diff --git a/kernel/syscall/syscall.c b/kernel/syscall/syscall.c
index b0d2be78..af79fda9 100644
--- a/kernel/syscall/syscall.c
+++ b/kernel/syscall/syscall.c
@@ -361,12 +361,12 @@ uint64_t sys_brk(struct pt_regs *regs)
 
     if ((int64_t)regs->r8 == -1)
     {
-        kdebug("get brk_start=%#018lx", current_pcb->mm->brk_start);
+        // kdebug("get brk_start=%#018lx", current_pcb->mm->brk_start);
         return current_pcb->mm->brk_start;
     }
     if ((int64_t)regs->r8 == -2)
     {
-        kdebug("get brk_end=%#018lx", current_pcb->mm->brk_end);
+        // kdebug("get brk_end=%#018lx", current_pcb->mm->brk_end);
         return current_pcb->mm->brk_end;
     }
     if (new_brk > current_pcb->addr_limit) // 堆地址空间超过限制
@@ -409,8 +409,6 @@ void do_syscall_int(struct pt_regs *regs, unsigned long error_code)
 {
     
     ul ret = system_call_table[regs->rax](regs);
-    if(regs->rax == SYS_BRK)
-        kdebug("brk ret=%#018lx", ret);
     regs->rax = ret; // 返回码
 }
 
diff --git a/user/init.c b/user/init.c
index 06ea1647..d0a11bc3 100644
--- a/user/init.c
+++ b/user/init.c
@@ -32,9 +32,31 @@ int main()
     put_string(buf, COLOR_YELLOW, COLOR_BLACK);
     close(fd);
     */
-    char *p = malloc(100);
-    *p = 'a';
-    printf("p=%lld\t*p=%c\n", (uint64_t)p, *p);
+
+    void *ptr[256] = {0};
+    for (int k = 0; k < 2; ++k)
+    {
+        printf("try to malloc 256*16K=4MB\n");
+        uint64_t js = 0;
+        for (int i = 0; i < 256; ++i)
+        {
+            ptr[i] = malloc(4096 * 4);
+            js += *(uint64_t *)((uint64_t)(ptr[i]) - sizeof(uint64_t));
+            if (*(uint64_t *)((uint64_t)(ptr[i]) - sizeof(uint64_t)) > 0x4008)
+                printf("[%d] start_addr = %#018lx, len = %#010lx\n", (uint64_t)(ptr[i]) - 8, *(uint64_t *)((uint64_t)(ptr[i]) - sizeof(uint64_t)));
+        }
+        printf("ptr[0]->len=%lld\n", *(uint64_t *)((uint64_t)ptr[0] - sizeof(uint64_t)));
+        printf("ptr[1]->len=%lld\n", *(uint64_t *)((uint64_t)ptr[1] - sizeof(uint64_t)));
+        // printf("ptr[24]->len=%lld\n", *(uint64_t*)((uint64_t)ptr[24] - sizeof(uint64_t)));
+        printf("alloc done. total used: %lld bytes\n", js);
+        printf("try to free...\n");
+        for (int i = 0; i < 256; ++i)
+        {
+            free(ptr[i]);
+        }
+        printf("free done!\n");
+    }
+
     // *p = 'a';
     /*
     pid_t p = fork();
diff --git a/user/libs/libc/malloc.c b/user/libs/libc/malloc.c
index 6c2d0335..2eba34c7 100644
--- a/user/libs/libc/malloc.c
+++ b/user/libs/libc/malloc.c
@@ -57,10 +57,10 @@ static malloc_mem_chunk_t *malloc_query_free_chunk_bf(uint64_t size)
     }
     malloc_mem_chunk_t *ptr = malloc_free_list;
     malloc_mem_chunk_t *best = NULL;
-    printf("query size=%d", size);
+    // printf("query size=%d", size);
     while (ptr != NULL)
     {
-        printf("ptr->length=%#010lx\n", ptr->length);
+        // printf("ptr->length=%#010lx\n", ptr->length);
         if (ptr->length == size)
         {
             best = ptr;
@@ -69,18 +69,14 @@ static malloc_mem_chunk_t *malloc_query_free_chunk_bf(uint64_t size)
 
         if (ptr->length > size)
         {
-            printf("676767\n");
             if (best == NULL)
                 best = ptr;
             else if (best->length > ptr->length)
                 best = ptr;
-            printf("6rdf\n");
         }
-        printf("ptr->next=%#018lx\n", ptr->next);
         ptr = ptr->next;
     }
 
-    printf("return best=%#018lx\n", (uint64_t)best);
     return best;
 }
 
@@ -275,7 +271,7 @@ void *malloc(ssize_t size)
     }
 found:;
 
-    printf("ck = %#018lx\n", (uint64_t)ck);
+    // printf("ck = %#018lx\n", (uint64_t)ck);
     if (ck == NULL)
         return (void *)-ENOMEM;
     // 分配空闲块
@@ -296,12 +292,12 @@ found:;
         malloc_mem_chunk_t *new_ck = (malloc_mem_chunk_t *)(((uint64_t)ck) + size);
         new_ck->length = ck->length - size;
         new_ck->prev = new_ck->next = NULL;
-        printf("new_ck=%#018lx, new_ck->length=%#010lx\n", (uint64_t)new_ck, new_ck->length);
+        // printf("new_ck=%#018lx, new_ck->length=%#010lx\n", (uint64_t)new_ck, new_ck->length);
         ck->length = size;
         malloc_insert_free_list(new_ck);
     }
 
-    printf("ck=%lld\n", (uint64_t)ck);
+    // printf("ck=%lld\n", (uint64_t)ck);
     // 此时链表结点的指针的空间被分配出去
     return (void *)((uint64_t)ck + sizeof(uint64_t));
 }
@@ -313,4 +309,8 @@ found:;
  */
 void free(void *ptr)
 {
+    // 找到结点（此时prev和next都处于未初始化的状态）
+    malloc_mem_chunk_t * ck = (malloc_mem_chunk_t *)((uint64_t)ptr-sizeof(uint64_t));
+    // printf("free(): addr = %#018lx\t len=%#018lx\n", (uint64_t)ck, ck->length);
+    malloc_insert_free_list(ck);
 }
diff --git a/user/libs/libc/unistd.c b/user/libs/libc/unistd.c
index 11f1ffea..ff5bc813 100644
--- a/user/libs/libc/unistd.c
+++ b/user/libs/libc/unistd.c
@@ -85,7 +85,7 @@ pid_t vfork(void)
 uint64_t brk(uint64_t end_brk)
 {
     uint64_t x = (uint64_t)syscall_invoke(SYS_BRK, (uint64_t)end_brk, 0, 0, 0, 0, 0, 0, 0);
-    printf("brk():  end_brk=%#018lx x=%#018lx", (uint64_t)end_brk, x);
+    // printf("brk():  end_brk=%#018lx x=%#018lx", (uint64_t)end_brk, x);
     return x;
 }