netfilter: nf_tables: flush pending destroy work before netlink notifier

JIRA: https://issues.redhat.com/browse/RHEL-1720
JIRA: https://issues.redhat.com/browse/RHEL-1721
Upstream Status: commit 2c9f029

commit 2c9f029
Author: Pablo Neira Ayuso <[email protected]>
Date:   Fri Aug 18 01:13:31 2023 +0200

    netfilter: nf_tables: flush pending destroy work before netlink notifier

    Destroy work waits for the RCU grace period then it releases the objects
    with no mutex held. All releases objects follow this path for
    transactions, therefore, order is guaranteed and references to top-level
    objects in the hierarchy remain valid.

    However, netlink notifier might interfer with pending destroy work.
    rcu_barrier() is not correct because objects are not release via RCU
    callback. Flush destroy work before releasing objects from netlink
    notifier path.

    Fixes: d4bc827 ("netfilter: nf_tables: netlink notifier might race to release objects")
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Florian Westphal <[email protected]>

Signed-off-by: Florian Westphal <[email protected]>

Author: fw-strlen

net/netfilter/nf_tables_api.c

@@ -10709,7 +10709,7 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
 	gc_seq = nft_gc_seq_begin(nft_net);
 
 	if (!list_empty(&nf_tables_destroy_list))
-		rcu_barrier();
+		nf_tables_trans_destroy_flush_work();
 again:
 	list_for_each_entry(table, &nft_net->tables, list) {
 		if (nft_table_has_owner(table) &&