From acf44a2361b8d6356b71a970ab016065b5123b0e Mon Sep 17 00:00:00 2001 From: Alper Ak Date: Thu, 25 Dec 2025 18:13:49 +0300 Subject: [PATCH] vfio/xe: Fix use-after-free in xe_vfio_pci_alloc_file() migf->filp is accessed after migf has been freed. Save the error value before calling kfree() to prevent use-after-free. Fixes: 1f5556ec8b9e ("vfio/xe: Add device specific vfio_pci driver variant for Intel graphics") Signed-off-by: Alper Ak Link: https://lore.kernel.org/r/20251225151349.360870-1-alperyasinak1@gmail.com Signed-off-by: Alex Williamson --- drivers/vfio/pci/xe/main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/vfio/pci/xe/main.c b/drivers/vfio/pci/xe/main.c index 719ab46600856..2a5eb9260ec7b 100644 --- a/drivers/vfio/pci/xe/main.c +++ b/drivers/vfio/pci/xe/main.c @@ -250,6 +250,7 @@ xe_vfio_pci_alloc_file(struct xe_vfio_pci_core_device *xe_vdev, struct xe_vfio_pci_migration_file *migf; const struct file_operations *fops; int flags; + int ret; migf = kzalloc(sizeof(*migf), GFP_KERNEL_ACCOUNT); if (!migf) @@ -259,8 +260,9 @@ xe_vfio_pci_alloc_file(struct xe_vfio_pci_core_device *xe_vdev, flags = type == XE_VFIO_FILE_SAVE ? O_RDONLY : O_WRONLY; migf->filp = anon_inode_getfile("xe_vfio_mig", fops, migf, flags); if (IS_ERR(migf->filp)) { + ret = PTR_ERR(migf->filp); kfree(migf); - return ERR_CAST(migf->filp); + return ERR_PTR(ret); } mutex_init(&migf->lock); -- 2.47.3