Skip to content
/linux-syscalls

Memory · Section 2

madvise(2)

Give the kernel hints about how a memory region will be used so it can manage page caching, prefetch, and reclaim accordingly.

Signature

#include <sys/mman.h>

int madvise(void * addr, size_t length, int advice);
addr
Page-aligned start of the region.
length
Length in bytes, rounded up to page size.
advice
One MADV_* constant. The behaviour varies dramatically across constants — some are no-ops on certain kernels, some affect process semantics permanently.

Description

madvise() tells the kernel how the calling process expects to use the memory range [addr, addr+length) — advice is one of the MADV_* constants. Some advice is purely advisory (MADV_RANDOM disables readahead, MADV_SEQUENTIAL enables aggressive readahead, MADV_WILLNEED triggers prefetch); some is destructive (MADV_DONTNEED tells the kernel it can drop the pages — they reread as zero for anonymous mappings or refault from the file for file-backed); some is policy (MADV_HUGEPAGE/NOHUGEPAGE for transparent huge-page placement, MADV_DONTDUMP/DODUMP for core-dump inclusion, MADV_WIPEONFORK to zero the region in children, MADV_COLD/PAGEOUT to proactively age and reclaim). madvise() returns 0 on success and -1 with errno on failure. Most advice is page-aligned; the kernel rounds up.

Architecture mapping

ArchitectureNumberABIEntry point
x86 (i386)219i386sys_madvise
x64 (x86_64)28commonsys_madvise
ARM64 (aarch64)233sys_madvise

Kernel history

Introduced in Linux 2.4.0.

  1. 2.4.0

    madvise() shipped in 2.4 with the basic POSIX advice set (NORMAL, RANDOM, SEQUENTIAL, WILLNEED).

  2. 2.6.16

    MADV_DONTNEED was made canonical and reliable for anonymous mappings — earlier kernel versions had subtle semantics; 2.6.16 standardised the 'pages reread as zero' guarantee.

  3. 4.5

    MADV_FREE added — a lazy version of MADV_DONTNEED that avoids unconditionally zeroing memory. Major performance win for allocators.

  4. 5.4

    MADV_COLD and MADV_PAGEOUT added so userspace can drive memory reclaim. Used by Android and some Linux memory-pressure daemons.

  5. 5.10

    process_madvise() was introduced — apply madvise to another process by pidfd. Used by memory-pressure managers (oomd, dbus-broker on systemd) to age cold pages in other processes.

seccomp & containers

Docker default profile

Allowed

Podman default profile

Allowed

madvise() is on every default profile and effectively un-blockable — every glibc malloc-arena and every JIT uses it. The only meaningful argument-level filtering would be on advice — denying MADV_HWPOISON (which requires CAP_SYS_ADMIN anyway). The rest of the advice set is safe.

libseccomp

seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 0);

strace example

$ strace -e madvise bash -c 'true'
madvise(0x7f4c0a3c5000, 8192, MADV_DONTNEED) = 0
madvise(0x7f4c0a3c7000, 16384, MADV_DONTNEED) = 0

madvise() in strace decodes advice symbolically. The MADV_DONTNEED call rate is a direct proxy for malloc churn; jemalloc-using processes emit dozens per second. -e madvise filters.

Security & observability

madvise() is a defender's helper rather than an attacker's tool — MADV_DONTDUMP and MADV_WIPEONFORK are standard hardening for processes that hold secrets (TLS sessions, key material). The notable exception was CVE-2020-29371 where MADV_HWPOISON allowed unprivileged use-after-free in some configurations; patched long ago. eBPF tracepoint sys_enter_madvise is very high-rate and rarely worth monitoring in production. For container security, MADV_HUGEPAGE on JIT regions is benign and expected; MADV_DODUMP on a region that previously had DONTDUMP is suspicious.

Errors

EACCES
MADV_REMOVE on a non-shared mapping or a read-only fd.
EAGAIN
EBADF
EINVAL
addr or length not page-aligned, advice invalid for this region, or unsupported on this kernel.
EIO
ENOMEM
Internal allocation failed, or the range covers unmapped regions.
EPERM
MADV_HWPOISON or similar privileged advice without CAP_SYS_ADMIN.

Flags

MADV_NORMAL
0
MADV_RANDOM
1
MADV_SEQUENTIAL
2
MADV_WILLNEED
3
MADV_DONTNEED
4
Tell the kernel the pages are not needed soon. For anonymous mappings: pages are dropped and reread as zero. For file-backed: pages are dropped and reread from disk. Used by allocators (jemalloc, tcmalloc) to return memory to the system without unmapping.
MADV_FREE
8
Like DONTNEED but lazy: pages may or may not be reclaimed; if the process touches them before reclaim, the contents are preserved. Cheaper than DONTNEED. Added in 4.5.
MADV_REMOVE
9
MADV_DONTFORK
10
MADV_HUGEPAGE
14
Hint that this region is a candidate for transparent huge pages (2 MiB). Useful for large arrays in databases and JITs.
MADV_NOHUGEPAGE
15
MADV_DONTDUMP
16
Exclude the region from core dumps. Standard hardening for memory containing secrets (keyrings, password buffers).
MADV_DODUMP
17
MADV_WIPEONFORK
18
After fork(), the child sees zeros instead of the parent's contents in this region. Used by OpenSSL for sensitive buffers to avoid leaking via post-fork memory inspection.
MADV_COLD
20
MADV_PAGEOUT
21
Aggressively page out the region (Linux 5.4+). Used by userspace memory pressure managers.

Related syscalls