Re: [PATCH 2/2] drivers/base/memory: fix memory block reference leak in poison accounting

From: Muchun Song

Date: Mon Apr 27 2026 - 05:19:43 EST




> On Apr 27, 2026, at 17:13, Miaohe Lin <linmiaohe@xxxxxxxxxx> wrote:
>
> On 2026/4/26 22:44, Muchun Song wrote:
>> memblk_nr_poison_inc() and memblk_nr_poison_sub() look up a memory
>> block via find_memory_block_by_id(), which acquires a reference to the
>> memory block device.
>>
>> Both helpers use the returned memory block without dropping that
>> reference, leaking the device reference on each successful lookup. Drop
>> the reference after updating nr_hwpoison.
>>
>> Fixes: 5033091de814 ("mm/hwpoison: introduce per-memory_block hwpoison counter")
>> Cc: stable@xxxxxxxxxxxxxxx
>> Signed-off-by: Muchun Song <songmuchun@xxxxxxxxxxxxx>
>
> This patch looks good to me with one question below:
>
> Reviewed-by: Miaohe Lin <linmiaohe@xxxxxxxxxx>

Thanks.

>
>> ---
>> drivers/base/memory.c | 8 ++++++--
>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/base/memory.c b/drivers/base/memory.c
>> index f806a683b767..6981b55d582a 100644
>> --- a/drivers/base/memory.c
>> +++ b/drivers/base/memory.c
>> @@ -1230,8 +1230,10 @@ void memblk_nr_poison_inc(unsigned long pfn)
>> const unsigned long block_id = pfn_to_block_id(pfn);
>> struct memory_block *mem = find_memory_block_by_id(block_id);
>>
>> - if (mem)
>> + if (mem) {
>> atomic_long_inc(&mem->nr_hwpoison);
>> + put_device(&mem->dev);
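Review bot: in memblk_nr_poison_inc(), the lookup in the initializer (`struct memory_block *mem = find_memory_block_by_id(block_id);`) runs with no locking visible in this hunk, while the comment on find_memory_block_by_id() quoted just below says it is called under device_hotplug_lock. The added put_device(&mem->dev) balances the reference that the lookup acquires, but it does not cover the lookup itself, so either hold the lock across the find/inc/put sequence or add a comment stating why this caller is safe without it. Keeping atomic_long_inc() ahead of put_device() is the right order, since mem must not be touched once the reference is dropped.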
>
> Comment above find_memory_block_by_id says it's called under device_hotplug_lock.
>
> /*
> * A reference for the returned memory block device is acquired.
> *
> * Called under device_hotplug_lock.
> */
> struct memory_block *find_memory_block_by_id(unsigned long block_id)
>
> But device_hotplug_lock is missing here. Should we add it?

Yes. Otherwise mem can be freed concurrently. sashiko.dev reported
the issue as well.

Thanks.

https://sashiko.dev/#/patchset/20260426144447.817722-1-songmuchun%40bytedance.com

>
> Thanks.
> .