vfio/xe: Fix use-after-free in xe_vfio_pci_alloc_file()

migf->filp is accessed after migf has been freed. Save the error
value before calling kfree() to prevent use-after-free.

Fixes: 1f5556ec8b9e ("vfio/xe: Add device specific vfio_pci driver variant for Intel graphics")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Link: https://lore.kernel.org/r/20251225151349.360870-1-alperyasinak1@gmail.com
Signed-off-by: Alex Williamson <alex@shazbot.org>

diff --git a/drivers/vfio/pci/xe/main.c b/drivers/vfio/pci/xe/main.c
index 719ab46..2a5eb92 100644 (file)
--- a/drivers/vfio/pci/xe/main.c
+++ b/drivers/vfio/pci/xe/main.c
@@ -250,6 +250,7 @@ xe_vfio_pci_alloc_file(struct xe_vfio_pci_core_device *xe_vdev,
        struct xe_vfio_pci_migration_file *migf;
        const struct file_operations *fops;
        int flags;
+       int ret;
 
        migf = kzalloc(sizeof(*migf), GFP_KERNEL_ACCOUNT);
        if (!migf)
@@ -259,8 +260,9 @@ xe_vfio_pci_alloc_file(struct xe_vfio_pci_core_device *xe_vdev,
        flags = type == XE_VFIO_FILE_SAVE ? O_RDONLY : O_WRONLY;
        migf->filp = anon_inode_getfile("xe_vfio_mig", fops, migf, flags);
        if (IS_ERR(migf->filp)) {
+               ret = PTR_ERR(migf->filp);
                kfree(migf);
-               return ERR_CAST(migf->filp);
+               return ERR_PTR(ret);
        }
 
        mutex_init(&migf->lock);