netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention

jira VULN-430
cve CVE-2023-4244
commit-author Pablo Neira Ayuso <[email protected]>
commit 96b3330

rbtree GC does not modify the datastructure, instead it collects expired
elements and it enqueues a GC transaction. Use a read spinlock instead
to avoid data contention while GC worker is running.

Fixes: f6c383b ("netfilter: nf_tables: adapt set backend to use GC transaction API")
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 96b3330)
	Signed-off-by: Marcin Wcisło <[email protected]>

Author: pvts-mat

net/netfilter/nft_set_rbtree.c

@@ -622,8 +622,7 @@ static void nft_rbtree_gc(struct work_struct *work)
 	if (!gc)
 		goto done;
 
-	write_lock_bh(&priv->lock);
-	write_seqcount_begin(&priv->count);
+	read_lock_bh(&priv->lock);
 	for (node = rb_first(&priv->root); node != NULL; node = rb_next(node)) {
 
 		/* Ruleset has been updated, try later. */
@@ -673,8 +672,7 @@ static void nft_rbtree_gc(struct work_struct *work)
 	gc = nft_trans_gc_catchall_async(gc, gc_seq);
 
 try_later:
-	write_seqcount_end(&priv->count);
-	write_unlock_bh(&priv->lock);
+	read_unlock_bh(&priv->lock);
 
 	if (gc)
 		nft_trans_gc_queue_async_done(gc);