From: Andrey Ryabinin <aryabi...@virtuozzo.com> Global root is allowed to exceed memlock limit, so this should be allowed for container's root too. capable() works only for global root, so use ve_capable() instead.
https://jira.sw.ru/browse/PSBM-41405 Signed-off-by: Andrey Ryabinin <aryabi...@virtuozzo.com> Reviewed-by: Vladimir Davydov <vdavy...@virtuozzo.com> Signed-off-by: Andrey Ryabinin <aryabi...@virtuozzo.com> (cherry-picked from vz8 commit 174101c13a3c ("ve/mm: allow container's root to ignore mlock limit")) Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com> --- mm/mlock.c | 10 +++++----- mm/mmap.c | 4 ++-- mm/mremap.c | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/mm/mlock.c b/mm/mlock.c index 16d2ee160d43..9d1cda216d71 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -31,7 +31,7 @@ bool can_do_mlock(void) { if (rlimit(RLIMIT_MEMLOCK) != 0) return true; - if (capable(CAP_IPC_LOCK)) + if (ve_capable(CAP_IPC_LOCK)) return true; return false; } @@ -666,7 +666,7 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla return -EINTR; locked += current->mm->locked_vm; - if ((locked > lock_limit) && (!capable(CAP_IPC_LOCK))) { + if ((locked > lock_limit) && (!ve_capable(CAP_IPC_LOCK))) { /* * It is possible that the regions requested intersect with * previously mlocked areas, that part area in "mm->locked_vm" @@ -678,7 +678,7 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla } /* check against resource limits */ - if ((locked <= lock_limit) || capable(CAP_IPC_LOCK)) + if ((locked <= lock_limit) || ve_capable(CAP_IPC_LOCK)) error = apply_vma_lock_flags(start, len, flags); mmap_write_unlock(current->mm); @@ -792,7 +792,7 @@ SYSCALL_DEFINE1(mlockall, int, flags) ret = -ENOMEM; if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) || - capable(CAP_IPC_LOCK)) + ve_capable(CAP_IPC_LOCK)) ret = apply_mlockall_flags(flags); mmap_write_unlock(current->mm); if (!ret && (flags & MCL_CURRENT)) @@ -832,7 +832,7 @@ int user_shm_lock(size_t size, struct ucounts *ucounts) spin_lock(&shmlock_user_lock); memlock = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); - if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) { + if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !ve_capable(CAP_IPC_LOCK)) { dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); goto out; } diff --git a/mm/mmap.c b/mm/mmap.c index ca54d36d203a..5bdc752b840d 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1363,7 +1363,7 @@ int mlock_future_check(struct mm_struct *mm, unsigned long flags, locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; - if (locked > lock_limit && !capable(CAP_IPC_LOCK)) + if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK)) return -EAGAIN; } return 0; @@ -2377,7 +2377,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, locked = mm->locked_vm + grow; limit = rlimit(RLIMIT_MEMLOCK); limit >>= PAGE_SHIFT; - if (locked > limit && !capable(CAP_IPC_LOCK)) + if (locked > limit && !ve_capable(CAP_IPC_LOCK)) return -ENOMEM; } diff --git a/mm/mremap.c b/mm/mremap.c index 5989d3990020..6282065a0259 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -760,7 +760,7 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, locked = mm->locked_vm << PAGE_SHIFT; lock_limit = rlimit(RLIMIT_MEMLOCK); locked += new_len - old_len; - if (locked > lock_limit && !capable(CAP_IPC_LOCK)) + if (locked > lock_limit && !ve_capable(CAP_IPC_LOCK)) return ERR_PTR(-EAGAIN); } -- 2.30.2 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
