Commit 79240f3f authored May 06, 2026 by Maoyi Xie Committed by Johannes Berg May 06, 2026

wifi: nl80211: re-check wiphy netns in nl80211_prepare_wdev_dump() continuation

NL80211_CMD_GET_SCAN is implemented as a multi-call dumpit. The first
invocation of nl80211_prepare_wdev_dump() validates the requested wdev
against the caller's netns via __cfg80211_wdev_from_attrs(). Subsequent
invocations look up the same wiphy by its global index and do not check
that the wiphy is still in the caller's netns.

Add the same filter to the continuation path. If the wiphy's netns no
longer matches the caller's, return -ENODEV and the netlink dump
machinery terminates the walk cleanly.

Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Link: https://patch.msgid.link/20260506064854.2207105-3-maoyixie.tju@gmail.com

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 15994bb0

net/wireless/nl80211.c

+12 −0

Original line number	Diff line number	Diff line
		@@ -1276,6 +1276,18 @@ static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
		rtnl_unlock();
		return -ENODEV;
		}

		/*
		* The first invocation validated the wdev's netns against
		* the caller via __cfg80211_wdev_from_attrs(). The wiphy
		* may have moved netns between dumpit invocations (via
		* NL80211_CMD_SET_WIPHY_NETNS), so re-check here.
		*/
		if (!net_eq(wiphy_net(wiphy), sock_net(cb->skb->sk))) {
		rtnl_unlock();
		return -ENODEV;
		}

		*rdev = wiphy_to_rdev(wiphy);
		*wdev = NULL;