Re: [PATCH 2/2] drivers/base/memory: fix memory block reference leak in poison accounting

From: Miaohe Lin

Date: Mon Apr 27 2026 - 05:17:52 EST


On 2026/4/26 22:44, Muchun Song wrote:
> memblk_nr_poison_inc() and memblk_nr_poison_sub() look up a memory
> block via find_memory_block_by_id(), which acquires a reference to the
> memory block device.
>
> Both helpers use the returned memory block without dropping that
> reference, leaking the device reference on each successful lookup. Drop
> the reference after updating nr_hwpoison.
>
> Fixes: 5033091de814 ("mm/hwpoison: introduce per-memory_block hwpoison counter")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Muchun Song <songmuchun@xxxxxxxxxxxxx>

This patch looks good to me with one question below:

Reviewed-by: Miaohe Lin <linmiaohe@xxxxxxxxxx>

> ---
> drivers/base/memory.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/base/memory.c b/drivers/base/memory.c
> index f806a683b767..6981b55d582a 100644
> --- a/drivers/base/memory.c
> +++ b/drivers/base/memory.c
> @@ -1230,8 +1230,10 @@ void memblk_nr_poison_inc(unsigned long pfn)
> const unsigned long block_id = pfn_to_block_id(pfn);
> struct memory_block *mem = find_memory_block_by_id(block_id);
>
> - if (mem)
> + if (mem) {
> atomic_long_inc(&mem->nr_hwpoison);
> + put_device(&mem->dev);
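
Review bot: in memblk_nr_poison_inc(), the added put_device(&mem->dev) inside the if (mem) block carries no comment tying it to the reference taken by find_memory_block_by_id() two lines above. A one-line comment such as "drop the reference acquired by find_memory_block_by_id()" would make the pairing explicit and keep a later cleanup from removing it as stray. The visible lines also show no lock taken around the lookup and the atomic_long_inc(), so the commit message should state what locking this path relies on, or that the held reference alone is sufficient for the counter update.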

The comment above find_memory_block_by_id() says it's called under device_hotplug_lock.

/*
 * A reference for the returned memory block device is acquired.
 *
 * Called under device_hotplug_lock.
 */
struct memory_block *find_memory_block_by_id(unsigned long block_id)

But device_hotplug_lock is missing here. Should we add it?

Thanks.