On Tue, Sep 01, 2020 at 01:01:27PM -0700, David Miller wrote:

From: Rustam Kovhaev <redacted>
Date: Sun, 30 Aug 2020 06:13:36 -0700

quoted

when register_netdevice(dev) fails we should check whether struct
veth_rq has been allocated via ndo_init callback and free it, because,
depending on the code path, register_netdevice() might not call
priv_destructor() callback

Reported-and-tested-by: syzbot+59ef240dd8f0ed7598a8@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=59ef240dd8f0ed7598a8
Signed-off-by: Rustam Kovhaev <redacted>

I think I agree with Toshiaki here.  There is no reason why the
rollback_registered() path of register_netdevice() should behave
differently from the normal control flow.

Any code path that invokes ->ndo_uninit() should probably also
invoke the priv destructor.

hi David, thank you for the review!

The question is why does the err_uninit: label of register_netdevice
behave differently from rollback_registered()?  If there is a reason,
it should be documented in a comment or similar.  If it is wrong,
it should be corrected.

good question, that i do not know, i'll review it