Commit e8b19b9
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
jira VULN-177697
cve CVE-2026-23231
commit-author Inseo An <y0un9sa@gmail.com>
commit 71e99ee
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain() via the transient IPv4 hook can still be
dereferencing chain->blob_gen_X when the error path frees the
chain.
Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.
Fixes: 91c7b38 ("netfilter: nf_tables: use new transaction infrastructure to handle chain")
Signed-off-by: Inseo An <y0un9sa@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 71e99ee)
Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>

1 parent 6aebf64 commit e8b19b9
1 file changed
Lines changed: 1 addition & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2479 | 2479 | | |
2480 | 2480 | | |
2481 | 2481 | | |
| 2482 | + | |
2482 | 2483 | | |
2483 | 2484 | | |
2484 | 2485 | | |
| |||
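Review bot: the rendered diff shows only the line numbers for the single insertion at new line 2482 and none of its content, so the change cannot be verified from the hunk itself; per the message it is a synchronize_rcu() placed between nft_chain_del() and nf_tables_chain_destroy() on the nf_tables_register_hook() failure path. When checking the full source, confirm that the call sits after the list_del_rcu() unlink and before the free in that exact error path, and that this path runs in sleepable process context with no spinlock held, since synchronize_rcu() blocks until the grace period ends; a grace-period wait is only a safe fix under those conditions.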