From: Jonas Gorski
To: Andrew Lunn, Vladimir Oltean, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Florian Fainelli
Cc: Vladimir Oltean, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH RFC net-next 3/3] net: dsa: deny 8021q uppers on vlan unaware bridged ports
Date: Mon, 10 Nov 2025 22:44:43 +0100
Message-ID: <20251110214443.342103-4-jonas.gorski@gmail.com>
In-Reply-To: <20251110214443.342103-1-jonas.gorski@gmail.com>
References: <20251110214443.342103-1-jonas.gorski@gmail.com>

Documentation/networking/switchdev.rst says:

- with VLAN filtering turned off, the bridge will process all ingress
  traffic for the port, except for the traffic tagged with a VLAN ID
  destined for a VLAN upper.

But there is currently no way to configure this in dsa. The vlan upper
will trigger a vlan add to the driver, but it is the same message as a
newly configured bridge VLAN.

Therefore traffic tagged with the VID will continue to be forwarded to
other ports, and therefore we cannot support VLAN uppers on ports of
VLAN unaware bridges.

Signed-off-by: Jonas Gorski --- net/dsa/port.c | 23 ++++------------------- net/dsa/user.c | 38 +++++++++++++++++++++++++++++++++++++- 2 files changed, 41 insertions(+), 20 deletions(-) diff --git a/net/dsa/port.c b/net/dsa/port.c index 082573ae6864..d7746885f7e0 100644 --- a/net/dsa/port.c +++ b/net/dsa/port.c @@ -728,35 +728,20 @@ static bool dsa_port_can_apply_vlan_filtering(struct = dsa_port *dp, { struct dsa_switch *ds =3D dp->ds; struct dsa_port *other_dp; - int err; =20 - /* VLAN awareness was off, so the question is "can we turn it on". + /* VLAN awareness was on, so the question is "can we turn it off". * We may have had 8021q uppers, those need to go. Make sure we don't * enter an inconsistent state: deny changing the VLAN awareness state * as long as we have 8021q uppers. */ - if (vlan_filtering && dsa_port_is_user(dp)) { - struct net_device *br =3D dsa_port_bridge_dev_get(dp); + if (!vlan_filtering && dsa_port_is_user(dp)) { struct net_device *upper_dev, *user =3D dp->user; struct list_head *iter; =20 netdev_for_each_upper_dev_rcu(user, upper_dev, iter) { - struct bridge_vlan_info br_info; - u16 vid; - - if (!is_vlan_dev(upper_dev)) - continue; - - vid =3D vlan_dev_vlan_id(upper_dev); - - /* br_vlan_get_info() returns -EINVAL or -ENOENT if the - * device, respectively the VID is not found, returning - * 0 means success, which is a failure for us here. - */ - err =3D br_vlan_get_info(br, vid, &br_info); - if (err =3D=3D 0) { + if (is_vlan_dev(upper_dev)) { NL_SET_ERR_MSG_MOD(extack, - "Must first remove VLAN uppers having VIDs also present in bridge= "); + "Must first remove VLAN uppers from bridged ports"); return false; } } diff --git a/net/dsa/user.c b/net/dsa/user.c index e8c6452780b0..35265829aa90 100644 --- a/net/dsa/user.c +++ b/net/dsa/user.c 
@@ -3156,6 +3156,30 @@ dsa_prevent_bridging_8021q_upper(struct net_device *= dev, return NOTIFY_DONE; } =20 +/* Must be called under rcu_read_lock() */ +static int +dsa_user_vlan_check_for_any_8021q_uppers(struct dsa_port *dp) +{ + struct dsa_switch *ds =3D dp->ds; + struct dsa_port *other_dp; + + dsa_switch_for_each_user_port(other_dp, ds) { + struct net_device *user =3D other_dp->user; + struct net_device *upper_dev; + struct list_head *iter; + + if (!dsa_port_bridge_same(dp, other_dp)) + continue; + + netdev_for_each_upper_dev_rcu(user, upper_dev, iter) { + if (is_vlan_dev(upper_dev)) + return -EBUSY; + } + } + + return 0; +} + static int dsa_user_check_8021q_upper(struct net_device *dev, struct netdev_notifier_changeupper_info *info) @@ -3167,10 +3191,22 @@ dsa_user_check_8021q_upper(struct net_device *dev, int err =3D NOTIFY_DONE; u16 vid; =20 - if (!br || !br_vlan_enabled(br)) + if (!br) return NOTIFY_DONE; =20 extack =3D netdev_notifier_info_to_extack(&info->info); + + if (!br_vlan_enabled(br)) { + rcu_read_lock(); + err =3D dsa_user_vlan_check_for_any_8021q_uppers(dp); + rcu_read_unlock(); + if (err) { + NL_SET_ERR_MSG_MOD(extack, + "VLAN uppers not supported with non filtering bridges"); + return notifier_from_errno(err); + } + } + vid =3D vlan_dev_vlan_id(info->upper_dev); =20 /* br_vlan_get_info() returns -EINVAL or -ENOENT if the --=20 2.43.0
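
Review bot: In the net/dsa/port.c hunk, inverting the test to `!vlan_filtering` leaves the enable path with no upper check at all, so the removed VID-overlap protection now rests entirely on 8021q uppers never existing while filtering is off. The visible hunks only reject adding an upper to a port that is already in a VLAN-unaware bridge; nothing shown here rejects a port that already carries an 8021q upper when it joins such a bridge, after which filtering could be turned on with an upper whose VID is also in the bridge. Either state in the comment where that case is refused, or keep a check on the enable path. The rewritten comment also still reads "We may have had 8021q uppers, those need to go", which no longer matches a check that now runs when awareness is being turned off.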
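
Review bot: In the new helper dsa_user_vlan_check_for_any_8021q_uppers() (first net/dsa/user.c hunk), the result depends only on uppers that already exist on ports of the same bridge and never on the upper being added, so the helper returns 0 when no port in the bridge has an upper yet. If dsa_user_check_8021q_upper() runs before the new upper is linked, the first 8021q upper on a VLAN-unaware bridge passes this check and only later ones get -EBUSY, which is not what the subject line promises. Since the caller is already handling an 8021q upper, rejecting directly when `!br_vlan_enabled(br)` would be simpler and would not need the RCU walk; if the scan is intentional, the comment above the helper should say what state it is meant to catch.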
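
Review bot: In the dsa_user_check_8021q_upper() hunk, the errno and the extack text disagree: the helper returns -EBUSY while the message says "VLAN uppers not supported with non filtering bridges". -EBUSY suggests a transient condition the user can clear, whereas the commit message describes a configuration that cannot be supported, so -EOPNOTSUPP fits better. The wording could also follow the rest of the series and say "VLAN-unaware bridges". Separately, nothing in the visible lines looks at info->linking before the new block, so confirm that removing an existing upper from a port in a VLAN-unaware bridge cannot reach this rejection.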