Memory · Section 2
munmap(2)
Unmap a memory region previously created by mmap.
Signature
#include <sys/mman.h>
int munmap(void *addr, size_t length);
- addr
- Page-aligned start address of the range to unmap.
- length
- Size of the range in bytes. Rounded up to a multiple of the page size.
Description
munmap() removes the mappings for the address range [addr, addr+length). Subsequent references to addresses in this range generate SIGSEGV. The kernel rounds length up to a multiple of the page size; addr must already be page-aligned. It is legal — and common — to unmap part of a larger mmap region: the kernel splits the underlying VMA accordingly. It is also legal to unmap a range that contains no mappings (the call succeeds and does nothing). On process exit, all mappings are automatically removed; explicit munmap() is for long-running processes that want to release memory promptly, JITs that throw away generated code, or sandboxes that need to enforce W^X by unmapping writable copies after copying to executable pages.
Architecture mapping
| Architecture | Number | ABI | Entry point |
|---|---|---|---|
| x86 (i386) | 91 | i386 | sys_munmap |
| x64 (x86_64) | 11 | common | sys_munmap |
| ARM64 (aarch64) | 215 | — | sys_munmap |
Kernel history
Introduced in Linux 1.0.
1.0
munmap() has been part of Linux since 1.0 with classic POSIX semantics.
seccomp & containers
Docker default profile
Allowed
Podman default profile
Allowed
munmap() is allowed by default and is effectively un-blockable: every program that calls mmap() also calls munmap(). There is no useful argument-level filter either: ASLR randomizes the address space layout, so you can't usefully constrain by addr range.
libseccomp
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
strace example
$ strace -e mmap,munmap cat /etc/hostname > /dev/null
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a8c4f3000
munmap(0x7f3a8c4f3000, 4096) = 0
munmap() in strace is uninteresting in isolation; it's the tail of every mmap()/free-large-block pair. Useful when chasing memory leaks: a process that mmap()s and never munmap()s shows steady RSS growth — strace -c reveals the imbalance immediately.
Security & observability
munmap() rarely appears in attacks directly, but JIT-spray and shellcode-loader code patterns include mmap(PROT_READ|PROT_WRITE|PROT_EXEC) → write → mprotect(PROT_READ|PROT_EXEC) → execute, followed by a cleanup munmap() at the end. Detection focuses on the mmap+mprotect step, not the munmap. The eBPF tracepoint sys_enter_munmap is available but typically not used in production monitoring: it is too noisy and too late to be actionable.
Errors
- EINVAL
- addr is not page-aligned, length is zero, or the range overflows the process's address space.
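The semantics stated under Description and Errors (partial unmap splitting a region, length rounding, unmapping an already-empty range, and the two common EINVAL cases) can be checked directly on Linux. This is an added example, not part of the original page; `mapped_mask`, `unmap_and_probe` and `munmap_errno` are hypothetical helper names, and mincore() is used here only as a way to probe whether a page is still mapped.

```c
#define _DEFAULT_SOURCE 1   /* exposes mincore() and MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper: bitmask of which of the n pages at base are mapped.
 * mincore() fails with ENOMEM when the queried page is not mapped. */
static int mapped_mask(char *base, int n, size_t pg) {
    unsigned char vec;
    int mask = 0;
    for (int i = 0; i < n; i++)
        if (mincore(base + (size_t)i * pg, pg, &vec) == 0) mask |= 1 << i;
    return mask;
}

/* Map n anonymous pages, munmap() len bytes starting at page index first,
 * and return the mask of pages still mapped (-1 on unexpected failure).
 * The same range is then unmapped a second time: it now holds no mappings,
 * and the call must still return 0. */
int unmap_and_probe(int n, int first, size_t len) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *b = mmap(NULL, (size_t)n * pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (b == MAP_FAILED) return -1;
    int rc = munmap(b + (size_t)first * pg, len);
    int mask = mapped_mask(b, n, pg);
    int again = munmap(b + (size_t)first * pg, len);
    munmap(b, (size_t)n * pg);               /* release whatever is left */
    return (rc == 0 && again == 0) ? mask : -1;
}

/* errno left by a munmap() call, or 0 if the call succeeded. */
int munmap_errno(void *addr, size_t len) {
    return munmap(addr, len) == 0 ? 0 : errno;
}

int main(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    printf("middle page of 3 unmapped -> mask %d\n", unmap_and_probe(3, 1, pg));
    printf("length 1 on 2 pages       -> mask %d\n", unmap_and_probe(2, 0, 1));
    /* Constructed addresses: alignment and length are rejected before lookup. */
    printf("unaligned addr -> errno %d, zero length -> errno %d (EINVAL=%d)\n",
           munmap_errno((void *)(pg + 1), pg),
           munmap_errno((void *)pg, 0), EINVAL);
    return 0;
}
```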