CVE-2022-49837

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memory leaks in __checkfunccall

kmemleak reports this issue:

unreferenced object 0xffff88817139d000 (size 2048): comm "testprogs", pid 33246, jiffies 4307381979 (age 45851.820s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000045f075f0>] kmalloctrace+0x27/0xa0 [<0000000098b7c90a>] __checkfunccall+0x316/0x1230 [<00000000b4c3c403>] checkhelpercall+0x172e/0x4700 [<00000000aa3875b7>] docheck+0x21d8/0x45e0 [<000000001147357b>] docheckcommon+0x767/0xaf0 [<00000000b5a595b4>] bpfcheck+0x43e3/0x5bc0 [<0000000011e391b1>] bpfprogload+0xf26/0x1940 [<0000000007f765c0>] __sys_bpf+0xd2c/0x3650 [<00000000839815d6>] __x64sysbpf+0x75/0xc0 [<00000000946ee250>] dosyscall64+0x3b/0x90 [<0000000000506b7f>] entrySYSCALL64afterhwframe+0x63/0xcd

The root case here is: In function preparefuncexit(), the callee is not released in the abnormal scenario after "state->curframe--;". To fix, move "state->curframe--;" to the very bottom of the function, right when we free callee and reset frame[] pointer to NULL, as Andrii suggested.

In addition, function __checkfunccall() has a similar problem. In the abnormal scenario before "state->curframe++;", the callee also should be released by freefuncstate().