Re: [PATCH] pidns: limit the nesting depth of pid namespaces

From: Andrey Wagin
Date: Thu Oct 25 2012 - 11:02:10 EST


2012/10/24 Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>:
> On Wed, 24 Oct 2012 09:38:57 +0400
> Andrey Wagin <avagin@xxxxxxxxx> wrote:
>
>> >
>> > I think that returning -ENOMEM in response to an excessive nesting
>> > attempt is misleading - the system *didn't* run out of memory. EINVAL
>> > is better?
>>
>> I chose ENOMEM by analogy with max_pid. When a new PID can not be
>> allocated, ENOMEM is returned too.
>
> I don't know what this means - please be carefully specific when
> identifying kernel code.

Sorry.

>
> If you're referring to kernel/pid.c:alloc_pid() then -ENOMEM is
> appropriate there, because a failure *is* caused by memory allocation
> failure.

I'm referring to alloc_pidmap().
For example, I set pid_max to 500 and try to create more than 500 processes.

[pid 345] clone(child_stack=0,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x7f8721716a10) = -1 ENOMEM (Cannot allocate memory)

Actually I agree with EINVAL, and a patch is attached to this message.

Thanks.
>
> But ENOMEM isn't appropriate for nesting-depth-exceeded - we shouldn't
> tell the user "you ran out of memory" when he didn't! -EINVAL isn't
> really appropriate either ("Invalid argument") but it has become a
> general you-screwed-up catchall and seems to me to be the most
> appropriate errno we have available.
>

Attachment: 0001-pidns-limit-the-nesting-depth-of-pid-namespaces-v2.patch
Description: Binary data