Commit
79240f3f6d76 ("wifi: nl80211: re-check wiphy netns in
nl80211_prepare_wdev_dump() continuation") fixed one dumpit path that
looked the wiphy up by index on a later call without confirming it was
still in the caller's netns. Two more dumpit paths have the same gap.
nl80211_testmode_dump() and nl80211_prepare_vendor_dump() both keep the
wiphy index in cb->args[] and look it up again on later calls, through
cfg80211_rdev_by_wiphy_idx() and wiphy_idx_to_wiphy(). The first call
binds to the caller's netns. A later call does not check it again. In
between, the wiphy can move to another netns via
NL80211_CMD_SET_WIPHY_NETNS.
Add the same net_eq() check to both. On a mismatch, return -ENODEV and
the dump ends.
No mainline driver registers .testmode_dump or
wiphy_vendor_command.dumpit, so these paths are not reachable today.
Drivers outside the tree can register either.
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/20260527133358.2853238-1-maoyixie.tju@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
err = -ENOENT;
goto out_err;
}
+
+ /*
+ * The wiphy may have moved netns between dumpit
+ * invocations (via NL80211_CMD_SET_WIPHY_NETNS), so
+ * re-check that it still matches the caller's netns.
+ */
+ if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk))) {
+ err = -ENODEV;
+ goto out_err;
+ }
} else {
attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
if (!attrbuf) {
if (!wiphy)
return -ENODEV;
+
+ /*
+ * The wiphy may have moved netns between dumpit
+ * invocations (via NL80211_CMD_SET_WIPHY_NETNS), so
+ * re-check that it still matches the caller's netns.
+ */
+ if (!net_eq(wiphy_net(wiphy), sock_net(skb->sk)))
+ return -ENODEV;
+
*rdev = wiphy_to_rdev(wiphy);
*wdev = NULL;
projects / thirdparty / kernel / linux.git / commitdiff
