Re: [PATCH 2/2] drivers/base/memory: fix memory block reference leak in poison accounting

From: David Hildenbrand (Arm)

Date: Mon Apr 27 2026 - 05:31:00 EST


On 4/27/26 11:16, Muchun Song wrote:
>
>
>> On Apr 27, 2026, at 17:13, Miaohe Lin <linmiaohe@xxxxxxxxxx> wrote:
>>
>> On 2026/4/26 22:44, Muchun Song wrote:
>>> memblk_nr_poison_inc() and memblk_nr_poison_sub() look up a memory
>>> block via find_memory_block_by_id(), which acquires a reference to the
>>> memory block device.
>>>
>>> Both helpers use the returned memory block without dropping that
>>> reference, leaking the device reference on each successful lookup. Drop
>>> the reference after updating nr_hwpoison.
>>>
>>> Fixes: 5033091de814 ("mm/hwpoison: introduce per-memory_block hwpoison counter")
>>> Cc: stable@xxxxxxxxxxxxxxx
>>> Signed-off-by: Muchun Song <songmuchun@xxxxxxxxxxxxx>
>>
>> This patch looks good to me with one question below:
>>
>> Reviewed-by: Miaohe Lin <linmiaohe@xxxxxxxxxx>
>
> Thanks.
>
>>
>>> ---
>>> drivers/base/memory.c | 8 ++++++--
>>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/base/memory.c b/drivers/base/memory.c
>>> index f806a683b767..6981b55d582a 100644
>>> --- a/drivers/base/memory.c
>>> +++ b/drivers/base/memory.c
>>> @@ -1230,8 +1230,10 @@ void memblk_nr_poison_inc(unsigned long pfn)
>>> const unsigned long block_id = pfn_to_block_id(pfn);
>>> struct memory_block *mem = find_memory_block_by_id(block_id);
>>>
>>> - if (mem)
>>> + if (mem) {
>>> atomic_long_inc(&mem->nr_hwpoison);
>>> + put_device(&mem->dev);
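Review bot: The find_memory_block_by_id() call in the context lines of memblk_nr_poison_inc() still runs with no lock taken in the visible lines, while the comment on that function says it is called under device_hotplug_lock. The new put_device(&mem->dev) sits after atomic_long_inc(&mem->nr_hwpoison), which is the right order for holding the reference across the counter update. The lookup itself needs either the lock taken around it or a comment here explaining why this path cannot race with removal of the block, with the function's comment updated to match. The quote is cut before the closing brace and before the memblk_nr_poison_sub() change that the commit message mentions, so the same check applies there.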
>>
>> Comment above find_memory_block_by_id says it's called under device_hotplug_lock.
>>
>> /*
>> * A reference for the returned memory block device is acquired.
>> *
>> * Called under device_hotplug_lock.
>> */
>> struct memory_block *find_memory_block_by_id(unsigned long block_id)
>>
>> But device_hotplug_lock is missing here. Should we add it?
>
> Yes. Otherwise mem can be freed concurrently.

I guess that is rather unlikely to happen, given that we just worked on online
memory. But sure, if we can take that lock there easily, then let's do that.

--
Cheers,

David
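
An added user-space model of the leak described in the quoted commit message (not kernel code and not from the patch author): a lookup that takes a reference, and a poison-accounting helper run with and without the matching put. The struct layout, the `blocks` table, `poison_inc()` and `refs_left_after_remove()` are simplified assumptions made for this example, and locking is not modelled.

```c
/* User-space model, constructed for illustration; names are borrowed from the thread. */
#include <stdio.h>

struct device { int refcount; };
struct memory_block { struct device dev; long nr_hwpoison; };

static struct memory_block *blocks[4];	/* stand-in for the block lookup table */

static void put_device(struct device *d)
{
	d->refcount--;	/* at zero the kernel would run the release callback */
}

/* As in the thread: the returned block comes with a reference held. */
static struct memory_block *find_memory_block_by_id(unsigned long id)
{
	struct memory_block *mem = blocks[id];

	if (mem)
		mem->dev.refcount++;
	return mem;
}

static void poison_inc(unsigned long id, int drop_ref)
{
	struct memory_block *mem = find_memory_block_by_id(id);

	if (mem) {
		mem->nr_hwpoison++;
		if (drop_ref)	/* patched behaviour: pair the lookup with a put */
			put_device(&mem->dev);
	}
}

/* Register block 0, record n poison events, unregister; return references left. */
static int refs_left_after_remove(int drop_ref, int n)
{
	struct memory_block mem = { .dev = { .refcount = 1 } };	/* registration ref */

	blocks[0] = &mem;
	for (int i = 0; i < n; i++)
		poison_inc(0, drop_ref);
	blocks[0] = NULL;	/* unregister: no further lookups succeed */
	put_device(&mem.dev);	/* drop the registration reference */
	return mem.dev.refcount;	/* non-zero: the block would never be released */
}

int main(void)
{
	printf("unpatched: %d refs left\n", refs_left_after_remove(0, 3));
	printf("patched:   %d refs left\n", refs_left_after_remove(1, 3));
	return 0;
}
```

Each unpatched event leaves one reference behind, so the count after removal equals the number of poison events and the block's release can never run.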