From: Alper Ak Date: Thu, 25 Dec 2025 15:13:49 +0000 (+0300) Subject: vfio/xe: Fix use-after-free in xe_vfio_pci_alloc_file() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=acf44a2361b8d6356b71a970ab016065b5123b0e;p=thirdparty%2Flinux.git vfio/xe: Fix use-after-free in xe_vfio_pci_alloc_file() migf->filp is accessed after migf has been freed. Save the error value before calling kfree() to prevent use-after-free. Fixes: 1f5556ec8b9e ("vfio/xe: Add device specific vfio_pci driver variant for Intel graphics") Signed-off-by: Alper Ak Link: https://lore.kernel.org/r/20251225151349.360870-1-alperyasinak1@gmail.com Signed-off-by: Alex Williamson
---
diff --git a/drivers/vfio/pci/xe/main.c b/drivers/vfio/pci/xe/main.c
index 719ab4660085..2a5eb9260ec7 100644
--- a/drivers/vfio/pci/xe/main.c
+++ b/drivers/vfio/pci/xe/main.c
@@ -250,6 +250,7 @@ xe_vfio_pci_alloc_file(struct xe_vfio_pci_core_device *xe_vdev,
 struct xe_vfio_pci_migration_file *migf;
 const struct file_operations *fops;
 int flags;
+ int ret;
 
 migf = kzalloc(sizeof(*migf), GFP_KERNEL_ACCOUNT);
 if (!migf)
@@ -259,8 +260,9 @@ xe_vfio_pci_alloc_file(struct xe_vfio_pci_core_device *xe_vdev,
 flags = type == XE_VFIO_FILE_SAVE ? O_RDONLY : O_WRONLY;
 migf->filp = anon_inode_getfile("xe_vfio_mig", fops, migf, flags);
 if (IS_ERR(migf->filp)) {
+ ret = PTR_ERR(migf->filp);
 kfree(migf);
- return ERR_CAST(migf->filp);
+ return ERR_PTR(ret);
 }
 
 mutex_init(&migf->lock);
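Review bot: In the `IS_ERR(migf->filp)` branch of the second hunk, the error pointer is still stored into the object that is about to be freed, so the fix holds only while `ret = PTR_ERR(migf->filp);` stays ahead of `kfree(migf);`. Keeping the result in a local and assigning `migf->filp` only on success removes that ordering dependency, and also avoids narrowing the `long` returned by `PTR_ERR()` into `int ret`. That would read `filp = anon_inode_getfile("xe_vfio_mig", fops, migf, flags);`, then `if (IS_ERR(filp)) { kfree(migf); return ERR_CAST(filp); }`, then `migf->filp = filp;`, with `struct file *filp;` declared in the first hunk in place of `int ret;`. The function body continues past `mutex_init(&migf->lock);` outside the hunk, so any later error path that frees `migf` is not visible here and should be checked for the same read-after-free pattern.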