From: Jonas Gorski
To: Andrew Lunn, Vladimir Oltean, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, Florian Fainelli
Cc: Vladimir Oltean, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: [PATCH RFC/RFT net-next v2 1/5] net: dsa: deny bridge VLAN with existing 8021q upper on any port
Date: Mon, 1 Dec 2025 11:28:13 +0100
Message-ID: <20251201102817.301552-2-jonas.gorski@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251201102817.301552-1-jonas.gorski@gmail.com>
References: <20251201102817.301552-1-jonas.gorski@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Currently adding a bridge vlan to a port only checks for an 8021q upper of that vlan on the port, but does not check for matching 8021q uppers on other ports.

This leads to the possibility of configuring shared vlans on ports after adding uppers.

E.g. adding the upper after configuring the vlan would be rejected:

$ ip link add br0 type bridge vlan filtering 1
$ ip link set swp1 master br0
$ ip link set swp2 master br0
$ bridge vlan add dev swp2 vid 100
$ ip link add swp1.100 link swp1 type vlan id 100
RTNETLINK answers: Resource busy

But the other way around would currently be accepted:

$ ip link add br0 type bridge vlan filtering 1
$ ip link set swp1 master br0
$ ip link set swp2 master br0
$ ip link add swp1.100 link swp1 type vlan id 100
$ bridge vlan add dev swp2 vid 100
$ bridge vlan
port              vlan-id
swp2              1 PVID Egress Untagged
                  100
swp1              1 PVID Egress Untagged
br0               1 PVID Egress Untagged

Fix this by checking all members of the bridge for a matching vlan upper, and not the port itself.
After:

$ ip link add br0 type bridge vlan filtering 1
$ ip link set swp1 master br0
$ ip link set swp2 master br0
$ ip link add swp1.100 link swp1 type vlan id 100
$ bridge vlan add dev swp2 vid 100
RTNETLINK answers: Resource busy

Fixes: 1ce39f0ee8da ("net: dsa: convert denying bridge VLAN with existing 8021q upper to PRECHANGEUPPER")
Signed-off-by: Jonas Gorski
---
v1 -> v2:
* no changes

 net/dsa/user.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/net/dsa/user.c b/net/dsa/user.c index f59d66f0975d..fa1fe0f1493a 100644 --- a/net/dsa/user.c +++ b/net/dsa/user.c @@ -653,21 +653,30 @@ static int dsa_user_port_attr_set(struct net_device *= dev, const void *ctx, =20 /* Must be called under rcu_read_lock() */ static int -dsa_user_vlan_check_for_8021q_uppers(struct net_device *user, +dsa_user_vlan_check_for_8021q_uppers(struct dsa_port *dp, const struct switchdev_obj_port_vlan *vlan) { - struct net_device *upper_dev; - struct list_head *iter; + struct dsa_switch *ds =3D dp->ds; + struct dsa_port *other_dp; =20 - netdev_for_each_upper_dev_rcu(user, upper_dev, iter) { - u16 vid; + dsa_switch_for_each_user_port(other_dp, ds) { + struct net_device *user =3D other_dp->user; + struct net_device *upper_dev; + struct list_head *iter; =20 - if (!is_vlan_dev(upper_dev)) + if (!dsa_port_bridge_same(dp, other_dp)) continue; =20 - vid =3D vlan_dev_vlan_id(upper_dev); - if (vid =3D=3D vlan->vid) - return -EBUSY; + netdev_for_each_upper_dev_rcu(user, upper_dev, iter) { + u16 vid; + + if (!is_vlan_dev(upper_dev)) + continue; + + vid =3D vlan_dev_vlan_id(upper_dev); + if (vid =3D=3D vlan->vid) + return -EBUSY; + } } =20 return 0; 
@@ -693,11 +702,11 @@ static int dsa_user_vlan_add(struct net_device *dev, */ if (br_vlan_enabled(dsa_port_bridge_dev_get(dp))) { rcu_read_lock(); - err =3D dsa_user_vlan_check_for_8021q_uppers(dev, vlan); + err =3D dsa_user_vlan_check_for_8021q_uppers(dp, vlan); rcu_read_unlock(); if (err) { NL_SET_ERR_MSG_MOD(extack, - "Port already has a VLAN upper with this VID"); + "This VLAN already has an upper configured on a bridge port"); return err; } } --=20 2.43.0
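
Review bot: In the first hunk (dsa_user_vlan_check_for_8021q_uppers), the new outer loop is dsa_switch_for_each_user_port(other_dp, ds) with ds taken from dp->ds, so only user ports on the same switch as dp are scanned, while the commit message describes the fix as checking "all members of the bridge". If a bridge can contain user ports of another switch in the same DSA tree, an 8021q upper with the same VID on such a port still goes unnoticed and the shared-VLAN configuration the patch wants to deny remains reachable. Consider iterating the tree instead (dsa_tree_for_each_user_port over dp->ds->dst) while keeping the dsa_port_bridge_same(dp, other_dp) filter, or state in the commit message why single-switch scope is sufficient. The comment above the function could also note that it now inspects every bridge member rather than only the port being configured.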
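
Review bot: In the second hunk (dsa_user_vlan_add), the new extack string "This VLAN already has an upper configured on a bridge port" does not say which port holds the conflicting upper, and now that the check spans every bridge member that is the detail a user needs to resolve the -EBUSY. The helper only returns an error code, so the caller has nothing to report; consider having dsa_user_vlan_check_for_8021q_uppers() hand back the offending port or upper device and formatting its name into the message. The "After:" transcript in the commit message shows only "RTNETLINK answers: Resource busy", so including the extack output there would also document what the user actually sees.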