From nobody Sat Jun 13 17:03:11 2026
From: Maoyi Xie
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Maoyi Xie
Subject: [PATCH v3 1/2] wifi: nl80211: require CAP_NET_ADMIN over the target netns in SET_WIPHY_NETNS
Date: Wed, 6 May 2026 14:48:53 +0800
Message-Id: <20260506064854.2207105-2-maoyixie.tju@gmail.com>
In-Reply-To: <20260506064854.2207105-1-maoyixie.tju@gmail.com>
References: <20260506064854.2207105-1-maoyixie.tju@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Maoyi Xie

NL80211_CMD_SET_WIPHY_NETNS dispatches with GENL_UNS_ADMIN_PERM, which
verifies that the caller has CAP_NET_ADMIN over the user namespace owning
the source netns (the netlink socket's netns). It does not verify that the
caller has CAP_NET_ADMIN over the target netns selected by
NL80211_ATTR_NETNS_FD or NL80211_ATTR_PID.

This diverges from the convention enforced in
net/core/rtnetlink.c::rtnl_get_net_ns_capable():

	/* For now, the caller is required to have CAP_NET_ADMIN in
	 * the user namespace owning the target net ns.
	 */
	if (!sk_ns_capable(sk, net->user_ns, CAP_NET_ADMIN))
		return ERR_PTR(-EACCES);

A user with CAP_NET_ADMIN in their own user namespace can therefore push a
wiphy into an arbitrary netns (including init_net) over which they have no
privilege.

This is reachable from an unprivileged user namespace as soon as the caller
holds, in their own netns, a wiphy that has WIPHY_FLAG_NETNS_OK set (true
for mac80211_hwsim and for any wiphy that an administrator has delegated
into a container).

Reproducer (mac80211_hwsim, KASAN VM):

1. As real root, modprobe mac80211_hwsim radios=1 in init_net.
2. fork(); the child calls unshare(CLONE_NEWUSER | CLONE_NEWNET) and writes
   a 0-mapped uid_map.
3. Real root migrates phyN into the child's netns via
   NL80211_CMD_SET_WIPHY_NETNS (legitimate admin step).
4. The child, with CAP_NET_ADMIN only in its own user_ns, sends
   NL80211_CMD_SET_WIPHY_NETNS targeting init_net's netns fd.
5. The kernel honours the request and the wiphy is moved back to init_net
   even though the caller has no privilege there.

Mirror the rtnetlink convention by requiring ns_capable(net->user_ns,
CAP_NET_ADMIN) on the resolved target netns before calling
cfg80211_switch_netns().

Signed-off-by: Maoyi Xie
---
 net/wireless/nl80211.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 67088804d..db546dd93 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13867,6 +13867,19 @@ static int nl80211_wiphy_netns(struct sk_buff *skb= , struct genl_info *info) if (IS_ERR(net)) return PTR_ERR(net); =20 + /* + * The caller already has CAP_NET_ADMIN over the source netns + * (enforced by GENL_UNS_ADMIN_PERM on the genl op). Mirror the + * convention used by net/core/rtnetlink.c::rtnl_get_net_ns_capable() + * and require CAP_NET_ADMIN over the target netns as well, so that + * a caller that is privileged in their own user namespace cannot + * push a wiphy into a netns where they have no privilege. + */ + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) { + put_net(net); + return -EPERM; + } + err =3D 0; =20 /* check if anything to do */
-- 
2.34.1
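Review bot: the new check in this hunk, `if (!ns_capable(net->user_ns, CAP_NET_ADMIN))`, is weaker than the rtnl_get_net_ns_capable() convention the comment above it cites. ns_capable() tests only current's credentials, whereas sk_ns_capable() in rtnetlink additionally requires the credentials of the process that opened the netlink socket (file_ns_capable()), and GENL_UNS_ADMIN_PERM evaluates the source-netns half of this check the same way through netlink_ns_capable(). Suggest `if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))` so both halves are judged against the same credentials and a socket handed to a more privileged process does not widen what the target check accepts. Separately, rtnetlink returns -EACCES for this failure while the hunk returns -EPERM; either is defensible, but the commit message should state which is intended and why, since "mirror the rtnetlink convention" suggests -EACCES.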
From: Maoyi Xie
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Maoyi Xie
Subject: [PATCH v3 2/2] wifi: nl80211: re-check wiphy netns in nl80211_prepare_wdev_dump() continuation
Date: Wed, 6 May 2026 14:48:54 +0800
Message-Id: <20260506064854.2207105-3-maoyixie.tju@gmail.com>
In-Reply-To: <20260506064854.2207105-1-maoyixie.tju@gmail.com>
References: <20260506064854.2207105-1-maoyixie.tju@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Maoyi Xie

NL80211_CMD_GET_SCAN is implemented as a multi-call dumpit. The first
invocation of nl80211_prepare_wdev_dump() validates the requested wdev
against the caller's netns via __cfg80211_wdev_from_attrs(). Subsequent
invocations look up the same wiphy by global index via
wiphy_idx_to_wiphy() and do not re-check that the wiphy is still in the
caller's netns.

If the wiphy is moved between dumpit invocations (via
NL80211_CMD_SET_WIPHY_NETNS), the dump silently continues to copy BSS list
contents from the wiphy's new netns into the caller's netns socket buffer.

The other dump paths in nl80211.c (e.g. nl80211_dump_wiphy() and the
parallel scheduled scan dump) already filter by
net_eq(wiphy_net(...), sock_net(skb->sk)) on every iteration. Add the same
filter to the continuation path. If the wiphy's netns no longer matches the
caller's, return -ENODEV and the netlink dump machinery terminates the walk
cleanly.

This is most usefully fixed alongside the SET_WIPHY_NETNS target-cap
hardening in patch 1/2, which closes the path by which an
unprivileged-userns caller could trigger this race themselves.

Signed-off-by: Maoyi Xie
---
 net/wireless/nl80211.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index db546dd93..f2c91a939 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1276,6 +1276,16 @@ static int nl80211_prepare_wdev_dump(struct netlink_= callback *cb, rtnl_unlock(); return -ENODEV; } + /* + * The first invocation validated the wdev's netns against + * the caller via __cfg80211_wdev_from_attrs(). The wiphy + * may have moved netns between dumpit invocations (via + * NL80211_CMD_SET_WIPHY_NETNS), so re-check here. + */ + if (!net_eq(wiphy_net(wiphy), sock_net(cb->skb->sk))) { + rtnl_unlock(); + return -ENODEV; + } *rdev =3D wiphy_to_rdev(wiphy); *wdev =3D NULL; =20
-- 
2.34.1
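Review bot: the placement of the net_eq(wiphy_net(wiphy), sock_net(cb->skb->sk)) check in this hunk is right (after the NULL wiphy check, before *rdev is derived and the wdev_list walk begins, and under the same rtnl_lock() the existing !wiphy path unlocks), but the chosen error value deserves a sentence in the commit message. Returning -ENODEV means the error is carried to a caller whose only fault is that the wiphy left its netns mid-dump, whereas nl80211_dump_wiphy(), cited as the model for this filter, treats a foreign-netns wiphy as simply not present and skips it; ending the dump with 0 (no further entries) would match that behaviour more closely. If -ENODEV is preferred for consistency with the wiphy-gone path just above, say so explicitly, and note that the -ENODEV return here also terminates the scheduled-scan and other dumpit users of nl80211_prepare_wdev_dump(), not only NL80211_CMD_GET_SCAN, which the commit message currently names alone.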