Skip to content

process_mrelease

Intro

process_mrelease - allows releasing memory from mlock()/mlock2().

Description

process_mrelease is used to release homogeneous memory locked using mlock() or mlock2(). It accepts two parameters: pidfd of type int, which is the PID of the process whose memory is to be released, and flags of type unsigned int, which is used to set flags to determine the behaviour of the syscall. The advantage of using process_mrelease over mlock()/mlock2() is that it offers more fine-grained control; however, a drawback is that it can only be used on homogeneous memory.

Arguments

  • pidfd:int[K] - A file descriptor referring to the process whose memory is to be released.
  • flags:unsigned int[K] - Flags that can be used to alter the behaviour of the syscall. The flags must be provided as a bit mask, which can be ORed together.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

do_mrelease

Type

Tracepoint probes

Purpose

To monitor and trace a successful process mrelease call.

sys_process_mrelease

Type

Kprobe probes

Purpose

To monitor and trace the entry and exit of a process mrelease call.

Example Use Case

A use case for process_mrelease would be for memory locking applications. An application could monitor memory usage changes, and if a certain threshold is met, it could call process_mrelease to release any memory that was locked using mlock()/mlock2().

Issues

The only issue with process_mrelease is that it can only be used with homogeneous memory. If the memory locked was not homogeneous, the syscall will not succeed.

  • mlock()
  • munlock()
  • mlock2()

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.