[SRU][F/J][PATCH 0/1] netfilter: nf_tables: Fix EBUSY on deleting unreferenced chain

Ian Whitfield ian.whitfield at canonical.com
Fri Dec 6 21:29:51 UTC 2024


BugLink: https://bugs.launchpad.net/bugs/2089699

SRU Justification

[Impact]
Our backport of upstream commit e79b47a8615d introduced a bug in the
reference counting of chains in nf_tables that caused some valid
chain deletion transactions to fail with the error "Error: Could not
process rule: Device or resource busy". This bug is not present in
the upstream stable backport to linux-6.6.y, commit 164936b2fc88.

[Fix]
This patch modifies our backport to match commit
164936b2fc88883341fe7a2d9c42b69020e5cafd in linux-6.6.y, or, in the
case of Focal, to match it as closely as possible.

[Test Case]
Execute the customer-provided reproducer at least 3 times. The
reproducer is a series of nft commands derived from the Kubernetes
project's test suite which could reproduce this bug reliably.
Completing an end-to-end Kubernetes conformance test would also
effectively test this fix.

[Regression Potential]
Because this retroactively changes the contents of a backport, it could
introduce unexpected regressions in netfilter, although the change is
minor and fairly contained to specific nft set operations. This patch
additionally brings us closer to upstream stable, which generally
indicates improved reliability.

[Other]
Later kernels (v6.8+) were able to cleanly cherry-pick the CVE patch
and are therefore not affected by this bug.

Ian Whitfield (1):
  UBUNTU: SAUCE: netfilter: nf_tables: Fix EBUSY on deleting
    unreferenced chain

 net/netfilter/nf_tables_api.c  | 10 +++++-----
 net/netfilter/nft_set_pipapo.c |  1 -
 2 files changed, 5 insertions(+), 6 deletions(-)

-- 
2.43.0