if (size + addr < (unsigned long) tmp->addr)
break;
in get_vm_area uses the original, smaller, size variable, and so could
"squeeze" the virtual area just before another one, and then upon
freeing mess up that following virtual area. This is probably quite
unlikely, and would explain why it hasn't been noticed yet.
I hope I'm right after posting this...
Neil.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/