[PATCH] devlink: fix refcount leak in devlink_nl_reload_doit()

Next message: Quentin Strydom: "[PATCH 6/9] staging: rtl8723bs: hal: fix whitespace in rtl8723b_cmd.c"
Previous message: Bui Quang Minh: "Re: [PATCH net-next v2 1/2] virtio_net: xsk: fix race in rx wake up"
Next in thread: Jiri Pirko: "Re: [PATCH] devlink: fix refcount leak in devlink_nl_reload_doit()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: WenTao Liang

Date: Thu Jun 11 2026 - 12:35:12 EST

When devlink_nl_reload_doit() is asked to change network namespace
(via DEVLINK_ATTR_NETNS_*) but the reload action is not
DEVLINK_RELOAD_ACTION_DRIVER_REINIT, it calls devlink_netns_get()
which acquires a reference on the destination net namespace. Then,
after detecting that namespace change is only supported for reinit
action, it returns -EOPNOTSUPP without releasing the reference, thus
leaking the net namespace.

Fix the leak by releasing the reference with put_net() before
returning the error, for example by adding it directly on that error
path. A cleaner alternative is to introduce a common cleanup label
that performs the put_net() if the pointer is non-NULL.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 2edd92570441 ("devlink: don't allow to change net namespace for FW_ACTIVATE reload action")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
net/devlink/dev.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/devlink/dev.c b/net/devlink/dev.c
index 57b2b8f03543..fd5633fa88ec 100644
--- a/net/devlink/dev.c
+++ b/net/devlink/dev.c
@@ -578,6 +578,7 @@ int devlink_nl_reload_doit(struct sk_buff *skb, struct genl_info *info)
action != DEVLINK_RELOAD_ACTION_DRIVER_REINIT) {
NL_SET_ERR_MSG_MOD(info->extack,
"Changing namespace is only supported for reinit action");
+ put_net(dest_net);
return -EOPNOTSUPP;
}
}
--
2.50.1 (Apple Git-155)