[Devel] [PATCH rh7] memcg: do not allow to disable oom from inside a container
Kirill Tkhai
ktkhai at odin.com
Fri Sep 11 06:27:46 PDT 2015
On 11.09.2015 15:21, Vladimir Davydov wrote:
> It is possible to disable oom killer inside a memory cgroup by writing 1
> to memory.oom_control. If a process inside such a cgroup hits the memory
> limit and is unable to reclaim anything, it will wait until more memory
> becomes available.
>
> This operation shouldn't be allowed inside container, because (a)
> disabling oom in a cgroup disables it in all its ascendants and (b) it
> is impossible to stop a container if there is a process waiting for
> memory instead of invoking oom killer (freezer will never be able to
> freeze it).
>
> Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
Reviewed-by: Kirill Tkhai <ktkhai at odin.com>
> ---
> mm/memcontrol.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index 2b87dbc5c0cd..8747792d69b2 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -5913,6 +5913,9 @@ static int mem_cgroup_oom_control_write(struct cgroup *cgrp,
> if (!cgrp->parent || !((val == 0) || (val == 1)))
> return -EINVAL;
>
> + if (!ve_is_super(get_exec_env()) && val != 0)
> + return -EACCES;
> +
> memcg->oom_kill_disable = val;
> if (!val)
> memcg_oom_recover(memcg);
>
More information about the Devel
mailing list