Currently, the return value of device_rename() is not acted upon.
To avoid an inconsistent state in case of failure, roll back the changes
made before the device_rename() call.
Found by Linux Verification Center (linuxtesting.org).
Fixes: 04600794958f ("cfg80211: support sysfs namespaces")
Suggested-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
---
net/wireless/core.c | 47 +++++++++++++++++++++++++--------------------
1 file changed, 26 insertions(+), 21 deletions(-)
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 9e6b31903121..e4d353ec9436 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -169,27 +169,17 @@ int cfg80211_switch_netns(struct cfg80211_registered_device *rdev,
wdev->netdev->netns_immutable = true;
}
- if (err) {
- /* failed -- clean up to old netns */
- net = wiphy_net(&rdev->wiphy);
-
- list_for_each_entry_continue_reverse(wdev,
- &rdev->wiphy.wdev_list,
- list) {
- if (!wdev->netdev)
- continue;
- wdev->netdev->netns_immutable = false;
- err = dev_change_net_namespace(wdev->netdev, net,
- "wlan%d");
- WARN_ON(err);
- wdev->netdev->netns_immutable = true;
- }
-
- return err;
- }
+ if (err)
+ goto errout;
guard(wiphy)(&rdev->wiphy);
+ err = device_rename(&rdev->wiphy.dev, dev_name(&rdev->wiphy.dev));
+ WARN_ON(err);
+
+ if (err)
+ goto errout;
+
list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
if (!wdev->netdev)
continue;
@@ -200,9 +190,6 @@ int cfg80211_switch_netns(struct cfg80211_registered_device *rdev,
wiphy_net_set(&rdev->wiphy, net);
- err = device_rename(&rdev->wiphy.dev, dev_name(&rdev->wiphy.dev));
- WARN_ON(err);
-
nl80211_notify_wiphy(rdev, NL80211_CMD_NEW_WIPHY);
list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
@@ -212,6 +199,24 @@ int cfg80211_switch_netns(struct cfg80211_registered_device *rdev,
}
return 0;
+
+errout:
+ /* failed -- clean up to old netns */
+ net = wiphy_net(&rdev->wiphy);
+
+ list_for_each_entry_continue_reverse(wdev,
+ &rdev->wiphy.wdev_list,
+ list) {
+ if (!wdev->netdev)
+ continue;
+ wdev->netdev->netns_immutable = false;
+ err = dev_change_net_namespace(wdev->netdev, net,
+ "wlan%d");
+ WARN_ON(err);
+ wdev->netdev->netns_immutable = true;
+ }
+
+ return err;
}
static void cfg80211_rfkill_poll(struct rfkill *rfkill, void *data)
--
2.39.5On Mon, 2025-04-07 at 15:53 +0300, Ivan Abramov wrote: > Currently, the return value of device_rename() is not acted upon. > > To avoid an inconsistent state in case of failure, roll back the changes > made before the device_rename() call. This kind of seems complicated for something that ought to not happen ... And also (+netdev), what do we do in case this is called from cfg80211_pernet_exit() - leak the whole network namespace because we couldn't allocate memory for the name? That seems counterproductive. I'm really not convinced of this whole patchset. johannes
From: Johannes Berg <johannes@sipsolutions.net>
Date: Wed, 23 Apr 2025 17:44:45 +0200
> On Mon, 2025-04-07 at 15:53 +0300, Ivan Abramov wrote:
> > Currently, the return value of device_rename() is not acted upon.
> >
> > To avoid an inconsistent state in case of failure, roll back the changes
> > made before the device_rename() call.
>
> This kind of seems complicated for something that ought to not happen
> ...
>
> And also (+netdev), what do we do in case this is called from
> cfg80211_pernet_exit() - leak the whole network namespace because we
> couldn't allocate memory for the name? That seems counterproductive.
default_device_exit_net() does BUG() in such a case, it doens't
assume -ENOMEM as we are freeing memory in the netns dismantle.
static void __net_exit default_device_exit_net(struct net *net)
{
...
for_each_netdev_safe(net, dev, aux) {
...
err = dev_change_net_namespace(dev, &init_net, fb_name);
if (err) {
pr_emerg("%s: failed to move %s to init_net: %d\n",
__func__, dev->name, err);
BUG();
}
}
}
© 2016 - 2026 Red Hat, Inc.