From fe02ebb480bcb1fa2d7eb06d7e31a8d86ad6a9a4 Mon Sep 17 00:00:00 2001 From: Yang Yingliang Date: Wed, 17 Jul 2019 16:31:49 +0800 Subject: [PATCH] cgroup: disable kernel memory accounting for all memory cgroups by default hulk inclusion category: bugfix bugzilla: 18665 CVE: NA ------------------- The kernel memory accounting for all memory cgroups is not stable now, it could lead kmem.usage refcount leak. It's used as a debug feature for now, so disable it by default. We can use the following command line to enable or disable it, cgroup.memory=kmem or cgroup.memory=kmem. Signed-off-by: Yang Yingliang Reviewed-by: Jing Xiangfeng Signed-off-by: Yang Yingliang --- Documentation/admin-guide/kernel-parameters.txt | 1 + Documentation/cgroup-v1/memory.txt | 6 +++--- mm/memcontrol.c | 6 ++++-- 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 1c73e5f51772..cac763936637 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -501,6 +501,7 @@ Format: nosocket -- Disable socket memory accounting. nokmem -- Disable kernel memory accounting.
+ kmem -- Enable kernel memory accounting.
 checkreqprot [SELINUX] Set initial checkreqprot flag value. Format: { "0" | "1" }
diff --git a/Documentation/cgroup-v1/memory.txt b/Documentation/cgroup-v1/memory.txt
index 3682e99234c2..7017b44f0bde 100644
--- a/Documentation/cgroup-v1/memory.txt
+++ b/Documentation/cgroup-v1/memory.txt
@@ -280,9 +280,9 @@ the amount of kernel memory used by the system. Kernel memory is fundamentally different than user memory, since it can't be swapped out, which makes it possible to DoS the system by consuming too much of this precious resource.
-Kernel memory accounting is enabled for all memory cgroups by default. But
-it can be disabled system-wide by passing cgroup.memory=nokmem to the kernel
-at boot time. In this case, kernel memory will not be accounted at all.
+Kernel memory accounting is disabled for all memory cgroups by default. But
+it can be enabled system-wide by passing cgroup.memory=kmem to the kernel
+at boot time. In this case, kernel memory will all be accounted.
 Kernel memory limits are not imposed for the root cgroup. Usage for the root cgroup may or may not be accounted. The memory used is accumulated into
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index d2a525a113a6..fdf0405897a3 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -84,8 +84,8 @@ struct mem_cgroup *root_mem_cgroup __read_mostly; /* Socket memory accounting disabled? */ static bool cgroup_memory_nosocket;
-/* Kernel memory accounting disabled? */
-static bool cgroup_memory_nokmem;
+/* Kernel memory accounting disabled */
+static bool cgroup_memory_nokmem = true;
 /* Whether the swap controller is active */ #ifdef CONFIG_MEMCG_SWAP
@@ -6364,6 +6364,8 @@ static int __init cgroup_memory(char *s) cgroup_memory_nosocket = true; if (!strcmp(token, "nokmem")) cgroup_memory_nokmem = true;
+ else if (!strcmp(token, "kmem"))
+ cgroup_memory_nokmem = false;
 } return 0; }
-- GitLab
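Review bot: The replacement comment on `cgroup_memory_nokmem` in the `@@ -84,8 +84,8 @@` hunk does not say that `true` is now the boot default or how to reverse it. I would write it as `/* Kernel memory accounting disabled by default; cgroup.memory=kmem enables it */`. The cgroup-v1 text touched by this same patch describes kernel memory as unswappable and therefore a way to DoS the system, so the new default removes a containment control for anyone who relied on it. Presumably kmem limits set on a cgroup are not enforced while the flag is true; the code that consumes the flag is outside the hunk, so confirm that and state it in the documentation change.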
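Review bot: Nothing in the visible part of `cgroup_memory()` reports the resulting state, so now that accounting is off by default a mistyped `kmem` token appears to leave kernel memory unaccounted with no boot-time signal. One line before `return 0;`, for example `pr_info("memcg: kernel memory accounting %s\n", cgroup_memory_nokmem ? "disabled" : "enabled");`, would let an operator confirm the setting from the boot log. The loop also makes the last token win when both `kmem` and `nokmem` are passed, and the new branch is chained with `else if` while the `nosocket` test above it is a separate `if`; a short comment such as `/* last kmem/nokmem token wins */` would make the precedence explicit. The function body starts outside the hunk, so how unknown tokens are handled is inferred from the lines shown.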