netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()

jira VULN-4961
cve CVE-2024-27019
commit-author Ziyang Xuan <[email protected]>
commit d78d867
upstream-diff The cherry-pick tried to pull in extra cruft not
part of the upstream patch.  I have resolved the conflicts in
favor of the 4.18.0-553.16.1 tagged code.

nft_unregister_obj() can concurrent with __nft_obj_type_get(),
and there is not any protection when iterate over nf_tables_objects
list in __nft_obj_type_get(). Therefore, there is potential data-race
of nf_tables_objects list entry.

Use list_for_each_entry_rcu() to iterate over nf_tables_objects
list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
nft_obj_type_get() to protect the entire type query process.

Fixes: e500924 ("netfilter: nf_tables: add stateful objects")
	Signed-off-by: Ziyang Xuan <[email protected]>
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit d78d867)
	Signed-off-by: Greg Rose <[email protected]>

Conflicts:
	net/netfilter/nf_tables_api.c

Author: gvrose8192

net/netfilter/nf_tables_api.c

@@ -6137,7 +6137,7 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
 {
 	const struct nft_object_type *type;
 
-	list_for_each_entry(type, &nf_tables_objects, list) {
+	list_for_each_entry_rcu(type, &nf_tables_objects, list) {
 		if (objtype == type->type)
 			return type;
 	}
@@ -6149,9 +6149,13 @@ nft_obj_type_get(struct net *net, u32 objtype)
 {
 	const struct nft_object_type *type;
 
+	rcu_read_lock();
 	type = __nft_obj_type_get(objtype);
-	if (type != NULL && try_module_get(type->owner))
+	if (type != NULL && try_module_get(type->owner)) {
+		rcu_read_unlock();
 		return type;
+	}
+	rcu_read_unlock();
 
 	lockdep_nfnl_nft_mutex_not_held();
 #ifdef CONFIG_MODULES