Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c
+++ sys/vm/vm_map.c
@@ -1498,7 +1498,7 @@
 vm_size_t length, vm_offset_t max_addr, int find_space, vm_prot_t prot,
 vm_prot_t max, int cow)
 {
- vm_offset_t alignment, initial_addr, start;
+ vm_offset_t alignment, initial_addr, prev_start, start;
 int result;
 
 KASSERT((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) == 0 ||
@@ -1515,6 +1515,7 @@
 initial_addr = *addr;
 vm_map_lock(map);
 again:
+ result = KERN_SUCCESS;
 start = initial_addr;
 do {
 if (find_space != VMFS_NO_SPACE) {
@@ -1542,9 +1543,14 @@
 }
 break;
 }
-
+ if (*addr < start || *addr + length < *addr ||
+ *addr + length < length) {
+ vm_map_unlock(map);
+ return (KERN_NO_SPACE);
+ }
 start = *addr;
 }
+ MPASS(result == KERN_SUCCESS || prev_start < start);
 if ((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) != 0) {
 result = vm_map_stack_locked(map, start, length, sgrowsiz, prot,
 max, cow);
@@ -1552,6 +1558,7 @@
 result = vm_map_insert(map, object, offset, start, start + length,
 prot, max, cow);
 }
+ prev_start = start;
 } while (result == KERN_NO_SPACE && find_space != VMFS_NO_SPACE &&
 find_space != VMFS_ANY_SPACE);
 vm_map_unlock(map);
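Review bot: `prev_start` is declared without an initializer in this hunk and its only read is the `MPASS(result == KERN_SUCCESS || prev_start < start)` added in the third hunk, where the `result = KERN_SUCCESS` reset at `again:` (second hunk) short-circuits the read on the first pass; that is correct, but it depends on the `||` ordering and a compiler may still report a maybe-uninitialized use. Initialising it next to the reset, `result = KERN_SUCCESS;` / `prev_start = 0;`, removes that dependency at no cost since the first iteration never compares it. With INVARIANTS off, MPASS expands to nothing and `prev_start = start;` in the last hunk becomes a write that is never read — presumably harmless, but a one-line comment saying the variable exists only to assert forward progress of the address search would stop a later reader from treating it as dead code. The enclosing function starts and ends outside these hunks.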
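Review bot: The new overflow guard tests the same wraparound twice: for unsigned `vm_offset_t`/`vm_size_t` operands, `*addr + length < *addr` and `*addr + length < length` are equivalent, so `if (*addr < start || *addr + length < *addr) {` expresses the check in one clause, and the `*addr < start` test deserves a comment such as `/* Alignment adjustment wrapped the address; nothing usable above start. */` since it is the only thing keeping a wrapped address from reaching vm_map_insert() below. The early return also fails the request outright, whereas the vm_map_findspace() failure earlier in this loop (outside the hunk) appears to retry with VMFS_ANY_SPACE via `goto again` for VMFS_OPTIMAL_SPACE callers; if that fallback exists, an overflow produced by superpage alignment should probably take the same path rather than returning KERN_NO_SPACE. Note that max_addr is not re-checked here after the alignment adjustment, so if it is only enforced before alignment the aligned range could still end above max_addr — worth confirming against the lines above the hunk. The enclosing function starts and ends outside this hunk.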