From: Maoyi Xie
Date: Wed, 27 May 2026 13:33:58 +0000 (+0800)
Subject: wifi: nl80211: re-check wiphy netns in testmode and vendor dump continuations
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f681502c79173a79c3de16be274eca83e8fd8d3f;p=thirdparty%2Flinux.git

wifi: nl80211: re-check wiphy netns in testmode and vendor dump continuations

Commit 79240f3f6d76 ("wifi: nl80211: re-check wiphy netns in nl80211_prepare_wdev_dump() continuation") fixed one dumpit path that looked the wiphy up by index on a later call without confirming it was still in the caller's netns.

Two more dumpit paths have the same gap. nl80211_testmode_dump() and nl80211_prepare_vendor_dump() both keep the wiphy index in cb->args[] and look it up again on later calls, through cfg80211_rdev_by_wiphy_idx() and wiphy_idx_to_wiphy(). The first call binds to the caller's netns. A later call does not check it again. In between, the wiphy can move to another netns via NL80211_CMD_SET_WIPHY_NETNS.

Add the same net_eq() check to both. On a mismatch, return -ENODEV and the dump ends.

No mainline driver registers .testmode_dump or wiphy_vendor_command.dumpit, so these paths are not reachable today. Drivers outside the tree can register either.

Signed-off-by: Maoyi Xie
Link: https://patch.msgid.link/20260527133358.2853238-1-maoyixie.tju@gmail.com
Signed-off-by: Johannes Berg
---

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c272a2fbad03f..cdb5e9b77143d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13730,6 +13730,16 @@ static int nl80211_testmode_dump(struct sk_buff *skb, err = -ENOENT; goto out_err; } + + /* + * The wiphy may have moved netns between dumpit + * invocations (via NL80211_CMD_SET_WIPHY_NETNS), so + * re-check that it still matches the caller's netns. + */ + if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk))) { + err = -ENODEV; + goto out_err; + } } else { attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR); if (!attrbuf) { @@ -17771,6 +17781,15 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb, if (!wiphy) return -ENODEV; + + /* + * The wiphy may have moved netns between dumpit + * invocations (via NL80211_CMD_SET_WIPHY_NETNS), so + * re-check that it still matches the caller's netns. + */ + if (!net_eq(wiphy_net(wiphy), sock_net(skb->sk))) + return -ENODEV; + *rdev = wiphy_to_rdev(wiphy); *wdev = NULL;
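Review bot: in the nl80211_testmode_dump() continuation branch, the new netns mismatch sets err = -ENODEV while the failed lookup just above it sets err = -ENOENT, so a caller in the original netns can tell a wiphy that moved to another netns apart from one that no longer exists. If that distinction is not intended, return the same error in both cases. If -ENODEV was chosen to match nl80211_prepare_vendor_dump() and the earlier fix, say so in the comment so the difference from the adjacent -ENOENT does not look accidental.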
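Review bot: the comment and net_eq() test added after the !wiphy check in nl80211_prepare_vendor_dump() are a verbatim copy of the ones added to nl80211_testmode_dump(), and the commit message says the same check already went in with 79240f3f6d76. Consider one small helper that takes the wiphy and the skb and reports whether the netns still matches, so the explanation lives in one place and a future dump continuation path is less likely to omit the check.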