netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path

jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 6a33d8b
upstream-diff There's a lot of fuzz and code differences - resolved in
favor of the 534 release code.

Netlink event path is missing a synchronization point with GC
transactions. Add GC sequence number update to netns release path and
netlink event path, any GC transaction losing race will be discarded.

Fixes: 5f68718 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 6a33d8b)
	Signed-off-by: Greg Rose <g.v.rose@ciq.com>

Author: gvrose8192

net/netfilter/nf_tables_api.c

@@ -8136,10 +8136,27 @@ static void nft_set_commit_update(struct list_head *set_update_list)
 	}
 }
 
+static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
+{
+	unsigned int gc_seq;
+
+	/* Bump gc counter, it becomes odd, this is the busy mark. */
+	gc_seq = READ_ONCE(nft_net->gc_seq);
+	WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
+
+	return gc_seq;
+}
+
+static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
+{
+	WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
+}
+
 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 {
 	struct nftables_pernet *nft_net = nft_pernet(net);
 	struct nft_trans *trans, *next;
+	unsigned int base_seq, gc_seq;
 	LIST_HEAD(set_update_list);
 	struct nft_trans_elem *te;
 	struct nft_chain *chain;
@@ -8195,6 +8212,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 
 	WRITE_ONCE(net->nft.base_seq, base_seq);
 
+	gc_seq = nft_gc_seq_begin(nft_net);
+
 	/* step 3. Start new generation, rules_gen_X now in use. */
 	net->nft.gencursor = nft_gencursor_next(net);
 
@@ -8351,6 +8370,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 	nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
 	nf_tables_commit_audit_log(&adl, net->nft.base_seq);
 
+	nft_gc_seq_end(nft_net, gc_seq);
 	nf_tables_commit_release(net);
 
 	return 0;
@@ -8498,7 +8518,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 				break;
 			}
 			te = (struct nft_trans_elem *)trans->data;
-			te->set->ops->remove(net, te->set, &te->elem);
+			nft_setelem_remove(net, te->set, &te->elem);
 			atomic_dec(&te->set->nelems);
 
 			if (te->set->ops->abort &&
@@ -9221,15 +9241,20 @@ static void __net_exit nf_tables_pre_exit_net(struct net *net)
 static void __net_exit nf_tables_exit_net(struct net *net)
 {
 	struct nftables_pernet *nft_net = nft_pernet(net);
+	unsigned int gc_seq;
 
 	mutex_lock(&net->nft_commit_mutex);
 
+	gc_seq = nft_gc_seq_begin(nft_net);
+
 	if (!list_empty(&net->nft.commit_list) ||
-	    !list_empty(&net->nft_module_list))
-		__nf_tables_abort(net, NFNL_ABORT_NONE);
+            !list_empty(&net->nft_module_list))
+                __nf_tables_abort(net, NFNL_ABORT_NONE);
 
 	__nft_release_tables(net);
 
+	nft_gc_seq_end(nft_net, gc_seq);
+
 	mutex_unlock(&net->nft_commit_mutex);
 	WARN_ON_ONCE(!list_empty(&net->nft.tables));
 	WARN_ON_ONCE(!list_empty(&net->nft_module_list));