The same could be said for cpusets if users use that for memory isolation.
This should panic in mem_cgroup_out_of_memory() and the documentation
should be added to Documentation/sysctl/vm.txt.
The memory controller also has some protection in the pagefault oom
handler that seems like it could be made more general: instead of checking
for mem_cgroup_oom_called(), I'd rather do a tasklist scan to check for
already oom killed task (checking for the TIF_MEMDIE bit) and check all
zones for ZONE_OOM_LOCKED. If no oom killed tasks are found and no zones
are locked, we can check sysctl_panic_on_oom and invoke the system-wide
oom.
The oom notifier would be at a higher level than the oom killer, the oom
killer's job is simply to kill a task when it is called. So for these
particular cases, you would never even call into out_of_memory() to panic
the machine in the first place. Hopefully, the oom notifier can be made
to be more generic as its own cgroup rather than only being used by memcg,
but if such a userspace notifier would defer to the kernel oom killer, it
should panic when panic_on_oom == 2 is selected regardless of whether it
is constrained or not. Thus, we can keep the sysctl_panic_on_oom logic in
the oom killer (both in out_of_memory() and mem_cgroup_out_of_memory())
without risk of unnecessarily panicking whenever an oom notifier or
freeze_at_oom setting intercepts the condition.
--
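The pagefault oom check proposed above (tasklist scan for TIF_MEMDIE, zone scan for ZONE_OOM_LOCKED, then sysctl_panic_on_oom, then the system-wide oom killer), written out as a constructed user-space model. This is added illustration, not kernel code and not the author's patch: the model_ types, flag values and the enum oom_action names are placeholders; the panic_on_oom semantics (1 = panic only when unconstrained, 2 = panic always) follow Documentation/sysctl/vm.txt.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the oom decision described in the mail.
 * Names prefixed model_ are placeholders, not the kernel's own types. */

#define MODEL_TIF_MEMDIE      0x1u  /* task already chosen by the oom killer */
#define MODEL_ZONE_OOM_LOCKED 0x1u  /* an oom kill on this zone is in progress */

struct model_task { const char *comm; unsigned int flags; };
struct model_zone { const char *name; unsigned int flags; };

enum oom_action {
    OOM_WAIT_FOR_VICTIM,   /* a TIF_MEMDIE task exists: let it exit and free memory */
    OOM_WAIT_FOR_ZONE,     /* a zone is ZONE_OOM_LOCKED: another oom kill is underway */
    OOM_PANIC,             /* sysctl_panic_on_oom requires a panic */
    OOM_INVOKE_GLOBAL      /* fall through to the system-wide oom killer */
};

static bool any_task_memdie(const struct model_task *tasks, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tasks[i].flags & MODEL_TIF_MEMDIE)
            return true;
    return false;
}

static bool any_zone_oom_locked(const struct model_zone *zones, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (zones[i].flags & MODEL_ZONE_OOM_LOCKED)
            return true;
    return false;
}

/* vm.panic_on_oom semantics from Documentation/sysctl/vm.txt: 0 never panics,
 * 1 panics only for an unconstrained (system-wide) oom, 2 panics regardless
 * of cpuset/mempolicy/memcg constraint, which is what the mail asks for. */
static bool panic_required(int sysctl_panic_on_oom, bool constrained)
{
    if (sysctl_panic_on_oom == 2)
        return true;
    if (sysctl_panic_on_oom == 1)
        return !constrained;
    return false;
}

enum oom_action decide_pagefault_oom(const struct model_task *tasks, size_t ntasks,
                                     const struct model_zone *zones, size_t nzones,
                                     int sysctl_panic_on_oom, bool constrained)
{
    /* Order matters: an in-flight kill is honoured before the panic check,
     * otherwise a second oom hitting the same window panics needlessly. */
    if (any_task_memdie(tasks, ntasks))
        return OOM_WAIT_FOR_VICTIM;
    if (any_zone_oom_locked(zones, nzones))
        return OOM_WAIT_FOR_ZONE;
    if (panic_required(sysctl_panic_on_oom, constrained))
        return OOM_PANIC;
    return OOM_INVOKE_GLOBAL;
}

int main(void)
{
    /* constructed sample state: one victim already marked, no zone locked */
    struct model_task tasks[] = { {"init", 0}, {"memhog", MODEL_TIF_MEMDIE} };
    struct model_zone zones[] = { {"DMA", 0}, {"Normal", 0} };
    printf("action=%d\n", decide_pagefault_oom(tasks, 2, zones, 2, 2, true));
    return 0;
}
```

The point the model makes concrete is the ordering: with panic_on_oom == 2 the memcg path still panics, but only once neither a dying victim nor a locked zone indicates that an oom kill is already being handled.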