Commit d077e811 authored Dec 24, 2025 by Zilin Guan Committed by Florian Westphal Jan 02, 2026

netfilter: nf_tables: fix memory leak in nf_tables_newrule()



In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to
the err_release_rule label without freeing the allocated flow, leading
to a memory leak.

Fix this by adding a new label err_destroy_flow and jumping to it when
nft_use_inc() fails. This ensures that the flow is properly released
in this error case.

Fixes: 1689f259 ("netfilter: nf_tables: report use refcount overflow")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>

parent 2bafeb8d

net/netfilter/nf_tables_api.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -4439,7 +4439,7 @@ static int nf_tables_newrule(struct sk_buff skb, const struct nfnl_info info,

		if (!nft_use_inc(&chain->use)) {
		err = -EMFILE;
		goto err_release_rule;
		goto err_destroy_flow;
		}

		if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
		@@ -4489,6 +4489,7 @@ static int nf_tables_newrule(struct sk_buff skb, const struct nfnl_info info,

		err_destroy_flow_rule:
		nft_use_dec_restore(&chain->use);
		err_destroy_flow:
		if (flow)
		nft_flow_rule_destroy(flow);
		err_release_rule: