[Devel] [PATCH vz9 09/16] ve/mm: allow container's root to ignore mlock limit

Wed Sep 29 10:00:10 MSK 2021

From: Andrey Ryabinin <aryabinin at virtuozzo.com>

Global root is allowed to exceed memlock limit, so this should be
allowed for container's root too.
capable() works only for global root, so use ve_capable() instead.

https://jira.sw.ru/browse/PSBM-41405

Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>
Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>

(cherry-picked from vz8 commit 174101c13a3c ("ve/mm: allow container's
root to ignore mlock limit"))

Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 mm/mlock.c  | 10 +++++-----
 mm/mmap.c   |  4 ++--
 mm/mremap.c |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/mm/mlock.c b/mm/mlock.c
index 16d2ee160d43..9d1cda216d71 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -31,7 +31,7 @@ bool can_do_mlock(void)
 {
 	if (rlimit(RLIMIT_MEMLOCK) != 0)
 		return true;
-	if (capable(CAP_IPC_LOCK))
+	if (ve_capable(CAP_IPC_LOCK))
 		return true;
 	return false;
 }
@@ -666,7 +666,7 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla
 		return -EINTR;
 
 	locked += current->mm->locked_vm;
-	if ((locked > lock_limit) && (!capable(CAP_IPC_LOCK))) {
+	if ((locked > lock_limit) && (!ve_capable(CAP_IPC_LOCK))) {
 		/*
 		 * It is possible that the regions requested intersect with
 		 * previously mlocked areas, that part area in "mm->locked_vm"
@@ -678,7 +678,7 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla
 	}
 
 	/* check against resource limits */
-	if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
+	if ((locked <= lock_limit) || ve_capable(CAP_IPC_LOCK))
 		error = apply_vma_lock_flags(start, len, flags);
 
 	mmap_write_unlock(current->mm);
@@ -792,7 +792,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
 
 	ret = -ENOMEM;
 	if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
-	    capable(CAP_IPC_LOCK))
+	    ve_capable(CAP_IPC_LOCK))
 		ret = apply_mlockall_flags(flags);
 	mmap_write_unlock(current->mm);
 	if (!ret && (flags & MCL_CURRENT))
@@ -832,7 +832,7 @@ int user_shm_lock(size_t size, struct ucounts *ucounts)
 	spin_lock(&shmlock_user_lock);
 	memlock = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked);
 
-	if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) {
+	if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !ve_capable(CAP_IPC_LOCK)) {
 		dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked);
 		goto out;
 	}
diff --git a/mm/mmap.c b/mm/mmap.c
index ca54d36d203a..5bdc752b840d 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1363,7 +1363,7 @@ int mlock_future_check(struct mm_struct *mm, unsigned long flags,
 		locked += mm->locked_vm;
 		lock_limit = rlimit(RLIMIT_MEMLOCK);
 		lock_limit >>= PAGE_SHIFT;
-		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+		if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
 			return -EAGAIN;
 	}
 	return 0;
@@ -2377,7 +2377,7 @@ static int acct_stack_growth(struct vm_area_struct *vma,
 		locked = mm->locked_vm + grow;
 		limit = rlimit(RLIMIT_MEMLOCK);
 		limit >>= PAGE_SHIFT;
-		if (locked > limit && !capable(CAP_IPC_LOCK))
+		if (locked > limit && !ve_capable(CAP_IPC_LOCK))
 			return -ENOMEM;
 	}
 
diff --git a/mm/mremap.c b/mm/mremap.c
index 5989d3990020..6282065a0259 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -760,7 +760,7 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
 		locked = mm->locked_vm << PAGE_SHIFT;
 		lock_limit = rlimit(RLIMIT_MEMLOCK);
 		locked += new_len - old_len;
-		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+		if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
 			return ERR_PTR(-EAGAIN);
 	}
 
-- 
2.30.2

