[Devel] [PATCH RHEL COMMIT] ve/mm: allow container's root to ignore mlock limit

Konstantin Khorenko khorenko at virtuozzo.com
Thu Sep 30 17:44:03 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit e04546dced23b1038d1959b7f93acc2c437173c7
Author: Andrey Ryabinin <ryabinin.a.a at gmail.com>
Date:   Thu Sep 30 17:44:03 2021 +0300

    ve/mm: allow container's root to ignore mlock limit
    
    Global root is allowed to exceed memlock limit, so this should be
    allowed for container's root too.
    capable() works only for global root, so use ve_capable() instead.
    
    https://jira.sw.ru/browse/PSBM-41405
    
    Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
    Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>
    
    (cherry-picked from vz8 commit 174101c13a3c ("ve/mm: allow container's
    root to ignore mlock limit"))
    
    Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 mm/mlock.c  | 10 +++++-----
 mm/mmap.c   |  4 ++--
 mm/mremap.c |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/mm/mlock.c b/mm/mlock.c
index 16d2ee160d43..9d1cda216d71 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -31,7 +31,7 @@ bool can_do_mlock(void)
 {
 	if (rlimit(RLIMIT_MEMLOCK) != 0)
 		return true;
-	if (capable(CAP_IPC_LOCK))
+	if (ve_capable(CAP_IPC_LOCK))
 		return true;
 	return false;
 }
@@ -666,7 +666,7 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla
 		return -EINTR;
 
 	locked += current->mm->locked_vm;
-	if ((locked > lock_limit) && (!capable(CAP_IPC_LOCK))) {
+	if ((locked > lock_limit) && (!ve_capable(CAP_IPC_LOCK))) {
 		/*
 		 * It is possible that the regions requested intersect with
 		 * previously mlocked areas, that part area in "mm->locked_vm"
@@ -678,7 +678,7 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla
 	}
 
 	/* check against resource limits */
-	if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
+	if ((locked <= lock_limit) || ve_capable(CAP_IPC_LOCK))
 		error = apply_vma_lock_flags(start, len, flags);
 
 	mmap_write_unlock(current->mm);
@@ -792,7 +792,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
 
 	ret = -ENOMEM;
 	if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
-	    capable(CAP_IPC_LOCK))
+	    ve_capable(CAP_IPC_LOCK))
 		ret = apply_mlockall_flags(flags);
 	mmap_write_unlock(current->mm);
 	if (!ret && (flags & MCL_CURRENT))
@@ -832,7 +832,7 @@ int user_shm_lock(size_t size, struct ucounts *ucounts)
 	spin_lock(&shmlock_user_lock);
 	memlock = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked);
 
-	if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) {
+	if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !ve_capable(CAP_IPC_LOCK)) {
 		dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked);
 		goto out;
 	}
diff --git a/mm/mmap.c b/mm/mmap.c
index ca54d36d203a..5bdc752b840d 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1363,7 +1363,7 @@ int mlock_future_check(struct mm_struct *mm, unsigned long flags,
 		locked += mm->locked_vm;
 		lock_limit = rlimit(RLIMIT_MEMLOCK);
 		lock_limit >>= PAGE_SHIFT;
-		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+		if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
 			return -EAGAIN;
 	}
 	return 0;
@@ -2377,7 +2377,7 @@ static int acct_stack_growth(struct vm_area_struct *vma,
 		locked = mm->locked_vm + grow;
 		limit = rlimit(RLIMIT_MEMLOCK);
 		limit >>= PAGE_SHIFT;
-		if (locked > limit && !capable(CAP_IPC_LOCK))
+		if (locked > limit && !ve_capable(CAP_IPC_LOCK))
 			return -ENOMEM;
 	}
 
diff --git a/mm/mremap.c b/mm/mremap.c
index 5989d3990020..6282065a0259 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -760,7 +760,7 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
 		locked = mm->locked_vm << PAGE_SHIFT;
 		lock_limit = rlimit(RLIMIT_MEMLOCK);
 		locked += new_len - old_len;
-		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
+		if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK))
 			return ERR_PTR(-EAGAIN);
 	}
 


More information about the Devel mailing list