Memory · Section 2
madvise(2)
Give the kernel hints about how a memory region will be used so it can manage page caching, prefetch, and reclaim accordingly.
Signature
#include <sys/mman.h>
int madvise(void * addr, size_t length, int advice);- addr
- Page-aligned start of the region.
- length
- Length in bytes, rounded up to page size.
- advice
- One MADV_* constant. The behaviour varies dramatically across constants — some are no-ops on certain kernels, some affect process semantics permanently.
Description
madvise() tells the kernel how the calling process expects to use the memory range [addr, addr+length) — advice is one of the MADV_* constants. Some advice is purely advisory (MADV_RANDOM disables readahead, MADV_SEQUENTIAL enables aggressive readahead, MADV_WILLNEED triggers prefetch); some is destructive (MADV_DONTNEED tells the kernel it can drop the pages — they reread as zero for anonymous mappings or refault from the file for file-backed); some is policy (MADV_HUGEPAGE/NOHUGEPAGE for transparent huge-page placement, MADV_DONTDUMP/DODUMP for core-dump inclusion, MADV_WIPEONFORK to zero the region in children, MADV_COLD/PAGEOUT to proactively age and reclaim). madvise() returns 0 on success and -1 with errno on failure. Most advice is page-aligned; the kernel rounds up.
Architecture mapping
| Architecture | Number | ABI | Entry point |
|---|---|---|---|
| x86 (i386) | 219 | i386 | sys_madvise |
| x64 (x86_64) | 28 | common | sys_madvise |
| ARM64 (aarch64) | 233 | — | sys_madvise |
Kernel history
Introduced in Linux 2.4.0.
2.4.0
madvise() shipped in 2.4 with the basic POSIX advice set (NORMAL, RANDOM, SEQUENTIAL, WILLNEED).
2.6.16
MADV_DONTNEED was made canonical and reliable for anonymous mappings — earlier kernel versions had subtle semantics; 2.6.16 standardised the 'pages reread as zero' guarantee.
4.5
MADV_FREE added — a lazy version of MADV_DONTNEED that avoids unconditionally zeroing memory. Major performance win for allocators.
5.4
MADV_COLD and MADV_PAGEOUT added so userspace can drive memory reclaim. Used by Android and some Linux memory-pressure daemons.
5.10
process_madvise() was introduced — apply madvise to another process by pidfd. Used by memory-pressure managers (oomd, dbus-broker on systemd) to age cold pages in other processes.
seccomp & containers
Docker default profile
Allowed
Podman default profile
Allowed
madvise() is on every default profile and effectively un-blockable — every glibc malloc-arena and every JIT uses it. The only meaningful argument-level filtering would be on advice — denying MADV_HWPOISON (which requires CAP_SYS_ADMIN anyway). The rest of the advice set is safe.
libseccomp
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 0);strace example
$ strace -e madvise bash -c 'true'
madvise(0x7f4c0a3c5000, 8192, MADV_DONTNEED) = 0
madvise(0x7f4c0a3c7000, 16384, MADV_DONTNEED) = 0madvise() in strace decodes advice symbolically. The MADV_DONTNEED call rate is a direct proxy for malloc churn; jemalloc-using processes emit dozens per second. -e madvise filters.
Security & observability
madvise() is a defender's helper rather than an attacker's tool — MADV_DONTDUMP and MADV_WIPEONFORK are standard hardening for processes that hold secrets (TLS sessions, key material). The notable exception was CVE-2020-29371 where MADV_HWPOISON allowed unprivileged use-after-free in some configurations; patched long ago. eBPF tracepoint sys_enter_madvise is very high-rate and rarely worth monitoring in production. For container security, MADV_HUGEPAGE on JIT regions is benign and expected; MADV_DODUMP on a region that previously had DONTDUMP is suspicious.
Errors
- EACCES
- MADV_REMOVE on a non-shared mapping or a read-only fd.
- EAGAIN
- —
- EBADF
- —
- EINVAL
- addr or length not page-aligned, advice invalid for this region, or unsupported on this kernel.
- EIO
- —
- ENOMEM
- Internal allocation failed, or the range covers unmapped regions.
- EPERM
- MADV_HWPOISON or similar privileged advice without CAP_SYS_ADMIN.
Flags
- MADV_NORMAL
- 0
- —
- MADV_RANDOM
- 1
- —
- MADV_SEQUENTIAL
- 2
- —
- MADV_WILLNEED
- 3
- —
- MADV_DONTNEED
- 4
- Tell the kernel the pages are not needed soon. For anonymous mappings: pages are dropped and reread as zero. For file-backed: pages are dropped and reread from disk. Used by allocators (jemalloc, tcmalloc) to return memory to the system without unmapping.
- MADV_FREE
- 8
- Like DONTNEED but lazy: pages may or may not be reclaimed; if the process touches them before reclaim, the contents are preserved. Cheaper than DONTNEED. Added in 4.5.
- MADV_REMOVE
- 9
- —
- MADV_DONTFORK
- 10
- —
- MADV_HUGEPAGE
- 14
- Hint that this region is a candidate for transparent huge pages (2 MiB). Useful for large arrays in databases and JITs.
- MADV_NOHUGEPAGE
- 15
- —
- MADV_DONTDUMP
- 16
- Exclude the region from core dumps. Standard hardening for memory containing secrets (keyrings, password buffers).
- MADV_DODUMP
- 17
- —
- MADV_WIPEONFORK
- 18
- After fork(), the child sees zeros instead of the parent's contents in this region. Used by OpenSSL for sensitive buffers to avoid leaking via post-fork memory inspection.
- MADV_COLD
- 20
- —
- MADV_PAGEOUT
- 21
- Aggressively page out the region (Linux 5.4+). Used by userspace memory pressure managers.