From patchwork Tue Aug 24 17:15:00 2021
X-Patchwork-Submitter: Vladimir Oltean
X-Patchwork-Id: 502166
From: Vladimir Oltean
To: netdev@vger.kernel.org
Cc: Florian Fainelli, Andrew Lunn, Vivien Didelot, Vladimir Oltean
Subject: [PATCH net-next 1/3] net: dsa: sja1105: prevent tag_8021q VLANs from being received on user ports
Date: Tue, 24 Aug 2021 20:15:00 +0300
Message-Id: <20210824171502.4122088-2-vladimir.oltean@nxp.com>
In-Reply-To: <20210824171502.4122088-1-vladimir.oltean@nxp.com>
References: <20210824171502.4122088-1-vladimir.oltean@nxp.com>

Currently it is possible for an attacker to craft packets with a fake DSA tag and send them to us, and our user ports will accept them and preserve that VLAN when transmitting towards the CPU. Then the tagger will be misled into thinking that the packets came on a different port than they really came on.

Up until recently there wasn't a good option to prevent this from happening. In SJA1105P and later, the MAC Configuration Table introduced two options called:
- DRPSITAG: Drop Single Inner Tagged Frames
- DRPSOTAG: Drop Single Outer Tagged Frames

Because the sja1105 driver classifies all VLANs as "outer VLANs" (S-Tags), it would be in principle possible to enable the DRPSOTAG bit on ports using tag_8021q, and drop on ingress all packets which have a VLAN tag. When the switch is VLAN-unaware, this works, because it uses a custom TPID of 0xdadb, so any "tagged" packets received on a user port are probably a spoofing attempt. But when the switch overall is VLAN-aware, and some ports are standalone (therefore they use tag_8021q), the TPID is 0x8100, and the port can receive a mix of untagged and VLAN-tagged packets. The untagged ones will be classified to the tag_8021q pvid, and the tagged ones to the VLAN ID from the packet header. Yes, it is true that since commit 4fbc08bd3665 ("net: dsa: sja1105: deny 8021q uppers on ports") we no longer support this mixed mode, but that is a temporary limitation which will eventually be lifted. It would be nice to not introduce one more restriction via DRPSOTAG, which would make the standalone ports of a VLAN-aware switch drop genuinely VLAN-tagged packets.

Also, the DRPSOTAG bit is not available on the first generation of switches (SJA1105E, SJA1105T). So since one of the key features of this driver is compatibility across switch generations, this makes it an even less desirable approach.

The breakthrough comes from commit bef0746cf4cc ("net: dsa: sja1105: make sure untagged packets are dropped on ingress ports with no pvid"), where it became obvious that untagged packets are not dropped even if the ingress port is not in the VMEMB_PORT vector of that port's pvid. However, VLAN-tagged packets are subject to VLAN ingress checking/dropping. This means that instead of using the catch-all DRPSOTAG bit introduced in SJA1105P, we can drop tagged packets on a per-VLAN basis, and this is already compatible with SJA1105E/T.

This patch adds an "allowed_ingress" argument to sja1105_vlan_add(), and we call it with "false" for tag_8021q VLANs on user ports. The tag_8021q VLANs still need to be allowed, of course, on ingress to DSA ports and CPU ports.

We also need to refine the drop_untagged check in sja1105_commit_pvid to make it not freak out about this new configuration. Currently it will try to keep the configuration consistent between untagged and pvid-tagged packets, so if the pvid of a port is 1 but VLAN 1 is not in VMEMB_PORT, packets tagged with VID 1 will behave the same as untagged packets, and be dropped. This behavior is what we want for ports under a VLAN-aware bridge, but for the ports with a tag_8021q pvid, we want untagged packets to be accepted, but packets tagged with a header recognized by the switch as a tag_8021q VLAN to be dropped. So only restrict the drop_untagged check to apply to the bridge_pvid, not to the tag_8021q_pvid.

Signed-off-by: Vladimir Oltean
--- drivers/net/dsa/sja1105/sja1105_main.c | 37 ++++++++++++++++++++------ 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c index 05ba65042b5f..6be9fed50ed5 100644 --- a/drivers/net/dsa/sja1105/sja1105_main.c +++ b/drivers/net/dsa/sja1105/sja1105_main.c 
@@ -120,12 +120,21 @@ static int sja1105_commit_pvid(struct dsa_switch *ds, int port) if (rc) return rc; - vlan = priv->static_config.tables[BLK_IDX_VLAN_LOOKUP].entries; + /* Only force dropping of untagged packets when the port is under a + * VLAN-aware bridge. When the tag_8021q pvid is used, we are + * deliberately removing the RX VLAN from the port's VMEMB_PORT list, + * to prevent DSA tag spoofing from the link partner. Untagged packets + * are the only ones that should be received with tag_8021q, so + * definitely don't drop them. + */ + if (pvid == priv->bridge_pvid[port]) { + vlan = priv->static_config.tables[BLK_IDX_VLAN_LOOKUP].entries; - match = sja1105_is_vlan_configured(priv, pvid); + match = sja1105_is_vlan_configured(priv, pvid); - if (match < 0 || !(vlan[match].vmemb_port & BIT(port))) - drop_untagged = true; + if (match < 0 || !(vlan[match].vmemb_port & BIT(port))) + drop_untagged = true; + } return sja1105_drop_untagged(ds, port, drop_untagged); } @@ -2343,7 +2352,7 @@ int sja1105_vlan_filtering(struct dsa_switch *ds, int port, bool enabled, } static int sja1105_vlan_add(struct sja1105_private *priv, int port, u16 vid, - u16 flags) + u16 flags, bool allowed_ingress) { struct sja1105_vlan_lookup_entry *vlan; struct sja1105_table *table; @@ -2365,7 +2374,12 @@ static int sja1105_vlan_add(struct sja1105_private *priv, int port, u16 vid, vlan[match].type_entry = SJA1110_VLAN_D_TAG; vlan[match].vlanid = vid; vlan[match].vlan_bc |= BIT(port); - vlan[match].vmemb_port |= BIT(port); + + if (allowed_ingress) + vlan[match].vmemb_port |= BIT(port); + else + vlan[match].vmemb_port &= ~BIT(port); + if (flags & BRIDGE_VLAN_INFO_UNTAGGED) vlan[match].tag_port &= ~BIT(port); else 
@@ -2437,7 +2451,7 @@ static int sja1105_bridge_vlan_add(struct dsa_switch *ds, int port, if (dsa_is_cpu_port(ds, port) || dsa_is_dsa_port(ds, port)) flags = 0; - rc = sja1105_vlan_add(priv, port, vlan->vid, flags); + rc = sja1105_vlan_add(priv, port, vlan->vid, flags, true); if (rc) return rc; 
@@ -2467,9 +2481,16 @@ static int sja1105_dsa_8021q_vlan_add(struct dsa_switch *ds, int port, u16 vid, u16 flags) { struct sja1105_private *priv = ds->priv; + bool allowed_ingress = true; int rc; - rc = sja1105_vlan_add(priv, port, vid, flags); + /* Prevent attackers from trying to inject a DSA tag from + * the outside world. + */ + if (dsa_is_user_port(ds, port)) + allowed_ingress = false; + + rc = sja1105_vlan_add(priv, port, vid, flags, allowed_ingress); if (rc) return rc;
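
Review bot: in the sja1105_commit_pvid hunk (@@ -120,12 +120,21), the new "if (pvid == priv->bridge_pvid[port])" block becomes the only place that assigns drop_untagged, so for a tag_8021q pvid the value handed to sja1105_drop_untagged() is whatever the declaration above the visible context initialised it to. Please confirm that initialiser is false, or set it explicitly next to the new comment. The branch is also selected by comparing VID values; if the function already knows which of the two pvids it picked, testing that condition directly would avoid depending on the two numbers never being equal.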
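
Review bot: in the sja1105_vlan_add hunk (@@ -2365,7 +2374,12), the else branch "vlan[match].vmemb_port &= ~BIT(port);" clears membership on an entry that is looked up by vid alone, so the outcome depends on call order if the same VID is ever added to the same port by both callers: sja1105_bridge_vlan_add() always passes true and sja1105_dsa_8021q_vlan_add() passes false on user ports, and the last caller wins. If the bridge and tag_8021q VID ranges can never overlap, a comment stating that invariant at this branch would make the clearing obviously safe.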
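
Review bot: in the sja1105_dsa_8021q_vlan_add hunk (@@ -2467,9 +2481,16), the new comment says what is being prevented but not why clearing ingress membership is safe for normal traffic. The commit message has the missing reasoning (untagged frames are classified to the pvid and are not subject to the VMEMB_PORT check), and one sentence to that effect belongs next to "allowed_ingress = false;". As a style point, the flag can be set at its declaration: "bool allowed_ingress = !dsa_is_user_port(ds, port);".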
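
A small model of the ingress behaviour the commit message of patch 1/3 describes, added here as an illustration and not taken from the driver: struct sw_model, ingress(), run_case(), the port numbers and VID 0x400 are all constructed for the example. It shows that clearing the user port's VMEMB_PORT bit for its tag_8021q VID drops frames arriving with that tag while untagged frames and the CPU port are unaffected.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIT(n)		(1u << (n))
#define MAX_VLANS	8
#define DROPPED		(-1)

/* Constructed sample values for this model, not taken from the driver. */
#define USER_PORT	0
#define CPU_PORT	4
#define TAG_8021Q_VID	0x400	/* stand-in for the user port's tag_8021q VID */

/* Only the VLAN Lookup Table fields the commit message talks about. */
struct vlan_entry {
	uint16_t vlanid;
	uint32_t vmemb_port;	/* ports allowed to receive frames tagged with vlanid */
};

struct sw_model {
	struct vlan_entry vlan[MAX_VLANS];
	int num_vlans;
	uint16_t pvid[8];
};

static struct vlan_entry *vlan_find(struct sw_model *sw, uint16_t vid)
{
	for (int i = 0; i < sw->num_vlans; i++)
		if (sw->vlan[i].vlanid == vid)
			return &sw->vlan[i];
	return NULL;
}

/* Same membership update as the patched sja1105_vlan_add(): set or clear
 * the port's bit in vmemb_port depending on allowed_ingress.
 */
static int vlan_add(struct sw_model *sw, int port, uint16_t vid,
		    bool allowed_ingress)
{
	struct vlan_entry *v = vlan_find(sw, vid);

	if (!v) {
		if (sw->num_vlans == MAX_VLANS)
			return -1;
		v = &sw->vlan[sw->num_vlans++];
		v->vlanid = vid;
		v->vmemb_port = 0;
	}
	if (allowed_ingress)
		v->vmemb_port |= BIT(port);
	else
		v->vmemb_port &= ~BIT(port);
	return 0;
}

/* Ingress decision as the commit message describes it: untagged frames are
 * classified to the pvid without a VMEMB_PORT check, tagged frames are
 * dropped unless the port is a member of the VLAN named in the header.
 * Returns the classified VID, or DROPPED.
 */
static int ingress(struct sw_model *sw, int port, bool tagged, uint16_t vid)
{
	struct vlan_entry *v;

	if (!tagged)
		return sw->pvid[port];
	v = vlan_find(sw, vid);
	if (!v || !(v->vmemb_port & BIT(port)))
		return DROPPED;
	return vid;
}

/* Install the tag_8021q VID on the user port and the CPU port, then classify
 * one frame. user_allowed_ingress=true reproduces the pre-patch setup.
 */
int run_case(bool user_allowed_ingress, int port, bool tagged)
{
	struct sw_model sw;

	memset(&sw, 0, sizeof(sw));
	sw.pvid[USER_PORT] = TAG_8021Q_VID;
	vlan_add(&sw, USER_PORT, TAG_8021Q_VID, user_allowed_ingress);
	vlan_add(&sw, CPU_PORT, TAG_8021Q_VID, true);
	return ingress(&sw, port, tagged, TAG_8021Q_VID);
}

int main(void)
{
	printf("pre-patch, user port, tagged:   %d\n", run_case(true, USER_PORT, true));
	printf("patched,   user port, tagged:   %d\n", run_case(false, USER_PORT, true));
	printf("patched,   user port, untagged: %d\n", run_case(false, USER_PORT, false));
	printf("patched,   CPU port,  tagged:   %d\n", run_case(false, CPU_PORT, true));
	return 0;
}
```
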
From patchwork Tue Aug 24 17:15:02 2021
X-Patchwork-Submitter: Vladimir Oltean
X-Patchwork-Id: 502165
From: Vladimir Oltean
To: netdev@vger.kernel.org
Cc: Florian Fainelli, Andrew Lunn, Vivien Didelot, Vladimir Oltean
Subject: [PATCH net-next 3/3] net: dsa: tag_sja1105: stop asking the sja1105 driver in sja1105_xmit_tpid
Date: Tue, 24 Aug 2021 20:15:02 +0300
Message-Id: <20210824171502.4122088-4-vladimir.oltean@nxp.com>
In-Reply-To: <20210824171502.4122088-1-vladimir.oltean@nxp.com>
References: <20210824171502.4122088-1-vladimir.oltean@nxp.com>

Introduced in commit 38b5beeae7a4 ("net: dsa: sja1105: prepare tagger for handling DSA tags and VLAN simultaneously"), the sja1105_xmit_tpid function solved quite a different problem than our needs are now.

Then, we used best-effort VLAN filtering and we were using the xmit_tpid to tunnel packets coming from an 8021q upper through the TX VLAN allocated by tag_8021q to that egress port. The need for a different VLAN protocol depending on switch revision came from the fact that this in itself was more of a hack to trick the hardware into accepting tunneled VLANs in the first place.

Right now, we deny 8021q uppers (see sja1105_prechangeupper). Even if we supported them again, we would not do that using the same method of {tunneling the VLAN on egress, retagging the VLAN on ingress} that we had in the best-effort VLAN filtering mode. It seems rather simpler that we just allocate a VLAN in the VLAN table that is simply not used by the bridge at all, or by any other port.

Anyway, I have 2 gripes with the current sja1105_xmit_tpid:

1. When sending packets on behalf of a VLAN-aware bridge (with the new TX forwarding offload framework) plus untagged (with the tag_8021q VLAN added by the tagger) packets, we can see that on SJA1105P/Q/R/S and later (which have a qinq_tpid of ETH_P_8021AD), some packets sent through the DSA master have a VLAN protocol of 0x8100 and others of 0x88a8. This is strange and there is no reason for it now. If we have a bridge and are therefore forced to send using that bridge's TPID, we can as well blend with that bridge's VLAN protocol for all packets.

2. The sja1105_xmit_tpid introduces a dependency on the sja1105 driver, because it looks inside dp->priv. It is desirable to keep as much separation between taggers and switch drivers as possible. Now it doesn't do that anymore.

Signed-off-by: Vladimir Oltean
--- drivers/net/dsa/sja1105/sja1105.h | 6 ---- drivers/net/dsa/sja1105/sja1105_main.c | 10 ------- drivers/net/dsa/sja1105/sja1105_spi.c | 10 ------- include/linux/dsa/sja1105.h | 1 - net/dsa/tag_sja1105.c | 38 +++++++++++++++++++++++--- 5 files changed, 34 insertions(+), 31 deletions(-) diff --git a/drivers/net/dsa/sja1105/sja1105.h b/drivers/net/dsa/sja1105/sja1105.h index 2e899c9f036d..5e5d24e7c02b 100644 --- a/drivers/net/dsa/sja1105/sja1105.h +++ b/drivers/net/dsa/sja1105/sja1105.h @@ -115,12 +115,6 @@ struct sja1105_info { const struct sja1105_dynamic_table_ops *dyn_ops; const struct sja1105_table_ops *static_ops; const struct sja1105_regs *regs; - /* Both E/T and P/Q/R/S have quirks when it comes to popping the S-Tag - * from double-tagged frames. E/T will pop it only when it's equal to - * TPID from the General Parameters Table, while P/Q/R/S will only - * pop it when it's equal to TPID2. - */ - u16 qinq_tpid; bool can_limit_mcast_flood; int (*reset_cmd)(struct dsa_switch *ds); int (*setup_rgmii_delay)(const void *ctx, int port); diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c index 976f06462223..2f8cc6686c38 100644 
--- a/drivers/net/dsa/sja1105/sja1105_main.c +++ b/drivers/net/dsa/sja1105/sja1105_main.c @@ -2295,15 +2295,6 @@ int sja1105_vlan_filtering(struct dsa_switch *ds, int port, bool enabled, tpid2 = ETH_P_SJA1105; } - for (port = 0; port < ds->num_ports; port++) { - struct sja1105_port *sp = &priv->ports[port]; - - if (enabled) - sp->xmit_tpid = priv->info->qinq_tpid; - else - sp->xmit_tpid = ETH_P_SJA1105; - } - if (priv->vlan_aware == enabled) return 0; @@ -2988,7 +2979,6 @@ static int sja1105_setup_ports(struct sja1105_private *priv) } sp->xmit_worker = worker; skb_queue_head_init(&sp->xmit_queue); - sp->xmit_tpid = ETH_P_SJA1105; } return 0; diff --git a/drivers/net/dsa/sja1105/sja1105_spi.c b/drivers/net/dsa/sja1105/sja1105_spi.c index 08cc5dbf2fa6..d60a530d0272 100644 --- a/drivers/net/dsa/sja1105/sja1105_spi.c +++ b/drivers/net/dsa/sja1105/sja1105_spi.c @@ -575,7 +575,6 @@ const struct sja1105_info sja1105e_info = { .part_no = SJA1105ET_PART_NO, .static_ops = sja1105e_table_ops, .dyn_ops = sja1105et_dyn_ops, - .qinq_tpid = ETH_P_8021Q, .tag_proto = DSA_TAG_PROTO_SJA1105, .can_limit_mcast_flood = false, .ptp_ts_bits = 24, @@ -608,7 +607,6 @@ const struct sja1105_info sja1105t_info = { .part_no = SJA1105ET_PART_NO, .static_ops = sja1105t_table_ops, .dyn_ops = sja1105et_dyn_ops, - .qinq_tpid = ETH_P_8021Q, .tag_proto = DSA_TAG_PROTO_SJA1105, .can_limit_mcast_flood = false, .ptp_ts_bits = 24, @@ -641,7 +639,6 @@ const struct sja1105_info sja1105p_info = { .part_no = SJA1105P_PART_NO, .static_ops = sja1105p_table_ops, .dyn_ops = sja1105pqrs_dyn_ops, - .qinq_tpid = ETH_P_8021AD, .tag_proto = DSA_TAG_PROTO_SJA1105, .can_limit_mcast_flood = true, .ptp_ts_bits = 32, @@ -675,7 +672,6 @@ const struct sja1105_info sja1105q_info = { .part_no = SJA1105Q_PART_NO, .static_ops = sja1105q_table_ops, .dyn_ops = sja1105pqrs_dyn_ops, - .qinq_tpid = ETH_P_8021AD, .tag_proto = DSA_TAG_PROTO_SJA1105, .can_limit_mcast_flood = true, .ptp_ts_bits = 32, 
@@ -709,7 +705,6 @@ const struct sja1105_info sja1105r_info = { .part_no = SJA1105R_PART_NO, .static_ops = sja1105r_table_ops, .dyn_ops = sja1105pqrs_dyn_ops, - .qinq_tpid = ETH_P_8021AD, .tag_proto = DSA_TAG_PROTO_SJA1105, .can_limit_mcast_flood = true, .ptp_ts_bits = 32, @@ -747,7 +742,6 @@ const struct sja1105_info sja1105s_info = { .static_ops = sja1105s_table_ops, .dyn_ops = sja1105pqrs_dyn_ops, .regs = &sja1105pqrs_regs, - .qinq_tpid = ETH_P_8021AD, .tag_proto = DSA_TAG_PROTO_SJA1105, .can_limit_mcast_flood = true, .ptp_ts_bits = 32, @@ -784,7 +778,6 @@ const struct sja1105_info sja1110a_info = { .static_ops = sja1110_table_ops, .dyn_ops = sja1110_dyn_ops, .regs = &sja1110_regs, - .qinq_tpid = ETH_P_8021AD, .tag_proto = DSA_TAG_PROTO_SJA1110, .can_limit_mcast_flood = true, .multiple_cascade_ports = true, @@ -835,7 +828,6 @@ const struct sja1105_info sja1110b_info = { .static_ops = sja1110_table_ops, .dyn_ops = sja1110_dyn_ops, .regs = &sja1110_regs, - .qinq_tpid = ETH_P_8021AD, .tag_proto = DSA_TAG_PROTO_SJA1110, .can_limit_mcast_flood = true, .multiple_cascade_ports = true, @@ -886,7 +878,6 @@ const struct sja1105_info sja1110c_info = { .static_ops = sja1110_table_ops, .dyn_ops = sja1110_dyn_ops, .regs = &sja1110_regs, - .qinq_tpid = ETH_P_8021AD, .tag_proto = DSA_TAG_PROTO_SJA1110, .can_limit_mcast_flood = true, .multiple_cascade_ports = true, @@ -937,7 +928,6 @@ const struct sja1105_info sja1110d_info = { .static_ops = sja1110_table_ops, .dyn_ops = sja1110_dyn_ops, .regs = &sja1110_regs, - .qinq_tpid = ETH_P_8021AD, .tag_proto = DSA_TAG_PROTO_SJA1110, .can_limit_mcast_flood = true, .multiple_cascade_ports = true, diff --git a/include/linux/dsa/sja1105.h b/include/linux/dsa/sja1105.h index 8c5601f1c979..171106202fe5 100644 --- a/include/linux/dsa/sja1105.h +++ b/include/linux/dsa/sja1105.h @@ -67,7 +67,6 @@ struct sja1105_port { struct sja1105_tagger_data *data; struct dsa_port *dp; bool hwts_tx_en; - u16 xmit_tpid; }; enum sja1110_meta_tstamp { 
diff --git a/net/dsa/tag_sja1105.c b/net/dsa/tag_sja1105.c index a49308fbd19f..c054f48541c8 100644 --- a/net/dsa/tag_sja1105.c +++ b/net/dsa/tag_sja1105.c @@ -133,14 +133,44 @@ static struct sk_buff *sja1105_defer_xmit(struct dsa_port *dp, return NULL; } +/* Send VLAN tags with a TPID that blends in with whatever VLAN protocol a + * bridge spanning ports of this switch might have. + */ static u16 sja1105_xmit_tpid(struct dsa_port *dp) { - struct sja1105_port *sp = dp->priv; + struct dsa_switch *ds = dp->ds; + struct dsa_port *other_dp; + u16 proto; + + /* Since VLAN awareness is global, then if this port is VLAN-unaware, + * all ports are. Use the VLAN-unaware TPID used for tag_8021q. + */ + if (!dsa_port_is_vlan_filtering(dp)) + return ETH_P_SJA1105; + + /* Port is VLAN-aware, so there is a bridge somewhere (a single one, + * we're sure about that). It may not be on this port though, so we + * need to find it. + */ + list_for_each_entry(other_dp, &ds->dst->ports, list) { + if (other_dp->ds != ds) + continue; + + if (!other_dp->bridge_dev) + continue; + + /* Error is returned only if CONFIG_BRIDGE_VLAN_FILTERING, + * which seems pointless to handle, as our port cannot become + * VLAN-aware in that case. + */ + br_vlan_get_proto(other_dp->bridge_dev, &proto); + + return proto; + } - if (unlikely(!dsa_port_is_sja1105(dp))) - return ETH_P_8021Q; + WARN_ONCE(1, "Port is VLAN-aware but cannot find associated bridge!\n"); - return sp->xmit_tpid; + return ETH_P_SJA1105; } static struct sk_buff *sja1105_imprecise_xmit(struct sk_buff *skb,
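
Review bot: in the struct sja1105_info hunk (@@ -115,12 +115,6 of drivers/net/dsa/sja1105/sja1105.h), removing qinq_tpid also deletes the comment recording the hardware quirk that E/T pops the S-Tag only when it equals TPID while P/Q/R/S pops it only when it equals TPID2. If that quirk still governs how tpid and tpid2 are programmed in sja1105_vlan_filtering(), consider moving the comment there instead of dropping it with the field.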
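
Review bot: in the sja1105_xmit_tpid hunk (@@ -133,14 +133,44 of net/dsa/tag_sja1105.c), proto is declared without an initialiser and the return value of br_vlan_get_proto() is ignored, so if the call fails without writing to it, "return proto;" hands an indeterminate value back as the TPID. Initialising proto (for example to ETH_P_8021Q) or checking the return code would make the failure case well defined. The comment above the call reads "Error is returned only if CONFIG_BRIDGE_VLAN_FILTERING" and appears to be missing the condition it means to state. Separately, the function now walks ds->dst->ports on every call; if it is reached from the transmit path, a line in the comment about the cost and about what keeps the list stable during the walk would help.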