* [PATCH nft v2 1/2] netfilter: nf_conntrack_sip: get helper before allocating expectation
2026-05-07 14:04 [PATCH nft v2 0/2] netfilter: fix expectation reference leaks Li Xiasong
@ 2026-05-07 14:04 ` Li Xiasong
2026-05-07 14:04 ` [PATCH nft v2 2/2] netfilter: nft_ct: fix missing expect put in obj eval Li Xiasong
2026-05-07 18:16 ` [PATCH nft v2 0/2] netfilter: fix expectation reference leaks Florian Westphal
2 siblings, 0 replies; 4+ messages in thread
From: Li Xiasong @ 2026-05-07 14:04 UTC (permalink / raw)
To: netfilter-devel
Cc: stable, Pablo Neira Ayuso, Florian Westphal, Phil Sutter,
coreteam, yuehaibing, zhangchangzhong, weiyongjun1

process_register_request() allocates an expectation and then checks
whether a conntrack helper is available. If helper lookup fails, the
function returns early and the allocated expectation is left behind.

Reorder the code to fetch and validate helper before calling
nf_ct_expect_alloc(). This keeps the logic simpler and removes the leak
path while preserving existing behavior.

Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
---
net/netfilter/nf_conntrack_sip.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1eb55907d470..58fce6242f89 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1366,6 +1366,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
goto store_cseq;
}
+ helper = rcu_dereference(nfct_help(ct)->helper);
+ if (!helper)
+ return NF_DROP;
+
exp = nf_ct_expect_alloc(ct);
if (!exp) {
nf_ct_helper_log(skb, ct, "cannot alloc expectation");
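Review bot: the relocated `if (!helper) return NF_DROP;` now sits ahead of the `if (!exp)` check, so a missing helper drops the packet silently while the allocation failure right below it still goes through nf_ct_helper_log(); the changelog's "preserving existing behavior" should mention that the order of the two failure checks has changed. A one-line comment above the lookup stating that it must stay before nf_ct_expect_alloc(), so that no exit is taken with `exp` held, would keep a later cleanup from moving it back.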
@@ -1376,10 +1380,6 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
if (sip_direct_signalling)
saddr = &ct->tuplehash[!dir].tuple.src.u3;
- helper = rcu_dereference(nfct_help(ct)->helper);
- if (!helper)
- return NF_DROP;
-
nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
saddr, &daddr, proto, NULL, &port);
exp->timeout.expires = sip_timeout * HZ;
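Review bot: with this `return NF_DROP` removed, the lines shown from the `sip_direct_signalling` test through `exp->timeout.expires` contain no exit, but the hunk does not show how the function leaves after nf_ct_expect_init(). The commit message should state that every remaining path after the allocation ends by dropping the reference on `exp`, since the leak fix relies on that and a stable backporter has to check it against older trees.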
--
2.34.1
* [PATCH nft v2 2/2] netfilter: nft_ct: fix missing expect put in obj eval
2026-05-07 14:04 [PATCH nft v2 0/2] netfilter: fix expectation reference leaks Li Xiasong
2026-05-07 14:04 ` [PATCH nft v2 1/2] netfilter: nf_conntrack_sip: get helper before allocating expectation Li Xiasong
@ 2026-05-07 14:04 ` Li Xiasong
2026-05-07 18:16 ` [PATCH nft v2 0/2] netfilter: fix expectation reference leaks Florian Westphal
2 siblings, 0 replies; 4+ messages in thread
From: Li Xiasong @ 2026-05-07 14:04 UTC (permalink / raw)
To: netfilter-devel
Cc: stable, Pablo Neira Ayuso, Florian Westphal, Phil Sutter,
coreteam, yuehaibing, zhangchangzhong, weiyongjun1

nft_ct_expect_obj_eval() allocates an expectation and may call
nf_ct_expect_related(), but never drops its local reference.

Add nf_ct_expect_put(exp) before return to balance allocation.

Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
---
net/netfilter/nft_ct.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 60ee8d932fcb..fa2cc556331c 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1334,6 +1334,8 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
if (nf_ct_expect_related(exp, 0) != 0)
regs->verdict.code = NF_DROP;
+
+ nf_ct_expect_put(exp);
}
static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
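Review bot: the added `nf_ct_expect_put(exp);` covers only the fall-through at the end of nft_ct_expect_obj_eval(), and the hunk does not show the lines between the allocation and `nf_ct_expect_related(exp, 0)`, so please confirm that no return in that range leaves with the reference held. The put runs for both outcomes of nf_ct_expect_related(); the commit message says only "to balance allocation", and it would help to state explicitly that dropping the local reference is also correct when the call succeeds.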
--
2.34.1