lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aWmo9elLCfyb96VR@snowbird>
Date: Thu, 15 Jan 2026 18:56:53 -0800
From: Dennis Zhou <dennis@...nel.org>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: Chris Mason <clm@...a.com>, Tejun Heo <tj@...nel.org>,
	Christoph Lameter <cl@...ux.com>, linux-mm@...ck.org,
	linux-kernel@...r.kernel.org,
	Sebastian Andrzej Siewior <bigeasy@...utronix.de>
Subject: Re: [PATCH] percpu: add basic double free check

Hi Andrew,

On Thu, Jan 15, 2026 at 03:13:28PM -0800, Andrew Morton wrote:
> On Wed, 14 Jan 2026 04:22:00 -0800 Chris Mason <clm@...a.com> wrote:
> 
> > On Fri, 19 Dec 2025 16:27:37 -0800 Dennis Zhou <dennis@...nel.org> wrote:
> > 
> > > This adds a basic double free check by validating the first bit of the
> > > allocation in alloc_map and bound_map are set. If the alloc_map bit is
> > > not set, then this means the area is currently unallocated. If the
> > > bound_map bit is not set, then we are not freeing from the beginning of
> > > the allocation.
> > 
> > Hi Dennis,
> > 
> > I ran mm-new through the AI review prompts, and this one was flagged:
> 
> So good.
> 
> > If nr_alloc is underreported due to this bug, the buffer may be undersized
> > for the actual number of allocations tracked in alloc_map, which
> > chunk_map_stats() iterates based on the actual bitmap contents.
> 
> That's pretty serious, although unlikely to occur.  I'll drop this
> version of the patch, thanks.
> 

It's a good catch by AI, I fixed it in v2 [1].

My thoughts are this is really to serve developers. It's not really a
recoverable error because if the pointer is re-allocated before the
double free, then you'll only find out in the future when the new owner
tries to free memory that it doesn't own. An even more contrived case is
the pages get freed out from under it and then the new owner seg faults.

Thanks,
Dennis


[1] https://lore.kernel.org/lkml/20260116023216.14515-1-dennis@kernel.org/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ