* [PATCH nft v2 0/2] netfilter: fix expectation reference leaks
@ 2026-05-07 14:04 Li Xiasong
  2026-05-07 14:04 ` [PATCH nft v2 1/2] netfilter: nf_conntrack_sip: get helper before allocating expectation Li Xiasong
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Li Xiasong @ 2026-05-07 14:04 UTC (permalink / raw)
  To: netfilter-devel
  Cc: Pablo Neira Ayuso, Florian Westphal, Phil Sutter, coreteam,
	yuehaibing, zhangchangzhong, weiyongjun1

This series fixes two expectation reference leaks in netfilter.

The first patch simplifies SIP REGISTER handling by validating helper
availability before expectation allocation, removing an early-return
leak path.

The second patch adds a missing nf_ct_expect_put() in nft_ct expectation
object evaluation to balance the allocation reference.

Changes in v2:
  - Patch 2/2: in process_register_request(), check helper before
    nf_ct_expect_alloc() as suggested.

Link to v1:
  - https://lore.kernel.org/netfilter-devel/20260506121618.578443-1-lixiasong1@huawei.com/

Li Xiasong (2):
  netfilter: nf_conntrack_sip: get helper before allocating expectation
  netfilter: nft_ct: fix missing expect put in obj eval

 net/netfilter/nf_conntrack_sip.c | 8 ++++----
 net/netfilter/nft_ct.c           | 2 ++
 2 files changed, 6 insertions(+), 4 deletions(-)

-- 
2.34.1



* [PATCH nft v2 1/2] netfilter: nf_conntrack_sip: get helper before allocating expectation
  2026-05-07 14:04 [PATCH nft v2 0/2] netfilter: fix expectation reference leaks Li Xiasong
@ 2026-05-07 14:04 ` Li Xiasong
  2026-05-07 14:04 ` [PATCH nft v2 2/2] netfilter: nft_ct: fix missing expect put in obj eval Li Xiasong
  2026-05-07 18:16 ` [PATCH nft v2 0/2] netfilter: fix expectation reference leaks Florian Westphal
  2 siblings, 0 replies; 4+ messages in thread
From: Li Xiasong @ 2026-05-07 14:04 UTC (permalink / raw)
  To: netfilter-devel
  Cc: stable, Pablo Neira Ayuso, Florian Westphal, Phil Sutter,
	coreteam, yuehaibing, zhangchangzhong, weiyongjun1

process_register_request() allocates an expectation and then checks
whether a conntrack helper is available. If helper lookup fails, the
function returns early and the allocated expectation is left behind.

Reorder the code to fetch and validate helper before calling
nf_ct_expect_alloc(). This keeps the logic simpler and removes the leak
path while preserving existing behavior.

Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
---
 net/netfilter/nf_conntrack_sip.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1eb55907d470..58fce6242f89 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1366,6 +1366,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
 		goto store_cseq;
 	}
 
+	helper = rcu_dereference(nfct_help(ct)->helper);
+	if (!helper)
+		return NF_DROP;
+
 	exp = nf_ct_expect_alloc(ct);
 	if (!exp) {
 		nf_ct_helper_log(skb, ct, "cannot alloc expectation");
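Review bot: The relocated `if (!helper) return NF_DROP;` ahead of nf_ct_expect_alloc() drops the packet with no trace, while the allocation failure directly below it is logged, so a missing helper will be harder to diagnose than an allocation failure. A one-line comment stating when nfct_help(ct)->helper can be NULL in this path, and that the check has to stay above the allocation so that no exit sits between alloc and put, would keep a later edit from reintroducing the leak. The lookup also still dereferences nfct_help(ct) without a NULL check, as the removed lines did; if the extension is guaranteed present here, saying so in that comment would help the reader.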
@@ -1376,10 +1380,6 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
 	if (sip_direct_signalling)
 		saddr = &ct->tuplehash[!dir].tuple.src.u3;
 
-	helper = rcu_dereference(nfct_help(ct)->helper);
-	if (!helper)
-		return NF_DROP;
-
 	nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
 			  saddr, &daddr, proto, NULL, &port);
 	exp->timeout.expires = sip_timeout * HZ;
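Review bot: The visible lines after nf_ct_expect_alloc() now run straight into nf_ct_expect_init() with no return in between, but the remainder of process_register_request() is not part of this hunk, so it is worth confirming in the full function that every exit after the allocation reaches nf_ct_expect_put(exp). The commit message could also state why reordering was chosen over adding a put on the old early-return path, since both close the leak and only the reorder changes where `helper` is read relative to the `sip_direct_signalling` address selection.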
-- 
2.34.1



* [PATCH nft v2 2/2] netfilter: nft_ct: fix missing expect put in obj eval
  2026-05-07 14:04 [PATCH nft v2 0/2] netfilter: fix expectation reference leaks Li Xiasong
  2026-05-07 14:04 ` [PATCH nft v2 1/2] netfilter: nf_conntrack_sip: get helper before allocating expectation Li Xiasong
@ 2026-05-07 14:04 ` Li Xiasong
  2026-05-07 18:16 ` [PATCH nft v2 0/2] netfilter: fix expectation reference leaks Florian Westphal
  2 siblings, 0 replies; 4+ messages in thread
From: Li Xiasong @ 2026-05-07 14:04 UTC (permalink / raw)
  To: netfilter-devel
  Cc: stable, Pablo Neira Ayuso, Florian Westphal, Phil Sutter,
	coreteam, yuehaibing, zhangchangzhong, weiyongjun1

nft_ct_expect_obj_eval() allocates an expectation and may call
nf_ct_expect_related(), but never drops its local reference.

Add nf_ct_expect_put(exp) before return to balance allocation.

Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
---
 net/netfilter/nft_ct.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 60ee8d932fcb..fa2cc556331c 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1334,6 +1334,8 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
 
 	if (nf_ct_expect_related(exp, 0) != 0)
 		regs->verdict.code = NF_DROP;
+
+	nf_ct_expect_put(exp);
 }
 
 static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
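Review bot: The added nf_ct_expect_put(exp) at the end of nft_ct_expect_obj_eval() only balances the reference on the path that falls through to the closing brace; any earlier return between nf_ct_expect_alloc() and this point, which this hunk does not show, would still leak and should be checked in the full function. Because the put runs both when nf_ct_expect_related() fails and when it succeeds, a short comment that this drops only the local allocation reference would make it clear to readers that the success path is not releasing an expectation that is still in use.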
-- 
2.34.1



* Re: [PATCH nft v2 0/2] netfilter: fix expectation reference leaks
  2026-05-07 14:04 [PATCH nft v2 0/2] netfilter: fix expectation reference leaks Li Xiasong
  2026-05-07 14:04 ` [PATCH nft v2 1/2] netfilter: nf_conntrack_sip: get helper before allocating expectation Li Xiasong
  2026-05-07 14:04 ` [PATCH nft v2 2/2] netfilter: nft_ct: fix missing expect put in obj eval Li Xiasong
@ 2026-05-07 18:16 ` Florian Westphal
  2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2026-05-07 18:16 UTC (permalink / raw)
  To: Li Xiasong
  Cc: netfilter-devel, Pablo Neira Ayuso, Phil Sutter, coreteam,
	yuehaibing, zhangchangzhong, weiyongjun1

Li Xiasong <lixiasong1@huawei.com> wrote:
> this series fixes two expectation reference leaks in netfilter.

No need to resend, but [PATCH nft] means: 'this is nftables.git' (i.e.
userspace).  This should be [PATCH v2 nf].

> The first patch simplifies SIP REGISTER handling by validating helper
> availability before expectation allocation, removing an early-return
> leak path.
> 
> The second patch adds a missing nf_ct_expect_put() in nft_ct expectation
> object evaluation to balance the allocation reference.

Thanks for v2.  Reviewed-by: Florian Westphal <fw@strlen.de>
