From nobody Mon Mar 23 19:52:28 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120;
 envelope-from=xen-devel-bounces@lists.xenproject.org;
 helo=lists.xenproject.org;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass(p=reject dis=none)  header.from=citrix.com
ARC-Seal: i=1; a=rsa-sha256; t=1773399029; cv=none;
	d=zohomail.com; s=zohoarc;
	b=CkKQFQ6cSqG+ePM8YtkF49+4fQRAyhoiGFim1wAAkW2Nhirvf1xXzWhx2uQIwQqPq27SQfXHQwpq3iZ2Nw1B5QN4SFK3PHbxyv0oZs7EhpXcHQ66T2cV3kZMp4FskIxlVZmkJdtWkE4M4+RLEFG4AR4/+gYCzQIJ/vL7KvvItUM=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1773399029;
 h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To;
	bh=cCc6Rsu6njgY2i55JlN7uSjh8xb1A//upegbhHr/ukE=;
	b=B0cRAc22FUb2176L/s76dZLlhDjNkyp73B0M8/477OKHWSTlIaCY8yRewm9TGCAn1oc7ZiD+gH+oD5W+/InZf5if2B2sC7pyVQ00MrlFBc/Q1LCawJYcaTyjzoxp75e4I4u4ZU6ofLXjOBbKlMPwQI1JVBpHBPI81rXxgixefnE=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass header.from=<andrew.cooper3@citrix.com> (p=reject dis=none)
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
 by mx.zohomail.com
	with SMTPS id 1773399029271964.4638745328245;
 Fri, 13 Mar 2026 03:50:29 -0700 (PDT)
Received: from list by lists.xenproject.org with
 outflank-mailman.1253520.1549721 (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1w105g-0006NB-TE; Fri, 13 Mar 2026 10:50:00 +0000
Received: by outflank-mailman (output) from mailman id 1253520.1549721;
 Fri, 13 Mar 2026 10:50:00 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1w105g-0006N4-Pd; Fri, 13 Mar 2026 10:50:00 +0000
Received: by outflank-mailman (input) for mailman id 1253520;
 Fri, 13 Mar 2026 10:49:58 +0000
Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254]
 helo=se1-gles-sth1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=RFGv=BN=citrix.com=andrew.cooper3@srs-se1.protection.inumbo.net>)
 id 1w105e-0006Mw-RL
 for xen-devel@lists.xenproject.org; Fri, 13 Mar 2026 10:49:58 +0000
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com
 [2a00:1450:4864:20::32d])
 by se1-gles-sth1.inumbo.com (Halon) with ESMTPS
 id 60422c07-1eca-11f1-b164-2bf370ae4941;
 Fri, 13 Mar 2026 11:49:57 +0100 (CET)
Received: by mail-wm1-x32d.google.com with SMTP id
 5b1f17b1804b1-4853f2826f7so19617025e9.1
 for <xen-devel@lists.xenproject.org>; Fri, 13 Mar 2026 03:49:57 -0700 (PDT)
Received: from localhost.localdomain (host-92-22-18-152.as13285.net.
 [92.22.18.152]) by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-48541b7f255sm306357955e9.12.2026.03.13.03.49.55
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 13 Mar 2026 03:49:56 -0700 (PDT)
X-Outflank-Mailman: Message body and most headers restored to incoming version
X-BeenThere: xen-devel@lists.xenproject.org
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
X-Inumbo-ID: 60422c07-1eca-11f1-b164-2bf370ae4941
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=citrix.com; s=google; t=1773398997; x=1774003797;
 darn=lists.xenproject.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=cCc6Rsu6njgY2i55JlN7uSjh8xb1A//upegbhHr/ukE=;
        b=nfPQYh3wQq/FCQ2gJ3ufnV940l5eBNezWNlPRQ5Et1Lhw+8lkaPp17ljjG4+uOuQy4
         4jMCt57/SiTlFQyVVrVR/FopPAvNoCIUm4QJiuqPKY+D4+43oZNEH0KxUeAmgSAeF1qg
         cXWsaXPNIIYNo54KW9lcZaT+xIYdyx8pGIlAs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773398997; x=1774003797;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=cCc6Rsu6njgY2i55JlN7uSjh8xb1A//upegbhHr/ukE=;
        b=RFJFcTQ2VpDnak8nfVQkXJ7wmIdtQJxnUXvgXRaVCpJ0KbrGGw+xiy+VbE+G6Kr7GE
         8BCAXrHz1TfybmxPtAvqWgubfMbOTnE5OHIFp3wWT67x8q05C8bLE1rYUjkQ7dhB1ELT
         BiLebrSc1o2UxK+lVnvjyJlg3oiZG0d9AMScuyftodMTmkZSXuKaaxSGkQ0YmFjFyW8d
         rpXQTAhqsU17v169n241ksnlRTl7+RTpzbWdF613C/o5IvMDvZNdGfjI+UKiZ1kZRMP8
         l0YP96gaZAjKxieizrgk2CE13JKa0dET1zjVoSjqkGHFcJj7atlGh0AOvZZWovdwPDfW
         YMcA==
X-Gm-Message-State: AOJu0Yz6Lm9z+HsEk5eyGcsRpaWN0qBu7+WGdVWnYyBAdXSdCL1ImV2u
	Hzlc3VTDQUX+vDdWkhmwyPpiHfnI57zq3aB0u6diHx5bWPij+S1SamrlDNd710lVjKeNF5Ebk9y
	99kYG
X-Gm-Gg: ATEYQzwAY7EFKn15ffqpr+Ga/HXpzxfreRyRMWf+eYUV1xai07ZthVoMOJzf7FqvvBF
	leASEd7LCjOQxyg4900ixGdSOnP1Md7rVeb1EJMcouKPfyB3Y9tDh5HQ5EvqK8UekwejnZRARPT
	lFxRCk4xv/Rea6AjyGEz5d37pVaGfwWz40AWdEInVAR9UfEmSaQXtAfFGMjh488A2hljPd20r2p
	ztvWy5RMmrNOWT8Ho1DfSZibs9jGm4QlTNKaukglrb1/eJqxJIEskEl76ZGs0cl4zFvoDgZq6lG
	SG+1E+uz1uL1BhEA601buKOmJFhwMdsjVHyxEdIultkx4g3nt7aUUt8Yr7MwHvdQApJAdck8lR1
	q8pkCP7/P1b+8IpE04AnOkynoxGoqQPC4WyVPM3gnj4IMjQFpMJC+rXSsF74mSY+iZu7YBIU+KZ
	kMJPnB73lW/R9RGwno756dMccAs1U42wB0RNRjjIl23debQFRfrKwVCNo6OGDJKKZd3Si2M9c=
X-Received: by 2002:a05:600c:45d5:b0:485:4535:73d with SMTP id
 5b1f17b1804b1-485566cfb8amr43531425e9.2.1773398996418;
        Fri, 13 Mar 2026 03:49:56 -0700 (PDT)
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	Jan Beulich <JBeulich@suse.com>,
	=?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
Subject: [PATCH] x86/mce: Fix buggy error path in cpu_bank_alloc() leading to
 UAF
Date: Fri, 13 Mar 2026 10:49:54 +0000
Message-Id: <20260313104954.590855-1-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @citrix.com)
X-ZM-MESSAGEID: 1773399031450158500

When cleaning up from a mcabanks_alloc() failure, the memory is freed but
stale pointers are left in the percpu variables.

Use cpu_bank_free() which is idempotent and behaves correctly.

Fixes: 2e6c8f182c9c ("x86: distinguish CPU offlining from CPU removal")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monn=C3=A9 <roger.pau@citrix.com>

2e6c8f182c9c updated the success path but missed the associated error path.

Prior to that, the paths were at least consistent since their introduction =
in
commit 78c579426fb5 ("x86/MCE: Implement clearbank callback for AMD").
---
 xen/arch/x86/cpu/mcheck/mce.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/xen/arch/x86/cpu/mcheck/mce.c b/xen/arch/x86/cpu/mcheck/mce.c
index 9a91807cfb33..684871b216a4 100644
--- a/xen/arch/x86/cpu/mcheck/mce.c
+++ b/xen/arch/x86/cpu/mcheck/mce.c
@@ -694,8 +694,7 @@ static int cpu_bank_alloc(unsigned int cpu)
=20
     if ( !poll || !clr )
     {
-        mcabanks_free(poll);
-        mcabanks_free(clr);
+        cpu_bank_free(cpu);
         return -ENOMEM;
     }
=20
--=20
2.39.5