[{"id":3687078,"web_url":"http://patchwork.ozlabs.org/comment/3687078/","msgid":"<aftDGCXcI45PdHQc@strlen.de>","list_archive_url":null,"date":"2026-05-06T13:33:12","subject":"Re: [PATCH nft 1/2] netfilter: nf_conntrack_sip: fix missing expect\n put in REGISTER path","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Li Xiasong <lixiasong1@huawei.com> wrote:\n> process_register_request() allocates an expectation, but the !helper\n> error path returns NF_DROP without nf_ct_expect_put(exp).\n> \n> Add the missing put to balance nf_ct_expect_alloc() on this path.\n> \n> Fixes: e14575fa7529 (\"netfilter: nf_conntrack: use rcu accessors where needed\")\n> Cc: stable@vger.kernel.org\n> Signed-off-by: Li Xiasong <lixiasong1@huawei.com>\n> ---\n>  net/netfilter/nf_conntrack_sip.c | 4 +++-\n>  1 file changed, 3 insertions(+), 1 deletion(-)\n> \n> diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c\n> index 1eb55907d470..a895bc836e1b 100644\n> --- a/net/netfilter/nf_conntrack_sip.c\n> +++ b/net/netfilter/nf_conntrack_sip.c\n> @@ -1377,8 +1377,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,\n>  \t\tsaddr = &ct->tuplehash[!dir].tuple.src.u3;\n>  \n>  \thelper = rcu_dereference(nfct_help(ct)->helper);\n> -\tif (!helper)\n> +\tif (!helper) {\n> +\t\tnf_ct_expect_put(exp);\n>  \t\treturn NF_DROP;\n> +\t}\n\nI think it would be simpler to move the rcu defer to before\nexp allocation instead.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12464-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12464-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g9bxQ4RJYz1yJq\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 06 May 2026 23:35:54 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id CAE663020D7D\n\tfor <incoming@patchwork.ozlabs.org>; Wed,  6 May 2026 13:33:19 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0B63947884A;\n\tWed,  6 May 2026 13:33:19 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id A6AE2477E27;\n\tWed,  6 May 2026 13:33:15 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 41F6D605F3; Wed, 06 May 2026 15:33:13 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1778074398; cv=none;\n b=kvXVaTmxGjKswDMbTnkwsWKUlEeJhlKQC4kfkvkTOXCtAV7FWnuC/mCJuK7fb/uXMb7FOYtaa465UM/G6//LTOVSY4LSp1KEjRCn8mkt79ENv7pIOSy1yzrWQK1CMTC21aH3ihcHi1x3apWiIG4+NqGn6wjVuEayB4LlnI4BFrA=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1778074398; c=relaxed/simple;\n\tbh=W1DFYoi6sjGC3+Gfijj1/NkkzbGt4m6uC5ESu7JaEDo=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=mGbVVz3odDmYQx8SRR/OLAk5K6miOsqHs1O16B0oDDcMVR+7LwKAdOk/bzRnka6bIXBPhKKfUtJqHB+Hkq/Gjl6TdcLKC4xFLODgt5YDAHsT3Uneh03J/TnoO9dh8q03twEhFgu05VrXlt7GuK44MplYtkJF+wFIQpbnfpyS8/U=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Wed, 6 May 2026 15:33:12 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Li Xiasong <lixiasong1@huawei.com>","Cc":"netfilter-devel@vger.kernel.org, stable@vger.kernel.org,\n\tPablo Neira Ayuso <pablo@netfilter.org>, Phil Sutter <phil@nwl.cc>,\n\tcoreteam@netfilter.org, yuehaibing@huawei.com,\n\tzhangchangzhong@huawei.com, weiyongjun1@huawei.com","Subject":"Re: [PATCH nft 1/2] netfilter: nf_conntrack_sip: fix missing expect\n put in REGISTER path","Message-ID":"<aftDGCXcI45PdHQc@strlen.de>","References":"<20260506121618.578443-1-lixiasong1@huawei.com>\n <20260506121618.578443-2-lixiasong1@huawei.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260506121618.578443-2-lixiasong1@huawei.com>"}},{"id":3687159,"web_url":"http://patchwork.ozlabs.org/comment/3687159/","msgid":"<aftVK8KkCzQrsiAD@chamomile>","list_archive_url":null,"date":"2026-05-06T14:50:19","subject":"Re: [PATCH nft 1/2] netfilter: nf_conntrack_sip: fix missing expect\n put in REGISTER path","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Wed, May 06, 2026 at 03:33:12PM +0200, Florian Westphal wrote:\n> Li Xiasong <lixiasong1@huawei.com> wrote:\n> > process_register_request() allocates an expectation, but the !helper\n> > error path returns NF_DROP without nf_ct_expect_put(exp).\n> > \n> > Add the missing put to balance nf_ct_expect_alloc() on this path.\n> > \n> > Fixes: e14575fa7529 (\"netfilter: nf_conntrack: use rcu accessors where needed\")\n> > Cc: stable@vger.kernel.org\n> > Signed-off-by: Li Xiasong <lixiasong1@huawei.com>\n> > ---\n> >  net/netfilter/nf_conntrack_sip.c | 4 +++-\n> >  1 file changed, 3 insertions(+), 1 deletion(-)\n> > \n> > diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c\n> > index 1eb55907d470..a895bc836e1b 100644\n> > --- a/net/netfilter/nf_conntrack_sip.c\n> > +++ b/net/netfilter/nf_conntrack_sip.c\n> > @@ -1377,8 +1377,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,\n> >  \t\tsaddr = &ct->tuplehash[!dir].tuple.src.u3;\n> >  \n> >  \thelper = rcu_dereference(nfct_help(ct)->helper);\n> > -\tif (!helper)\n> > +\tif (!helper) {\n> > +\t\tnf_ct_expect_put(exp);\n> >  \t\treturn NF_DROP;\n> > +\t}\n> \n> I think it would be simpler to move the rcu defer to before\n> exp allocation instead.\n\nAgreed.","headers":{"Return-Path":"\n <netfilter-devel+bounces-12465-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=Yh0tpHbN;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12465-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"Yh0tpHbN\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g9dvC5Hmlz1yJq\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 07 May 2026 01:04:07 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 5AE31306C114\n\tfor <incoming@patchwork.ozlabs.org>; Wed,  6 May 2026 14:50:38 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 2E64043D517;\n\tWed,  6 May 2026 14:50:33 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id DE5E83ED136;\n\tWed,  6 May 2026 14:50:29 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 330D5600B9;\n\tWed,  6 May 2026 16:50:22 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1778079032; cv=none;\n b=KNViahMTZVEOPkLWv+VGoj1htB8U1Q5naqs7xnBbRiqcbzgQvHyQJotQLHmqcoyfsepyuCUPDEZRR+Q2Gus3SRtYlJoymhqXQDo1kPCM/McT4pLfwSs5jGXcZLrcIDD200r8WNh3brtP6nhWK9p8V5HNTHvX+TGbCzkPCii224k=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1778079032; c=relaxed/simple;\n\tbh=W+9Ru/IuhnHtcQ/oRl0JM8hKC7zwPnW0F4Cm8mhy0AQ=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=srOZvYcUe28Y2HwaarnkiEDEimujIgFo8LcJc1N1nYtbD20vp6ciEb9I6UCchYCSdQshZxzuj4HKyK+ZRq+xkEAZwGz/3ZqQTohaKUO13GS9Ktb5GNo/86zjIMJXJqLwchpTIVj+lIgSCAE2ybzl7dOKA2YLO7d1gRa9ByxGk2k=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=Yh0tpHbN; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1778079022;\n\tbh=PczqAw9xXZ3Qvz9x7qOo46E3XhPTFDgKNAs0QUzEXig=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=Yh0tpHbNHFcf/rdQwcLJcIjz2hbd0kCJTj4EO/rO/1nUf52FsE+GiYXO8tSCFD83H\n\t rTEQzq0bq/ZW2lAkrR7KqAcuwBGBjq3Uw4B/THTGkt9Yb9ivw0InHZZYamPGNllDC1\n\t DmqIXS+nivUJNm9J/EUVQpFM3qWXrgd5z4VqnmG86iZPyOyzBpYvWJ/VvUnQupLOGP\n\t fjfTO6EzxnE1c7vX74zoZDLV1ncX8rILLrYabnNfPrXnQigZ+9DGhlr/0IROD7DNJ9\n\t SaCcOVj/1RNAUjUfpuptsH0ciZSfh9HkjMy8uaiEwjvdvJN3sjey3frb23TDA1LiDy\n\t arRf1kl/dK/xg==","Date":"Wed, 6 May 2026 16:50:19 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"Li Xiasong <lixiasong1@huawei.com>, netfilter-devel@vger.kernel.org,\n\tstable@vger.kernel.org, Phil Sutter <phil@nwl.cc>,\n\tcoreteam@netfilter.org, yuehaibing@huawei.com,\n\tzhangchangzhong@huawei.com, weiyongjun1@huawei.com","Subject":"Re: [PATCH nft 1/2] netfilter: nf_conntrack_sip: fix missing expect\n put in REGISTER path","Message-ID":"<aftVK8KkCzQrsiAD@chamomile>","References":"<20260506121618.578443-1-lixiasong1@huawei.com>\n <20260506121618.578443-2-lixiasong1@huawei.com>\n <aftDGCXcI45PdHQc@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<aftDGCXcI45PdHQc@strlen.de>"}}]