[Devel] [PATCH RHEL COMMIT] memcg: do not allow to disable oom from inside a container

Konstantin Khorenko khorenko at virtuozzo.com
Fri Sep 24 15:04:53 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 5d8b22e0fc94539f8fb20f25422a45c0ab9a4dc6
Author: Vladimir Davydov <vdavydov.dev at gmail.com>
Date:   Fri Sep 24 15:04:53 2021 +0300

    memcg: do not allow to disable oom from inside a container
    
    It is possible to disable oom killer inside a memory cgroup by writing 1
    to memory.oom_control. If a process inside such a cgroup hits the memory
    limit and is unable to reclaim anything, it will wait until more memory
    becomes available.
    
    This operation shouldn't be allowed inside a container, because (a)
    disabling oom in a cgroup disables it in all its ascendants and (b) it
    is impossible to stop a container if there is a process waiting for
    memory instead of invoking oom killer (freezer will never be able to
    freeze it).
    
    Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
    
    Reviewed-by: Kirill Tkhai <ktkhai at odin.com>
    
    (cherry picked from vz8 commit 98e3cf14f11d2896d1f22ff2952a90cea2f458bc)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 mm/memcontrol.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index ae6de65f4597..aa75ae23a319 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -52,6 +52,7 @@
 #include <linux/sort.h>
 #include <linux/fs.h>
 #include <linux/seq_file.h>
+#include <linux/ve_proto.h>
 #include <linux/vmpressure.h>
 #include <linux/mm_inline.h>
 #include <linux/swap_cgroup.h>
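
Review bot: the `#include <linux/ve_proto.h>` is added unconditionally, and the `ve_is_super(get_exec_env())` call it supports in the next hunk is not guarded either. Please confirm that this header declares both helpers and provides stubs when container (VE) support is compiled out, otherwise mm/memcontrol.c stops building in that configuration.
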
@@ -4509,6 +4510,9 @@ static int mem_cgroup_oom_control_write(struct cgroup_subsys_state *css,
 	if (mem_cgroup_is_root(memcg) || !((val == 0) || (val == 1)))
 		return -EINVAL;
 
+	if (!ve_is_super(get_exec_env()) && val != 0)
+		return -EACCES;
+
 	memcg->oom_kill_disable = val;
 	if (!val)
 		memcg_oom_recover(memcg);
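
Review bot: the new check ahead of `memcg->oom_kill_disable = val` keys on the writer's context (`get_exec_env()`), not on the memcg being written, and it carries no comment, so the rationale lives only in the commit message. Two consequences are worth stating in a short comment above the `if`. First, a host-context writer can still set 1 on a container's cgroup, which leaves the "cannot stop the container" case from point (b) reachable by host tooling. Second, a writer inside the container can still write 0, which clears a host-set disable and runs `memcg_oom_recover()`. If both are intended, say so in the comment. Also, because the earlier `-EINVAL` test already limits `val` to 0 or 1, `val != 0` could be written as plain `val`, and that ordering means an out-of-range write from inside a container returns -EINVAL rather than -EACCES, which management tools may want documented.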

