[PATCH nft 0/2] netfilter: fix nf_ct_expect_alloc() reference leaks

[PATCH nft 0/2] netfilter: fix nf_ct_expect_alloc() reference leaks

[Li Xiasong]

this series fixes two nf_ct_expect_alloc() reference leaks in netfilter.

Patch 1 fixes an error path leak in SIP REGISTER handling:
when helper lookup fails after expectation allocation, the function
returns without dropping the local reference.

Patch 2 fixes a leak in nft_ct expectation object evaluation:
the local reference obtained from nf_ct_expect_alloc() is never put
after nf_ct_expect_related(), regardless of success or failure.

Li Xiasong (2):
  netfilter: nf_conntrack_sip: fix missing expect put in REGISTER path
  netfilter: nft_ct: fix missing expect put in obj eval

 net/netfilter/nf_conntrack_sip.c | 4 +++-
 net/netfilter/nft_ct.c           | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

-- 
2.34.1

[PATCH nft 1/2] netfilter: nf_conntrack_sip: fix missing expect put in REGISTER path

[Li Xiasong]

process_register_request() allocates an expectation, but the !helper
error path returns NF_DROP without nf_ct_expect_put(exp).

Add the missing put to balance nf_ct_expect_alloc() on this path.

Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
---
 net/netfilter/nf_conntrack_sip.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1eb55907d470..a895bc836e1b 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1377,8 +1377,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
 		saddr = &ct->tuplehash[!dir].tuple.src.u3;
 
 	helper = rcu_dereference(nfct_help(ct)->helper);
-	if (!helper)
+	if (!helper) {
+		nf_ct_expect_put(exp);
 		return NF_DROP;
+	}
 
 	nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
 			  saddr, &daddr, proto, NULL, &port);
-- 
2.34.1

[PATCH nft 2/2] netfilter: nft_ct: fix missing expect put in obj eval

[Li Xiasong]

nft_ct_expect_obj_eval() allocates an expectation and may call
nf_ct_expect_related(), but never drops its local reference.

Add nf_ct_expect_put(exp) before return to balance allocation.

Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
---
 net/netfilter/nft_ct.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 60ee8d932fcb..fa2cc556331c 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1334,6 +1334,8 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
 
 	if (nf_ct_expect_related(exp, 0) != 0)
 		regs->verdict.code = NF_DROP;
+
+	nf_ct_expect_put(exp);
 }
 
 static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
-- 
2.34.1

Re: [PATCH nft 1/2] netfilter: nf_conntrack_sip: fix missing expect put in REGISTER path

[Florian Westphal]

Li Xiasong <lixiasong1@huawei.com> wrote:
> process_register_request() allocates an expectation, but the !helper
> error path returns NF_DROP without nf_ct_expect_put(exp).
> 
> Add the missing put to balance nf_ct_expect_alloc() on this path.
> 
> Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
> Cc: stable@vger.kernel.org
> Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
> ---
>  net/netfilter/nf_conntrack_sip.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
> index 1eb55907d470..a895bc836e1b 100644
> --- a/net/netfilter/nf_conntrack_sip.c
> +++ b/net/netfilter/nf_conntrack_sip.c
> @@ -1377,8 +1377,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
>  		saddr = &ct->tuplehash[!dir].tuple.src.u3;
>  
>  	helper = rcu_dereference(nfct_help(ct)->helper);
> -	if (!helper)
> +	if (!helper) {
> +		nf_ct_expect_put(exp);
>  		return NF_DROP;
> +	}

I think it would be simpler to move the rcu defer to before
exp allocation instead.

Re: [PATCH nft 1/2] netfilter: nf_conntrack_sip: fix missing expect put in REGISTER path

[Pablo Neira Ayuso]

On Wed, May 06, 2026 at 03:33:12PM +0200, Florian Westphal wrote:
> Li Xiasong <lixiasong1@huawei.com> wrote:
> > process_register_request() allocates an expectation, but the !helper
> > error path returns NF_DROP without nf_ct_expect_put(exp).
> > 
> > Add the missing put to balance nf_ct_expect_alloc() on this path.
> > 
> > Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
> > ---
> >  net/netfilter/nf_conntrack_sip.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
> > index 1eb55907d470..a895bc836e1b 100644
> > --- a/net/netfilter/nf_conntrack_sip.c
> > +++ b/net/netfilter/nf_conntrack_sip.c
> > @@ -1377,8 +1377,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
> >  		saddr = &ct->tuplehash[!dir].tuple.src.u3;
> >  
> >  	helper = rcu_dereference(nfct_help(ct)->helper);
> > -	if (!helper)
> > +	if (!helper) {
> > +		nf_ct_expect_put(exp);
> >  		return NF_DROP;
> > +	}
> 
> I think it would be simpler to move the rcu defer to before
> exp allocation instead.

Agreed.