bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()

stable inclusion
from stable-v6.6.54
commit 790c630ab0e7d7aba6d186581d4627c09fce60f3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJ9
CVE: CVE-2024-47675

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=790c630ab0e7d7aba6d186581d4627c09fce60f3

--------------------------------

commit 5fe6e308abaea082c20fbf2aa5df8e14495622cf upstream.

If bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the
error_free label and frees the array of bpf_uprobe's without calling
bpf_uprobe_unregister().

This leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer
without removing it from the uprobe->consumers list.

Fixes: 89ae89f5 ("bpf: Add multi uprobe link")
Closes: https://lore.kernel.org/all/000000000000382d39061f59f2dd@google.com/


Reported-by:  <syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Tested-by:  <syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240813152524.GA7292@redhat.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Pu Lehui <pulehui@huawei.com>