xgene_allocate_domains() will call irq_domain_remove() to free
msi->inner_domain on failure. However, its caller, xgene_msi_probe(),
will also call irq_domain_remove() through xgene_msi_remove() on the
same failure, which may lead to a use-after-free. Set the freed pointer
to NULL to fix this issue.
Fixes: dcd19de36775 ("PCI: xgene: Add APM X-Gene v1 PCIe MSI/MSIX termination driver")
Signed-off-by: Dinghao Liu <dinghao.liu@xxxxxxxxxx>
---
drivers/pci/controller/pci-xgene-msi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pci/controller/pci-xgene-msi.c b/drivers/pci/controller/pci-xgene-msi.c
index 3ce38dfd0d29..c0192c5ff0f3 100644
--- a/drivers/pci/controller/pci-xgene-msi.c
+++ b/drivers/pci/controller/pci-xgene-msi.c
@@ -253,6 +253,7 @@ static int xgene_allocate_domains(struct xgene_msi *msi)
if (!msi->msi_domain) {
irq_domain_remove(msi->inner_domain);
+ msi->inner_domain = NULL;
return -ENOMEM;
}
--
2.17.1
