loads.

wrong union arg for "eth_payload"
line #14:65: syz_emit_ethernet(0xe, &(0x7f0000000380)={@empty, @empty, @void, <<<!!ERROR!!>>>@generic={0x800, ""}}, 0x0)

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='-bond0\x00', 7)
write(r0, &(0x7f0000000080)='+bond0\x00', 7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f0000000100)='0\x00', 2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000140)={'syz_tun\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+syz_tun\x00', 9)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000340)={'syz_tun\x00', @ifru_flags=0x1})
syz_emit_ethernet(0xe, &(0x7f0000000380)={@empty, @empty, @void, @generic={0x800, ""}}, 0x0)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 441580
							output: 905
							thoughts: 122
						

**Debugging the Ethernet Payload**

Right, okay, so I was looking at that `eth_payload` structure and I initially thought it was a union, which was throwing me off. But I just realized it's actually a struct, not a union! That changes everything. That `eth2_packet` member is a direct part of the structure. With this information, I can see how to fix that emit call. I was on the right track, but I need to use the `{@generic={0x800, ""}}` syntax. Perfect, now let's correct this line.
```
syz_emit_ethernet(0xe, &(0x7f0000000380)={@empty, @empty, @void, {@generic={0x800, ""}}}, 0x0)
```
Hopefully this will solve the issues I was seeing. Onward!

map[ReproSyz:r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r0, &(0x7f0000000040)='-bond0\x00', 7)
write(r0, &(0x7f0000000080)='+bond0\x00', 7)
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r1, &(0x7f0000000100)='0\x00', 2)
r2 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000140)={'syz_tun\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+syz_tun\x00', 9)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000340)={'syz_tun\x00', @ifru_flags=0x1})
syz_emit_ethernet(0xe, &(0x7f0000000380)={@empty, @empty, @void, {@generic={0x800, ""}}}, 0x0)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 442830
							output: 42
							thoughts: 94
						

**Debugging a Persistent Network Issue**

Okay, it didn't crash – that's a good start. But I still need to understand *why* it didn't crash. My intuition says there's a problem, and the lack of a crash doesn't mean the problem is gone.

First, I need to verify that `syz_tun` was successfully enslaved to `bond0`. I'll start by checking the results of that `write` call: `write(r3, "+syz_tun\x00", 9)`.  Did that work as expected?

Wait, hold on a second... `syz_tun` is a `tun` device, right? Right. Okay, so now I'm thinking about the low-level functions that `tun` devices implement. The question is: does `tun` support the `ndo_set_mac_address` operation? That's what I really need to confirm. Let me just quickly check `tun_netdev_ops` to make sure it's doing the right thing.

map[ContextFile:drivers/net/tun.c IncludeLines:true Name:tun_netdev_ops]

map[SourceCode:1181:	static const struct net_device_ops tun_netdev_ops = {
1182:		.ndo_init		= tun_net_init,
1183:		.ndo_uninit		= tun_net_uninit,
1184:		.ndo_open		= tun_net_open,
1185:		.ndo_stop		= tun_net_close,
1186:		.ndo_start_xmit		= tun_net_xmit,
1187:		.ndo_fix_features	= tun_net_fix_features,
1188:		.ndo_select_queue	= tun_select_queue,
1189:		.ndo_set_rx_headroom	= tun_set_headroom,
1190:		.ndo_get_stats64	= tun_net_get_stats64,
1191:		.ndo_change_carrier	= tun_net_change_carrier,
1192:	};
 SourceFile:drivers/net/tun.c]

gemini-3-pro-preview

							input: 443475
							output: 20
							thoughts: 279
						

**Analyzing the Network Device Operations**

Okay, hold on a second! I was just about to assume something, but I need to double-check. The `tun_netdev_ops` structure... I was *certain* it had the `ndo_set_mac_address` function, but it absolutely does *not*. That's a crucial piece of information.

Now, let's see how `bond_enslave` handles this. I remember it has some checks. Ah, here it is:

```c
	if (!slave_ops->ndo_set_mac_address ||
	    slave_dev->type == ARPHRD_INFINIBAND) {
		slave_warn(bond_dev, slave_dev, "The slave device specified does not support setting the MAC address\n");
		if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP &&
		    bond->params.fail_over_mac != BOND_FOM_ACTIVE) {
...
```

It prints a warning if `ndo_set_mac_address` is missing, which is expected. But the key is that it *doesn't* fail immediately unless we are in `ACTIVEBACKUP` mode, and the `fail_over_mac` parameter is set to a specific value. My bond mode is `ROUNDROBIN`, so that condition isn't met. It shouldn't be failing! Good.

Right, so that's handled, but I need to make sure I haven't missed anything else... What about `ndo_bpf` and `ndo_xdp_xmit`? Does `tun_netdev_ops` have those, too? Let me just quickly check that structure definition again... No, it doesn't. No `ndo_bpf` or `ndo_xdp_xmit`.

Hmm... Does the `tun` implementation have those? Specifically, `tun_xdp` and `tun_xdp_xmit`? Yes! Let's examine `drivers/net/tun.c` file and see if there is any `ndo_bpf` function.

map[Expression:ndo_bpf.*tun]

map[Output:drivers/net/tun.c=1265=static const struct net_device_ops tap_netdev_ops = {
--
drivers/net/tun.c-1277-	.ndo_set_rx_headroom	= tun_set_headroom,
drivers/net/tun.c:1278:	.ndo_bpf		= tun_xdp,
drivers/net/tun.c-1279-	.ndo_xdp_xmit		= tun_xdp_xmit,
]

gemini-3-pro-preview

							input: 444370
							output: 41
							thoughts: 376
						

**Debugging the XDP Crash**

Okay, so I'm on the hunt for why that `bond_enslave` operation didn't trigger the expected XDP crash. The first thing I thought was, "Ah, the device operations! `tap_netdev_ops` probably holds the key." And, it does! `tun_netdev_ops` doesn't, so that's a key distinction. I quickly realized `syz_tun` is a TUN device, or so I thought. Then I remembered `syz_emit_ethernet` sends packets to `syz_tun`. But *is* `syz_tun` a TUN or a TAP?

A quick check confirms Syzkaller actually creates `syz_tun` as a TAP device. Great, so it's using `tap_netdev_ops`. Therefore, it *should* have `ndo_bpf`, `ndo_xdp_xmit`, *and* `ndo_set_mac_address`. Yep, `tap_netdev_ops` definitely has `.ndo_set_mac_address = eth_mac_addr`. This means `bond_enslave` *should* succeed because it requires `ndo_set_mac_address`.

So, it should have succeeded, which is why it didn't crash. Why didn't it crash? Maybe `syz_emit_ethernet` isn't properly triggering the XDP program. I need to figure out if writing to the `/dev/net/tun` file descriptor that `syz_emit_ethernet` does triggers XDP at all. I need to check `tun_get_user` to figure out the behavior.

map[ContextFile:drivers/net/tun.c IncludeLines:true Name:tun_get_user]

map[SourceCode:1692:	/* Get packet from user space buffer */
1693:	static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
1694:				    void *msg_control, struct iov_iter *from,
1695:				    int noblock, bool more)
1696:	{
1697:		struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) };
1698:		struct sk_buff *skb;
1699:		size_t total_len = iov_iter_count(from);
1700:		size_t len = total_len, align = tun->align, linear;
1701:		struct virtio_net_hdr_v1_hash_tunnel hdr;
1702:		struct virtio_net_hdr *gso;
1703:		int good_linear;
1704:		int copylen;
1705:		int hdr_len = 0;
1706:		bool zerocopy = false;
1707:		int err;
1708:		u32 rxhash = 0;
1709:		int skb_xdp = 1;
1710:		bool frags = tun_napi_frags_enabled(tfile);
1711:		enum skb_drop_reason drop_reason = SKB_DROP_REASON_NOT_SPECIFIED;
1712:		netdev_features_t features = 0;
1713:	
1714:		/*
1715:		 * Keep it easy and always zero the whole buffer, even if the
1716:		 * tunnel-related field will be touched only when the feature
1717:		 * is enabled and the hdr size id compatible.
1718:		 */
1719:		memset(&hdr, 0, sizeof(hdr));
1720:		gso = (struct virtio_net_hdr *)&hdr;
1721:	
1722:		if (!(tun->flags & IFF_NO_PI)) {
1723:			if (len < sizeof(pi))
1724:				return -EINVAL;
1725:			len -= sizeof(pi);
1726:	
1727:			if (!copy_from_iter_full(&pi, sizeof(pi), from))
1728:				return -EFAULT;
1729:		}
1730:	
1731:		if (tun->flags & IFF_VNET_HDR) {
1732:			int vnet_hdr_sz = READ_ONCE(tun->vnet_hdr_sz);
1733:	
1734:			features = tun_vnet_hdr_guest_features(vnet_hdr_sz);
1735:			hdr_len = __tun_vnet_hdr_get(vnet_hdr_sz, tun->flags,
1736:						     features, from, gso);
1737:			if (hdr_len < 0)
1738:				return hdr_len;
1739:	
1740:			len -= vnet_hdr_sz;
1741:		}
1742:	
1743:		if ((tun->flags & TUN_TYPE_MASK) == IFF_TAP) {
1744:			align += NET_IP_ALIGN;
1745:			if (unlikely(len < ETH_HLEN || (hdr_len && hdr_len < ETH_HLEN)))
1746:				return -EINVAL;
1747:		}
1748:	
1749:		good_linear = SKB_MAX_HEAD(align);
1750:	
1751:		if (msg_control) {
1752:			struct iov_iter i = *from;
1753:	
1754:			/* There are 256 bytes to be copied in skb, so there is
1755:			 * enough room for skb expand head in case it is used.
1756:			 * The rest of the buffer is mapped from userspace.
1757:			 */
1758:			copylen = min(hdr_len ? hdr_len : GOODCOPY_LEN, good_linear);
1759:			linear = copylen;
1760:			iov_iter_advance(&i, copylen);
1761:			if (iov_iter_npages(&i, INT_MAX) <= MAX_SKB_FRAGS)
1762:				zerocopy = true;
1763:		}
1764:	
1765:		if (!frags && tun_can_build_skb(tun, tfile, len, noblock, zerocopy)) {
1766:			/* For the packet that is not easy to be processed
1767:			 * (e.g gso or jumbo packet), we will do it at after
1768:			 * skb was created with generic XDP routine.
1769:			 */
1770:			skb = tun_build_skb(tun, tfile, from, gso, len, &skb_xdp);
1771:			err = PTR_ERR_OR_ZERO(skb);
1772:			if (err)
1773:				goto drop;
1774:			if (!skb)
1775:				return total_len;
1776:		} else {
1777:			if (!zerocopy) {
1778:				copylen = len;
1779:				linear = min(hdr_len, good_linear);
1780:			}
1781:	
1782:			if (frags) {
1783:				mutex_lock(&tfile->napi_mutex);
1784:				skb = tun_napi_alloc_frags(tfile, copylen, from);
1785:				/* tun_napi_alloc_frags() enforces a layout for the skb.
1786:				 * If zerocopy is enabled, then this layout will be
1787:				 * overwritten by zerocopy_sg_from_iter().
1788:				 */
1789:				zerocopy = false;
1790:			} else {
1791:				if (!linear)
1792:					linear = min_t(size_t, good_linear, copylen);
1793:	
1794:				skb = tun_alloc_skb(tfile, align, copylen, linear,
1795:						    noblock);
1796:			}
1797:	
1798:			err = PTR_ERR_OR_ZERO(skb);
1799:			if (err)
1800:				goto drop;
1801:	
1802:			if (zerocopy)
1803:				err = zerocopy_sg_from_iter(skb, from);
1804:			else
1805:				err = skb_copy_datagram_from_iter(skb, 0, from, len);
1806:	
1807:			if (err) {
1808:				err = -EFAULT;
1809:				drop_reason = SKB_DROP_REASON_SKB_UCOPY_FAULT;
1810:				goto drop;
1811:			}
1812:		}
1813:	
1814:		if (tun_vnet_hdr_tnl_to_skb(tun->flags, features, skb, &hdr)) {
1815:			atomic_long_inc(&tun->rx_frame_errors);
1816:			err = -EINVAL;
1817:			goto free_skb;
1818:		}
1819:	
1820:		switch (tun->flags & TUN_TYPE_MASK) {
1821:		case IFF_TUN:
1822:			if (tun->flags & IFF_NO_PI) {
1823:				u8 ip_version = skb->len ? (skb->data[0] >> 4) : 0;
1824:	
1825:				switch (ip_version) {
1826:				case 4:
1827:					pi.proto = htons(ETH_P_IP);
1828:					break;
1829:				case 6:
1830:					pi.proto = htons(ETH_P_IPV6);
1831:					break;
1832:				default:
1833:					err = -EINVAL;
1834:					goto drop;
1835:				}
1836:			}
1837:	
1838:			skb_reset_mac_header(skb);
1839:			skb->protocol = pi.proto;
1840:			skb->dev = tun->dev;
1841:			break;
1842:		case IFF_TAP:
1843:			if (frags && !pskb_may_pull(skb, ETH_HLEN)) {
1844:				err = -ENOMEM;
1845:				drop_reason = SKB_DROP_REASON_HDR_TRUNC;
1846:				goto drop;
1847:			}
1848:			skb->protocol = eth_type_trans(skb, tun->dev);
1849:			break;
1850:		}
1851:	
1852:		/* copy skb_ubuf_info for callback when skb has no error */
1853:		if (zerocopy) {
1854:			skb_zcopy_init(skb, msg_control);
1855:		} else if (msg_control) {
1856:			struct ubuf_info *uarg = msg_control;
1857:			uarg->ops->complete(NULL, uarg, false);
1858:		}
1859:	
1860:		skb_reset_network_header(skb);
1861:		skb_probe_transport_header(skb);
1862:		skb_record_rx_queue(skb, tfile->queue_index);
1863:	
1864:		if (skb_xdp) {
1865:			struct bpf_prog *xdp_prog;
1866:			int ret;
1867:	
1868:			local_bh_disable();
1869:			rcu_read_lock();
1870:			xdp_prog = rcu_dereference(tun->xdp_prog);
1871:			if (xdp_prog) {
1872:				ret = do_xdp_generic(xdp_prog, &skb);
1873:				if (ret != XDP_PASS) {
1874:					rcu_read_unlock();
1875:					local_bh_enable();
1876:					goto unlock_frags;
1877:				}
1878:	
1879:				if (frags && skb != tfile->napi.skb)
1880:					tfile->napi.skb = skb;
1881:			}
1882:			rcu_read_unlock();
1883:			local_bh_enable();
1884:		}
1885:	
1886:		/* Compute the costly rx hash only if needed for flow updates.
1887:		 * We may get a very small possibility of OOO during switching, not
1888:		 * worth to optimize.
1889:		 */
1890:		if (!rcu_access_pointer(tun->steering_prog) && tun->numqueues > 1 &&
1891:		    !tfile->detached)
1892:			rxhash = __skb_get_hash_symmetric(skb);
1893:	
1894:		rcu_read_lock();
1895:		if (unlikely(!(tun->dev->flags & IFF_UP))) {
1896:			err = -EIO;
1897:			rcu_read_unlock();
1898:			drop_reason = SKB_DROP_REASON_DEV_READY;
1899:			goto drop;
1900:		}
1901:	
1902:		if (frags) {
1903:			u32 headlen;
1904:	
1905:			/* Exercise flow dissector code path. */
1906:			skb_push(skb, ETH_HLEN);
1907:			headlen = eth_get_headlen(tun->dev, skb->data,
1908:						  skb_headlen(skb));
1909:	
1910:			if (unlikely(headlen > skb_headlen(skb))) {
1911:				WARN_ON_ONCE(1);
1912:				err = -ENOMEM;
1913:				dev_core_stats_rx_dropped_inc(tun->dev);
1914:	napi_busy:
1915:				napi_free_frags(&tfile->napi);
1916:				rcu_read_unlock();
1917:				mutex_unlock(&tfile->napi_mutex);
1918:				return err;
1919:			}
1920:	
1921:			if (likely(napi_schedule_prep(&tfile->napi))) {
1922:				local_bh_disable();
1923:				napi_gro_frags(&tfile->napi);
1924:				napi_complete(&tfile->napi);
1925:				local_bh_enable();
1926:			} else {
1927:				err = -EBUSY;
1928:				goto napi_busy;
1929:			}
1930:			mutex_unlock(&tfile->napi_mutex);
1931:		} else if (tfile->napi_enabled) {
1932:			struct sk_buff_head *queue = &tfile->sk.sk_write_queue;
1933:			int queue_len;
1934:	
1935:			spin_lock_bh(&queue->lock);
1936:	
1937:			if (unlikely(tfile->detached)) {
1938:				spin_unlock_bh(&queue->lock);
1939:				rcu_read_unlock();
1940:				err = -EBUSY;
1941:				goto free_skb;
1942:			}
1943:	
1944:			__skb_queue_tail(queue, skb);
1945:			queue_len = skb_queue_len(queue);
1946:			spin_unlock(&queue->lock);
1947:	
1948:			if (!more || queue_len > NAPI_POLL_WEIGHT)
1949:				napi_schedule(&tfile->napi);
1950:	
1951:			local_bh_enable();
1952:		} else if (!IS_ENABLED(CONFIG_4KSTACKS)) {
1953:			tun_rx_batched(tun, tfile, skb, more);
1954:		} else {
1955:			netif_rx(skb);
1956:		}
1957:		rcu_read_unlock();
1958:	
1959:		preempt_disable();
1960:		dev_sw_netstats_rx_add(tun->dev, len);
1961:		preempt_enable();
1962:	
1963:		if (rxhash)
1964:			tun_flow_update(tun, rxhash, tfile);
1965:	
1966:		return total_len;
1967:	
1968:	drop:
1969:		if (err != -EAGAIN)
1970:			dev_core_stats_rx_dropped_inc(tun->dev);
1971:	
1972:	free_skb:
1973:		if (!IS_ERR_OR_NULL(skb))
1974:			kfree_skb_reason(skb, drop_reason);
1975:	
1976:	unlock_frags:
1977:		if (frags) {
1978:			tfile->napi.skb = NULL;
1979:			mutex_unlock(&tfile->napi_mutex);
1980:		}
1981:	
1982:		return err ?: total_len;
1983:	}
 SourceFile:drivers/net/tun.c]

gemini-3-pro-preview

							input: 449610
							output: 42
							thoughts: 76
						

Here's my thought process, as if I were considering this code:

**XDP Flow - A Quick Mental Trace**

Okay, so I'm digging into this `tun_get_user` function... aha! It calls `do_xdp_generic` with an XDP program and the SKB. Now, that's interesting. `do_xdp_generic`... right, that's *GENERIC* XDP. That's a good starting point. I need to understand what happens in that function. My brain is starting to map this out. The next logical step is to see if `do_xdp_generic` triggers an `xdp_master_redirect`. It's possible I suppose, I'll need to confirm that. Let's dive into the guts of `do_xdp_generic` and see exactly what's going on.

map[ContextFile:net/core/dev.c IncludeLines:true Name:do_xdp_generic]

map[SourceCode:5584:	int do_xdp_generic(const struct bpf_prog *xdp_prog, struct sk_buff **pskb)
5585:	{
5586:		struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;
5587:	
5588:		if (xdp_prog) {
5589:			struct xdp_buff xdp;
5590:			u32 act;
5591:			int err;
5592:	
5593:			bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);
5594:			act = netif_receive_generic_xdp(pskb, &xdp, xdp_prog);
5595:			if (act != XDP_PASS) {
5596:				switch (act) {
5597:				case XDP_REDIRECT:
5598:					err = xdp_do_generic_redirect((*pskb)->dev, *pskb,
5599:								      &xdp, xdp_prog);
5600:					if (err)
5601:						goto out_redir;
5602:					break;
5603:				case XDP_TX:
5604:					generic_xdp_tx(*pskb, xdp_prog);
5605:					break;
5606:				}
5607:				bpf_net_ctx_clear(bpf_net_ctx);
5608:				return XDP_DROP;
5609:			}
5610:			bpf_net_ctx_clear(bpf_net_ctx);
5611:		}
5612:		return XDP_PASS;
5613:	out_redir:
5614:		bpf_net_ctx_clear(bpf_net_ctx);
5615:		kfree_skb_reason(*pskb, SKB_DROP_REASON_XDP);
5616:		return XDP_DROP;
5617:	}
 SourceFile:net/core/dev.c]

gemini-3-pro-preview

							input: 450490
							output: 45
							thoughts: 48
						

Okay, let me think this through.

**XDP Function Call Analysis**

Hmm, so `do_xdp_generic` is the entry point, and it's calling `netif_receive_generic_xdp`. That's the first step. Now, I need to trace this further. The real question is: does `netif_receive_generic_xdp` actually get around to calling `bpf_prog_run_xdp`? That's where the BPF magic happens, where the XDP program itself is executed. I need to confirm the call chain. Got to figure out if there's a direct or indirect path through that. This is crucial for understanding how the packet data interacts with the XDP program. It's the core of the whole process.

map[ContextFile:net/core/dev.c IncludeLines:true Name:netif_receive_generic_xdp]

map[SourceCode:5504:	static u32 netif_receive_generic_xdp(struct sk_buff **pskb,
5505:					     struct xdp_buff *xdp,
5506:					     const struct bpf_prog *xdp_prog)
5507:	{
5508:		struct sk_buff *skb = *pskb;
5509:		u32 mac_len, act = XDP_DROP;
5510:	
5511:		/* Reinjected packets coming from act_mirred or similar should
5512:		 * not get XDP generic processing.
5513:		 */
5514:		if (skb_is_redirected(skb))
5515:			return XDP_PASS;
5516:	
5517:		/* XDP packets must have sufficient headroom of XDP_PACKET_HEADROOM
5518:		 * bytes. This is the guarantee that also native XDP provides,
5519:		 * thus we need to do it here as well.
5520:		 */
5521:		mac_len = skb->data - skb_mac_header(skb);
5522:		__skb_push(skb, mac_len);
5523:	
5524:		if (skb_cloned(skb) || skb_is_nonlinear(skb) ||
5525:		    skb_headroom(skb) < XDP_PACKET_HEADROOM) {
5526:			if (netif_skb_check_for_xdp(pskb, xdp_prog))
5527:				goto do_drop;
5528:		}
5529:	
5530:		__skb_pull(*pskb, mac_len);
5531:	
5532:		act = bpf_prog_run_generic_xdp(*pskb, xdp, xdp_prog);
5533:		switch (act) {
5534:		case XDP_REDIRECT:
5535:		case XDP_TX:
5536:		case XDP_PASS:
5537:			break;
5538:		default:
5539:			bpf_warn_invalid_xdp_action((*pskb)->dev, xdp_prog, act);
5540:			fallthrough;
5541:		case XDP_ABORTED:
5542:			trace_xdp_exception((*pskb)->dev, xdp_prog, act);
5543:			fallthrough;
5544:		case XDP_DROP:
5545:		do_drop:
5546:			kfree_skb(*pskb);
5547:			break;
5548:		}
5549:	
5550:		return act;
5551:	}
 SourceFile:net/core/dev.c]

gemini-3-pro-preview

							input: 451527
							output: 47
							thoughts: 50
						

Okay, here's my interpretation of that thought process, tailored for an expert audience:

**XDP Program Execution Flow Inquiry**

Right, let me see... I'm looking at the XDP receive path. `netif_receive_generic_xdp` is the entry point, and my understanding is that it ultimately hands things off to `bpf_prog_run_generic_xdp`. Now, the crucial question here is the internal execution path *within* `bpf_prog_run_generic_xdp`. Specifically, does this function, as part of its normal operation, lead to a call to `xdp_master_redirect`? I'm trying to trace the potential for XDP program logic to directly influence packet redirection and the relationship between this generic runner, and the underlying redirection mechanisms. This is important for understanding the full scope of XDP programmability and the possible interaction between user-space and kernel space packet processing. I need to confirm whether `bpf_prog_run_generic_xdp` truly handles this type of redirect or if it's delegated elsewhere.

map[ContextFile:net/core/dev.c IncludeLines:true Name:bpf_prog_run_generic_xdp]

map[SourceCode:5376:	u32 bpf_prog_run_generic_xdp(struct sk_buff *skb, struct xdp_buff *xdp,
5377:				     const struct bpf_prog *xdp_prog)
5378:	{
5379:		void *orig_data, *orig_data_end, *hard_start;
5380:		struct netdev_rx_queue *rxqueue;
5381:		bool orig_bcast, orig_host;
5382:		u32 mac_len, frame_sz;
5383:		__be16 orig_eth_type;
5384:		struct ethhdr *eth;
5385:		u32 metalen, act;
5386:		int off;
5387:	
5388:		/* The XDP program wants to see the packet starting at the MAC
5389:		 * header.
5390:		 */
5391:		mac_len = skb->data - skb_mac_header(skb);
5392:		hard_start = skb->data - skb_headroom(skb);
5393:	
5394:		/* SKB "head" area always have tailroom for skb_shared_info */
5395:		frame_sz = (void *)skb_end_pointer(skb) - hard_start;
5396:		frame_sz += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
5397:	
5398:		rxqueue = netif_get_rxqueue(skb);
5399:		xdp_init_buff(xdp, frame_sz, &rxqueue->xdp_rxq);
5400:		xdp_prepare_buff(xdp, hard_start, skb_headroom(skb) - mac_len,
5401:				 skb_headlen(skb) + mac_len, true);
5402:		if (skb_is_nonlinear(skb)) {
5403:			skb_shinfo(skb)->xdp_frags_size = skb->data_len;
5404:			xdp_buff_set_frags_flag(xdp);
5405:		} else {
5406:			xdp_buff_clear_frags_flag(xdp);
5407:		}
5408:	
5409:		orig_data_end = xdp->data_end;
5410:		orig_data = xdp->data;
5411:		eth = (struct ethhdr *)xdp->data;
5412:		orig_host = ether_addr_equal_64bits(eth->h_dest, skb->dev->dev_addr);
5413:		orig_bcast = is_multicast_ether_addr_64bits(eth->h_dest);
5414:		orig_eth_type = eth->h_proto;
5415:	
5416:		act = bpf_prog_run_xdp(xdp_prog, xdp);
5417:	
5418:		/* check if bpf_xdp_adjust_head was used */
5419:		off = xdp->data - orig_data;
5420:		if (off) {
5421:			if (off > 0)
5422:				__skb_pull(skb, off);
5423:			else if (off < 0)
5424:				__skb_push(skb, -off);
5425:	
5426:			skb->mac_header += off;
5427:			skb_reset_network_header(skb);
5428:		}
5429:	
5430:		/* check if bpf_xdp_adjust_tail was used */
5431:		off = xdp->data_end - orig_data_end;
5432:		if (off != 0) {
5433:			skb_set_tail_pointer(skb, xdp->data_end - xdp->data);
5434:			skb->len += off; /* positive on grow, negative on shrink */
5435:		}
5436:	
5437:		/* XDP frag metadata (e.g. nr_frags) are updated in eBPF helpers
5438:		 * (e.g. bpf_xdp_adjust_tail), we need to update data_len here.
5439:		 */
5440:		if (xdp_buff_has_frags(xdp))
5441:			skb->data_len = skb_shinfo(skb)->xdp_frags_size;
5442:		else
5443:			skb->data_len = 0;
5444:	
5445:		/* check if XDP changed eth hdr such SKB needs update */
5446:		eth = (struct ethhdr *)xdp->data;
5447:		if ((orig_eth_type != eth->h_proto) ||
5448:		    (orig_host != ether_addr_equal_64bits(eth->h_dest,
5449:							  skb->dev->dev_addr)) ||
5450:		    (orig_bcast != is_multicast_ether_addr_64bits(eth->h_dest))) {
5451:			__skb_push(skb, ETH_HLEN);
5452:			skb->pkt_type = PACKET_HOST;
5453:			skb->protocol = eth_type_trans(skb, skb->dev);
5454:		}
5455:	
5456:		/* Redirect/Tx gives L2 packet, code that will reuse skb must __skb_pull
5457:		 * before calling us again on redirect path. We do not call do_redirect
5458:		 * as we leave that up to the caller.
5459:		 *
5460:		 * Caller is responsible for managing lifetime of skb (i.e. calling
5461:		 * kfree_skb in response to actions it cannot handle/XDP_DROP).
5462:		 */
5463:		switch (act) {
5464:		case XDP_REDIRECT:
5465:		case XDP_TX:
5466:			__skb_push(skb, mac_len);
5467:			break;
5468:		case XDP_PASS:
5469:			metalen = xdp->data - xdp->data_meta;
5470:			if (metalen)
5471:				skb_metadata_set(skb, metalen);
5472:			break;
5473:		}
5474:	
5475:		return act;
5476:	}
 SourceFile:net/core/dev.c]

gemini-3-pro-preview

							input: 453681
							output: 40
							thoughts: 1752
						

**XDP and Bonding: A Crash Course (Literally!)**

Okay, so I've been digging into this XDP interaction with bonded interfaces, and I think I've got it figured out. My initial thought process was: `bpf_prog_run_generic_xdp` calls `bpf_prog_run_xdp`, and that leads to `xdp_master_redirect`. This makes sense, because I know `bpf_prog_run_generic_xdp` initializes `xdp->rxq` using `rxqueue->xdp_rxq`. And `rxqueue` is determined by `netif_get_rxqueue(skb)`, which translates to `skb->dev->_rx + skb_get_rx_queue(skb)`. Therefore, `xdp->rxq->dev` is the same as `skb->dev`, and since `skb->dev` is `tun->dev`, the crucial question becomes: Is `tun->dev` a bond slave? And, yes, it is, because I explicitly enslaved it to `bond0`!

Consequently, `netif_is_bond_slave(xdp->rxq->dev)` should return true. This means `xdp_master_redirect` is definitely going to be called, which, in turn, invokes `bond_xdp_get_xmit_slave`. This, I predict, is where the whole thing crashes. I've seen it, I know it. It's a textbook case of bad interaction.

But, hang on, why didn't it crash in my previous run? I've got to retrace my steps. Okay, let's see what happened previously. I can see from the trace that I set up `bond0`, added `syz_tun` as a slave, loaded the XDP program, created the link, and then brought the `syz_tun` interface up with `ioctl$sock_ifreq`. And then there's the `syz_emit_ethernet` call.

Okay, so why didn't the crash happen? I'm betting that the packet never actually went out with `syz_emit_ethernet`. I wonder if this means the packet was simply dropped or never triggered the bpf program. Let's think, `syz_emit_ethernet` sends packets to `syz_tun`. But is `syz_tun` actually up? Wait, yes, I set it UP. `ioctl$sock_ifreq(r2, 0x8914, &(0x7f0000000340)={'syz_tun\x00', @ifru_flags=0x1})`.

Aha! `syz_emit_ethernet` writes to the `/dev/net/tun` file descriptor. So that triggers `tun_get_user`. This means `tun_get_user` calls `do_xdp_generic`!

```c
	if (skb_xdp) {
		struct bpf_prog *xdp_prog;
		int ret;

		local_bh_disable();
		rcu_read_lock();
		xdp_prog = rcu_dereference(tun->xdp_prog);
		if (xdp_prog) {
			ret = do_xdp_generic(xdp_prog, &skb);
```
But wait! Look at this, `xdp_prog = rcu_dereference(tun->xdp_prog)`. Is `tun->xdp_prog` actually set? Remember, I attached the XDP program to `bond0`, so it would've called `bond_xdp_set`. Then, `bond_xdp_set` called `dev_xdp_propagate(slave_dev, &xdp)`. That, in turn, invoked `slave_dev->netdev_ops->ndo_bpf(slave_dev, xdp)`. And for `syz_tun`, `ndo_bpf` is `tun_xdp`. I need to look closer at what `tun_xdp` does. So *that's* why it didn't crash.

map[ContextFile:drivers/net/tun.c IncludeLines:true Name:tun_xdp]

map[SourceCode:1156:	static int tun_xdp(struct net_device *dev, struct netdev_bpf *xdp)
1157:	{
1158:		switch (xdp->command) {
1159:		case XDP_SETUP_PROG:
1160:			return tun_xdp_set(dev, xdp->prog, xdp->extack);
1161:		default:
1162:			return -EINVAL;
1163:		}
1164:	}
 SourceFile:drivers/net/tun.c]

gemini-3-pro-preview

							input: 456559
							output: 42
							thoughts: 12
						

Okay, here's my attempt at summarizing that thought process, keeping in mind I'm speaking to a fellow expert:

**Investigating `tun_xdp_set`**

Alright, time to dive in. Let's start with a quick check on `tun_xdp_set`. We've been using it, so it's probably best to just run through the code and documentation to make sure we are not missing anything. I need to make sure I am comfortable with everything we have done.

map[ContextFile:drivers/net/tun.c IncludeLines:true Name:tun_xdp_set]

map[SourceCode:1126:	static int tun_xdp_set(struct net_device *dev, struct bpf_prog *prog,
1127:			       struct netlink_ext_ack *extack)
1128:	{
1129:		struct tun_struct *tun = netdev_priv(dev);
1130:		struct tun_file *tfile;
1131:		struct bpf_prog *old_prog;
1132:		int i;
1133:	
1134:		old_prog = rtnl_dereference(tun->xdp_prog);
1135:		rcu_assign_pointer(tun->xdp_prog, prog);
1136:		if (old_prog)
1137:			bpf_prog_put(old_prog);
1138:	
1139:		for (i = 0; i < tun->numqueues; i++) {
1140:			tfile = rtnl_dereference(tun->tfiles[i]);
1141:			if (prog)
1142:				sock_set_flag(&tfile->sk, SOCK_XDP);
1143:			else
1144:				sock_reset_flag(&tfile->sk, SOCK_XDP);
1145:		}
1146:		list_for_each_entry(tfile, &tun->disabled, next) {
1147:			if (prog)
1148:				sock_set_flag(&tfile->sk, SOCK_XDP);
1149:			else
1150:				sock_reset_flag(&tfile->sk, SOCK_XDP);
1151:		}
1152:	
1153:		return 0;
1154:	}
 SourceFile:drivers/net/tun.c]

gemini-3-pro-preview

							input: 457210
							output: 42
							thoughts: 932
						

**XDP, Bonds, and the Elusive Crash**

Okay, so `tun_xdp_set` is definitely setting `tun->xdp_prog`. That's good. Which means `tun->xdp_prog` *is* initialized. And, as I remember, `tun_get_user` then calls `do_xdp_generic` with that `xdp_prog` argument, passing in the skb. The nagging question that I need to resolve is whether the code path for redirect is actually being taken.

Right, `do_xdp_generic` is indeed the GENERIC XDP handler. But *does* it call `xdp_master_redirect`? Let's verify. Checking the code block... no, `do_xdp_generic` doesn't directly call `xdp_master_redirect`. It calls `netif_receive_generic_xdp`, which in turn then processes the returned action. It can call `xdp_do_generic_redirect` but not master redirect, which makes sense.

Aha! `xdp_master_redirect` is only called from `bpf_prog_run_xdp`. Let's confirm that. Digging into `bpf_prog_run_xdp`, there it is! And, if `act == XDP_TX` AND we have a bond slave, then `xdp_master_redirect` *is* called. This means that we end up calling `bond_xdp_get_xmit_slave`, which calls `bond_xdp_xmit_roundrobin_slave_get`. And *that* accesses `bond->rr_tx_counter`.

So, the critical path is definitely there. Now the next question: Why didn't it crash? The syzkaller code *should* be reaching this point, and I was expecting a null pointer dereference. Did the bonding device exist but it was UP somehow? Let's check the device state: I deleted and recreated `bond0`. When a bond is created, isn't it DOWN by default? Yes, it *is* down by default!

Okay, let's back up. Maybe `syz_emit_ethernet` isn't actually sending the packet to the `tun` device, even though it's writing to the file descriptor. Does `tun_get_user` get called? Yes. And does `tun_get_user` call `do_xdp_generic`? It does, but only if `skb_xdp` is 1! Now, that's interesting...

Wait a second. I remember that the `tun_build_skb` function might actually set `skb_xdp` to 0! I've been assuming that skb_xdp stays at 1, but I need to check. Going to check the code!

map[ContextFile:drivers/net/tun.c IncludeLines:true Name:tun_build_skb]

map[SourceCode:1596:	static struct sk_buff *tun_build_skb(struct tun_struct *tun,
1597:					     struct tun_file *tfile,
1598:					     struct iov_iter *from,
1599:					     struct virtio_net_hdr *hdr,
1600:					     int len, int *skb_xdp)
1601:	{
1602:		struct page_frag *alloc_frag = &current->task_frag;
1603:		struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;
1604:		struct bpf_prog *xdp_prog;
1605:		int buflen = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
1606:		char *buf;
1607:		size_t copied;
1608:		int pad = TUN_RX_PAD;
1609:		int metasize = 0;
1610:		int err = 0;
1611:	
1612:		rcu_read_lock();
1613:		xdp_prog = rcu_dereference(tun->xdp_prog);
1614:		if (xdp_prog)
1615:			pad += XDP_PACKET_HEADROOM;
1616:		buflen += SKB_DATA_ALIGN(len + pad);
1617:		rcu_read_unlock();
1618:	
1619:		alloc_frag->offset = ALIGN((u64)alloc_frag->offset, SMP_CACHE_BYTES);
1620:		if (unlikely(!skb_page_frag_refill(buflen, alloc_frag, GFP_KERNEL)))
1621:			return ERR_PTR(-ENOMEM);
1622:	
1623:		buf = (char *)page_address(alloc_frag->page) + alloc_frag->offset;
1624:		copied = copy_page_from_iter(alloc_frag->page,
1625:					     alloc_frag->offset + pad,
1626:					     len, from);
1627:		if (copied != len)
1628:			return ERR_PTR(-EFAULT);
1629:	
1630:		/* There's a small window that XDP may be set after the check
1631:		 * of xdp_prog above, this should be rare and for simplicity
1632:		 * we do XDP on skb in case the headroom is not enough.
1633:		 */
1634:		if (hdr->gso_type || !xdp_prog) {
1635:			*skb_xdp = 1;
1636:			return __tun_build_skb(tfile, alloc_frag, buf, buflen, len,
1637:					       pad, metasize);
1638:		}
1639:	
1640:		*skb_xdp = 0;
1641:	
1642:		local_bh_disable();
1643:		rcu_read_lock();
1644:		bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);
1645:		xdp_prog = rcu_dereference(tun->xdp_prog);
1646:		if (xdp_prog) {
1647:			struct xdp_buff xdp;
1648:			u32 act;
1649:	
1650:			xdp_init_buff(&xdp, buflen, &tfile->xdp_rxq);
1651:			xdp_prepare_buff(&xdp, buf, pad, len, true);
1652:	
1653:			act = bpf_prog_run_xdp(xdp_prog, &xdp);
1654:			if (act == XDP_REDIRECT || act == XDP_TX) {
1655:				get_page(alloc_frag->page);
1656:				alloc_frag->offset += buflen;
1657:			}
1658:			err = tun_xdp_act(tun, xdp_prog, &xdp, act);
1659:			if (err < 0) {
1660:				if (act == XDP_REDIRECT || act == XDP_TX)
1661:					put_page(alloc_frag->page);
1662:				goto out;
1663:			}
1664:	
1665:			if (err == XDP_REDIRECT)
1666:				xdp_do_flush();
1667:			if (err != XDP_PASS)
1668:				goto out;
1669:	
1670:			pad = xdp.data - xdp.data_hard_start;
1671:			len = xdp.data_end - xdp.data;
1672:	
1673:			/* It is known that the xdp_buff was prepared with metadata
1674:			 * support, so the metasize will never be negative.
1675:			 */
1676:			metasize = xdp.data - xdp.data_meta;
1677:		}
1678:		bpf_net_ctx_clear(bpf_net_ctx);
1679:		rcu_read_unlock();
1680:		local_bh_enable();
1681:	
1682:		return __tun_build_skb(tfile, alloc_frag, buf, buflen, len, pad,
1683:				       metasize);
1684:	
1685:	out:
1686:		bpf_net_ctx_clear(bpf_net_ctx);
1687:		rcu_read_unlock();
1688:		local_bh_enable();
1689:		return NULL;
1690:	}
 SourceFile:drivers/net/tun.c]

gemini-3-pro-preview

							input: 460403
							output: 928
							thoughts: 8106
						

**The XDP Crash Discovery**

Okay, so the `tun_build_skb` function seems to be the critical entry point, calling `bpf_prog_run_xdp` directly. And, crucially, it's using `&tfile->xdp_rxq`. I need to make sure this `xdp_rxq` is properly registered and available. The `tun_attach` call handles the registration, thankfully.

Now, because `bpf_prog_run_xdp` is called, this means that `xdp_master_redirect` is also called. The check for bond slaves is important:
```c
	if (static_branch_unlikely(&bpf_master_redirect_enabled_key)) {
		if (act == XDP_TX && netif_is_bond_slave(xdp->rxq->dev))
			act = xdp_master_redirect(xdp);
	}
```
If `xdp->rxq->dev` is a bond slave and  `bpf_master_redirect_enabled_key` is enabled, then `xdp_master_redirect` _will_ be called. Now I remember that `syz_tun` (the tun device) is enslaved to `bond0`. That makes `netif_is_bond_slave` TRUE. So `xdp_master_redirect` will be called.

This leads to `bond_xdp_get_xmit_slave`, which could crash!

But wait, if it didn't crash, perhaps `bpf_master_redirect_enabled_key` is not enabled? I recall that `bond_xdp_set` is called when I attach the XDP program to `bond0`. Let's check `bond_xdp_set`:
```c
	bond_for_each_slave(bond, slave, iter) {
		struct net_device *slave_dev = slave->dev;

		if (!slave_dev->netdev_ops->ndo_bpf ||
		    !slave_dev->netdev_ops->ndo_xdp_xmit) {
			SLAVE_NL_ERR(dev, slave_dev, extack,
				     "Slave device does not support XDP");
			err = -EOPNOTSUPP;
			goto err;
		}
```
The tun device, `syz_tun`, *should* have both `ndo_bpf` and `ndo_xdp_xmit` because it's a TAP device. This also means that `dev_xdp_propagate` is then called. That, in turn, calls `tun_xdp_set`. So `bond_xdp_set` *should* succeed, and therefore `bpf_master_redirect_enabled_key` *should* be incremented.

But wait, what if `syz_tun` is a TUN device? The key difference is how syzkaller creates it:  `syz_emit_ethernet` creates it on demand, and this implies it’s a TAP device, as it's created during setup. Yes, syzkaller does create `syz_tun` during setup, so it is a TAP device.

So, why didn't it crash? Hmm, maybe `bond0` was up? I recall deleting and recreating `bond0`. When `bond0` is created, it's down by default. So, after I set it to ROUNDROBIN mode, enslave `syz_tun`, and attach the XDP program, it should still be down. I set `syz_tun` up, but that doesn't make `bond0` up. `syz_emit_ethernet` writes to the `tunfd` (for `syz_tun`), which calls `tun_get_user` and then `bpf_prog_run_xdp`. That calls `xdp_master_redirect`, which calls `bond_xdp_get_xmit_slave`, which calls `bond_xdp_xmit_roundrobin_slave_get`. This accesses `bond->rr_tx_counter`. But, since `bond0` is down, that is `NULL`. **CRASH!**

It's not crashing because `tun_get_user` has a check:
```c
	rcu_read_lock();
	if (unlikely(!(tun->dev->flags & IFF_UP))) {
		err = -EIO;
		rcu_read_unlock();
		drop_reason = SKB_DROP_REASON_DEV_READY;
		goto drop;
	}
```
This check happens AFTER

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f0000000080)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000100)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000140)={'syz_tun\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+syz_tun\x00', 9)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000340)={'syz_tun\x00', @ifru_flags=0x1})
syz_emit_ethernet(0xe, &(0x7f0000000380)={@empty, @empty, @void, {@generic={0x800, ""}}}, 0x0)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 470487
							output: 928
							thoughts: 4495
						

**Analyzing the Unexpected Absence of a Crash: A Deep Dive into XDP and Bonding**

Okay, so the program didn't crash. That's not good, because based on my initial analysis, it *should* have crashed. Let's retrace the steps, starting from the point where the Ethernet packet is supposedly emitted and the XDP program is supposed to be redirecting it, and see where the logic breaks down.

The core of the problem seems to revolve around `xdp_master_redirect` and the `bond` device's state. `syz_emit_ethernet` is writing to `tunfd`, which corresponds to `syz_tun`, which is a TAP device, enslaved to `bond0`, and the `bond` device is configured to use the Round Robin mode. Inside `tun_get_user`, after IFF_UP check, the code calls `do_xdp_generic`. I know that at some point, `xdp_master_redirect` *should* be called, and if it's called, and the `bond0` device is down and it's accessing an uninitialized variable, that should result in a crash because of invalid memory access.

I see that `netif_receive_generic_xdp` calls `bpf_prog_run_generic_xdp` which calls `bpf_prog_run_xdp` which *does* call `xdp_master_redirect` . I know `xdp_master_redirect` should return `XDP_REDIRECT`. The chain of calls suggests `do_xdp_generic` will see `XDP_REDIRECT` and therefore should call `xdp_do_generic_redirect` to redirect packets.

So, if `xdp_master_redirect` is called, and the bond device is DOWN, there *should* be a crash. But there wasn't. Clearly, I'm missing something.

The crucial link is the `bond->rr_tx_counter`. If `bond0` is down, `bond->rr_tx_counter` is NULL. That's the pointer that causes the crash. But it's not crashing...

Okay, let's step back. I created `bond0` with `+bond0`. It *should* be DOWN by default. I haven't explicitly brought it UP. Did the syzkaller bring it up? I enslaved `syz_tun` to `bond0`. Did *that* succeed? I set `syz_tun` DOWN before enslaving. But syzkaller sets `syz_tun` up. Does `bond_enslave` succeed? If it were a TUN device, it wouldn't have `ndo_bpf` and `ndo_xdp_xmit`, so enslavement would succeed but `bond_xdp_set` would fail. I checked, and `syz_tun` is a TAP device. So, it *should* have `ndo_bpf` and `ndo_xdp_xmit`.

If it *has* those, then `bond_xdp_set` should succeed, meaning `bpf_master_redirect_enabled_key` *would* get incremented, so the crash should have happened. Let's make sure `bond_xdp_set` hasn't failed due to another reason by checking `bpf_xdp_link_attach`. I'm setting the bond to ROUNDROBIN mode. Was that successful? I used `write` to set the mode, using `"0"`. `bond_parse_option` will handle that, so the mode is ROUNDROBIN.

Wait, maybe `syz_emit_ethernet` didn't actually *send* the packet if `syz_tun` was down. I set `syz_tun` UP, so it should be sending the packet. But there's a check in `tun_get_user`! It checks `IFF_UP`, but after the packet has been built by `tun_build_skb`. So it should have reached the part where the XDP program is run even if it was down. And the `tun_can_build_skb` function seems fine. The `xdp_prog` in `tun_build_skb` could be NULL. The XDP program is attached by `bpf$BPF_LINK_CREATE_XDP` and takes arguments. `r4` is the BPF program FD. `r5` is the ifindex for `bond0`. I use `ioctl$sock_SIOCGIFINDEX` to find it. Now, what if `bpf$PROG_LOAD` failed? I check the arguments and it seems correct. Both the loadable program and the expected attach type look

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f0000000080)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000100)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000140)={'syz_tun\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+syz_tun\x00', 9)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000340)={'syz_tun\x00', @ifru_flags=0x1})
syz_emit_ethernet(0xe, &(0x7f0000000380)={@empty, @empty, @void, {@generic={0x800, ""}}}, 0x0)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 476960
							output: 981
							thoughts: 6262
						

**The Case of the Non-Crashing Bonded XDP Program**

Okay, so the program *should* crash, but it's not. Time to dissect this step-by-step. First, a sanity check: I verify that the BPF program loaded successfully and the bond interface (`bond0`) exists, then I set the round-robin bonding mode, bring down the tun device, and enslave it to bond0.  Then I set up the XDP program on the bond, bring the tun device back up and send a packet. The BPF program returns `XDP_TX` so the packet gets sent.  Based on my knowledge, because I set the bond down after creating it, and it has no slaves, I expect a crash when the packet attempts to use an invalid `rr_tx_counter` pointer.

I check that the necessary functions are being called, and I confirm the conditions that SHOULD lead to the crash: `xdp_master_redirect` is called, it correctly identifies `syz_tun` as a bond slave, and `bond_xdp_get_xmit_slave` gets invoked. It checks for all possible bond slave selection scenarios, but in round-robin mode (which I have chosen), the crucial call is `bond_xdp_xmit_roundrobin_slave_get`. This function does indeed attempt to access `bond->rr_tx_counter` and I do not set the bond up! And `bond->rr_tx_counter` SHOULD be NULL in the round-robin mode!

I review the `tun_build_skb` function again, to make sure nothing prevents the packet from actually making it to `bpf_prog_run_xdp`. I ensure the device is being correctly identified as a bond slave and that the `bpf_master_redirect_enabled_key` is incremented.

Then it hits me: *bond0* is already up by default in syzkaller.

I had assumed that `+bond0` created a new *down* interface.  BUT it seems to rename bond0, it can't rename an *up* interface! Because the interface is UP, renaming to `nicvf0` *fails*.  Then when I write `+bond0`, it DOES NOT fail, because `bond0` already exists. Thus, the bonding setup works, but I am attempting to set the *existing* `bond0` as a slave. Because the device is UP by default, the crash does NOT happen because the counter IS allocated already! I need to ensure that the interface is DOWN to ensure the crash.

The solution is to add a `SIOCSIFFLAGS` call to set `bond0` DOWN *before* attempting the rename.  Then the interface will be DOWN, so the crash should happen.

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000140)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000180)={'syz_tun\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000200)='+syz_tun\x00', 9)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x6, 0x2, &(0x7f0000000280)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'syz_tun\x00', @ifru_flags=0x1})
syz_emit_ethernet(0xe, &(0x7f00000003c0)={@empty, @empty, @void, {@generic={0x800, ""}}}, 0x0)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 484824
							output: 1065
							thoughts: 9740
						

**The Path to the Crash: A Syzkaller Journey**

Okay, so the initial program didn't crash. Time to dive deep. First, that `bond0` rename seemed to work; `nicvf0` is present in the device name list. And a *new* `bond0` was created. But wait, what if the `bonding` module isn't loaded? Syzkaller should load it, though, and `bond0` *does* exist. It can't be stuck in an unregister queue either, because I *renamed* bond0, so the new bond0 should create immediately! But *why* no crash?

Then, the `syz_tun` device. Is it actually a TAP device? I need to look at `executor/common_linux.h`. Yup, `syz_tun` is created with `IFF_TAP | IFF_NO_PI`. But wait... the `syz_emit_ethernet` function *always* prepends a `virtio_net_hdr`! Is this expected? Checking again, the `IFF_VNET_HDR` flag isn't set for the `tun` device. *That's* the issue. The kernel doesn't expect the header. So, the packet data is shifted. `eth_type_trans` sees zeros at the start, making the MAC header invalid. Then, `do_xdp_generic` is called!

But where is it called from? From `tun_build_skb`, and it calls `bpf_prog_run_xdp`. Now the XDP program. I loaded a simple "return XDP_TX" program. It doesn't read packet contents. So I *should* get `XDP_TX` from it regardless. *Why no crash then?*

Maybe `tun_build_skb` wasn't even called? `tun_can_build_skb` checks, and it *should* return true. `gso->gso_type` is 0. So it *should* proceed to `bpf_prog_run_xdp`.

The vital point: this is where the magic should happen. `bpf_prog_run_xdp` *does* call `xdp_master_redirect`, which calls `bond_xdp_get_xmit_slave`. *This* calls `bond->rr_tx_counter`, which is a per-CPU variable! A NULL pointer dereference *must* crash the kernel if `rr_tx_counter` is NULL.

But wait, why *wouldn't* it be NULL?

`rr_tx_counter` is allocated in `bond_open`. Is *that* called? My program does not set `bond0` UP. But Syzkaller *should* have done that already! When a bond device is created, it is DOWN! After I deleted and recreated the device, it stays down. So that’s where the error should come from, `rr_tx_counter` is null!

What if `xdp_master_redirect` is not called?`master` should not be null! `bond_netdev_ops` *has* `ndo_xdp_get_xmit_slave` defined. It should be called!

Wait...what about `syz_emit_ethernet`? Does it *fail*?  Maybe `writev` fails. Why? Because the device isn't opened. No. This function *opens* and creates `tunfd`, attaches `syz_tun`. But `syz_emit_ethernet` opens a new `/dev/net/tun` *each time*, so the first one from initialization is not used, so it is a local variable, not global. Is `xdp_rxq` correctly registered? Yes.

But wait. If I try to attach this new `tunfd`, it would fail due to `-EBUSY` because I already created a `syz_tun` device at init, which does not have `IFF_MULTI_QUEUE` and therefore cannot be re-used.

So, `syz_emit_ethernet` fails and *that* is why there is no crash. The key is to find another method to send packets!

So, `AF_PACKET` sockets? It should be possible to send data over a `sockaddr_ll` socket. That failed earlier, but the `sockaddr_ll` construction may be wrong. Maybe some syzkaller syntax confusion, specifically about `len` fields. It’s about the `sll_addr`, `halen` are omitted. I can just `sendto` without `bind`. I just need the correct structure of a `sockaddr_ll`!

Or

bad string value "my_tun\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", expect ["\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "lo\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "tunl0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "gre0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "gretap0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip_vti0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6_vti0\x00\x00\x00\x00\x00\x00\x00\x00" "sit0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6tnl0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6gre0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6gretap0\x00\x00\x00\x00\x00\x00" "bond0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "dummy0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "nr0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "rose0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "erspan0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "vlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "bridge0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "vcan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "team0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "syz_tun\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_to_bridge\x00" "veth1_to_bridge\x00" "veth0_to_bond\x00\x00\x00" "veth1_to_bond\x00\x00\x00" "veth0_to_team\x00\x00\x00" "veth1_to_team\x00\x00\x00" "bridge_slave_0\x00\x00" "bridge_slave_1\x00\x00" "bond_slave_0\x00\x00\x00\x00" "bond_slave_1\x00\x00\x00\x00" "team_slave_0\x00\x00\x00\x00" "team_slave_1\x00\x00\x00\x00" "syzkaller0\x00\x00\x00\x00\x00\x00" "syzkaller1\x00\x00\x00\x00\x00\x00" "veth0_to_hsr\x00\x00\x00\x00" "veth1_to_hsr\x00\x00\x00\x00" "hsr0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ip6erspan0\x00\x00\x00\x00\x00\x00" "vxcan1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "caif0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "batadv0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_to_batadv\x00" "veth1_to_batadv\x00" "batadv_slave_0\x00\x00" "batadv_slave_1\x00\x00" "netdevsim0\x00\x00\x00\x00\x00\x00" "netpci0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "nicvf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "xfrm0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_virt_wifi\x00" "veth1_virt_wifi\x00" "virt_wifi0\x00\x00\x00\x00\x00\x00" "veth0_vlan\x00\x00\x00\x00\x00\x00" "veth1_vlan\x00\x00\x00\x00\x00\x00" "vlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "vlan1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "macvlan0\x00\x00\x00\x00\x00\x00\x00\x00" "macvlan1\x00\x00\x00\x00\x00\x00\x00\x00" "ipvlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "ipvlan1\x00\x00\x00\x00\x00\x00\x00\x00\x00" "veth0_macvtap\x00\x00\x00" "veth1_macvtap\x00\x00\x00" "macvtap0\x00\x00\x00\x00\x00\x00\x00\x00" "macsec0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "geneve0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "geneve1\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wg0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wg1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wg2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wlan0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "wlan1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "dvmrp0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "dvmrp1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pimreg\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pimreg0\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pimreg1\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pim6reg\x00\x00\x00\x00\x00\x00\x00\x00\x00" "pim6reg0\x00\x00\x00\x00\x00\x00\x00\x00" "pim6reg1\x00\x00\x00\x00\x00\x00\x00\x00"]
line #8:63: ioctl$TUNSETIFF(r8, 0x400454ca, &(0x7f0000000180)={'my_tun\x00'<<<!!ERROR!!>>>, @ifru_flags=0x1002})

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f0000000080)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000100)='0\x00', 2)
r8 = openat(0xffffffffffffff9c, &(0x7f0000000140)='/dev/net/tun\x00', 0x2, 0x0)
ioctl$TUNSETIFF(r8, 0x400454ca, &(0x7f0000000180)={'my_tun\x00', @ifru_flags=0x1002})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000001c0)={'my_tun\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000200)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000240)='+my_tun\x00', 8)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x6, 0x2, &(0x7f00000002c0)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000300)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000340)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000380)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'my_tun\x00', @ifru_flags=0x1})
write(r8, &(0x7f0000000400)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 14)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 499842
							output: 1069
							thoughts: 370
						

**Device Name Shenanigans**

Okay, so I'm trying to figure out the right device name here. It looks like `my_tun` isn't available, and `syz_tun` is a no-go since it's already in use. `tunl0` is an IP tunnel, so that's not what I need, and `dummy0` is a dummy device, not suitable either. I'm thinking, I can use *any* name from `devnames` that isn't already created by syzkaller.

Hmm, let me consider what is currently free. `nicvf0` is related to `bond0`, and that is used for another rename. What about `netpci0`? Or how about `vcan0`?

Wait a second...I'm using `TUNSETIFF`. That *creates* a TUN/TAP device. So the name isn't really restricted. The routine I'm calling seems like it will take *any* name. Ah, but that's a risky assumption. `vcan0` is already created as a CAN device by syzkaller. If I try to use that with `TUNSETIFF` it might error with `EBUSY` or `EEXIST`.

I need to find a name from `devnames` that is truly *not* created by syzkaller. Let me see...I see `"nr0"`, `"rose0"`, `"erspan0"`, `"ip6erspan0"`, `"netpci0"`, `"dvmrp0"`, `"pimreg"`. Alright, I think `netpci0` is the best bet here. Let's go with that.

Okay, let's try calling `ioctl$TUNSETIFF` with `netpci0`. Let's test this!

wrong union arg for "tun_setiff_flags"
line #8:66: ioctl$TUNSETIFF(r8, 0x400454ca, &(0x7f0000000180)={'netpci0\x00', <<<!!ERROR!!>>>@ifru_flags=0x1002})

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f0000000080)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000100)='0\x00', 2)
r8 = openat(0xffffffffffffff9c, &(0x7f0000000140)='/dev/net/tun\x00', 0x2, 0x0)
ioctl$TUNSETIFF(r8, 0x400454ca, &(0x7f0000000180)={'netpci0\x00', @ifru_flags=0x1002})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000001c0)={'netpci0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000200)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000240)='+netpci0\x00', 8)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x6, 0x2, &(0x7f00000002c0)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000300)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000340)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000380)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'netpci0\x00', @ifru_flags=0x1})
write(r8, &(0x7f0000000400)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 14)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 501773
							output: 1064
							thoughts: 148
						

**Debugging the TUNSETIFF IOCTL Call**

Okay, so I see this `TUNSETIFF` call, and immediately the signature jumps out at me: it's expecting `ifreq_t[flags[tun_setiff_flags, int16]]`. I almost reflexively reached for `sys.txt` to double-check the definition of `TUNSETIFF`, but the error message itself gives me the crucial hint: `tun_setiff_flags`. Right, that's what I need to focus on.

The problem seems to be with the `flags` field of the `ifreq_t` structure. I need to make sure I'm passing the correct value here. The error likely means my current value isn't what the kernel is expecting. Hmm... given the context, a likely value seems to be `0x1002`, given the reference within the code.

Alright, let's just try supplying `0x1002` directly for the `flags`. It's a quick fix to test, and hopefully will resolve the issue and allow me to proceed. Time to see if this solves the problem!

call #6 openat: escaping filename "/dev/net/tun\x00"

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f0000000080)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000100)='0\x00', 2)
r8 = openat(0xffffffffffffff9c, &(0x7f0000000140)='/dev/net/tun\x00', 0x2, 0x0)
ioctl$TUNSETIFF(r8, 0x400454ca, &(0x7f0000000180)={'netpci0\x00', 0x1002})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000001c0)={'netpci0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000200)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000240)='+netpci0\x00', 8)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x6, 0x2, &(0x7f00000002c0)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000300)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000340)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000380)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'netpci0\x00', @ifru_flags=0x1})
write(r8, &(0x7f0000000400)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 14)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 503262
							output: 1231
							thoughts: 5154
						

**XDP Packet Injection via veth and Bond**

Okay, so the initial plan of using `openat` and `/dev/net/tun` looks like a dead end – escaping the sandbox directly via `syz_open_dev$tun` or similar doesn't seem viable with the current syzkaller setup. I quickly confirmed that `sys.txt` doesn't define a direct route to `openat$tun`. The `syz_emit_ethernet` call, which *does* open `/dev/net/tun`, presents another issue. It looks like the program fails because `syz_tun` is not multi-queue, and attempting to re-configure it within `syz_emit_ethernet` fails. That being said, I remember this could be a known issue in syzkaller.

Using `sendto` on an `AF_PACKET` socket to inject directly into `syz_tun`'s RX path sounds better! Although, I had issues with `sockaddr_ll` structures before. I know the `sockaddr_ll` struct has a `len` field that can be omitted from the struct, and it needs to be an array, which could lead to some type confusion. However, I got tripped up with `UnionType` because I was expecting a union as a field, when there really wasn't a 7th field. However, even if `sockaddr_ll` was correct, I wouldn't be able to easily reach the `tunfd`. I'd need to bypass the `bind` altogether.

However, I can't `write` to the `tunfd` directly to inject packets, because it's a local variable in the executor, and thus I can't access it. Furthermore, it's created as a non-multi-queue interface, so even with the file descriptor, this isn't possible. The whole purpose of `syz_emit_ethernet` is to send packets, and it's currently broken as-is.

So, let's look at `sendto` over an `AF_INET` socket, specifically UDP, to broadcast traffic to all interfaces. This *might* work, if the packet would be routed to `syz_tun`, but `syz_tun` won't trigger XDP programs. The real challenge is triggering XDP programs. The way to trigger XDP is with a RECEIVED packet on the interface that the XDP program is attached to! Since I don't have access to the `tunfd`, I can't write to it.

Then, I've got it! I can use `veth`! I can create a virtual ethernet pair where packets sent on one end are received on the other. This allows me to use `veth1` and `veth0`. By using `sendto` over `veth1`, I can send packets on `veth1`, and `veth0` will receive them. `veth0` will run the XDP program. I don't need `AF_PACKET` after all, I can use `AF_INET` and `sendto` a UDP packet directly. I can set the IP addresses so that packets are routed to `veth0`.

I can implement the following steps:
1.  Rename `bond0` to `nicvf0`.
2.  Create new `bond0`.
3.  Set `bond0` mode to `ROUNDROBIN`.
4.  Set `veth0` `DOWN`.
5.  Enslave `veth0` to `bond0`.
6.  Load XDP program.
7.  Attach XDP program to `bond0`.
8.  Set `veth0` `UP`.
9.  Set `veth1` `UP`.
10. Assign IP `10.0.0.1` to `veth0`.
11. Assign IP `10.0.0.2` to `veth1`.
12. Create UDP socket.
13. Bind UDP socket to `veth1`.
14. Send UDP packet to `10.0.0.1`.

Now, I can refine the syzkaller program to implement this strategy. I need to make sure the IP addresses are correct. I know that `private` in `ipv4_addr` is a `int32be[0xa010100:0xa010102]`, so I'll use those, translating the dotted decimal notation into the correct hex representation. I am setting the IP address of `veth0` to `10.1.1.1` and `veth1` to `10.1.1

data arg has bad value "hello"

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f0000000080)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000100)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000140)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000340)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth1\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8916, &(0x7f00000003c0)={'veth0\x00', @ifru_addrs=@in={0x2, 0x0, @private=0xa010101}})
ioctl$sock_ifreq(r0, 0x8916, &(0x7f0000000400)={'veth1\x00', @ifru_addrs=@in={0x2, 0x0, @private=0xa010102}})
r8 = socket$inet(0x2, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f0000000440)='veth1\x00', 6)
sendto(r8, &(0x7f0000000480)="hello", 5, 0x0, &(0x7f00000004c0)=@in={0x2, 0x1234, @private=0xa010101}, 0x10)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 510694
							output: 1232
							thoughts: 130
						

**Fixing the `sendto` Call**

Okay, so I see the issue. The `sendto` function is expecting a buffer, specifically `buf buffer[in]`. My first instinct was to try sending either a hex string using something like `&(0x7f0000000480)="68656c6c6f"` or a raw string with `&(0x7f0000000480)='hello\x00'`. Then I remembered how the buffer parameter handles strings and realized there's a simpler solution. Since the buffer can accept strings within single quotes, as long as they are valid, `&(0x7f0000000480)='hello'` should work perfectly. That's it! Let's get this patched.

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f0000000080)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000100)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000140)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000340)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth1\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8916, &(0x7f00000003c0)={'veth0\x00', @ifru_addrs=@in={0x2, 0x0, @private=0xa010101}})
ioctl$sock_ifreq(r0, 0x8916, &(0x7f0000000400)={'veth1\x00', @ifru_addrs=@in={0x2, 0x0, @private=0xa010102}})
r8 = socket$inet(0x2, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f0000000440)='veth1\x00', 6)
sendto(r8, &(0x7f0000000480)='hello', 5, 0x0, &(0x7f00000004c0)=@in={0x2, 0x1234, @private=0xa010101}, 0x10)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 512263
							output: 1285
							thoughts: 1849
						

**The Mystery of the Non-Crash and the Bonded Interface**

Okay, so I was expecting a crash, but it didn't happen! Time to dig. I was expecting `veth0` and `veth1` to be connected and the bond XDP code to be exercised. Syzkaller *should* create the `veth` pair. The code confirms that. And indeed, the code shows the `veth0` is enslaved to `bond0`. Now, even though `veth0` is enslaved, `veth` pairs *always* forward packets to each other, so the packet should still make it to `veth0`.

Next, I have to make sure the XDP path is running. I checked the code, and yes, `veth_xdp_rcv` *does* get called when there's an XDP program. `veth_xdp_rcv` is called from `veth_poll`, which in turn is scheduled by NAPI. I know when `veth1` sends, it calls `veth_xmit`, which calls `veth_forward_skb`, and it *should* call `veth_xdp_rcv_one` if XDP is enabled. `veth_forward_skb` confirms this behavior; it *does* call `veth_xdp_rcv_one` if the `xdp` flag is true. The code directly sets the `xdp` flag. The flow is there.

And if XDP is enabled, `veth_xdp_rcv_one` runs `bpf_prog_run_xdp`, which *should* redirect traffic and the critical code path in the bond driver should be executed. `bpf_prog_run_xdp` calls `xdp_master_redirect`, which calls `bond_xdp_get_xmit_slave`, which *accesses* `bond->rr_tx_counter`! Bingo! We *should* have a crash!

So why didn't it crash? Hmm... Maybe the `bpf_master_redirect_enabled_key` is not set? No, that *is* set in `bond_xdp_set`. Wait a minute, does `veth0` even support XDP? Let's check the device operations. Yes! It has `ndo_bpf` *and* `ndo_xdp_xmit`! So `bond_xdp_set` *should* succeed!

Aha! What if the bond interface doesn't exist? I renamed `bond0` to `nicvf0` but did that even work? If the interface is UP, it would fail with `EBUSY`. Syzkaller sets `bond0` UP during setup. The code confirms that. So when I try to rename `bond0` it *should* fail with `EBUSY`, and then when I tried to add `+bond0`, it *should* fail with `EEXIST`! This would mean `bond0` stays up, the counter is already allocated, and no crash!

Wait! I must set `bond0` DOWN *before* renaming it. In my program, I did not set it down! I need to add that `ioctl` to bring the interface down *before* I rename it.

Okay, let's fix the program! First, bring down `bond0`, *then* rename the interface. This *should* force the crash now!
```
r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
```

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000140)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000180)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000200)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x6, 0x2, &(0x7f0000000280)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'veth1\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8916, &(0x7f0000000400)={'veth0\x00', @ifru_addrs=@in={0x2, 0x0, @private=0xa010101}})
ioctl$sock_ifreq(r0, 0x8916, &(0x7f0000000440)={'veth1\x00', @ifru_addrs=@in={0x2, 0x0, @private=0xa010102}})
r8 = socket$inet(0x2, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f0000000480)='veth1\x00', 6)
sendto(r8, &(0x7f00000004c0)='hello', 5, 0x0, &(0x7f0000000500)=@in={0x2, 0x1234, @private=0xa010101}, 0x10)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 516401
							output: 1087
							thoughts: 6836
						

**The XDP-Bonding Conundrum: A Journey Through Kernel Internals**

Okay, so the crash isn't happening, and I *need* to figure out why. First, let's confirm the renaming of `bond0` to `nicvf0` was successful, ensuring we're working with the right interface. We're setting `bond0` down and then renaming it. I'm double-checking because, you know, syzkaller loves to play tricks! Next, I have to make sure `bond0` doesn't have any existing slaves before I start enslaving interfaces. Even though the kernel allows renaming with slaves, I need to know the state.

The syzkaller test environment *could* have enslaved `bond_slave_0` and `bond_slave_1` to `bond0`, but the code *doesn't* do that. The code just *names* those interfaces. This means `bond0` starts clean. I am then creating a *new* `bond0` and setting the mode to ROUNDROBIN. The key is in setting `veth0` DOWN, enslaving it to `bond0`, then attaching the XDP program. Then setting `veth0` UP.

Now, my attack is sending a UDP packet from `veth1` to `veth0`. The socket is bound to `veth1` using `SO_BINDTODEVICE`, so the packet *should* be routed through `veth1`. The destination is `10.1.1.1` (`veth0`). The kernel's routing *should* use the *bound* interface, so this should work. The packet is sent to `veth1`, and `veth0` is supposed to receive the packet, and then the XDP program on `veth0` will return `XDP_TX`, but it is not happening!

The `veth_xdp_rcv_one` function will run the XDP program, and the XDP program returns `XDP_TX`. This is *supposed* to trigger `xdp_master_redirect` *because* `bpf_master_redirect_enabled_key` is enabled after calling `bond_xdp_set`. It's enabled because I attached the XDP program to `bond0`. Also `veth0` *is* a bond slave. `xdp_master_redirect` is *supposed* to call `bond_xdp_get_xmit_slave` which *MUST* access `bond->rr_tx_counter`. But, I wasn't crashing, because, `bond0` *must* be UP!

But the checks I did show that `bond0` is DOWN! So it must be that the *veth0* must be UP *before* the packet is sent! The act of *enabling* `veth0` *doesn't* automatically enable `bond0`. Assigning an IP also doesn't enable `bond0`. The act of sending to the *IP* associated to `veth0` *will trigger the device*! However, the assigned IP to `veth0` *will not be there* as it is enslaved to `bond0`! So, the packet will go no where. ARP! The packet doesn't get sent because there is no ARP response.

I was trying to bypass ARP. `AF_PACKET` is the solution! The packet can be sent without knowing the IP address or any information for the destination host. I tried using `AF_PACKET` before. The `sockaddr_ll` was the problem. I had difficulty with `sll_halen`. If I let syzkaller auto-generate it (using `&AUTO`), I *should* omit the explicit value for `sll_halen`! I checked my previous attempt, but I didn't get that. The other issue is, the `sockaddr_storage` is a union, and when it is expecting a union, and I provide array, it fails.

`syz_emit_ethernet` is a way to send an Ethernet frame without ARP. However, I attempted `syz_emit_ethernet` before. The `syz_tun` device is a single queue, and fails during `TUNSETIFF`. The operation *always* fails. Therefore, I need a different approach to send the Ethernet frame. I *can* use `sendto` on an `AF_PACKET` socket. I need to bind to the interface, so I can send the Ethernet frame. This can be achieved with `sockaddr_ll`, and I can use `ioctl$sock_SIOCGIFINDEX` to write the interface index to memory, and then use that as `sockaddr_ll`. But

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f0000000080)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000100)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000140)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000340)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth1\x00', @ifru_flags=0x1})
r8 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f00000003c0)='veth1\x00', 6)
sendto(r8, &(0x7f0000000400)='hello', 5, 0x0, &(0x7f0000000440)=@in6={0xa, 0x1234, 0x0, @mcast1, 0x0}, 0x1c)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 525374
							output: 1087
							thoughts: 2386
						

**Debugging the Elusive Bond0 Crash**

Okay, so the crash still isn't happening. Time to methodically retrace my steps. First, the suspicion: maybe the multicast packet never even made it onto `veth0`?  I bound the socket to `veth1` and sent it to `ff01::1` (interface-local multicast), which *should* go out of `veth1`.  But interface-local means it probably *won't* be forwarded to `veth0`.  Aha! I need `ff02::1` (link-local), so let me check the `ipv6_addr` definitions in `socket.txt`. Yep, `@mcast2` is correctly defined as `ff02::1`.  Alright, change the sendto address to `@mcast2`.

Now, the XDP path... I remember `veth_xdp_rcv_one` gets called, as `veth_forward_skb` uses `veth_xdp_rcv_one` only if `rcv_xdp` is true which depends on the `rq->xdp_prog` being set.  When attaching the XDP program to `bond0`, `bond_xdp_set` propagates it to the slaves using `dev_xdp_propagate`, which ultimately calls `veth_xdp_set`. Inside,  `veth_xdp_set` *does* assign the XDP program to the receive queue's `xdp_prog` using `rcu_assign_pointer`.  So, that *should* be set.

But wait, what if `bpf_prog_run_xdp` returns `XDP_TX`?  That calls `xdp_master_redirect`, which *should* cause a redirect.  `veth_xdp_rcv_one` then handles the `XDP_REDIRECT`.  `xdp_master_redirect` in turn calls `bond_xdp_get_xmit_slave`, which calls `bond_xdp_xmit_roundrobin_slave_get`. This accesses `bond->rr_tx_counter` for round-robin mode.  If `bond0` is down, that counter *should* be NULL, leading to a crash! The crucial question is *why* didn't it crash?

Right, `bond0` is supposed to be *down* in my test setup, but could it have been somehow set up? I didn't set it UP explicitly.  `bond_xdp_get_xmit_slave` doesn't check if the bond is up.  *Nor* does `bond_xdp_xmit_roundrobin_slave_get`!  *Nor* does `bond_rr_gen_slave_id`!  So, the crash *should* occur if `bond->rr_tx_counter` is NULL.

So, where is this `rr_tx_counter` allocated?  Aha! It's allocated only in `bond_open`, inside a check for round-robin mode. Okay, is `bond_open` called when I *create* `bond0`? No, the `register_netdevice` call during bond creation doesn't call `ndo_open`. Is it called when enslaving the `veth0`? Nope, `bond_enslave` calls `dev_open` on the *slave*, not the master.  Wait... does syzkaller set `bond0` UP automatically?  Ah, yes, the initial test setup does, but I've deleted and recreated `bond0`. Syzkaller does not automatically set a newly created interface to the UP state.  

Then, does the `rr_tx_counter` get allocated somewhere else? Nope. I scanned the `bond_main.c` file again. So the `rr_tx_counter` *should* be NULL.

Then, wait! What if `packets_per_slave` is 0? That case uses `get_random_u32` and would *avoid* the counter access.  What's the default value of `packets_per_slave`? It's `1` by default.  Did I modify it? No!

Okay, new angle: maybe the packet wasn't even *sent*? I used `@mcast1` (ff01::1) which I'm now certain is wrong. Changing the sendto call to use `@mcast2` (ff02::1) seems the most likely solution now.

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f0000000080)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000100)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000140)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000180)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f00000001c0)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0x2, &(0x7f0000000240)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000340)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth1\x00', @ifru_flags=0x1})
r8 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f00000003c0)='veth1\x00', 6)
sendto(r8, &(0x7f0000000400)='hello', 5, 0x0, &(0x7f0000000440)=@in6={0xa, 0x1234, 0x0, @mcast2, 0x0}, 0x1c)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 529863
							output: 1140
							thoughts: 12962
						

**Debugging a Potential Kernel Crash in XDP Program Execution**

Okay, so I'm chasing a kernel crash related to an XDP program running on a veth pair within a bonding setup. No crash yet, and that's the problem. Here's what I've got so far:

*   I've confirmed the basic setup. UDP packets sent to `ff02::1` (multicast) from `veth1` should be received by `veth0`. The socket is bound to `veth1`, it's UP. The packets are going out and arriving at the peer. The XDP program is loaded and attached to the bond, and propagated to the veth slaves.
*   I'm verifying that the expected XDP code paths are being called. That the XDP program *should* be running when the packet arrives at `veth0`, but it is not causing a crash. `veth_xdp_rcv_one` is only called if `rq->xdp_prog` is set and the packet is processed by `veth_forward_skb` and it checks if `rcv_xdp` is true. `rcv_xdp` is true when `rq->xdp_prog` is set, and it *should* be. The veth device is up, and running.
*   The XDP program I'm loading should return `XDP_TX` which should lead to the `xdp_master_redirect` crash. `bpf_prog_run_xdp` is called, and the program should return `XDP_TX`. However, no crash.
*   I've tried different approaches to verify that this is true. By default, I use a BPF program with `BPF_ALU64` and `BPF_JMP` that returns `3`, and confirms `XDP_TX`.
*   I'm also double-checking that `bond_xdp_get_xmit_slave` which calls `bond_rr_gen_slave_id` is NOT reaching the per-cpu variable for round-robin mode that can cause a crash. Because the bond is created and the devices enslaved, this `rr_tx_counter` SHOULD not be NULL, because `bond0`'s state should have been created before the XDP runs. It should be properly allocated if the bond is UP and running.
*   A crucial step is that I'm setting `bond0` down, then renaming it to prevent it from auto-starting. Then re-enslaving `veth0` to bond0 before starting.

I've been looking very closely at why the crash isn't happening.

*   I am now checking if XDP is really being run when a packet comes to veth0. I am verifying this in the code. I am also making sure that `veth_xdp_rcv_one` gets called, by checking that the return value of `veth_forward_skb` is not `NET_RX_DROP`.
*   I've gone down the path of double-checking that the BPF program actually executes `xdp_master_redirect` using the `static_branch_unlikely` method. This requires that the return from the BPF program is `XDP_TX`. I've confirmed that the correct value of `0x3` is indeed passed to bpf_prog_run_xdp.
*   I am also making sure the code is not falling through because of the bond state. It must *not* be in a state where `rr_tx_counter` is NULL. I am ensuring that the correct sequence is followed so that the crash *must* happen when it reaches that pointer.

The remaining possibility is that there's a problem with the BPF program loading.

*   I am checking the `bpf_prog_load` error paths to make sure that the program is loaded successfully. I am verifying that the load, bind, and attachment sequences are all correct.
*   I've now reviewed the syzkaller documentation and code to ensure the `bpf_prog_load` is being called correctly. I've re-written my tests to try again with the right combination of arguments. This involves `expected_attach_type` and other flags in the struct. I am re-checking to ensure that these values are what the kernel expects them to be, and not what the debugger is telling me.

I will try again, but use the correct `bpf_prog_load` flags, now that the values have been verified.

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000140)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000180)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000200)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x6, 0x2, &(0x7f0000000280)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'veth1\x00', @ifru_flags=0x1})
r8 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f0000000400)='veth1\x00', 6)
sendto(r8, &(0x7f0000000440)='hello', 5, 0x0, &(0x7f0000000480)=@in6={0xa, 0x1234, 0x0, @mcast2, 0x0}, 0x1c)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 544980
							output: 1141
							thoughts: 6023
						

**Debugging the Elusive XDP Crash**

Okay, here's the breakdown of my thought process in tackling this persistent XDP crash, or rather, the *lack* of a crash. First off, I'm stuck on why it's not crashing! We are debugging a bug and the program isn't behaving as expected. The critical path involves BPF program loading, attachment to a veth interface enslaved to a bond device, and then a redirect action from within the XDP program. So let’s review the key elements.

I started by methodically checking if `bpf$PROG_LOAD` succeeded. If it did, `r4` is valid, and we move forward. If it didn’t, I need to understand why. Initial thoughts centered on incorrect attach types or invalid BPF instructions or a licensing problem with the program. However, a trivial program (`r0 = 3; exit`) and the `GPL` license *should* be valid.

The packet flow has to be correct: a UDP packet sent from `veth1` to `ff02::1`. Does `veth0` receive it? The critical factor is whether `veth0` is running XDP, and that's triggered by `rcu_access_pointer(rq->xdp_prog)`. That, in turn, hinges on how the XDP program is propagated down to the veth interface from the bond. The device must be able to call `veth_xdp_rcv_one` with `xdp` set to true. My current setup suggests this chain: `bond_xdp_set` -> `dev_xdp_propagate` -> `veth_xdp` -> `veth_xdp_set`, and this, in turn, needs to set `rq->xdp_prog`.

Next, I reviewed the code. Crucially, `veth_enable_xdp` is called, which then sets the `rcu_assign_pointer` to the `rq->xdp_prog` *after* calling `veth_enable_xdp_range` and `__veth_napi_enable`. I also realized that `veth_enable_xdp` is called even when `veth0` is DOWN, which happens *before* attaching the XDP program. The critical point here is that even when down, the NAPI structures are still allocated, and I can then bring `veth0` UP, so that `veth_open` gets called, calling `veth_enable_xdp` again. However, if the device is DOWN, I suspect the page pool allocation can fail, though currently the code seems to handle this.

The question of why packets aren't being sent even when the XDP program is attached and the veth devices are "UP" is still an issue. If `veth0` is DOWN, `napi_already_on` is false, and I might be calling `__veth_napi_enable` or `__veth_napi_disable` in the wrong order, but the setup ensures the veth interface is UP *before* the XDP attachment. I also ensured both veth interfaces are UP.

Now, for the key question: is `bpf_prog_run_xdp` *actually* calling `xdp_master_redirect`? This function is enabled by the `bpf_master_redirect_enabled_key`. I confirmed that the bond is set up and that the program *should* be running `xdp_master_redirect`. Then, `xdp_master_redirect` has to look up `bond_xdp_get_xmit_slave`. This function, *if* `bond->rr_tx_counter` is null will lead to a crash. I checked when it is allocated, and the `bond_open` function is only called when the device is up. But, if `bond0` is down, there won't be a crash. Also, I realized that if `packets_per_slave` is `0`, a random value can be used.

I also checked other paths, if `veth_xdp_rcv_one` is actually called after `__dev_forward_skb` returns, because `rcv_xdp` is still true, and no errors occur.

The main suspect is the `bpf$PROG_LOAD` syscall, which I need to get right. If this fails, then `rq->xdp_prog` remains NULL, and the XDP program is not run. I verified the arguments and their sizes. The most likely source of error is the `expected_attach_type` argument or the structs. I realize, the reason the load is failing is that `expected_

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000140)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000180)={'veth0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000200)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000240)={0x6, 0x2, &(0x7f0000000280)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, 0x27, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth0\x00', @ifru_flags=0x1})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'veth1\x00', @ifru_flags=0x1})
r8 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f0000000400)='veth1\x00', 6)
sendto(r8, &(0x7f0000000440)='hello', 5, 0x0, &(0x7f0000000480)=@in6={0xa, 0x1234, 0x0, @mcast2, 0x0}, 0x1c)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 553194
							output: 1117
							thoughts: 5251
						

**Debugging the XDP Crash**

Okay, so the crash isn't happening, and that's the starting point of this investigation. Let's trace through the logic. First, verify that `bpf$PROG_LOAD_XDP` succeeded. If the file descriptor `r4` is valid, and the load succeeded. If not, what went wrong?  Initially, I thought `expected_attach_type` might be incorrect. However, a review of the `bpf_prog_load_check_attach` function quickly shows that for `BPF_PROG_TYPE_XDP`, `expected_attach_type` *must* be `0` when loading, not `0x27` which is `BPF_XDP`. So the issue is that syzkaller *forces* it to be `0x27`, meaning `bpf$PROG_LOAD_XDP` *always* fails. Therefore, I need to use `bpf$PROG_LOAD` and explicitly set `@xdp=0x0`.

I recall trying that earlier, and it *still* didn't crash. Therefore, the problem might be in the second parameter of `bpf$PROG_LOAD`. Let's look at `attach_prog_fd` inside `bpf_prog.txt`. It is of type `PROG_FD` which is the union of `btf_id` and `attach_prog_fd`. A look back at my previous run where `@void` was provided, showed the error `wrong union arg for "ifindex"`. Since `prog_ifindex` is *not* a union, then `btf_fd` and `attach_prog_fd` also aren't unions. Therefore, `0x0` is correct for all these values.

What if `bpf$PROG_LOAD` is failing due to the BPF program itself (`insns`)? I need to verify its validity. The instructions `@generic={0xb7, 0x0, 0x0, 0x0, 0x3}` followed by `@generic={0x95, 0x0, 0x0, 0x0, 0x0}` translates to `r0 = 3; exit`.  This is valid. To ensure there is not an instruction problem, I could try using `&AUTO` in `bpf$PROG_LOAD`, allowing syzkaller to generate a random program. The critical point is whether or not it returns `XDP_TX`. However, if the crash is due to `XDP_TX` from `bpf_prog_run_xdp` then any result that does *not* equal `XDP_TX` will *not* crash the system.

I've already tried `bpf$PROG_LOAD` with `&AUTO`, and it didn't crash. Therefore, the BPF program is NOT the problem.

Let's revisit how I'm handling `bpf$PROG_LOAD`. After loading the program, the return value of the function `r4` is used in `bpf$BPF_LINK_CREATE_XDP`. If `r4` is -1, then the link fails, which is probably why the XDP program isn't being attached. Could the failure be due to the sizes in the `prog` struct? I'll try setting all sizes in the struct to `0` and see if there is an error. However, `func_info_rec_size`, `line_info_rec_size`, and `core_relo_rec_size` are const values and can't be set to zero.

What about a bad pointer for `license` or `insns`? This should be a solved issue. The pointers should be valid.

Let's investigate the packet flow. Maybe the crash isn't happening because the packet isn't actually reaching the XDP program. `veth0` has to *receive* the packet. Is `veth1` up?  I'll set it up using `ioctl$sock_ifreq` with `IFF_UP`. Does this mean `veth0` will pick up the traffic?  The function `veth_open` calls `netif_carrier_on`. What about the MAC addresses? I'm sending to `ff02::1`.  Does `veth0` accept this multicast address? Yes, `veth` accepts all packets. Does `veth_xdp_rcv_one` run XDP? Yes. What about `bond0`? Is it up? If so, `rr_tx_counter` is allocated! Did I make it up previously? No.

What if `

call #7 openat: escaping filename "/dev/net/tun\x00"

map[ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x0})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000140)='0\x00', 2)
r8 = openat(0xffffffffffffff9c, &(0x7f0000000180)='/dev/net/tun\x00', 0x2, 0x0)
ioctl$TUNSETIFF(r8, 0x400454ca, &(0x7f00000001c0)={'netpci0\x00', 0x1002})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000200)={'netpci0\x00', @ifru_flags=0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000240)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000280)='+netpci0\x00', 8)
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000002c0)={0x6, 0x2, &(0x7f0000000300)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f0000000340)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000380)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000003c0)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000400)={'netpci0\x00', @ifru_flags=0x1})
write(r8, &(0x7f0000000440)='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00', 14)
]

map[ReproducedBugTitle: ReproducedCrashReport:]

gemini-3-pro-preview

							input: 560620
							output: 1185
							thoughts: 7067
						

**The XDP Deep Dive**

Okay, here's the breakdown of my thought process. I started with the classic sandbox escape idea using `/dev/net/tun` and `openat`. However, that direct route was blocked. So, I pivoted, thinking about obtaining a `tunfd` using `syz_open_dev$tun`, but syzkaller didn't have that definition.

Then, the focus shifted to `syz_emit_ethernet` as the only means to inject packets, but quickly hitting a roadblock. It consistently uses a `syz_tun` interface, preventing me from targeting another device.

With raw Ethernet frames in mind, `AF_PACKET` sockets came up. Tried `sendto` but struggled with `sockaddr_ll`. Then, I realized I could use `sendto` *without* bind, with `&AUTO` address. But that's a gamble since it could send to any address.

The next thought led to `AF_INET` sockets and `setsockopt` with `SO_BINDTODEVICE`, targeting `veth1`. The packets should go through bond0, if the XDP program redirects to veth0. When I reviewed the code, the XDP program uses bond0. The packet is processed. The issue is that bond0 is down. The program *should* crash, but doesn't.

I suspect that the bond0 is not down. Did I up it? No. Did syzkaller up it? No. When veth0 is up, does it mean bond0 is up? No. When I sent packets to ff02::1, does it reach veth0? Yes.
So I tried renaming bond0 and then re-creating it, ensuring the new bond0 isn't already created. Then I noticed the error. `bpf$BPF_LINK_CREATE_XDP` might fail when it doesn't have an xdp program, then it will not be redirected and it will not crash.

Then, I looked at the XDP BPF program. I was using `bpf$PROG_LOAD_XDP`. At first, I was confused with the number of expected parameters to the struct literal.
I tried to solve the errors for this call. Initially, I thought that the size passed to the call to the load bpf program was incorrect but it was not. Then, I realized that I was misinterpreting the number of fields to include in the call because of a missed `len` struct literal field. But that was not the case, since I am using `&(0x7f0000000200)={...}` I have to include the size of the structure. I eventually determined the correct struct.

Finally, I got the program loaded correctly. If it loads, it should work. So I went back to the theory of why it *should* crash. I'm focusing on the `bond_xdp_xmit_roundrobin_slave_get` function. The program *should* crash if `bond->rr_tx_counter` is NULL. I checked `bond_create` and `register_netdevice` that would be in charge of allocating this counter. Then, I checked if the configuration of the bond would produce a value of 0.

So it MUST crash if `rr_tx_counter` is NULL. I rechecked whether veth0 was actually enslaved. But I might be making `bond_enslave` fail. I might be doing something wrong with ioctl. I should set veth0 down, but not remove the broadcast and multicast flags. Then, I set it up again.

This is where I'm at. The hypothesis is that with this change, the crash should finally happen because I have accounted for *all* the variables that affect the outcome.

map[ReproOpts:{"procs": 1, "sandbox": "none", "fault": false, "threaded": false, "repeat": false} ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x1002})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000140)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000180)={'veth0\x00', @ifru_flags=0x1002})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000200)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x6, 0x2, &(0x7f0000000280)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth0\x00', @ifru_flags=0x1043})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'veth1\x00', @ifru_flags=0x1043})
r8 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f0000000400)='veth1\x00', 6)
sendto(r8, &(0x7f0000000440)='hello', 5, 0x0, &(0x7f0000000480)=@in6={0xa, 0x1234, 0x0, @mcast2, 0x0}, 0x1c)]

map[ReproOpts:{"procs": 1, "sandbox": "none", "fault": false, "threaded": false, "repeat": false} ReproSyz:r0 = socket$inet(0x2, 0x2, 0x0)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000000)={'bond0\x00', @ifru_flags=0x1002})
ioctl$sock_ifreq(r0, 0x8923, &(0x7f0000000040)={'bond0\x00', @ifru_names='nicvf0\x00'})
r1 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/net/bonding_masters\x00', 0x2, 0x0)
write(r1, &(0x7f00000000c0)='+bond0\x00', 7)
r2 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/net/bond0/bonding/mode\x00', 0x2, 0x0)
write(r2, &(0x7f0000000140)='0\x00', 2)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000180)={'veth0\x00', @ifru_flags=0x1002})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/class/net/bond0/bonding/slaves\x00', 0x2, 0x0)
write(r3, &(0x7f0000000200)='+veth0\x00', 7)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x6, 0x2, &(0x7f0000000280)=@raw=[@generic={0xb7, 0x0, 0x0, 0x0, 0x3}, @generic={0x95, 0x0, 0x0, 0x0, 0x0}], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "", 0x0, @xdp=0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value=0x0}, 0x90)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bond0\x00', <r5=>0x0})
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r4, r5, 0x27, 0x0, @void}, 0x20)
ioctl$sock_ifreq(r0, 0x8914, &(0x7f0000000380)={'veth0\x00', @ifru_flags=0x1043})
ioctl$sock_ifreq(r0, 0x8914, &(0x7f00000003c0)={'veth1\x00', @ifru_flags=0x1043})
r8 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$SO_BINDTODEVICE(r8, 0x1, 0x19, &(0x7f0000000400)='veth1\x00', 6)
sendto(r8, &(0x7f0000000440)='hello', 5, 0x0, &(0x7f0000000480)=@in6={0xa, 0x1234, 0x0, @mcast2, 0x0}, 0x1c)]