netfilter: nf_tables: GC transaction race with abort path

Abort path is missing a synchronization point with GC transactions. Add GC sequence number hence any GC transaction losing race will be discarded. Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2023-08-18 02:13:52 +0300
committer: Florian Westphal <fw@strlen.de> 2023-08-23 17:10:01 +0300
commit: 720344340fb9be2765bbaab7b292ece0a4570eae (patch)
tree: 304c4725b51056a3ebfb28ff5759ec88da2f25fc /net
parent: 2c9f0293280e258606e54ed2b96fa71498432eae (diff)
download: linux-720344340fb9be2765bbaab7b292ece0a4570eae.tar.xz
1 files changed, 5 insertions, 1 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d299e7aa1b96..a255456efae4 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10337,8 +10337,12 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
 			   enum nfnl_abort_action action)
 {
 	struct nftables_pernet *nft_net = nft_pernet(net);
-	int ret = __nf_tables_abort(net, action);
+	unsigned int gc_seq;
+	int ret;
 
+	gc_seq = nft_gc_seq_begin(nft_net);
+	ret = __nf_tables_abort(net, action);
+	nft_gc_seq_end(nft_net, gc_seq);
 	mutex_unlock(&nft_net->commit_mutex);
 
 	return ret;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2023-08-18 02:13:52 +0300
committer	Florian Westphal <fw@strlen.de>	2023-08-23 17:10:01 +0300
commit	720344340fb9be2765bbaab7b292ece0a4570eae (patch)
tree	304c4725b51056a3ebfb28ff5759ec88da2f25fc /net
parent	2c9f0293280e258606e54ed2b96fa71498432eae (diff)
download	linux-720344340fb9be2765bbaab7b292ece0a4570eae.tar.xz