Hello!

This is an experimental semi-automated report about issues detected by Coverity from a scan of next-20210331 as part of the linux-next scan project:
https://scan.coverity.com/projects/linux-next-weekly-scan

You're getting this email because you were associated with the identified lines of code (noted below) that were touched by commits:

None
bb4052e57b5b ("audit: log nftables configuration change events once per table")

Coverity reported the following:

*** CID 1503581: (USE_AFTER_FREE)
/net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit()
8251 NFT_MSG_DELFLOWTABLE);
8252 nft_unregister_flowtable_net_hooks(net,
8253 &nft_trans_flowtable(trans)->hook_list);
8254 }
8255 break;
8256 }
vvv CID 1503581: (USE_AFTER_FREE)
vvv Dereferencing freed pointer "trans".
8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8258 trans->msg_type);
8259 }
8260
8261 nft_commit_notify(net, NETLINK_CB(skb).portid);
8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);

Notes from a human:
The nf_tables_commit_audit_collect() call at line 8257 appears to be reachable after potential earlier calls to "nft_trans_destroy(trans);" in the same pass, so its reads of trans->ctx.table and trans->msg_type would dereference "trans" after it has been freed. Taking those two values before any path that can destroy the transaction would avoid the stale read. Coverity repeats the same excerpt below, presumably once per path on which "trans" can already have been freed.

/net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit()
8251 NFT_MSG_DELFLOWTABLE);
8252 nft_unregister_flowtable_net_hooks(net,
8253 &nft_trans_flowtable(trans)->hook_list);
8254 }
8255 break;
8256 }
vvv CID 1503581: (USE_AFTER_FREE)
vvv Dereferencing freed pointer "trans".
8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8258 trans->msg_type);
8259 }
8260
8261 nft_commit_notify(net, NETLINK_CB(skb).portid);
8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);

/net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit()
8251 NFT_MSG_DELFLOWTABLE);
8252 nft_unregister_flowtable_net_hooks(net,
8253 &nft_trans_flowtable(trans)->hook_list);
8254 }
8255 break;
8256 }
vvv CID 1503581: (USE_AFTER_FREE)
vvv Dereferencing freed pointer "trans".
8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8258 trans->msg_type); 8259 } 8260 8261 nft_commit_notify(net, NETLINK_CB(skb).portid); 8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); /net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit() 8251 NFT_MSG_DELFLOWTABLE); 8252 nft_unregister_flowtable_net_hooks(net, 8253 &nft_trans_flowtable(trans)->hook_list); 8254 } 8255 break; 8256 } vvv CID 1503581: (USE_AFTER_FREE) vvv Dereferencing freed pointer "trans". 8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8258 trans->msg_type); 8259 } 8260 8261 nft_commit_notify(net, NETLINK_CB(skb).portid); 8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); /net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit() 8251 NFT_MSG_DELFLOWTABLE); 8252 nft_unregister_flowtable_net_hooks(net, 8253 &nft_trans_flowtable(trans)->hook_list); 8254 } 8255 break; 8256 } vvv CID 1503581: (USE_AFTER_FREE) vvv Dereferencing freed pointer "trans". 8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8258 trans->msg_type); 8259 } 8260 8261 nft_commit_notify(net, NETLINK_CB(skb).portid); 8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); /net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit() 8251 NFT_MSG_DELFLOWTABLE); 8252 nft_unregister_flowtable_net_hooks(net, 8253 &nft_trans_flowtable(trans)->hook_list); 8254 } 8255 break; 8256 } vvv CID 1503581: (USE_AFTER_FREE) vvv Dereferencing freed pointer "trans". 8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8258 trans->msg_type); 8259 } 8260 8261 nft_commit_notify(net, NETLINK_CB(skb).portid); 8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); /net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit() 8251 NFT_MSG_DELFLOWTABLE); 8252 nft_unregister_flowtable_net_hooks(net, 8253 &nft_trans_flowtable(trans)->hook_list); 8254 } 8255 break; 8256 } vvv CID 1503581: (USE_AFTER_FREE) vvv Dereferencing freed pointer "trans". 
8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8258 trans->msg_type); 8259 } 8260 8261 nft_commit_notify(net, NETLINK_CB(skb).portid); 8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); /net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit() 8251 NFT_MSG_DELFLOWTABLE); 8252 nft_unregister_flowtable_net_hooks(net, 8253 &nft_trans_flowtable(trans)->hook_list); 8254 } 8255 break; 8256 } vvv CID 1503581: (USE_AFTER_FREE) vvv Dereferencing freed pointer "trans". 8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8258 trans->msg_type); 8259 } 8260 8261 nft_commit_notify(net, NETLINK_CB(skb).portid); 8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); /net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit() 8251 NFT_MSG_DELFLOWTABLE); 8252 nft_unregister_flowtable_net_hooks(net, 8253 &nft_trans_flowtable(trans)->hook_list); 8254 } 8255 break; 8256 } vvv CID 1503581: (USE_AFTER_FREE) vvv Dereferencing freed pointer "trans". 8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8258 trans->msg_type); 8259 } 8260 8261 nft_commit_notify(net, NETLINK_CB(skb).portid); 8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); /net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit() 8251 NFT_MSG_DELFLOWTABLE); 8252 nft_unregister_flowtable_net_hooks(net, 8253 &nft_trans_flowtable(trans)->hook_list); 8254 } 8255 break; 8256 } vvv CID 1503581: (USE_AFTER_FREE) vvv Dereferencing freed pointer "trans". 8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8258 trans->msg_type); 8259 } 8260 8261 nft_commit_notify(net, NETLINK_CB(skb).portid); 8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); /net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit() 8251 NFT_MSG_DELFLOWTABLE); 8252 nft_unregister_flowtable_net_hooks(net, 8253 &nft_trans_flowtable(trans)->hook_list); 8254 } 8255 break; 8256 } vvv CID 1503581: (USE_AFTER_FREE) vvv Dereferencing freed pointer "trans". 
8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8258 trans->msg_type);
8259 }
8260
8261 nft_commit_notify(net, NETLINK_CB(skb).portid);
8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);

/net/netfilter/nf_tables_api.c: 8257 in nf_tables_commit()
8251 NFT_MSG_DELFLOWTABLE);
8252 nft_unregister_flowtable_net_hooks(net,
8253 &nft_trans_flowtable(trans)->hook_list);
8254 }
8255 break;
8256 }
vvv CID 1503581: (USE_AFTER_FREE)
vvv Dereferencing freed pointer "trans".
8257 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8258 trans->msg_type);
8259 }
8260
8261 nft_commit_notify(net, NETLINK_CB(skb).portid);
8262 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);

If this is a false positive, please let us know so we can mark it as such, or teach the Coverity rules to be smarter. If not, please make sure fixes get into linux-next. :)

For patches fixing this, please include these lines (but double-check the "Fixes" first):

Reported-by: coverity-bot <keescook+coverity-bot@xxxxxxxxxxxx>
Addresses-Coverity-ID: 1503581 ("USE_AFTER_FREE")
Fixes: bb4052e57b5b ("audit: log nftables configuration change events once per table")

Thanks for your attention!

--
Coverity-bot