Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2001326pxk; Tue, 1 Sep 2020 13:03:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwLjDKM+ReDc7FXhjZuEry//HXM/WRqx1ZfX937zDsWhA6lslPEMyWBPorLWk/35Hqcnq/t X-Received: by 2002:a17:906:c108:: with SMTP id do8mr3362570ejc.88.1598990603416; Tue, 01 Sep 2020 13:03:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598990603; cv=none; d=google.com; s=arc-20160816; b=oAsN7MeT3jeZ4M85XTPNtZi+upgpTqE4V5Bf28j3qrrJyyKKuYtmgTK2ZMlUDVuSO5 LguTDqkW9gfKmmgy3v9b9XX4jwe3cl6VmLa9m0GfKcqQkYc0S5lL94nmIOc+ArULHvi0 Q0gs+Dsto8R9m1/ctvU/sdDvjJpAw6Glz5qFgaos6BEmUBHZVo48uB8hpRd/ds/yS7/U R1524INkZP+qIWt5j/RqkAxCWD9evKZJKljGkqMieJh0n7GqPYVBuJBx/4boQPMM5qGh x6q4xzpKTtH4rwGYSuz5xrhox07rK7iHHD5rK/4o4JES3jJlFfmX9rR32xqKxrlViAa3 syww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date; bh=HOA4c/Sy1M1sy2ZBwhWD2PaZnSuGDI7cAJBVFjtDWb8=; b=Fs+Yr72ytqIq1c5+6RlpGxlGD9QQAU2r9JPZACrfLiURyM64QuTWuzZMNU6gQeyoa6 /R5YEDKKw1jmv6WKnX7YhpDzOLc6kkdC1efoU6AMihrlP4n8bR4XWYEFbY82itqvzoKG i/MT6o6B9tIveQZdn3VcAlwVVFPHwg51RKAn960v+kbDcDZn88yMMdvY9zb6e9b5w/Nv 0/dnFPZbK8xuBmZgwVxFvEQUSvDPlPzQTA8FC7sgfEOI4ZP0wV29vUtHby2SKfbxhIxl WxNIFeq9DjSQiTO3fbnXPZTQgjgju8cSI/l8AJg/QyxAdsjI9HrDOWCa9NX9VgBs2tpf pyYA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s5si1328147ejz.589.2020.09.01.13.02.52; Tue, 01 Sep 2020 13:03:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732774AbgIAUBf (ORCPT + 99 others); Tue, 1 Sep 2020 16:01:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39758 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732069AbgIAUBd (ORCPT ); Tue, 1 Sep 2020 16:01:33 -0400 Received: from shards.monkeyblade.net (shards.monkeyblade.net [IPv6:2620:137:e000::1:9]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 59757C061244; Tue, 1 Sep 2020 13:01:33 -0700 (PDT) Received: from localhost (unknown [IPv6:2601:601:9f00:477::3d5]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id C708B13649A5A; Tue, 1 Sep 2020 12:44:43 -0700 (PDT) Date: Tue, 01 Sep 2020 13:01:27 -0700 (PDT) Message-Id: <20200901.130127.236989626732311083.davem@davemloft.net> To: rkovhaev@gmail.com Cc: kuba@kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org Subject: Re: [PATCH] veth: fix memory leak in veth_newlink() From: David Miller In-Reply-To: <20200830131336.275844-1-rkovhaev@gmail.com> References: <20200830131336.275844-1-rkovhaev@gmail.com> X-Mailer: Mew version 6.8 on Emacs 26.3 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [2620:137:e000::1:9]); Tue, 01 Sep 2020 12:44:44 -0700 (PDT) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Rustam Kovhaev Date: Sun, 30 Aug 2020 06:13:36 -0700 > when register_netdevice(dev) fails we should check whether struct > veth_rq has been allocated via ndo_init callback and free it, because, > depending on the code path, register_netdevice() might not call > priv_destructor() callback > > Reported-and-tested-by: syzbot+59ef240dd8f0ed7598a8@syzkaller.appspotmail.com > Link: https://syzkaller.appspot.com/bug?extid=59ef240dd8f0ed7598a8 > Signed-off-by: Rustam Kovhaev I think I agree with Toshiaki here. There is no reason why the rollback_registered() path of register_netdevice() should behave differently from the normal control flow. Any code path that invokes ->ndo_uninit() should probably also invoke the priv destructor. The question is why does the err_uninit: label of register_netdevice behave differently from rollback_registered()? If there is a reason, it should be documented in a comment or similar. If it is wrong, it should be corrected.