Bug 118974 - xorg and amarok crashed on amd64/hardened linux due to the nvidia driver (mmap on /dev/zero failed)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Linux bug wranglers
Reported: 2006-01-14 05:01 UTC by Nicolas MASSE
Modified: 2006-01-14 05:07 UTC
Description Nicolas MASSE 2006-01-14 05:01:07 UTC
I run a Gentoo (hardened/amd64) and after some modifications to my system 
(updates, new kernel, new software) I decided to reboot it. After the 
reboot, X.org did not start, neither did Amarok.

After some investigation, I found that the X server could run with the nv 
driver but not with the nvidia driver, and Amarok crashed within a function 
in /usr/lib64/opengl/nvidia/lib/... 

An strace gave me:

open("/dev/zero", O_RDWR)               = 3
mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|0x40, 3, 0) = -1 EPERM (Operation not permitted)
mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = -1 EPERM (Operation not permitted)
close(3)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---

With Google, I found:

http://mail-index.netbsd.org/tech-security/2004/06/24/0010.html
> Now that we have noexec permissions on pages (for some architectures),
> make the mapping of vnode backed pages with PROT_EXEC only be allowed
> on filesystems that were not mounted with noexec.  Otherwise,
> mmap/uvm_map/mprotect will return EPERM for the mapping operation.


So, I looked at my /etc/fstab and found:
udev /dev tmpfs nosuid,noexec,size=16M 0 0

After I removed the noexec flag, all worked perfectly.

As said here: http://ou800doc.caldera.com/en/man/html.2/mmap.2.html
nvidia should use:

ptr = mmap(0, desired_size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);

because MAP_ANONYMOUS causes mmap to ignore the file descriptor argument and act as if it had been given one referring to /dev/zero.


Note:
I tried several versions of xorg (including 7.0), several versions of the nvidia-driver, two versions of the kernel (2.6.13 and 2.6.14), and two versions of amaroK with the same result.


emerge info :
Portage 2.1_pre3-r1 (hardened/amd64, gcc-3.4.5, glibc-2.3.6-r2, 2.6.14-hardened-r3-poubi64-1 x86_64)
=================================================================
System uname: 2.6.14-hardened-r3-poubi64-1 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.0_pre14
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe -fforce-addr"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-march=athlon64 -O2 -pipe -fforce-addr"
DISTDIR="/home/portage/distfiles"
FEATURES="autoaddcvs autoconfig buildpkg ccache collision-protect distlocks nostrip sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_US.UTF-8"
MAKEOPTS="-j2"
PKGDIR="/home/portage/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/var/portage"
PORTDIR_OVERLAY="/home/portage/overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X acl alsa berkdb caps crypt hardened ipv6 jpeg kde nls nptl nptlonly pam pic png readline ssl tcpd tiff unicode userlocales xinerama zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS, LINGUAS
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-01-14 05:07:22 UTC
(In reply to comment #0)
> So, I looked at my /etc/fstab and found:
> udev /dev tmpfs nosuid,noexec,size=16M 0 0
> 
> After I removed the noexec flag, all worked perfectly.

You are not supposed to have noexec for udev, it doesn't work on multiple occasions.