[PATCH] devlink: fix refcount leak in devlink_nl_reload_doit()

[PATCH] devlink: fix refcount leak in devlink_nl_reload_doit()

[WenTao Liang]

When devlink_nl_reload_doit() is asked to change network namespace
(via DEVLINK_ATTR_NETNS_*) but the reload action is not
DEVLINK_RELOAD_ACTION_DRIVER_REINIT, it calls devlink_netns_get()
which acquires a reference on the destination net namespace. Then,
after detecting that namespace change is only supported for reinit
action, it returns -EOPNOTSUPP without releasing the reference, thus
leaking the net namespace.

Fix the leak by releasing the reference with put_net() before
returning the error, for example by adding it directly on that error
path. A cleaner alternative is to introduce a common cleanup label
that performs the put_net() if the pointer is non-NULL.

Cc: stable@vger.kernel.org
Fixes: 2edd92570441 ("devlink: don't allow to change net namespace for FW_ACTIVATE reload action")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
---
 net/devlink/dev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/devlink/dev.c b/net/devlink/dev.c
index 57b2b8f03543..fd5633fa88ec 100644
--- a/net/devlink/dev.c
+++ b/net/devlink/dev.c
@@ -578,6 +578,7 @@ int devlink_nl_reload_doit(struct sk_buff *skb, struct genl_info *info)
 		    action != DEVLINK_RELOAD_ACTION_DRIVER_REINIT) {
 			NL_SET_ERR_MSG_MOD(info->extack,
 					   "Changing namespace is only supported for reinit action");
+			put_net(dest_net);
 			return -EOPNOTSUPP;
 		}
 	}
-- 
2.50.1 (Apple Git-155)

Re: [PATCH] devlink: fix refcount leak in devlink_nl_reload_doit()

[Jiri Pirko]

Thu, Jun 11, 2026 at 06:25:57PM +0200, vulab@iscas.ac.cn wrote:
>When devlink_nl_reload_doit() is asked to change network namespace
>(via DEVLINK_ATTR_NETNS_*) but the reload action is not
>DEVLINK_RELOAD_ACTION_DRIVER_REINIT, it calls devlink_netns_get()
>which acquires a reference on the destination net namespace. Then,
>after detecting that namespace change is only supported for reinit
>action, it returns -EOPNOTSUPP without releasing the reference, thus
>leaking the net namespace.
>
>Fix the leak by releasing the reference with put_net() before
>returning the error, for example by adding it directly on that error
>path. A cleaner alternative is to introduce a common cleanup label
>that performs the put_net() if the pointer is non-NULL.

This para is very odd. Your AI is probably providing you 2 alternatives.
Please adjust. Fix looks fine to me as is.


>
>Cc: stable@vger.kernel.org

No need to cc that, afaik.


>Fixes: 2edd92570441 ("devlink: don't allow to change net namespace for FW_ACTIVATE reload action")
>Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
>---
> net/devlink/dev.c | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/net/devlink/dev.c b/net/devlink/dev.c
>index 57b2b8f03543..fd5633fa88ec 100644
>--- a/net/devlink/dev.c
>+++ b/net/devlink/dev.c
>@@ -578,6 +578,7 @@ int devlink_nl_reload_doit(struct sk_buff *skb, struct genl_info *info)
> 		    action != DEVLINK_RELOAD_ACTION_DRIVER_REINIT) {
> 			NL_SET_ERR_MSG_MOD(info->extack,
> 					   "Changing namespace is only supported for reinit action");
>+			put_net(dest_net);
> 			return -EOPNOTSUPP;
> 		}
> 	}
>-- 
>2.50.1 (Apple Git-155)
>