[PATCH v2 net 0/2] net: vlan: fix skb_panic bug in vlan_dev_hard_header()

[PATCH v2 net 0/2] net: vlan: fix skb_panic bug in vlan_dev_hard_header()

[Chen Zhen]

This series fix a skb_panic bug in vlan_dev_hard_header().

If a vlan device with reorder_hdr off is created without hw offload
feature, but up with hw offload on, the ndisc skb has no enough
room for vlan hdr in vlan_dev_hard_header() and finally panic.

The first patch fixes the bug itself by also setting header_ops of
vlan dev when offload feature is toggled. The second patch adds a
regression test for this bug.

---
v1 -> v2:
- Address format issues of commit message
- Add a selftest to catch re-occurrence of this issue as suggested by Jakub
- v1: https://lore.kernel.org/all/20251231035419.23422-1-chenzhen126@huawei.com/

Chen Zhen (2):
  net: vlan: set header_ops to match hard_header_len when hw offload is
    toggled
  selftests: vlan: add test for turn on hw offload with reorder_hdr off

 net/8021q/vlan.c                              |  5 +---
 net/8021q/vlan.h                              |  3 ++
 net/8021q/vlan_dev.c                          | 22 +++++++++-----
 tools/testing/selftests/net/Makefile          |  1 +
 .../testing/selftests/net/vlan_hw_offload.sh  | 30 +++++++++++++++++++
 5 files changed, 49 insertions(+), 12 deletions(-)
 create mode 100755 tools/testing/selftests/net/vlan_hw_offload.sh

-- 
2.33.0

[PATCH v2 net 1/2] net: vlan: set header_ops to match hard_header_len when hw offload is toggled

[Chen Zhen]

When tx-vlan-hw-insert is toggled to on, vlan device hard_header_len
will be reduced to dev->hard_header_len since commit 029f5fc31cdb
("8021q: set hard_header_len when VLAN offload features are toggled"),
but the header_ops remains unchanged, ndisc skb will be allocated
with this len and filled in vlan hdr in vlan_dev_hard_header(), but
with reorder_hdr off, the skb room is not enough so it triggers
skb_panic() as below:

skbuff: skb_under_panic: text:ffffffffa0535126 len:90 put:14
 head:ffff916c04232ec0 data:ffff916c04232ebe tail:0x58 end:0x180 dev:veth0.10
------------[ cut here ]------------
 kernel BUG at net/core/skbuff.c:197!
 <TASK>
  skb_push+0x39/0x40 net/core/skbuff.c:207
  eth_header+0x26/0xb0 net/ethernet/eth.c:90
  vlan_dev_hard_header+0x58/0x130 net/8021q/vlan_dev.c:85 [8021q]
  neigh_connected_output+0xae/0x100 net/core/neighbour.c:1589
  ip6_finish_output2+0x2cc/0x650 net/ipv6/ip6_output.c:213
  ip6_finish_output+0x27/0xd0 net/ipv6/ip6_output.c:246
  ndisc_send_skb+0x1d0/0x370 net/ipv6/ndisc.c:516
  ndisc_send_ns+0x5a/0xb0 net/ipv6/ndisc.c:672
  addrconf_dad_work+0x2b5/0x380 net/ipv6/addrconf.c:4258
  process_one_work+0x17f/0x320 kernel/workqueue.c:2743

Fix this by also setting header_ops of vlan dev when offload feature
is toggled.

Fixes: 029f5fc31cdb ("8021q: set hard_header_len when VLAN offload features are toggled")
Signed-off-by: Chen Zhen <chenzhen126@huawei.com>
---
 net/8021q/vlan.c     |  5 +----
 net/8021q/vlan.h     |  3 +++
 net/8021q/vlan_dev.c | 22 ++++++++++++++--------
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 2b74ed56eb16..84b3a3f67996 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -323,10 +323,7 @@ static void vlan_transfer_features(struct net_device *dev,
 
 	netif_inherit_tso_max(vlandev, dev);
 
-	if (vlan_hw_offload_capable(dev->features, vlan->vlan_proto))
-		vlandev->hard_header_len = dev->hard_header_len;
-	else
-		vlandev->hard_header_len = dev->hard_header_len + VLAN_HLEN;
+	vlan_dev_set_header_attributes(dev, vlandev, vlan->vlan_proto);
 
 #if IS_ENABLED(CONFIG_FCOE)
 	vlandev->fcoe_ddp_xid = dev->fcoe_ddp_xid;
diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h
index c7ffe591d593..1d837814e061 100644
--- a/net/8021q/vlan.h
+++ b/net/8021q/vlan.h
@@ -143,6 +143,9 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack);
 void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
 bool vlan_dev_inherit_address(struct net_device *dev,
 			      struct net_device *real_dev);
+void vlan_dev_set_header_attributes(struct net_device *dev,
+				    struct net_device *vlan_dev,
+				    __be16 proto);
 
 static inline u32 vlan_get_ingress_priority(struct net_device *dev,
 					    u16 vlan_tci)
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index fbf296137b09..1fe171748711 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -519,6 +519,19 @@ static const struct device_type vlan_type = {
 
 static const struct net_device_ops vlan_netdev_ops;
 
+void vlan_dev_set_header_attributes(struct net_device *dev,
+				    struct net_device *vlan_dev,
+				    __be16 proto)
+{
+	if (vlan_hw_offload_capable(dev->features, proto)) {
+		vlan_dev->header_ops      = &vlan_passthru_header_ops;
+		vlan_dev->hard_header_len = dev->hard_header_len;
+	} else {
+		vlan_dev->header_ops      = &vlan_header_ops;
+		vlan_dev->hard_header_len = dev->hard_header_len + VLAN_HLEN;
+	}
+}
+
 static int vlan_dev_init(struct net_device *dev)
 {
 	struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
@@ -572,14 +585,7 @@ static int vlan_dev_init(struct net_device *dev)
 #endif
 
 	dev->needed_headroom = real_dev->needed_headroom;
-	if (vlan_hw_offload_capable(real_dev->features, vlan->vlan_proto)) {
-		dev->header_ops      = &vlan_passthru_header_ops;
-		dev->hard_header_len = real_dev->hard_header_len;
-	} else {
-		dev->header_ops      = &vlan_header_ops;
-		dev->hard_header_len = real_dev->hard_header_len + VLAN_HLEN;
-	}
-
+	vlan_dev_set_header_attributes(real_dev, dev, vlan->vlan_proto);
 	dev->netdev_ops = &vlan_netdev_ops;
 
 	SET_NETDEV_DEVTYPE(dev, &vlan_type);
-- 
2.33.0

[PATCH v2 net 2/2] selftests: vlan: add test for turn on hw offload with reorder_hdr off

[Chen Zhen]

If vlan dev was created with reorder_hdr off and hw offload both
off but up with hw offload on, it will trigger a skb_panic bug in
vlan_dev_hard_header().

Add a test to automatically catch re-occurrence of the issue.

Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Chen Zhen <chenzhen126@huawei.com>
---
 tools/testing/selftests/net/Makefile          |  1 +
 .../testing/selftests/net/vlan_hw_offload.sh  | 30 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100755 tools/testing/selftests/net/vlan_hw_offload.sh

diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile
index b66ba04f19d9..8b50448a01cd 100644
--- a/tools/testing/selftests/net/Makefile
+++ b/tools/testing/selftests/net/Makefile
@@ -113,6 +113,7 @@ TEST_PROGS := \
 	veth.sh \
 	vlan_bridge_binding.sh \
 	vlan_hw_filter.sh \
+	vlan_hw_offload.sh \
 	vrf-xfrm-tests.sh \
 	vrf_route_leaking.sh \
 	vrf_strict_mode_test.sh \
diff --git a/tools/testing/selftests/net/vlan_hw_offload.sh b/tools/testing/selftests/net/vlan_hw_offload.sh
new file mode 100755
index 000000000000..5c49cc2525f2
--- /dev/null
+++ b/tools/testing/selftests/net/vlan_hw_offload.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+setup() {
+	ip link add veth0 type veth peer name veth1
+	ip link set veth0 up
+	ip link set veth1 up
+}
+
+cleanup() {
+	ip link delete veth0 2>/dev/null
+}
+
+#turn on hw offload and set up vlan dev with reorder_hdr off
+test_vlan_hw_offload_toggle_crash() {
+	ethtool -K veth0 tx-vlan-hw-insert off
+	ip link add link veth0 name veth0.10 type vlan id 10 reorder_hdr off
+	ethtool -K veth0 tx-vlan-hw-insert on
+
+	# set up vlan dev and it will trigger ndisc
+	ip link set veth0.10 up
+	ip -6 route show dev veth0.10
+}
+
+trap cleanup EXIT
+
+setup
+test_vlan_hw_offload_toggle_crash
+
+exit 0
-- 
2.33.0

Re: [PATCH v2 net 2/2] selftests: vlan: add test for turn on hw offload with reorder_hdr off

[Simon Horman]

On Wed, Jan 07, 2026 at 11:34:23AM +0800, Chen Zhen wrote:
> If vlan dev was created with reorder_hdr off and hw offload both
> off but up with hw offload on, it will trigger a skb_panic bug in
> vlan_dev_hard_header().
> 
> Add a test to automatically catch re-occurrence of the issue.
> 
> Suggested-by: Jakub Kicinski <kuba@kernel.org>
> Signed-off-by: Chen Zhen <chenzhen126@huawei.com>

Shellcheck warns that cleanup is never invoked.

  SC2329 (info): This function is never invoked. Check usage (or ignored if invoked indirectly).

But is only true if only direct invocations are taken into
account (which I assume is what shellcheck does).
cleanup is actually called on exit as it has been
registered to do so by trap.

In order to keep shellcheck quiet I'd recommend adding the following
to vlan_hw_offload.sh.

#shellcheck disable=SC2329

...