netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path

jira VULN-4905
cve CVE-2024-26925
commit-author Pablo Neira Ayuso <[email protected]>
commit 0d459e2
upstream-diff - Red Hat has not backported this fix to Rocky 8.10, or
at least not in our current Rocky 8.10 branch.  There was some fuzz and
offsets in around the commit that caused a minor conflict.

The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.

nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.

	Cc: [email protected]
Fixes: 7203443 ("netfilter: nf_tables: GC transaction race with abort path")
	Reported-by: Kuan-Ting Chen <[email protected]>
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 0d459e2)
	Signed-off-by: Greg Rose <[email protected]>

Author: gvrose8192

net/netfilter/nf_tables_api.c

@@ -8615,11 +8615,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 		nf_tables_abort_release(trans);
 	}
 
-	if (action == NFNL_ABORT_AUTOLOAD)
-		nf_tables_module_autoload(net);
-	else
-		nf_tables_module_autoload_cleanup(net);
-
 	return 0;
 }
 
@@ -8640,6 +8635,14 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
 	nft_gc_seq_end(nft_net, gc_seq);
 	mutex_unlock(&net->nft_commit_mutex);
 
+	/* module autoload needs to happen after GC sequence update because it
+	 * temporarily releases and grabs mutex again.
+	 */
+	if (action == NFNL_ABORT_AUTOLOAD)
+		nf_tables_module_autoload(net);
+	else
+		nf_tables_module_autoload_cleanup(net);
+
 	return ret;
 }