netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path

jira VUlN-597
subsystem-sync netfilter:nf_tables 4.18.0-511
commit-author Pablo Neira Ayuso <[email protected]>
commit 6a33d8b
upstream-diff Due to previous code syncronizations much of this code was
already present.  However, as the folks at netfilter are wont to do,
they mixed in space removing formatting changes with a patch that had
nothing to do with fixing formatting.  :(
Branch 8_10 used as the source of truth.

Netlink event path is missing a synchronization point with GC
transactions. Add GC sequence number update to netns release path and
netlink event path, any GC transaction losing race will be discarded.

Fixes: 5f68718 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
	Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit 6a33d8b)
	Signed-off-by: Greg Rose <[email protected]>

Author: gvrose8192

net/netfilter/nf_tables_api.c

@@ -8139,18 +8139,18 @@ static void nft_set_commit_update(struct list_head *set_update_list)
 
 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
 {
-        unsigned int gc_seq;
+	unsigned int gc_seq;
 
-        /* Bump gc counter, it becomes odd, this is the busy mark. */
-        gc_seq = READ_ONCE(nft_net->gc_seq);
-        WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
+	/* Bump gc counter, it becomes odd, this is the busy mark. */
+	gc_seq = READ_ONCE(nft_net->gc_seq);
+	WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
 
-        return gc_seq;
+	return gc_seq;
 }
 
 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
 {
-        WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
+	WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
 }
 
 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
@@ -8600,8 +8600,8 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
 	int ret;
 
 	gc_seq = nft_gc_seq_begin(nft_net);
-        ret = __nf_tables_abort(net, action);
-        nft_gc_seq_end(nft_net, gc_seq);
+	ret = __nf_tables_abort(net, action);
+	nft_gc_seq_end(nft_net, gc_seq);
 	mutex_unlock(&net->nft_commit_mutex);
 
 	return ret;
@@ -9254,17 +9254,17 @@ static void __net_exit nf_tables_exit_net(struct net *net)
 	gc_seq = nft_gc_seq_begin(nft_net);
 
 	if (!list_empty(&net->nft.commit_list) ||
-	    !list_empty(&net->nft_module_list))
-		__nf_tables_abort(net, NFNL_ABORT_NONE);
+            !list_empty(&net->nft_module_list))
+                __nf_tables_abort(net, NFNL_ABORT_NONE);
 
 	__nft_release_tables(net);
 
 	nft_gc_seq_end(nft_net, gc_seq);
 
 	mutex_unlock(&net->nft_commit_mutex);
-	WARN_ON_ONCE(!list_empty(&net->nft.tables));
-	WARN_ON_ONCE(!list_empty(&net->nft_module_list));
-	WARN_ON_ONCE(!list_empty(&net->nft_notify_list));
+        WARN_ON_ONCE(!list_empty(&net->nft.tables));
+        WARN_ON_ONCE(!list_empty(&net->nft_module_list));
+        WARN_ON_ONCE(!list_empty(&net->nft_notify_list));
 }
 
 static void nf_tables_exit_batch(struct list_head *net_exit_list)