Re: [PATCH] veth: fix memory leak in veth_newlink()

From: David Miller
Date: Tue Sep 01 2020 - 16:01:36 EST

Next message: Jens Axboe: "Re: [PATCH] io_uring: Fix NULL pointer dereference in io_sq_wq_submit_work()"
Previous message: Kees Cook: "Re: [PATCH v2 0/7] set clang minimum version to 10.0.1"
Next in thread: Rustam Kovhaev: "Re: [PATCH] veth: fix memory leak in veth_newlink()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Rustam Kovhaev <rkovhaev@xxxxxxxxx>
Date: Sun, 30 Aug 2020 06:13:36 -0700

> when register_netdevice(dev) fails we should check whether struct
> veth_rq has been allocated via ndo_init callback and free it, because,
> depending on the code path, register_netdevice() might not call
> priv_destructor() callback
>
> Reported-and-tested-by: syzbot+59ef240dd8f0ed7598a8@xxxxxxxxxxxxxxxxxxxxxxxxx
> Link: https://syzkaller.appspot.com/bug?extid=59ef240dd8f0ed7598a8
> Signed-off-by: Rustam Kovhaev <rkovhaev@xxxxxxxxx>

I think I agree with Toshiaki here. There is no reason why the
rollback_registered() path of register_netdevice() should behave
differently from the normal control flow.

Any code path that invokes ->ndo_uninit() should probably also
invoke the priv destructor.

The question is why does the err_uninit: label of register_netdevice
behave differently from rollback_registered()? If there is a reason,
it should be documented in a comment or similar. If it is wrong,
it should be corrected.

Next message: Jens Axboe: "Re: [PATCH] io_uring: Fix NULL pointer dereference in io_sq_wq_submit_work()"
Previous message: Kees Cook: "Re: [PATCH v2 0/7] set clang minimum version to 10.0.1"
Next in thread: Rustam Kovhaev: "Re: [PATCH] veth: fix memory leak in veth_newlink()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]