irqchip/gic-v3-its: Prevent double free on error

jira LE-1907
cve CVE-2024-35847
Rebuild_History Non-Buildable kernel-4.18.0-553.16.1.el8_10
commit-author Guanrui Huang <[email protected]>
commit c26591a

The error handling path in its_vpe_irq_domain_alloc() causes a double free
when its_vpe_init() fails after successfully allocating at least one
interrupt. This happens because its_vpe_irq_domain_free() frees the
interrupts along with the area bitmap and the vprop_page and
its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the
vprop_page again.

Fix this by unconditionally invoking its_vpe_irq_domain_free() which
handles all cases correctly and by removing the bitmap/vprop_page freeing
from its_vpe_irq_domain_alloc().

[ tglx: Massaged change log ]

Fixes: 7d75bbb ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
	Signed-off-by: Guanrui Huang <[email protected]>
	Signed-off-by: Thomas Gleixner <[email protected]>
	Reviewed-by: Marc Zyngier <[email protected]>
	Reviewed-by: Zenghui Yu <[email protected]>
	Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
(cherry picked from commit c26591a)
	Signed-off-by: Jonathan Maple <[email protected]>

Author: PlaidCat

drivers/irqchip/irq-gic-v3-its.c

@@ -4500,13 +4500,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
 		set_bit(i, bitmap);
 	}
 
-	if (err) {
-		if (i > 0)
-			its_vpe_irq_domain_free(domain, virq, i);
-
-		its_lpi_free(bitmap, base, nr_ids);
-		its_free_prop_table(vprop_page);
-	}
+	if (err)
+		its_vpe_irq_domain_free(domain, virq, i);
 
 	return err;
 }