[PATCH v2 0/2] wifi: nl80211: tighten netns handling in SET_WIPHY_NETNS and dump continuation

From: Maoyi Xie

Date: Mon May 04 2026 - 09:54:53 EST

This series addresses two related namespace handling gaps in
nl80211 that came up during a recent inquiry on the list. Both
follow the netdev convention.

Patch 1/2: NL80211_CMD_SET_WIPHY_NETNS uses GENL_UNS_ADMIN_PERM,
which only checks CAP_NET_ADMIN over the source netns. The target
netns selected via NL80211_ATTR_NETNS_FD or NL80211_ATTR_PID is
not checked. Mirror the rtnetlink convention spelled out by
rtnl_get_net_ns_capable() and require ns_capable(target_net->user_ns,
CAP_NET_ADMIN) on the resolved target netns. Reachable from an
unprivileged user namespace whenever the caller already holds a
WIPHY_FLAG_NETNS_OK wiphy in their own netns (mac80211_hwsim, or
an admin-delegated container scenario). PoC reproduces on a KASAN
VM with mac80211_hwsim and shows the call now returns -EPERM.

Patch 2/2: nl80211_prepare_wdev_dump() validates the wdev's netns
on the first dumpit invocation but not on subsequent ones, where
it looks up the wiphy by global index. If the wiphy moves netns
between dumpit invocations (via SET_WIPHY_NETNS), the dump silently
keeps copying BSS list contents from the wiphy's new netns into
the caller's netns. Add a net_eq() check on the continuation path
so the dump terminates cleanly. This is mostly a clarity-and-convention
fix. Combined with 1/2 it also closes the path by which an
unprivileged-userns caller could trigger the race themselves.

Changes since v1:
Patch 2/2: trimmed the comment per Johannes's review. The
comment now describes the invariant being protected (wiphy
may move between dumpit invocations) rather than referencing
other dump callers as motivation.
Patch 1/2: unchanged.

Maoyi Xie (2):
wifi: nl80211: require CAP_NET_ADMIN over the target netns in
SET_WIPHY_NETNS
wifi: nl80211: re-check wiphy netns in nl80211_prepare_wdev_dump()
continuation

net/wireless/nl80211.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)


base-commit: 65493f27a6008bf84bd11bd41c5e1ea6b0bf3c3d
--
2.34.1