lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 31 Aug 2020 10:43:57 +0900
From:   Toshiaki Makita <>
To:     Rustam Kovhaev <>
Subject: Re: [PATCH] veth: fix memory leak in veth_newlink()

On 2020/08/31 9:51, Rustam Kovhaev wrote:
> On Mon, Aug 31, 2020 at 09:16:32AM +0900, Toshiaki Makita wrote:
>> On 2020/08/30 22:13, Rustam Kovhaev wrote:
>>> when register_netdevice(dev) fails we should check whether struct
>>> veth_rq has been allocated via ndo_init callback and free it, because,
>>> depending on the code path, register_netdevice() might not call
>>> priv_destructor() callback
>> AFAICS, register_netdevice() always goto err_uninit and calls priv_destructor()
>> on failure after ndo_init() succeeded.
>> So I could not find such a code path.
>> Would you elaborate on it?
> in net/core/dev.c:9863, where register_netdevice() calls rollback_registered(),
> which does not call priv_destructor(), then register_netdevice() returns error
> net/core/dev.c:9884

Thank you, now I see the code path.
But then all devices which allocate something in ndo_init() and free them in
priv_destructor() are affected? E.g. loopback and ifb seem to do such thing.
Why not calling priv_destructor() after invocation of rollback_registered()?
It looks weird that only that path does not call priv_destructor().

Toshiaki Makita

Powered by blists - more mailing lists