[Devel] [PATCH RHEL7 COMMIT] memcg: do not allow to disable oom from inside a container
Vladimir Davydov
vdavydov at virtuozzo.com
Thu Sep 24 02:19:58 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-229.7.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.6.9
------>
commit c7b3128bcc73dc46ba739ceb2e8f1b2354b43130
Author: Vladimir Davydov <vdavydov at parallels.com>
Date: Thu Sep 24 13:19:58 2015 +0400
memcg: do not allow to disable oom from inside a container
It is possible to disable oom killer inside a memory cgroup by writing 1
to memory.oom_control. If a process inside such a cgroup hits the memory
limit and is unable to reclaim anything, it will wait until more memory
becomes available.
This operation shouldn't be allowed inside container, because (a)
disabling oom in a cgroup disables it in all its ascendants and (b) it
is impossible to stop a container if there is a process waiting for
memory instead of invoking oom killer (freezer will never be able to
freeze it).
Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
Reviewed-by: Kirill Tkhai <ktkhai at odin.com>
---
mm/memcontrol.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 0c617c32d7fa..00cc66db5052 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -6014,6 +6014,9 @@ static int mem_cgroup_oom_control_write(struct cgroup *cgrp,
if (!cgrp->parent || !((val == 0) || (val == 1)))
return -EINVAL;
+ if (!ve_is_super(get_exec_env()) && val != 0)
+ return -EACCES;
+
memcg->oom_kill_disable = val;
if (!val)
memcg_oom_recover(memcg);
More information about the Devel
mailing list