From: Alper Ak
To: michal.winiarski@intel.com
Cc: Alper Ak, Jason Gunthorpe, Yishai Hadas, Shameer Kolothum, Kevin Tian, Alex Williamson, Thomas Hellström, Rodrigo Vivi, kvm@vger.kernel.org, intel-xe@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [PATCH] vfio/xe: Fix use-after-free in xe_vfio_pci_alloc_file()
Date: Thu, 25 Dec 2025 18:13:49 +0300
Message-ID: <20251225151349.360870-1-alperyasinak1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

migf->filp is accessed after migf has been freed. Save the error value before calling kfree() to prevent use-after-free.

Fixes: 1f5556ec8b9e ("vfio/xe: Add device specific vfio_pci driver variant for Intel graphics")
Signed-off-by: Alper Ak
---
 drivers/vfio/pci/xe/main.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/pci/xe/main.c b/drivers/vfio/pci/xe/main.c
index 0156b53c678b..8e1595e00e18 100644
--- a/drivers/vfio/pci/xe/main.c
+++ b/drivers/vfio/pci/xe/main.c
@@ -250,6 +250,7 @@ xe_vfio_pci_alloc_file(struct xe_vfio_pci_core_device *= xe_vdev, struct xe_vfio_pci_migration_file *migf; const struct file_operations *fops; int flags; + int ret; =20 migf =3D kzalloc(sizeof(*migf), GFP_KERNEL_ACCOUNT); if (!migf)
@@ -259,8 +260,9 @@ xe_vfio_pci_alloc_file(struct xe_vfio_pci_core_device *= xe_vdev, flags =3D type =3D=3D XE_VFIO_FILE_SAVE ? O_RDONLY : O_WRONLY; migf->filp =3D anon_inode_getfile("xe_vfio_mig", fops, migf, flags); if (IS_ERR(migf->filp)) { + ret =3D PTR_ERR(migf->filp); kfree(migf); - return ERR_CAST(migf->filp); + return ERR_PTR(ret); } =20 mutex_init(&migf->lock); --=20 2.43.0
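Review bot: the second hunk is a correct fix, but it still stores an error pointer in migf->filp and then needs the new `int ret` from the first hunk to carry the errno across kfree(); a smaller change that never touches migf after it is freed is to hold the result of anon_inode_getfile() in a local `struct file *filp`, test `IS_ERR(filp)`, `kfree(migf)` and `return ERR_CAST(filp)`, and only store `migf->filp = filp` on the success path, which keeps the original `ERR_CAST` return expression and drops the extra variable. Either form is fine; if the current one is kept, it is worth exercising this error path once under KASAN (force anon_inode_getfile() to fail) to confirm the branch now has no read of migf after the kfree().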
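To make the bug class in this patch concrete outside the kernel, here is an added example that is not the patch author's code and not from drivers/vfio/pci/xe: it reproduces the error-path pattern in userspace with stand-ins for kzalloc()/kfree()/anon_inode_getfile() and the ERR_PTR helpers, and its toy kfree() poisons freed memory with 0x6b the way SLUB poisoning does, so the stale read in the pre-fix version is deterministic and observable. The names toy_*, struct migration_file, fail_getfile and the 0x1000 file handle are assumptions of the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel's ERR_PTR family (assumed, same convention as include/linux/err.h). */
#define MAX_ERRNO 4095UL
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr) { return (unsigned long)ptr >= -MAX_ERRNO; }
#define ERR_CAST(ptr) ((void *)(ptr))

struct file;                                    /* opaque, never dereferenced */
struct migration_file { struct file *filp; };   /* toy stand-in for xe_vfio_pci_migration_file */

/* Toy one-object slab: kfree() poisons the object with 0x6b (SLUB's POISON_FREE value) and
 * keeps it mapped, so reading a freed field yields a known garbage pattern, not UB. */
static unsigned char slab[sizeof(struct migration_file)];
static int slab_in_use;

static void *toy_kzalloc(size_t n)
{
	if (slab_in_use || n > sizeof(slab))
		return NULL;
	slab_in_use = 1;
	return memset(slab, 0, sizeof(slab));
}

static void toy_kfree(void *p)
{
	memset(p, 0x6b, sizeof(slab));   /* callers here never pass NULL */
	slab_in_use = 0;
}

/* Stand-in for anon_inode_getfile(); fails with -EMFILE when fail_getfile is set. */
static int fail_getfile;
static struct file *toy_getfile(void)
{
	if (fail_getfile)
		return ERR_PTR(-EMFILE);
	return (struct file *)0x1000;   /* constructed handle, never dereferenced */
}

/* Before the fix: the error pointer is read back out of migf after kfree(). */
static struct migration_file *alloc_file_buggy(void)
{
	struct migration_file *migf = toy_kzalloc(sizeof(*migf));

	if (!migf)
		return ERR_PTR(-ENOMEM);
	migf->filp = toy_getfile();
	if (IS_ERR(migf->filp)) {
		toy_kfree(migf);
		return ERR_CAST(migf->filp);   /* use-after-free read */
	}
	return migf;
}

/* After the fix: the errno is copied out before the object is freed. */
static struct migration_file *alloc_file_fixed(void)
{
	struct migration_file *migf = toy_kzalloc(sizeof(*migf));
	int ret;

	if (!migf)
		return ERR_PTR(-ENOMEM);
	migf->filp = toy_getfile();
	if (IS_ERR(migf->filp)) {
		ret = PTR_ERR(migf->filp);
		toy_kfree(migf);
		return ERR_PTR(ret);
	}
	return migf;
}

/* What a caller sees from each version when anon_inode_getfile() fails. */
static long fixed_errno_on_getfile_failure(void)
{
	fail_getfile = 1;
	struct migration_file *r = alloc_file_fixed();
	fail_getfile = 0;
	return IS_ERR(r) ? PTR_ERR(r) : 0;
}

static int buggy_returns_poison_on_getfile_failure(void)
{
	void *poison;

	memset(&poison, 0x6b, sizeof(poison));   /* 0x6b6b...6b as a pointer value */
	fail_getfile = 1;
	void *r = alloc_file_buggy();
	fail_getfile = 0;
	/* IS_ERR() is false for the poison value, so a caller would dereference it as a migf. */
	return !IS_ERR(r) && r == poison;
}

int main(void)
{
	printf("fixed: errno %ld; buggy: caller receives poison pointer: %d\n",
	       fixed_errno_on_getfile_failure(), buggy_returns_poison_on_getfile_failure());
	return 0;
}
```

The poisoning allocator is what makes the difference visible without KASAN: in the buggy version the caller's IS_ERR() check passes on the 0x6b pattern and execution would continue with a dangling migration-file pointer, whereas the fixed version reports -EMFILE.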