Linux Kernel Virtual Memory Management: Process Virtual Address Space and Allocation

With the development of CPU technology, most mobile devices, PCs, and servers now use 64-bit CPUs. However, regarding Linux kernel virtual memory management, many still hold the outdated concept of 3:1 user-space to kernel-space virtual memory ratio, leading to misunderstandings when solving memory-related issues.

This article introduces virtual memory allocation/release, page fault handling, memory compression/reclamation, and memory allocators. This chapter focuses on process virtual memory layout and the virtual memory allocation/release process, based on android-8.1, kernel-4.9, and ARM64 architecture.

Virtual Address Space Distribution

Theoretically, 64-bit addresses support accessing [0, 2(64-1)], but actual applications don't use such large address spaces. ARM64 chips support maximum 48-bit address space. In Android, the virtual address space is divided into two parts: non-canonical addresses in [0x00010000, 0xFFFF0000] divide the space into user-space (low) and kernel-space (high).

32-bit process user-space is [0x0, 0x00FFFF_FFFF] (4GB), while 64-bit process user-space depends on CONFIG_ARM64_VA_BITS. If set to 48-bit, it can reach 256TB, but most Android devices use 39-bit, giving 512GB maximum virtual address space.

Address Concepts

Physical Address : Actual memory storage addresses corresponding to physical RAM.

Linear Address : Address formed by segment base + offset, converted to physical address through MMU when paging is enabled.

Logical Address : Address seen by CPU during process execution, essentially the segment offset in linear address.

Linux uses a unified segment with base address 0 for all user-space processes, making logical addresses equal to linear addresses. Each process has different Page Global Directory (PGD), ensuring isolation.

Memory Allocation System Calls

brk : Traditional system call for heap memory, expanding/contracting the data segment's highest address (_edata).

mmap : Creates memory mappings in the area between heap and stack (Memory Mapping Segment). Supports anonymous and file mappings. In Android's libc, malloc uses brk for sizes ≤128KB and mmap for larger allocations.

Memory Allocators

Direct system calls face fragmentation and performance issues. Allocators like ptmalloc, tcmalloc, jemalloc, and scudo solve this by caching memory chunks. Android uses jemalloc or scudo by default.

Key Data Structures

struct mm_struct : Describes a task's virtual address space, including stack, heap ranges. Each process has one mm shared by all threads.

struct vm_area_struct (vma) : Manages each allocated virtual memory region with start/end addresses and access permissions. All vmas are managed via both linked list and red-black tree for efficient traversal and lookup.

Memory Mapping Layout

Traditional Layout : mmap region grows bottom-up, mmap_base = TASK_SIZE/4. Heap growth limited by mmap_base.

New Layout : mmap region grows top-down, mmap_base = STACK_TOP - STACK_GAP. Both support address space layout randomization (ASLR).

Key Functions

arch_pick_mmap_layout : Sets up mmap layout based on configuration.

get_unmapped_area : Finds free virtual memory region satisfying allocation request.

unmapped_area / unmapped_area_topdown : Implements low-to-high and high-to-low memory allocation using red-black tree traversal.