Ping. On Wed, Sep 19, 2018 at 7:13 PM Eugene Syromyatnikov <evgsyr@xxxxxxxxx> wrote: > > Signed-off-by: Eugene Syromyatnikov <evgsyr@xxxxxxxxx> > --- > man2/getrlimit.2 | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 215 insertions(+) > > diff --git a/man2/getrlimit.2 b/man2/getrlimit.2 > index b0adfb2..9f51e0e 100644 > --- a/man2/getrlimit.2 > +++ b/man2/getrlimit.2 > @@ -252,6 +252,221 @@ memory that could be locked by a privileged process. > Since Linux 2.6.9, no limits are placed on the amount of memory > that a privileged process may lock, and this limit instead governs > the amount of memory that an unprivileged process may lock. > +.B CAP_IPC_LOCK > +capability is required for ignoring > +.BR RLIMIT_LOCKED . > +.\" arch/ia64/kernel/perfmon.c:pfm_smpl_buffer_alloc() > +.IP > +Command > +.B PFM_CREATE_CONTEXT > +of IA-64-specific > +.BR perfmonctl (2) > +system call checks sampling buffer size against > +.B RLIMIT_MEMLOCK > +limit; this check is done regardless of privileges. > +.\" f8626985c7c2485c423ce9f448028f81535b0ecc > +.\" https://lca2015.linux.org.au/slides/110/lca2015.pdf > +.\" https://www.linux-kvm.org/images/0/02/01x10a-VFIOonSPAPR.pdf > +.IP > +Pages managed with > +.BR mmap "(2) and " unmap (2) > +system calls on a file descriptor returned by > +.BR KVM_CREATE_SPAPR_TCE_64 " or " KVM_CREATE_SPAPR_TCE > +KVM > +.BR ioctl (2) > +commands, > +.BR VFIO_IOMMU_ENABLE , > +.BR VFIO_IOMMU_SPAPR_TCE_CREATE ", " VFIO_IOMMU_SPAPR_TCE_REMOVE , > +.BR VFIO_IOMMU_MAP_DMA ", and " VFIO_IOMMU_UNMAP_DMA > +SPAPR (Server POWER Architecture platform requirements) TCE VFIO IOMMU driver > +.RI ( vfio_iommu_spapr_tce ) > +.BR ioctl (2) > +commands of a VFIO character device file > +.RI ( /dev/vfio/vfio ), > +and > +.BR VFIO_IOMMU_MAP_DMA " and " VFIO_IOMMU_UNMAP_DMA > +generic VFIO IOMMU driver > +.RI ( vfio_iommu_type1 ) > +.BR ioctl (2) > +commands of VFIO character device file > +.RI ( /dev/vfio/vfio ), > +are counted towards > +.B RLIMIT_MEMLOCK > +resource limit of the calling process (using the same counter as for > +.BR mlock (2) > +and others). > +The check is ignored if > +.B CAP_IPC_LOCK > +is present. > +See > +.IR Documentation/powerpc/pci_iov_resource_on_powernv.txt , > +.I Documentation/vfio.txt > +(section "PPC64 sPAPR implementation note"), and > +.I Documentation/kvm/api.txt > +(section "KVM_CREATE_SPAPR_TCE") in the Linux kernel source tree for details. > +.\" https://lwn.net/Articles/716165/ > +.\" https://lwn.net/Articles/728158/ > +.IP > +Pages pinned with > +.BR KVM_MEMORY_ENCRYPT_REG_REGION " (when AMD SVM is used for virtualisation)," > +.BR KVM_SEV_LAUNCH_UPDATE_DATA , > +.BR KVM_SEV_DBG_DECRYPT ", " KVM_SEV_DBG_ENCRYPT ", and " KVM_SEV_LAUNCH_SECRET > +KVM > +.BR ioctl (2) > +commands (that are part of Secure Encrypted Virtualisation API, > +specific to AMD x86 processors), while employ independent per-VM counter, > +are compared against > +.B RLIMIT_MEMLOCK > +resource limit of the calling process. > +The check is ignored if > +.B CAP_IPC_LOCK > +is present. > +See > +.I Documentation/x86/amd-memory-encryption.txt > +and > +.I Documentation/virtual/kvm/amd-memory-encryption.rst > +files in the Linux kernel source tree for details. > +.\" drivers/fpga/dfl-afu-main.c:afu_dma_adjust_locked_vm() > +.IP > +Pages mapped with > +.B DFL_FPGA_PORT_DMA_MAP > +and unmapped with > +.B DFL_FPGA_PORT_DMA_UNMAP > +FPGA Accelerated Unit function driver > +.RI ( dfl-afu ) > +.BR ioctl (2) > +commands, are counted towards > +.B RLIMIT_MEMLOCK > +resource limit of the calling process (using the same counter as for > +.BR mlock (2) > +and others). > +The check is ignored if > +.B CAP_IPC_LOCK > +is present. > +See > +.I Documentation/fpga/dfl.txt > +file in the Linux kernel source tree for details. > +.\" drivers/infiniband/hw/hfi1/file_ops.c:hfi1_file_ioctl() > +.\" - struct hfi1_filedata initialisation > +.\" drivers/infiniband/hw/hfi1/file_ops.c:hfi1_write_iter() > +.\" - call hfi1_user_sdma_process_request, pass fd > +.\" drivers/infiniband/hw/hfi1/user_sdma.c:hfi1_user_sdma_process_request() > +.\" drivers/infiniband/hw/hfi1/user_sdma.c:pin_vector_pages() > +.\" drivers/infiniband/hw/hfi1/user_sdma.c:pin_sdma_pages() > +.\" drivers/infiniband/hw/hfi1/user_pages.c:hfi1_can_pin_pages() > +.\" https://www.spinics.net/lists/linux-rdma/msg34451.html > +.\" Pinning: > +.\" bc3e53f682d93df677dbd5006a404722b3adfe18 > +.IP > +Pages occupied by data written to an Omni-Path character device file > +.RI ( hfi1 > +driver), as well as pages occupied by buffers managed via > +.BR HFI1_IOCTL_TID_UPDATE " and " HFI1_IOCTL_TID_FREE > +.BR ioctl (2) > +commands, are pinned, and counted (independently of locked pages, > +since Linux 3.2) towards > +.B RLIMIT_MEMLOCK > +resource limit of the process that opened file descriptor and compared against > +.B RLIMIT_MEMLOCK > +of the calling process. > +The check is ignored if the calling process has > +.B CAP_IPC_LOCK > +capability. > +.\" drivers/infiniband/core/umem.c:ib_umem_get() > +.\" drivers/infiniband/hw/qib/qib_user_pages.c:__qib_get_user_pages() > +.\" - accounting is incorrect (num_pages is compared and not > +.\" num_pages + current->mm->pinned_vm) > +.\" drivers/infiniband/hw/usnic/usnic_uiom.c:usnic_uiom_get_pages() > +.IP > +User space pages that are used for IB RDMA send/receive, are pinned and, thus, > +are counted (independently of locked pages since Linux 3.2) towards > +.B RLIMIT_MEMLOCK > +resource limit of the calling process. > +The check is ignored if > +.B CAP_IPC_LOCK > +is present. > +.\" drivers/misc/mic/scif/scif_rma.c:__scif_check_inc_pinned_vm() > +.\" drivers/misc/mic/scif/scif_rma.c:__scif_pin_pages() > +.\" drivers/misc/mic/scif/scif_dma.c:scif_register_temp() > +.\" drivers/misc/mic/scif/scif_dma.c:scif_rma_copy() > +.\" drivers/misc/mic/scif/scif_dma.c:{v,}{readfrom,writeto}() > +.\" drivers/misc/mic/scif/scif_fd.c:scif_fdioctl() > +.IP > +Pages occupied by buffers supplied to > +.BR SCIF_READFROM ", " SCIF_WRITETO ", " SCIF_VREADFROM ", and " SCIF_VWRITETO > +Intel Many Integrated Cores (MIC) Symmetric Communications Interface (SCIF) > +character device file > +.RI ( /dev/scif ) > +.BR ioctl (2) > +commands, are pinned, and counted (independently of locked pages) towards > +.B RLIMIT_MEMLOCK > +resource limit of the calling process. > +The check is ignored if the calling process has > +.B CAP_IPC_LOCK > +capability. > +.\" kernel/bpf/syscall.c:bpf_charge_memlock() > +.\" kernel/bpf/syscall.c:__bpf_prog_charge() > +.\" aaac3ba95e4c8b496d22f68bd1bc01cfbf525eca > +.IP > +Memory, allocated for > +.BR bpf (2) > +maps, programs, and local storage for programs that attached to cgroups, > +is counted on a per-user basis and compared against > +.B RLIMIT_MEMLOCK > +resource limit of the calling process. > +The check is not skipped if > +.B CAP_IPC_LOCK > +capability is present. > +.\" kernel/events/core.c:perf_mmap() > +.\" bc3e53f682d93df677dbd5006a404722b3adfe18 > +.IP > +Memory, belonging to mappings returned by > +.BR mmap (2) > +calls on a descriptor, returned by a > +.BR perf_event_open (2) > +syscall, is counted on a per-user basis > +(using the same counter as for > +.BR bpf (2) > +memory accounting), and the amount over > +.I kernel/perf_event_mlock_kb > +sysctl value multiplied by a number of online CPUs > +is counted towards per-process pinned memory > +(the same counter as for IB RDMA, OP, and SCIF), > +and is compared against > +.B RLIMIT_MEMLOCK > +resource limit of the calling process. > +The check is skipped if > +.B CAP_IPC_LOCK > +capability is present or > +.I kernel/perf_event_paranoid > +is set to a value less than 0. > +.\" net/core/skbuff.c:mm_account_pinned_pages() > +.\" a91dbff551a6f1865b68fa82b654591490b59901 > +.IP > +Pages, occupied by buffers, used as source for zero-copy sending of data > +via \fBAF_TCP\fP or \fBAF_RDS\fP (with TCP as a transport) sockets is performed > +(for that, > +.B MSG_ZEROCOPY > +should be set for a message > +and transmission should be performed via a socket with > +.B SOCK_ZEROCOPY > +socket option enabled), or mappings configured via > +.B XDP_UMEM_REG > +socket option of an > +.B AF_XDP > +socket, are counted on per-user basis (along with > +.BR bpf (2) > +and per mappings) and compared against > +.B RLIMIT_MEMLOCK > +resource limie of the calling process. > +The check is not skipped if > +.B CAP_IPC_LOCK > +capability is present. > +See > +.I Documentation/networking/msg_zerocopy.rst > +and > +.I Documentation/networking/rds.txt > +files in the Linux kernel source tree for details. > .TP > .BR RLIMIT_MSGQUEUE " (since Linux 2.6.8)" > This is a limit on the number of bytes that can be allocated > -- > 2.1.4 > -- Eugene Syromyatnikov mailto:evgsyr@xxxxxxxxx xmpp:esyr@jabber.{ru|org}
