Re: [PATCH v2 net-next 8/9] net: dsa: netc: add bridge mode support

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Traffic blackhole when a port leaves a bridge due to missing `.port_fast_age` implementation.
- [High] Lockless TOCTOU race on `dp->bridge` in `netc_vlan_unaware_pvid()` causes a NULL pointer dereference.
--

commit 742a1b1728b1f9a1a99ef531550382edaead0751
Author: Wei Fang <wei.fang@nxp.com>

net: dsa: netc: add bridge mode support

Wire up the port_bridge_join, port_bridge_leave and port_vlan_filtering
DSA callbacks to support both VLAN-unaware and VLAN-aware bridge modes.

> diff --git a/drivers/net/dsa/netc/netc_main.c b/drivers/net/dsa/netc/netc_main.c
> index a97121dda237a..5b58ce06beb88 100644
> --- a/drivers/net/dsa/netc/netc_main.c
> +++ b/drivers/net/dsa/netc/netc_main.c
> @@ -1507,17 +1540,57 @@ static int netc_port_max_mtu(struct dsa_switch *ds, int port)
[ ... ]
> +static u16 netc_vlan_unaware_pvid(struct dsa_switch *ds,
> +				  const struct net_device *br_ndev)
> +{
> +	struct dsa_port *dp;
> +	int br_num = -1;
> +
> +	if (!br_ndev)
> +		return NETC_STANDALONE_PVID;
> +
> +	dsa_switch_for_each_available_port(dp, ds) {
> +		if (dsa_port_bridge_dev_get(dp) == br_ndev) {
> +			br_num = dp->bridge->num;
> +			break;
> +		}
> +	}

[Severity: High]
Could this lockless access to dp->bridge result in a NULL pointer dereference?

Because netc_port_fdb_add() and netc_port_fdb_del() are called from the DSA
workqueue without holding rtnl_lock(), this might race with another port
being removed from the bridge (which sets dp->bridge to NULL).

Is this loop necessary since the bridge number is already provided directly
in the struct dsa_db argument (db.bridge.num) passed to the FDB callbacks?

[ ... ]
> @@ -2009,8 +2285,11 @@ static const struct dsa_switch_ops netc_switch_ops = {
>  	.port_mdb_add			= netc_port_mdb_add,
>  	.port_mdb_del			= netc_port_mdb_del,
>  	.port_set_host_flood		= netc_port_set_host_flood,
> +	.port_vlan_filtering		= netc_port_vlan_filtering,
>  	.port_vlan_add			= netc_port_vlan_add,
>  	.port_vlan_del			= netc_port_vlan_del,
> +	.port_bridge_join		= netc_port_bridge_join,
> +	.port_bridge_leave		= netc_port_bridge_leave,
>  	.get_pause_stats		= netc_port_get_pause_stats,

[Severity: High]
Will the lack of a .port_fast_age callback cause a traffic blackhole when a
port leaves a bridge?

Without this callback, the hardware FDB table retains dynamically learned
MAC entries pointing to the departing port. At the same time,
netc_port_bridge_leave() removes the egress rules. Traffic would be routed
to the departed port and dropped at egress until the FDB entries naturally
age out.

I see this is fixed later in the patch series in the commit "net: dsa:
netc: implement dynamic FDB entry ageing", but I wanted to mention it as
it breaks forwarding temporarily during the series.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260602072313.3162120-1-wei.fang@oss.nxp.com?part=8