From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 420912F0689; Fri, 2 Jan 2026 11:42:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767354122; cv=none; b=gLQL9v66whz0gpIGbYMNinYZ2/zSqKompOjLU5mdVcxq2DqBOCk7yLaXSd4JtSP5NIMU7JfGOGmjeWt4JgophDxYhVeZfdxNTFuaICcpa6JHRvP8smaSQT/vcAEd9ZT/tIOYKKYH1ANJj0nH2AIK9RkUzzQRJM08Mf+4jnka6fU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767354122; c=relaxed/simple; bh=YXa+YBZOkUS4oe4eq9yP2Y/u9jZTEjTECfnoW5zy3n0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=jBlTB7N/yh8JPUyXs0dNnm9Hb2Y4NohIxqeB6A+L5eKsmcrEvN6ym0BpewpBTBaueBh806ev2vclFgovyoPQi5vAEG5rBWtMdIN+0eNLV1Xp7AugiAlJo4lLxIwYCJ9hZt3rZlxzUjQ9gUMU3RoVpEov3kmHqkBRn76I3GkGQp0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc Received: by Chamillionaire.breakpoint.cc (Postfix, from userid 1003) id 48FFB602F8; Fri, 02 Jan 2026 12:41:59 +0100 (CET) From: Florian Westphal To: Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org Subject: [PATCH net 5/6] netfilter: nf_tables: fix memory leak in nf_tables_newrule() Date: Fri, 2 Jan 2026 12:41:27 +0100 Message-ID: <20260102114128.7007-6-fw@strlen.de> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260102114128.7007-1-fw@strlen.de> References: <20260102114128.7007-1-fw@strlen.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Zilin Guan In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to the err_release_rule label without freeing the allocated flow, leading to a memory leak. Fix this by adding a new label err_destroy_flow and jumping to it when nft_use_inc() fails. This ensures that the flow is properly released in this error case. Fixes: 1689f25924ada ("netfilter: nf_tables: report use refcount overflow") Signed-off-by: Zilin Guan Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 618af6e90773..729a92781a1a 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4439,7 +4439,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, if (!nft_use_inc(&chain->use)) { err = -EMFILE; - goto err_release_rule; + goto err_destroy_flow; } if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { @@ -4489,6 +4489,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, err_destroy_flow_rule: nft_use_dec_restore(&chain->use); +err_destroy_flow: if (flow) nft_flow_rule_destroy(flow); err_release_rule: -- 2.51.2