netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout

jira VULN-836
cve CVE-2024-26643
commit-author Pablo Neira Ayuso <[email protected]>
commit 552705a

While the rhashtable set gc runs asynchronously, a race allows it to
collect elements from anonymous sets with timeouts while it is being
released from the commit path.

Mingi Cho originally reported this issue in a different path in 6.1.x
with a pipapo set with low timeouts which is not possible upstream since
7395dfa ("netfilter: nf_tables: use timestamp to check for set
element timeout").

Fix this by setting on the dead flag for anonymous sets to skip async gc
in this case.

According to 08e4c8c ("netfilter: nf_tables: mark newset as dead on
transaction abort"), Florian plans to accelerate abort path by releasing
objects via workqueue, therefore, this sets on the dead flag for abort
path too.

	Cc: [email protected]
Fixes: 5f68718 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
	Reported-by: Mingi Cho <[email protected]>
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 552705a)
	Signed-off-by: Marcin Wcisło <[email protected]>

Author: pvts-mat

net/netfilter/nf_tables_api.c

@@ -5105,6 +5105,7 @@ static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
 
 	if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
 		list_del_rcu(&set->list);
+		set->dead = 1;
 		if (event)
 			nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
 					     GFP_KERNEL);