From: Jonas Gorski <jonas.gorski@gmail.com>
To: Andrew Lunn <andrew@lunn.ch>, Vladimir Oltean <olteanv@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Florian Fainelli <f.fainelli@gmail.com>
Cc: Vladimir Oltean <vladimir.oltean@nxp.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH RFC net-next 1/3] net: dsa: deny bridge VLAN with existing 8021q upper on any port
Date: Mon, 10 Nov 2025 22:44:41 +0100 [thread overview]
Message-ID: <20251110214443.342103-2-jonas.gorski@gmail.com> (raw)
In-Reply-To: <20251110214443.342103-1-jonas.gorski@gmail.com>
Currently adding a bridge vlan to a port only checks for an 8021q upper
of that vlan on the port, but does not check for matching 8021q uppers
on other ports.
This leads to the possibility of configuring shared vlans on ports after
adding uppers.
E.g. adding the upper after configuring the vlan would be rejected
$ ip link add br0 type bridge vlan filtering 1
$ ip link set swp1 master br0
$ ip link set swp2 master br0
$ bridge vlan add dev swp2 vid 100
$ ip link add swp1.100 link swp1 type vlan id 100
RTNETLINK answers: Resource busy
But the other way around would currently be accepted:
$ ip link add br0 type bridge vlan filtering 1
$ ip link set swp1 master br0
$ ip link set swp2 master br0
$ ip link add swp1.100 link swp1 type vlan id 100
$ bridge vlan add dev swp2 vid 100
$ bridge vlan
port vlan-id
swp2 1 PVID Egress Untagged
100
swp1 1 PVID Egress Untagged
br0 1 PVID Egress Untagged
Fix this by checking all members of the bridge for a matching vlan
upper, and not the port itself.
After:
$ ip link add br0 type bridge vlan filtering 1
$ ip link set swp1 master br0
$ ip link set swp2 master br0
$ ip link add swp1.100 link swp1 type vlan id 100
$ bridge vlan add dev swp2 vid 100
RTNETLINK answers: Resource busy
Fixes: 1ce39f0ee8da ("net: dsa: convert denying bridge VLAN with existing 8021q upper to PRECHANGEUPPER")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
---
net/dsa/user.c | 31 ++++++++++++++++++++-----------
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/net/dsa/user.c b/net/dsa/user.c
index f59d66f0975d..fa1fe0f1493a 100644
--- a/net/dsa/user.c
+++ b/net/dsa/user.c
@@ -653,21 +653,30 @@ static int dsa_user_port_attr_set(struct net_device *dev, const void *ctx,
/* Must be called under rcu_read_lock() */
static int
-dsa_user_vlan_check_for_8021q_uppers(struct net_device *user,
+dsa_user_vlan_check_for_8021q_uppers(struct dsa_port *dp,
const struct switchdev_obj_port_vlan *vlan)
{
- struct net_device *upper_dev;
- struct list_head *iter;
+ struct dsa_switch *ds = dp->ds;
+ struct dsa_port *other_dp;
- netdev_for_each_upper_dev_rcu(user, upper_dev, iter) {
- u16 vid;
+ dsa_switch_for_each_user_port(other_dp, ds) {
+ struct net_device *user = other_dp->user;
+ struct net_device *upper_dev;
+ struct list_head *iter;
- if (!is_vlan_dev(upper_dev))
+ if (!dsa_port_bridge_same(dp, other_dp))
continue;
- vid = vlan_dev_vlan_id(upper_dev);
- if (vid == vlan->vid)
- return -EBUSY;
+ netdev_for_each_upper_dev_rcu(user, upper_dev, iter) {
+ u16 vid;
+
+ if (!is_vlan_dev(upper_dev))
+ continue;
+
+ vid = vlan_dev_vlan_id(upper_dev);
+ if (vid == vlan->vid)
+ return -EBUSY;
+ }
}
return 0;
@@ -693,11 +702,11 @@ static int dsa_user_vlan_add(struct net_device *dev,
*/
if (br_vlan_enabled(dsa_port_bridge_dev_get(dp))) {
rcu_read_lock();
- err = dsa_user_vlan_check_for_8021q_uppers(dev, vlan);
+ err = dsa_user_vlan_check_for_8021q_uppers(dp, vlan);
rcu_read_unlock();
if (err) {
NL_SET_ERR_MSG_MOD(extack,
- "Port already has a VLAN upper with this VID");
+ "This VLAN already has an upper configured on a bridge port");
return err;
}
}
--
2.43.0
next prev parent reply other threads:[~2025-11-10 21:45 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-10 21:44 [PATCH RFC net-next 0/3] net: dsa: deny unsupported 8021q uppers on bridge ports Jonas Gorski
2025-11-10 21:44 ` Jonas Gorski [this message]
2025-11-10 21:44 ` [PATCH RFC net-next 2/3] net: dsa: deny multiple 8021q uppers on bridged ports for the same VLAN Jonas Gorski
2025-11-10 21:44 ` [PATCH RFC net-next 3/3] net: dsa: deny 8021q uppers on vlan unaware bridged ports Jonas Gorski
2025-11-10 22:25 ` Vladimir Oltean
2025-11-11 10:06 ` Jonas Gorski
2025-11-11 11:56 ` Vladimir Oltean
2025-11-11 14:09 ` Jonas Gorski
2025-11-11 14:56 ` Vladimir Oltean
2025-11-10 23:01 ` [PATCH RFC net-next 0/3] net: dsa: deny unsupported 8021q uppers on bridge ports Vladimir Oltean
2025-11-11 9:53 ` Jonas Gorski
2025-11-11 10:29 ` Vladimir Oltean
2025-11-11 13:31 ` Jonas Gorski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251110214443.342103-2-jonas.gorski@gmail.com \
--to=jonas.gorski@gmail.com \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=f.fainelli@gmail.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=pabeni@redhat.com \
--cc=vladimir.oltean@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox