From: Maoyi Xie <maoyixie.tju@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
Maoyi Xie <maoyixie.tju@gmail.com>
Subject: [PATCH wireless-next] wifi: nl80211: re-check wiphy netns in testmode and vendor dump continuations
Date: Wed, 27 May 2026 21:33:58 +0800 [thread overview]
Message-ID: <20260527133358.2853238-1-maoyixie.tju@gmail.com> (raw)
Commit 79240f3f6d76 ("wifi: nl80211: re-check wiphy netns in
nl80211_prepare_wdev_dump() continuation") fixed one dumpit path that
looked the wiphy up by index on a later call without confirming it was
still in the caller's netns. Two more dumpit paths have the same gap.
nl80211_testmode_dump() and nl80211_prepare_vendor_dump() both keep the
wiphy index in cb->args[] and look it up again on later calls, through
cfg80211_rdev_by_wiphy_idx() and wiphy_idx_to_wiphy(). The first call
binds to the caller's netns. A later call does not check it again. In
between, the wiphy can move to another netns via
NL80211_CMD_SET_WIPHY_NETNS.
Add the same net_eq() check to both. On a mismatch, return -ENODEV and
the dump ends.
No mainline driver registers .testmode_dump or
wiphy_vendor_command.dumpit, so these paths are not reachable today.
Drivers outside the tree can register either.
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
net/wireless/nl80211.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index f334cdef8958..d462e0b784ad 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13420,6 +13420,16 @@ static int nl80211_testmode_dump(struct sk_buff *skb,
err = -ENOENT;
goto out_err;
}
+
+ /*
+ * The wiphy may have moved netns between dumpit
+ * invocations (via NL80211_CMD_SET_WIPHY_NETNS), so
+ * re-check that it still matches the caller's netns.
+ */
+ if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk))) {
+ err = -ENODEV;
+ goto out_err;
+ }
} else {
attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
if (!attrbuf) {
@@ -17382,6 +17392,15 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
if (!wiphy)
return -ENODEV;
+
+ /*
+ * The wiphy may have moved netns between dumpit
+ * invocations (via NL80211_CMD_SET_WIPHY_NETNS), so
+ * re-check that it still matches the caller's netns.
+ */
+ if (!net_eq(wiphy_net(wiphy), sock_net(skb->sk)))
+ return -ENODEV;
+
*rdev = wiphy_to_rdev(wiphy);
*wdev = NULL;
--
2.34.1
reply other threads:[~2026-05-27 13:34 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260527133358.2853238-1-maoyixie.tju@gmail.com \
--to=maoyixie.tju@gmail.com \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox