netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP

jira VULN-34700
cve CVE-2023-42756
commit-author Jozsef Kadlecsik <[email protected]>
commit 7433b6d

Kyle Zeng reported that there is a race between IPSET_CMD_ADD and IPSET_CMD_SWAP
in netfilter/ip_set, which can lead to the invocation of `__ip_set_put` on a
wrong `set`, triggering the `BUG_ON(set->ref == 0);` check in it.

The race is caused by using the wrong reference counter, i.e. the ref counter instead
of ref_netlink.

Fixes: 24e2278 ("netfilter: ipset: Add schedule point in call_ad().")
	Reported-by: Kyle Zeng <[email protected]>
Closes: https://lore.kernel.org/netfilter-devel/ZPZqetxOmH+w%2Fmyc@westworld/#r
	Tested-by: Kyle Zeng <[email protected]>
	Signed-off-by: Jozsef Kadlecsik <[email protected]>
	Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit 7433b6d)
	Signed-off-by: Marcin Wcisło <[email protected]>

Author: pvts-mat

net/netfilter/ipset/ip_set_core.c

@@ -684,6 +684,14 @@ __ip_set_put(struct ip_set *set)
 /* set->ref can be swapped out by ip_set_swap, netlink events (like dump) need
  * a separate reference counter
  */
+static void
+__ip_set_get_netlink(struct ip_set *set)
+{
+	write_lock_bh(&ip_set_ref_lock);
+	set->ref_netlink++;
+	write_unlock_bh(&ip_set_ref_lock);
+}
+
 static void
 __ip_set_put_netlink(struct ip_set *set)
 {
@@ -1699,11 +1707,11 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
 
 	do {
 		if (retried) {
-			__ip_set_get(set);
+			__ip_set_get_netlink(set);
 			nfnl_unlock(NFNL_SUBSYS_IPSET);
 			cond_resched();
 			nfnl_lock(NFNL_SUBSYS_IPSET);
-			__ip_set_put(set);
+			__ip_set_put_netlink(set);
 		}
 
 		ip_set_lock(set);