CVE-2022-50168

In the Linux kernel, the following vulnerability has been resolved:

bpf, x86: fix freeing of not-finalized bpfprogpack

syzbot reported a few issues with bpfprogpack [1], [2]. This only happens with multiple subprogs. In jitsubprogs(), we first call bpfintjitcompile() on each sub program. And then, we call it on each sub program again. jitdata is not freed in the first call of bpfintjitcompile(). Similarly we don't call bpfjitbinarypackfinalize() in the first call of bpfintjit_compile().

If bpfintjitcompile() failed for one sub program, we will call bpfjitbinarypackfinalize() for this sub program. However, we don't have a chance to call it for other sub programs. Then we will hit "goto outfree" in jitsubprogs(), and call bpfjitfree on some subprograms that haven't got bpfjitbinarypack_finalize() yet.

At this point, bpfjitbinarypackfree() is called and the whole 2MB page is freed erroneously.

Fix this with a custom bpfjitfree() for x8664, which calls bpfjitbinarypackfinalize() if necessary. Also, with custom bpfjitfree(), bpfprogaux->usebpfprogpack is not needed any more, remove it.

[1] https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f [2] https://syzkaller.appspot.com/bug?extid=87f65c75f4a72db05445