@bp is a local variable, calling mce_threshold_remove_device() when threshold_create_bank() fails will not free the @bp. Note that mce_threshold_remove_device() frees the @bp only if it's already stored in the @threshold_banks per-CPU variable.
At that point, the @threshold_banks per-CPU variable is still NULL, so the mce_threshold_remove_device() will just be a no-op and the @bp is leaked.
Fix this by calling kfree() and early returning when we fail.
This bug is introduced by commit 6458de97fc15530b544 ("x86/mce/amd: Straighten CPU hotplug path") [1].
Link: https://lore.kernel.org/all/20200403161943.1458-6-bp@alien8.de [1]
Cc: Borislav Petkov bp@alien8.de Cc: Dave Hansen dave.hansen@linux.intel.com Cc: "H. Peter Anvin" hpa@zytor.com Cc: Ingo Molnar mingo@redhat.com Cc: Thomas Gleixner tglx@linutronix.de Cc: Tony Luck tony.luck@intel.com Fixes: 6458de97fc15530b54477c4e2b70af653e8ac3d9 ("x86/mce/amd: Straighten CPU hotplug path") Cc: stable@vger.kernel.org # v5.8+ Signed-off-by: Ammar Faizi ammarfaizi2@gnuweeb.org --- arch/x86/kernel/cpu/mce/amd.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c index 9f4b508886dd..75d019dfe8d6 100644 --- a/arch/x86/kernel/cpu/mce/amd.c +++ b/arch/x86/kernel/cpu/mce/amd.c @@ -1350,15 +1350,14 @@ int mce_threshold_create_device(unsigned int cpu) if (!(this_cpu_read(bank_map) & (1 << bank))) continue; err = threshold_create_bank(bp, cpu, bank); - if (err) - goto out_err; + if (err) { + kfree(bp); + return err; + } } this_cpu_write(threshold_banks, bp);
if (thresholding_irq_en) mce_threshold_vector = amd_threshold_interrupt; return 0; -out_err: - mce_threshold_remove_device(cpu); - return err; }