Re: [RFC 0/7] mm: dual-bitmap page allocator consistency checker

Next message: Andy Shevchenko: "Re: [PATCH] software node: provide wrappers around kobject_get/put()"
Previous message: Kees Cook: "Re: [PATCH] pstore/zone: Emit registration message as a single pr_info()"
In reply to: David Hildenbrand (Arm): "Re: [RFC 4/7] mm: add page consistency checker implementation"
Next in thread: Sasha Levin: "Re: [RFC 0/7] mm: dual-bitmap page allocator consistency checker"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Matthew Wilcox

Date: Fri Apr 24 2026 - 11:34:30 EST

On Fri, Apr 24, 2026 at 10:00:49AM -0400, Sasha Levin wrote:
> corruption must be detected before it propagates. The dual-bitmap
> implements a way to protect from corruption coming from hardware or
> software - two complementary representations of page allocation state,
> allocated independently via memblock, where any single-bit fault in
> either bitmap is immediately detectable. Performance is secondary to
> correctness in this context. A safety mechanism must be simple enough
> to audit and certify, must fail deterministically (panic, not
> log-and-hope), and its correctness matters more than its throughput.
> The dual-bitmap adds two atomic bitops per alloc/free, but for
> safety-critical deployments this cost is acceptable because the
> alternative - undetected corruption propagating silently - violates
> the system's safety case. The static key ensures zero cost for kernels
> that don't need it.

But doubling the storage requirement in order to achieve merely detection
is significantly worse than state-of-the-art in 1950 (when Richard
Hamming invented Hamming codes). If we used a (7,3) code, we'd have
SECDED at a lower cost. Of course, there are far better codes available
than that today.