netfilter: nf_tables: mark newset as dead on transaction abort

JIRA: https://issues.redhat.com/browse/RHEL-21443
Upstream Status: commit 08e4c8c

commit 08e4c8c
Author: Florian Westphal <[email protected]>
Date:   Mon Nov 27 11:00:37 2023 +0100

    netfilter: nf_tables: mark newset as dead on transaction abort

    If a transaction is aborted, we should mark the to-be-released NEWSET dead,
    just like commit path does for DEL and DESTROYSET commands.

    In both cases all remaining elements will be released via
    set->ops->destroy().

    The existing abort code does NOT post the actual release to the work queue.
    Also the entire __nf_tables_abort() function is wrapped in gc_seq
    begin/end pair.

    Therefore, async gc worker will never try to release the pending set
    elements, as gc sequence is always stale.

    It might be possible to speed up transaction aborts via work queue too,
    this would result in a race and a possible use-after-free.

    So fix this before it becomes an issue.

    Fixes: 5f68718 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>

Signed-off-by: Florian Westphal <[email protected]>

Author: fw-strlen

net/netfilter/nf_tables_api.c

@@ -10046,6 +10046,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 				nft_trans_destroy(trans);
 				break;
 			}
+			nft_trans_set(trans)->dead = 1;
 			list_del_rcu(&nft_trans_set(trans)->list);
 			break;
 		case NFT_MSG_DELSET: