lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260105162243.59e72816@kernel.org>
Date: Mon, 5 Jan 2026 16:22:43 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Chen Zhen <chenzhen126@...wei.com>
Cc: <davem@...emloft.net>, <edumazet@...gle.com>, <pabeni@...hat.com>,
 <horms@...nel.org>, <netdev@...r.kernel.org>,
 <linux-kernel@...r.kernel.org>, <huyizhen2@...wei.com>,
 <gaoxingwang1@...wei.com>
Subject: Re: [PATCH net] net: vlan: set header_ops to match hard_header_len
 when hw offload is toggled

On Wed, 31 Dec 2025 11:54:19 +0800 Chen Zhen wrote:
> skbuff: skb_under_panic: text:ffffffff95b33e66 len:90 put:14 head:ffff915ac1967440 data:ffff915ac196743e tail:0x58 end:0x180 dev:br0.10
> ------------[ cut here ]------------
> kernel BUG at net/core/skbuff.c:197!
> Call Trace:
>  <TASK>
>  skb_push+0x39/0x40
>  eth_header+0x26/0xb0
>  vlan_dev_hard_header+0x58/0x130 [8021q]
>  neigh_connected_output+0xae/0x100
>  ip6_finish_output2+0x2cc/0x650
>  ? nf_hook_slow+0x41/0xc0
>  ip6_finish_output+0x27/0xd0
>  ndisc_send_skb+0x1d0/0x370
>  ? __pfx_dst_output+0x10/0x10
>  ndisc_send_ns+0x5a/0xb0
>  addrconf_dad_work+0x2b5/0x380
>  process_one_work+0x17f/0x320

Please run this stack trace thru script/decode_stacktrace
and you can cut off here, no need to include functions
below process_one_work, they are irrelevant.

>  worker_thread+0x26d/0x2f0
>  ? __pfx_worker_thread+0x10/0x10
>  kthread+0xcc/0x100
>  ? __pfx_kthread+0x10/0x10
>  ret_from_fork+0x30/0x50
>  ? __pfx_kthread+0x10/0x10
>  ret_from_fork_asm+0x1b/0x30
>  </TASK>
> 
> This bug can be easily reproduced by these steps:
> 
>  ip link add veth0 type veth peer name veth1
>  ip link set veth0 up
>  ip link set veth1 up
>  ethtool -K veth0 tx-vlan-hw-insert off
>  # vlandev.header_ops = vlan_header_ops, hard_header_len = 18(hard_header_len + VLAN_HLEN)
>  ip link add link veth0 name veth0.10 type vlan id 10 reorder_hdr off
>  ip addr add 192.168.10.1/24 dev veth0.10
>  ip link set veth0.10 up
>  # vlandev.hard_header_len = 14(hard_header_len)
>  ethtool -K veth0 tx-vlan-hw-insert on
>  # Panic!

Instead of putting this in the commit message please add a selftest
which will automatically catch re-occurrence of the issue.

> The reason is that when NETIF_F_HW_VLAN_CTAG_TX is off, vlandev.hard_header_len will be set to
> dev->hard_header_len since commit 029f5fc31cdb ("8021q: set hard_header_len when VLAN offload features
> are toggled"), but the header_ops remains unchanged. Then neigh_connected_output() will call
> vlan_dev_hard_header() and panic in skb_push() because reorder_hdr is off.

Please wrap commit messages at 70 columns.
-- 
pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ