netfilter: nf_tables: report use refcount overflow

JIRA: https://issues.redhat.com/browse/RHEL-1720
JIRA: https://issues.redhat.com/browse/RHEL-1721
Upstream Status: commit 1689f25

Conflicts: net/netfilter/nf_tables_api.c

Upstream switched tp KERNEL_ACCOUNT in
33758c8 ("memcg: enable accounting for nft objects").

Also, we lack
b9703ed ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
so we can drop the if/else part.

commit 1689f25
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed Jun 28 16:24:27 2023 +0200

    netfilter: nf_tables: report use refcount overflow

    Overflow use refcount checks are not complete.

    Add helper function to deal with object reference counter tracking.
    Report -EMFILE in case UINT_MAX is reached.

    nft_use_dec() splats in case that reference counter underflows,
    which should not ever happen.

    Add nft_use_inc_restore() and nft_use_dec_restore() which are used
    to restore reference counter from error and abort paths.

    Use u32 in nft_flowtable and nft_object since helper functions cannot
    work on bitfields.

    Remove the few early incomplete checks now that the helper functions
    are in place and used to check for refcount overflow.

    Fixes: 9651851 ("netfilter: add nftables")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Florian Westphal <fwestpha@redhat.com>

Author: fw-strlen

include/net/netfilter/nf_tables.h

@@ -1145,6 +1145,29 @@ int __nft_release_basechain(struct nft_ctx *ctx);
 
 unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
 
+static inline bool nft_use_inc(u32 *use)
+{
+	if (*use == UINT_MAX)
+		return false;
+
+	(*use)++;
+
+	return true;
+}
+
+static inline void nft_use_dec(u32 *use)
+{
+	WARN_ON_ONCE((*use)-- == 0);
+}
+
+/* For error and abort path: restore use counter to previous state. */
+static inline void nft_use_inc_restore(u32 *use)
+{
+	WARN_ON_ONCE(!nft_use_inc(use));
+}
+
+#define nft_use_dec_restore	nft_use_dec
+
 /**
  *	struct nft_table - nf_tables table
  *
@@ -1228,8 +1251,8 @@ struct nft_object {
 	struct list_head		list;
 	struct rhlist_head		rhlhead;
 	struct nft_object_hash_key	key;
-	u32				genmask:2,
-					use:30;
+	u32				genmask:2;
+	u32				use;
 	u64				handle;
 	u16				udlen;
 	u8				*udata;
@@ -1331,8 +1354,8 @@ struct nft_flowtable {
 	char				*name;
 	int				hooknum;
 	int				ops_len;
-	u32				genmask:2,
-					use:30;
+	u32				genmask:2;
+	u32				use;
 	u64				handle;
 	/* runtime data below here */
 	struct list_head		hook_list ____cacheline_aligned;