FreeBSD has a "protect" command which does something similar to what this asks for – the man page [1] describes it:<p>"The protect command is used to mark processes as protected. The kernel does not kill protected processes when swap space is exhausted. [...] If you protect a runaway process that allocates all memory the system will deadlock."<p>[1] <a href="https://man.freebsd.org/cgi/man.cgi?query=protect&apropos=0&sektion=0&manpath=FreeBSD+15.0-STABLE&format=html" rel="nofollow">https://man.freebsd.org/cgi/man.cgi?query=protect&apropos=0&...</a>
It's 2026 and I still can't configure the OOM killer to kill firefox before anything else.
I looked into this, and actually, it seems like maybe you can? <a href="https://man7.org/linux/man-pages/man5/proc_pid_oom_score_adj.5.html" rel="nofollow">https://man7.org/linux/man-pages/man5/proc_pid_oom_score_adj...</a><p>So, in actuality, I think your assertion just taught us all something, because despite knowing that the OOM killer and that the Magic SysRq key[1] exists, I didn't know you could configure this as an input!<p>[1]: <a href="https://en.wikipedia.org/wiki/Magic_SysRq_key" rel="nofollow">https://en.wikipedia.org/wiki/Magic_SysRq_key</a>
I'm aware of it, but it's awkward to use in practice. You have to track down all the FF processes, each time you run it, and adjust all their scores.
I always wanted it to target java processes, as they were always the culprit. These days it's python, VSCode, and antigravity.
This. It's always browser running amok. I configured win+k shortcut key to: killall -9 chrome
It's not a panacea, but in my case setting browser.tabs.unloadOnLowMemory in about:config helped a bunch.
Maybe not in kernel, but running the earlyoom daemon will let you do exactly that in userspace.
I never pay for the OOF insurance, it seems like a waste of money and I've never met anyone that's had it happen.
I still remember following Andries’s “Linux kernel hacker’s hut” course he taught at the Eindhoven University of Technology (TU/e) back in 2010. Every week we’d get an assignment where we had to write exploits for commonly occurring security vulnerabilities (e.g., buffer overflows, bad printf format). It was one of the most enjoyable courses I ever followed. Thanks for that, Andries!
I confess, this is very funny and the underlying situation is a bit absurd, but it's unclear what point Brouwer is making by pointing out the absurdity.<p>There surely is something absurd about having to register specific processes as exempt from the OOM killer. But given that the OOM killer exists, and could kill xlock...how should that be fixed?
I read him as arguing that overcommit was a mistake. Of course, he doesn't answer any of the obvious follow-up questions, such as, does fork–exec copy all the process's memory and then immediately throw it away, or what. (One could argue that fork–exec was also a mistake, but it long predates Linux, so this doesn't answer the question of how Torvalds should have designed it.)
The point is that the OOM killer shouldn't exist and arguing about how to tweak it is addressing the wrong problem
But the second clause doesn't follow from the first!<p>I don't think Linux was plausibly going to remove the OOM killer in 2004 or later. So the right solution for Linux is very much to tweak it to be less painful.
I agree that that's the point he's making, but I don't see how that would work practically. His attitude is that malloc(1<<63) should immediately crash the system, every time? How is that better?
No, if a process allocates an infeasible amount, malloc fails and the process needs to deal with the failure (which is what already happens, "malloc doesn't fail on Linux" is only really true for smaller-than-page-size allocations). The point being made is that the system should account conservatively for all memory that can be used, not just the optimistic underestimate that overcommit enables (i.e. the plane should always carry enough fuel for contingencies, and landing with extra fuel is a good outcome).
I’d say, let the one who tried to allocate memory crash, and if you’re a critical process like xlock, use statically allocated memory and don’t alloc again.
Statically allocated memory can still OOM on access, due to overcommit and lazy page table population. What you really want is mlockall(2) (probably with MCL_CURRENT|MCL_ONFAULT followed by madvise with MADV_POPULATE_*)
> if you’re a critical process like xlock, use statically allocated memory and don’t alloc again.<p>This doesn't save you if someone other allocates and OOM killer chooses you as victim
This is only a viable answer when overcommit is disabled. The problem comes when overcommit is enabled and you find yourself in a position where many programs think they already have memory and yet there is none to give them. If you simply kill the first piece of code that encounters the end of available memory you might take down anything including the kernel itself.<p>Nothing like statically allocating memory can work when overcommit is enabled because the kernel is free to compress memory, page it out and etc. and then murder you the next time you try to perform any operation that it doesn't have the space for, no matter how safe and static your initialization was.<p>Note that overcommit is very useful in many cases including the ones where swap saves the stability of the system under conditions that would otherwise completely lock up or panic, so it's also not viable to just prevent it from being used.
OOM killer always felt like a band-aid on a severed artery to me. I've rarely seen a machine that got into OOM state really recover without a full reboot.
Why would a system break if you SIGKILL a process?<p>I’ve seen plenty of server log with OOM killing mariadb processes, and then being restarted automatically by systemd, often with no one noticing if not days later.<p>The thing that bogs down systems and often makes them unrecoverable is when a memory hungry process starts swapping. Good luck trying to SSH in. Swap is such a silly idea on servers - good to deal with pages no one accesses, catastrophic when you’re out of RAM and memory latencies suddenly become 4 or 5 orders of magnitude slower.
I’m not against taking down the kernel if the situation is that catastrophic. Better than killing the lock screen for sure.
Shouldn't desktop environments detect if a lock screen terminated abnormaly anyway? The OOM killer is just one of many possible causes.
IMO if the security of a system depends on the lock screen not crashing then the system is not very secure. Security protocols should never fail open like that; a lock screen should never simply be a layer on top of the authenticated desktop. Windows and macOS get this right. I believe Wayland display managers are also able to get this right (but I haven't checked).
Yes, Wayland should fix this. Granted, then you have a locked screen that the user may or may not be able to unlock, which is awkward if better.
The fact that xlock crashing unlocks an X11 session is, IMO, pathetic.
Especially in an era where RAM is so expensive, the obvious answer is to simply never use memory. If your data can't fit in the plethora of CPU registers at your disposal, your software is probably too complicated. /s
(2004)
Thanks. I was confused for a bit, given these days you can do<p><pre><code> echo "-1000" > /proc/<pid>/oom_score_adj
</code></pre>
to disable OOM killing for a process.<p><a href="https://github.com/torvalds/linux/blob/master/include/uapi/linux/oom.h" rel="nofollow">https://github.com/torvalds/linux/blob/master/include/uapi/l...</a>