Date: Thu, 15 Jan 2026 18:56:53 -0800
From: Dennis Zhou
To: Andrew Morton
Cc: Chris Mason, Tejun Heo, Christoph Lameter, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Sebastian Andrzej Siewior
Subject: Re: [PATCH] percpu: add basic double free check
References: <20251220002737.84100-1-dennis@kernel.org> <20260114122209.1075584-1-clm@meta.com> <20260115151328.38cc7cf0d0b8bf97ee5b3791@linux-foundation.org>
In-Reply-To: <20260115151328.38cc7cf0d0b8bf97ee5b3791@linux-foundation.org>

Hi Andrew,

On Thu, Jan 15, 2026 at 03:13:28PM -0800, Andrew Morton wrote:
> On Wed, 14 Jan 2026 04:22:00 -0800 Chris Mason wrote:
>
> > On Fri, 19 Dec 2025 16:27:37 -0800 Dennis Zhou wrote:
> >
> > > This adds a basic double free check by validating the first bit of the
> > > allocation in alloc_map and bound_map are set. If the alloc_map bit is
> > > not set, then this means the area is currently unallocated. If the
> > > bound_map bit is not set, then we are not freeing from the beginning of
> > > the allocation.
> >
> > Hi Dennis,
> >
> > I ran mm-new through the AI review prompts, and this one was flagged:
>
> So good.
>
> > If nr_alloc is underreported due to this bug, the buffer may be undersized
> > for the actual number of allocations tracked in alloc_map, which
> > chunk_map_stats() iterates based on the actual bitmap contents.
>
> That's pretty serious, although unlikely to occur. I'll drop this
> version of the patch, thanks.
>

It's a good catch by AI, I fixed it in v2 [1].

My thoughts are this is really to serve developers. It's not really a
recoverable error because if the pointer is re-allocated before the
double free, then you'll only find out in the future when the new owner
tries to free memory that it doesn't own. An even more contrived case is
the pages get freed out from under it and then the new owner seg faults.

Thanks,
Dennis

[1] https://lore.kernel.org/lkml/20260116023216.14515-1-dennis@kernel.org/
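
Added example, not part of the thread and not the kernel's percpu code or the patch under discussion: a simplified user-space C model of the two checks the quoted commit message describes, with alloc_map and bound_map kept as bool arrays. The names model_alloc, model_free, MAP_BITS and the FREE_* codes are assumptions made for this illustration, as is leaving bound_map untouched on free.

```c
#include <stdbool.h>
#include <stdio.h>
#define MAP_BITS 32 /* constructed chunk size, in allocation units */
enum { FREE_OK = 0, FREE_ERR_UNALLOCATED = -1, FREE_ERR_NOT_START = -2 };

/* Simplified model (assumption): one bool per unit, not packed bitmaps. */
struct chunk {
    bool alloc_map[MAP_BITS];     /* unit is currently allocated */
    bool bound_map[MAP_BITS + 1]; /* unit starts an allocation, or follows one */
};

/* First-fit allocation of `units` (>= 1) contiguous units; offset or -1. */
static int model_alloc(struct chunk *c, int units)
{
    for (int off = 0; off + units <= MAP_BITS; off++) {
        int n = 0;
        while (n < units && !c->alloc_map[off + n])
            n++;
        if (n < units)
            continue;
        for (int i = 0; i < units; i++) {
            c->alloc_map[off + i] = true;
            c->bound_map[off + i] = (i == 0); /* boundary only at the start */
        }
        c->bound_map[off + units] = true;     /* marks where it ends */
        return off;
    }
    return -1;
}

/* Free with the two checks from the commit message; bound_map stays stale. */
static int model_free(struct chunk *c, int off)
{
    if (off < 0 || off >= MAP_BITS || !c->alloc_map[off])
        return FREE_ERR_UNALLOCATED;  /* area not allocated: double free */
    if (!c->bound_map[off])
        return FREE_ERR_NOT_START;    /* not the beginning of an allocation */
    do {                              /* release units up to the next boundary */
        c->alloc_map[off++] = false;
    } while (off < MAP_BITS && !c->bound_map[off]);
    return FREE_OK;
}

int main(void)
{
    struct chunk c = {0};
    int a = model_alloc(&c, 4), first = model_free(&c, a);
    printf("first free: %d, second free: %d\n", first, model_free(&c, a));
    return 0;
}
```

In this model, a stale free of an offset that model_alloc has already handed to a new owner returns FREE_OK, and the failure only surfaces when the new owner calls model_free itself, which is the case the reply describes.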