Skip to content



mlock2 - Lock part of the calling process's memory into RAM.


The mlock2 system call is used to lock a region of memory in a calling process' virtual address space into RAM. This prevents the kernel from using the memory for other system purposes. The memory region's address and size are specified, as well as optional flags that modify the behavior of the call. mlock2 allows for a more fine-grained control of the memory lockout than mlock, including the ability to specify individual page frames. This system call is used to guarantee that a region is not swapped out, preventing latencies in execution due to paging. It is often used for sensitive operations like encryption and hashing, however due to the resource intensive nature of the system call it should be used sparingly.


  • addr:const void*[KU] - address of the starting memory region that should be locked.
  • len:size_t[K] - length of the memory region to be locked, in bytes. Must be a multiple of PAGE_SIZE.
  • flags:int[K] - optional flags that modify the behavior of the call, either MLOCK_ or MLOCK2_ flags can be specified.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)




Kprobes + Uprobes.


Used to monitor when a process is trying to lock a region of memory.

Example Use case

mlock2 can be used in applications that need to prevent data from being swapped out of memory. This can be used when working with encryption algorithms such as AES that need to keep the key in a secure region of memory.


mlock2 can pose an issue in resource intensive applications, as it requires memory to be locked in RAM, reducing the amount of memory available for other tasks.

  • mmap2
  • munmap
  • mlockall

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.