Commit 03a2cc17 authored Apr 28, 2026 by Muchun Song Committed by Andrew Morton May 13, 2026

drivers/base/memory: fix memory block reference leak in poison accounting

memblk_nr_poison_inc() and memblk_nr_poison_sub() look up a memory block
via find_memory_block_by_id(), which acquires a reference to the memory
block device.

Both helpers use the returned memory block without dropping that
reference, leaking the device reference on each successful lookup.  Drop
the reference after updating nr_hwpoison.

Link: https://lore.kernel.org/20260428085219.1316047-3-songmuchun@bytedance.com


Fixes: 5033091d ("mm/hwpoison: introduce per-memory_block hwpoison counter")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Huang, Ying" <huang.ying.caritas@gmail.com>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

parent 93866f55

drivers/base/memory.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -1230,8 +1230,10 @@ void memblk_nr_poison_inc(unsigned long pfn)
		const unsigned long block_id = pfn_to_block_id(pfn);
		struct memory_block *mem = find_memory_block_by_id(block_id);

		if (mem)
		if (mem) {
		atomic_long_inc(&mem->nr_hwpoison);
		put_device(&mem->dev);
		}
		}

		void memblk_nr_poison_sub(unsigned long pfn, long i)
		@@ -1239,8 +1241,10 @@ void memblk_nr_poison_sub(unsigned long pfn, long i)
		const unsigned long block_id = pfn_to_block_id(pfn);
		struct memory_block *mem = find_memory_block_by_id(block_id);

		if (mem)
		if (mem) {
		atomic_long_sub(i, &mem->nr_hwpoison);
		put_device(&mem->dev);
		}
		}

		static unsigned long memblk_nr_poison(struct memory_block *mem)