[Devel] [PATCH RHEL7 COMMIT] memcg: do not allow to disable oom from inside a container

Vladimir Davydov vdavydov at virtuozzo.com
Thu Sep 24 02:19:58 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-229.7.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.6.9
------>
commit c7b3128bcc73dc46ba739ceb2e8f1b2354b43130
Author: Vladimir Davydov <vdavydov at parallels.com>
Date:   Thu Sep 24 13:19:58 2015 +0400

    memcg: do not allow to disable oom from inside a container
    
    It is possible to disable oom killer inside a memory cgroup by writing 1
    to memory.oom_control. If a process inside such a cgroup hits the memory
    limit and is unable to reclaim anything, it will wait until more memory
    becomes available.
    
    This operation shouldn't be allowed inside container, because (a)
    disabling oom in a cgroup disables it in all its ascendants and (b) it
    is impossible to stop a container if there is a process waiting for
    memory instead of invoking oom killer (freezer will never be able to
    freeze it).
    
    Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
    Reviewed-by: Kirill Tkhai <ktkhai at odin.com>
---
 mm/memcontrol.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 0c617c32d7fa..00cc66db5052 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -6014,6 +6014,9 @@ static int mem_cgroup_oom_control_write(struct cgroup *cgrp,
 	if (!cgrp->parent || !((val == 0) || (val == 1)))
 		return -EINVAL;
 
+	if (!ve_is_super(get_exec_env()) && val != 0)
+		return -EACCES;
+
 	memcg->oom_kill_disable = val;
 	if (!val)
 		memcg_oom_recover(memcg);



More information about the Devel mailing list