Comment 1 for bug 656285

Brian Harring (ferringb) wrote :

Look through linux-user/syscall.c; looks like the flaw is more in do_brk itself. Invocations of do_brk *appear* to all assume that it's basically brk-like in its behaviour: -1 on failure, else a non-negative value of what the size now is. So... your patch is breaking away from proper behaviour, and won't handle when the pre-existing brk is greater than the requested (purely due to binding it to limit).

Looking at that code, it looks like ret should be tracked on success, since that is the actual size (in the case of larger than requested). Further, looks like the issue is probably in do_brk itself; when it fails, exempting the alpha case, it returns the unmodified target_brk... which likely isn't going to by the code flow.
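The two return conventions contrasted in the comment above, as an added illustration; this is a constructed model and not QEMU's do_brk or any other code from linux-user/syscall.c. The type abi_ulong, struct heap, the functions brk_minus1, brk_oldbrk and caller_set_brk, and the page size and heap layout constants are all assumptions. brk_minus1 follows the convention the callers are described as expecting (-1 on failure, otherwise the new, possibly page-rounded, break; shrinking honoured), brk_oldbrk follows the failure path the comment describes (old break returned unchanged), and caller_set_brk is a caller written to the -1 convention that tracks the returned value rather than the requested one.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a brk emulator for illustration only. All names and
 * constants below are assumptions; none of this is QEMU's own code. */
typedef uint64_t abi_ulong;

#define PAGE_SIZE   0x1000UL
#define HEAP_BASE   0x10000000UL
#define HEAP_LIMIT  0x10010000UL   /* assumed: growth past this must fail */

struct heap {
    abi_ulong brk;     /* current program break */
    abi_ulong limit;   /* highest break the emulator can honour */
};

static abi_ulong page_align_up(abi_ulong a)
{
    return (a + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
}

/* Convention the callers expect: -1 on failure, otherwise the new break,
 * which may be larger than requested because of page rounding. A request
 * below the current break shrinks the heap. */
abi_ulong brk_minus1(struct heap *h, abi_ulong new_brk)
{
    if (new_brk == 0)
        return h->brk;                       /* query current break */
    abi_ulong aligned = page_align_up(new_brk);
    if (aligned > h->limit)
        return (abi_ulong)-1;                /* failure is signalled */
    h->brk = aligned;
    return h->brk;
}

/* Failure path the comment describes: the break is left untouched and its
 * old value is returned, so the caller cannot tell failure from success. */
abi_ulong brk_oldbrk(struct heap *h, abi_ulong new_brk)
{
    if (new_brk == 0)
        return h->brk;
    abi_ulong aligned = page_align_up(new_brk);
    if (aligned > h->limit)
        return h->brk;                       /* failure, but not -1 */
    h->brk = aligned;
    return h->brk;
}

/* A caller written to the -1 convention. On apparent success it records the
 * returned break (not the requested one) as the usable heap end and returns
 * 1; on -1 it leaves *heap_end alone and returns 0. */
int caller_set_brk(struct heap *h,
                   abi_ulong (*brk_fn)(struct heap *, abi_ulong),
                   abi_ulong requested, abi_ulong *heap_end)
{
    abi_ulong ret = brk_fn(h, requested);
    if (ret == (abi_ulong)-1)
        return 0;
    *heap_end = ret;   /* ret may exceed requested after rounding */
    return 1;
}

int main(void)
{
    struct heap h = { HEAP_BASE, HEAP_LIMIT };
    abi_ulong end = 0;

    /* Grow: rounded up to the page, caller tracks the rounded value. */
    printf("grow   ok=%d end=%#llx\n",
           caller_set_brk(&h, brk_minus1, HEAP_BASE + 0x1234, &end),
           (unsigned long long)end);
    /* Shrink: requested below the current break is honoured. */
    printf("shrink ok=%d end=%#llx\n",
           caller_set_brk(&h, brk_minus1, HEAP_BASE + 0x800, &end),
           (unsigned long long)end);
    /* Past the limit with -1 convention: caller correctly sees failure. */
    printf("fail   ok=%d end=%#llx\n",
           caller_set_brk(&h, brk_minus1, HEAP_LIMIT + 1, &end),
           (unsigned long long)end);

    /* Same over-limit request against the old-break convention: the caller
     * believes it succeeded although the heap never grew. */
    struct heap h2 = { HEAP_BASE, HEAP_LIMIT };
    abi_ulong end2 = 0;
    printf("silent ok=%d end=%#llx requested=%#llx\n",
           caller_set_brk(&h2, brk_oldbrk, HEAP_LIMIT + 1, &end2),
           (unsigned long long)end2, (unsigned long long)(HEAP_LIMIT + 1));
    return 0;
}
```

The last case is the one the comment points at: under the old-break convention a caller written to the -1 convention reports success with a heap end below what was requested, and nothing in its return value distinguishes that from a genuine success.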