Bug in vmalloc?

Neil Booth (NeilB@earthling.net)
Mon, 05 Oct 1998 00:04:52 +0900


I'm new to Linux and the kernel, and decided to start understanding the
kernel by understanding memory handling. This evening I was looking
through "vmalloc.c" from the 2.1.123 release. As I'm new to this, I'm
reluctant to say I've found a bug, particularly in such a used piece of
code as "vmalloc", but the more I look at it the more convinced I get.

void * vmalloc(unsigned long size)
size = PAGE_ALIGN(size);
area = get_vm_area(size);
if (vmalloc_area_pages(VMALLOC_VMADDR(addr), size))

calls both get_vm_area and vmalloc_area_pages with the page-aligned
"size" variable.

But, the vm_struct has its size member variable set to the original
size plus PAGE_SIZE in the get_vm_area routine:-

struct vm_struct * get_vm_area(unsigned long size)
area->size = size + PAGE_SIZE;

Moreover, vfree calls vmfree_area_pages with this larger size:-

void vfree(void * addr)
vmfree_area_pages(VMALLOC_VMADDR(tmp->addr), tmp->size);

Thus, to me, it seems that vmfree_area_pages and vmalloc_area_pages are
being called with different "size" arguments (vfree getting one extra
page), which could lead to incorrect clearing of the extra page table
entry which might be being used elsewhere.

Right or wrong?


Pile up the benefits that accrue from studying by
the light of fireflies reflected on the snow...

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
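The following is an added toy model of the bookkeeping the post describes; it is not kernel code and not part of the original message. It keeps a small constructed page-table array, has get_vm_area record `size + PAGE_SIZE` as quoted, maps PAGE_ALIGN(size) worth of entries for the allocation and then unmaps `area->size` worth on free, and counts how many entries the free pass touches that the allocation never mapped. The region base address, the array size and the helper names are assumptions chosen for the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not Linux code: a tiny "page table" covering a
 * 64-page region. pte[i] == 1 means page i is mapped by the allocation. */
#define PAGE_SIZE 4096UL
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
#define NPAGES 64UL

static int pte[NPAGES];

struct vm_struct {
    unsigned long addr;
    unsigned long size;
};

/* Mirrors the quoted get_vm_area: the recorded size is one page larger
 * than what the caller passed in. */
static struct vm_struct get_vm_area_model(unsigned long addr, unsigned long size)
{
    struct vm_struct area = { addr, size + PAGE_SIZE };
    return area;
}

/* Stand-in for vmalloc_area_pages: mark `size` bytes of entries mapped. */
static void map_pages(unsigned long addr, unsigned long size)
{
    for (unsigned long p = addr / PAGE_SIZE; p < (addr + size) / PAGE_SIZE && p < NPAGES; p++)
        pte[p] = 1;
}

/* Stand-in for vmfree_area_pages: clear `size` bytes of entries and
 * return how many of the cleared entries were not mapped by map_pages. */
static unsigned long unmap_pages(unsigned long addr, unsigned long size)
{
    unsigned long not_mapped = 0;
    for (unsigned long p = addr / PAGE_SIZE; p < (addr + size) / PAGE_SIZE && p < NPAGES; p++) {
        if (!pte[p])
            not_mapped++;
        pte[p] = 0;
    }
    return not_mapped;
}

/* Replay the sequence from the post for one request size:
 *   vmalloc: size = PAGE_ALIGN(size); area = get_vm_area(size);
 *            vmalloc_area_pages(addr, size)
 *   vfree:   vmfree_area_pages(addr, area->size)
 * Returns the number of page-table entries the free pass clears beyond
 * the ones the allocation mapped. */
unsigned long extra_entries_cleared(unsigned long request)
{
    memset(pte, 0, sizeof pte);
    unsigned long size = PAGE_ALIGN(request);
    unsigned long addr = 4 * PAGE_SIZE;          /* assumed region base */
    struct vm_struct area = get_vm_area_model(addr, size);
    map_pages(addr, size);                        /* maps size bytes */
    return unmap_pages(addr, area.size);          /* frees size + PAGE_SIZE */
}

int main(void)
{
    unsigned long sizes[] = { 100, PAGE_SIZE, PAGE_SIZE + 1, 3 * PAGE_SIZE };
    for (unsigned i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("request %lu bytes: free pass clears %lu unmapped entr%s\n",
               sizes[i], extra_entries_cleared(sizes[i]),
               extra_entries_cleared(sizes[i]) == 1 ? "y" : "ies");
    return 0;
}
```

For every request size the model reports exactly one entry cleared that the allocation itself never mapped, which is the one-page mismatch between the size passed to vmalloc_area_pages and the size stored in the vm_struct that the post points at. Whether that extra entry is in use by anything else depends on how areas are laid out relative to each other, which the model does not decide.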