tcp buffer limitation: per-cgroup limit

This patch uses the "tcp.limit_in_bytes" field of the kmem_cgroup to
effectively control the amount of kernel memory pinned by a cgroup.

This value is ignored in the root cgroup, and in all others,
caps the value specified by the admin in the net namespaces'
view of tcp_sysctl_mem.

If namespaces are being used, the admin is allowed to set a
value bigger than cgroup's maximum, the same way it is allowed
to set pretty much unlimited values in a real box.

Signed-off-by: Glauber Costa <glommer@parallels.com>
Reviewed-by: Hiroyouki Kamezawa <kamezawa.hiroyu@jp.fujitsu.com>
CC: David S. Miller <davem@davemloft.net>
CC: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 14 insertions, 0 deletions

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index bbd67abcb51d..fe9bf915676c 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -24,6 +24,7 @@
 #include <net/cipso_ipv4.h>
 #include <net/inet_frag.h>
 #include <net/ping.h>
+#include <net/tcp_memcontrol.h>
 
 static int zero;
 static int tcp_retr1_max = 255;
@@ -182,6 +183,9 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
         int ret;
         unsigned long vec[3];
         struct net *net = current->nsproxy->net_ns;
+#ifdef CONFIG_CGROUP_MEM_RES_CTLR_KMEM
+        struct mem_cgroup *memcg;
+#endif
 
         ctl_table tmp = {
                 .data = &vec,
@@ -198,6 +202,16 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
         if (ret)
                 return ret;
 
+#ifdef CONFIG_CGROUP_MEM_RES_CTLR_KMEM
+        rcu_read_lock();
+        memcg = mem_cgroup_from_task(current);
+
+        tcp_prot_mem(memcg, vec[0], 0);
+        tcp_prot_mem(memcg, vec[1], 1);
+        tcp_prot_mem(memcg, vec[2], 2);
+        rcu_read_unlock();
+#endif
+
         net->ipv4.sysctl_tcp_mem[0] = vec[0];
         net->ipv4.sysctl_tcp_mem[1] = vec[1];
         net->ipv4.sysctl_tcp_mem[2] = vec[2];