From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Alexandre Knecht <knecht.alexandre@gmail.com>,
Ido Schimmel <idosch@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 37/72] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress
Date: Thu, 15 Jan 2026 17:48:47 +0100 [thread overview]
Message-ID: <20260115164144.839580675@linuxfoundation.org> (raw)
In-Reply-To: <20260115164143.482647486@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Knecht <knecht.alexandre@gmail.com>
[ Upstream commit 3128df6be147768fe536986fbb85db1d37806a9f ]
When using an 802.1ad bridge with vlan_tunnel, the C-VLAN tag is
incorrectly stripped from frames during egress processing.
br_handle_egress_vlan_tunnel() uses skb_vlan_pop() to remove the S-VLAN
from hwaccel before VXLAN encapsulation. However, skb_vlan_pop() also
moves any "next" VLAN from the payload into hwaccel:
/* move next vlan tag to hw accel tag */
__skb_vlan_pop(skb, &vlan_tci);
__vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci);
For QinQ frames where the C-VLAN sits in the payload, this moves it to
hwaccel where it gets lost during VXLAN encapsulation.
Fix by calling __vlan_hwaccel_clear_tag() directly, which clears only
the hwaccel S-VLAN and leaves the payload untouched.
This path is only taken when vlan_tunnel is enabled and tunnel_info
is configured, so 802.1Q bridges are unaffected.
Tested with 802.1ad bridge + VXLAN vlan_tunnel, verified C-VLAN
preserved in VXLAN payload via tcpdump.
Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths")
Signed-off-by: Alexandre Knecht <knecht.alexandre@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20251228020057.2788865-1-knecht.alexandre@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_vlan_tunnel.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c
index 6399a8a69d076..0f03572d89d09 100644
--- a/net/bridge/br_vlan_tunnel.c
+++ b/net/bridge/br_vlan_tunnel.c
@@ -187,7 +187,6 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
{
struct metadata_dst *tunnel_dst;
__be64 tunnel_id;
- int err;
if (!vlan)
return 0;
@@ -197,9 +196,13 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
return 0;
skb_dst_drop(skb);
- err = skb_vlan_pop(skb);
- if (err)
- return err;
+ /* For 802.1ad (QinQ), skb_vlan_pop() incorrectly moves the C-VLAN
+ * from payload to hwaccel after clearing S-VLAN. We only need to
+ * clear the hwaccel S-VLAN; the C-VLAN must stay in payload for
+ * correct VXLAN encapsulation. This is also correct for 802.1Q
+ * where no C-VLAN exists in payload.
+ */
+ __vlan_hwaccel_clear_tag(skb);
tunnel_dst = rcu_dereference(vlan->tinfo.tunnel_dst);
if (tunnel_dst && dst_hold_safe(&tunnel_dst->dst))
--
2.51.0
next prev parent reply other threads:[~2026-01-15 17:11 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-15 16:48 [PATCH 6.1 00/72] 6.1.161-rc1 review Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 01/72] atm: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 02/72] net: 3com: 3c59x: fix possible null dereference in vortex_probe1() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 03/72] btrfs: always detect conflicting inodes when logging inode refs Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 04/72] mei: me: add nova lake point S DID Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 05/72] lib/crypto: aes: Fix missing MMU protection for AES S-box Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 06/72] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 07/72] drm/pl111: Fix error handling in pl111_amba_probe Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 08/72] gpio: rockchip: mark the GPIO controller as sleeping Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 09/72] wifi: avoid kernel-infoleak from struct iw_point Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 10/72] libceph: prevent potential out-of-bounds reads in handle_auth_done() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 11/72] libceph: replace overzealous BUG_ON in osdmap_apply_incremental() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 12/72] libceph: make free_choose_arg_map() resilient to partial allocation Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 13/72] libceph: return the handler error from mon_handle_auth_done() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 14/72] libceph: make calc_target() set t->paused, not just clear it Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 15/72] ext4: introduce ITAIL helper Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 16/72] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 17/72] net: Add locking to protect skb->dev access in ip_output Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 18/72] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 19/72] csky: fix csky_cmpxchg_fixup not working Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 20/72] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 21/72] alpha: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 22/72] NFSv4: ensure the open stateid seqid doesnt go backwards Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 23/72] NFS: Fix up the automount fs_context to use the correct cred Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 24/72] smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 25/72] smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 26/72] smb/client: fix NT_STATUS_NO_DATA_DETECTED value Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 27/72] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 28/72] scsi: ufs: core: Fix EH failure after W-LUN resume error Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 29/72] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 30/72] arm64: dts: add off-on-delay-us for usdhc2 regulator Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 31/72] ARM: dts: imx6q-ba16: fix RTC interrupt level Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 32/72] arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics i.MX8M Plus DHCOM Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 33/72] netfilter: nft_synproxy: avoid possible data-race on update operation Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 34/72] netfilter: nf_tables: fix memory leak in nf_tables_newrule() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 35/72] netfilter: nf_conncount: update last_gc only when GC has been performed Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 36/72] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure Greg Kroah-Hartman
2026-01-15 16:48 ` Greg Kroah-Hartman [this message]
2026-01-15 16:48 ` [PATCH 6.1 38/72] net: mscc: ocelot: Fix crash when adding interface under a lag Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 39/72] inet: ping: Fix icmp out counting Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 40/72] net: sock: fix hardened usercopy panic in sock_recv_errqueue Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 41/72] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 42/72] net/mlx5e: Dont print error message due to invalid module Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 43/72] net: wwan: iosm: Fix memory leak in ipc_mux_deinit() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 44/72] eth: bnxt: move and rename reset helpers Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 45/72] bnxt_en: Fix potential data corruption with HW GRO/LRO Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 46/72] net: fix memory leak in skb_segment_list for GRO packets Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 47/72] HID: quirks: work around VID/PID conflict for appledisplay Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 48/72] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 49/72] net: usb: pegasus: fix memory leak in update_eth_regs_async() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 50/72] net: enetc: fix build warning when PAGE_SIZE is greater than 128K Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 51/72] arp: do not assume dev_hard_header() does not change skb->head Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 52/72] pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 53/72] mm/pagewalk: add walk_page_range_vma() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 54/72] ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 55/72] ALSA: ac97bus: Use guard() for mutex locks Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 56/72] ALSA: ac97: fix a double free in snd_ac97_controller_register() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 57/72] nfsd: provide locking for v4_end_grace Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 58/72] NFS: trace: show TIMEDOUT instead of 0x6e Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 59/72] nfs_common: factor out nfs_errtbl and nfs_stat_to_errno Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 60/72] NFSD: Remove NFSERR_EAGAIN Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 61/72] bpf: Fix an issue in bpf_prog_test_run_xdp when page size greater than 4K Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 62/72] bpf: Make variables in bpf_prog_test_run_xdp less confusing Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 63/72] bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 64/72] bpf, test_run: Subtract size of xdp_frame from allowed metadata size Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 65/72] bpf: Fix reference count leak in bpf_prog_test_run_xdp() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 66/72] powercap: fix race condition in register_control_type() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 67/72] powercap: fix sscanf() error return value handling Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 68/72] can: j1939: make j1939_session_activate() fail if device is no longer registered Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 69/72] ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025 Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 70/72] ASoC: fsl_sai: Add missing registers to cache default Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 71/72] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 72/72] bpf: test_run: Fix ctx leak in bpf_prog_test_run_xdp error path Greg Kroah-Hartman
2026-01-15 19:15 ` [PATCH 6.1 00/72] 6.1.161-rc1 review Brett A C Sheffield
2026-01-15 19:36 ` Slade Watkins
2026-01-15 22:14 ` Florian Fainelli
2026-01-16 7:55 ` Francesco Dolcini
2026-01-16 9:14 ` Peter Schneider
2026-01-16 10:22 ` Ron Economos
2026-01-16 10:33 ` Jon Hunter
2026-01-16 15:39 ` Mark Brown
2026-01-16 17:44 ` Hardik Garg
2026-01-16 19:28 ` Shuah Khan
2026-01-17 14:35 ` Miguel Ojeda
2026-01-19 11:10 ` Jeffrin Thalakkottoor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260115164144.839580675@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=idosch@nvidia.com \
--cc=knecht.alexandre@gmail.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=razor@blackwall.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.