[RH7] ipset: enable memory accounting for ipset memory allocations

Submitted by Vasily Averin on Sept. 23, 2020, 12:54 p.m.

Details

Message ID 473279cb-0e36-3bcf-4ceb-19d2ddba0d66@virtuozzo.com
State New
Series "ipset: enable memory accounting for ipset memory allocations"

Commit Message

Vasily Averin Sept. 23, 2020, 12:54 p.m.
Currently, root inside a non-trusted network namespace can consume
all of the node's memory for the ipset hashtable.

https://jira.sw.ru/browse/PSBM-108091
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
---
 net/netfilter/ipset/ip_set_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 6b93a8978cb2..0fb19b95b507 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -251,14 +251,14 @@  ip_set_alloc(size_t size)
 	void *members = NULL;
 
 	if (size < KMALLOC_MAX_SIZE)
-		members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
+		members = kzalloc(size, GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
 
 	if (members) {
 		pr_debug("%p: allocated with kmalloc\n", members);
 		return members;
 	}
 
-	members = vzalloc(size);
+	members = vzalloc_account(size);
 	if (!members)
 		return NULL;
 	pr_debug("%p: allocated with vmalloc\n", members);
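Review bot: GFP_KERNEL_ACCOUNT on the kzalloc() line and vzalloc_account() on the fallback line charge the hashtable to the allocating task's memory cgroup, which only bounds the allocation when that cgroup has a memory limit configured; the commit message should state this explicitly, since without a limit root in the namespace can still consume node memory, just visibly accounted. Consider rewording the description to something like "account ipset hashtable memory to the allocating memcg so a limited container cannot exhaust node memory".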

Comments

Evgenii Shatokhin Sept. 23, 2020, 1:41 p.m.
On 23.09.2020 15:54, Vasily Averin wrote:
> Currently, root inside a non-trusted network namespace can consume
> all of the node's memory for the ipset hashtable.
> 
> https://jira.sw.ru/browse/PSBM-108091
> Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
> ---
>   net/netfilter/ipset/ip_set_core.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)

Thanks for the fix!

Do we need something like this in VZ8 as well?

> 
> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> index 6b93a8978cb2..0fb19b95b507 100644
> --- a/net/netfilter/ipset/ip_set_core.c
> +++ b/net/netfilter/ipset/ip_set_core.c
> @@ -251,14 +251,14 @@ ip_set_alloc(size_t size)
>   	void *members = NULL;
>   
>   	if (size < KMALLOC_MAX_SIZE)
> -		members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
> +		members = kzalloc(size, GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
>   
>   	if (members) {
>   		pr_debug("%p: allocated with kmalloc\n", members);
>   		return members;
>   	}
>   
> -	members = vzalloc(size);
> +	members = vzalloc_account(size);
>   	if (!members)
>   		return NULL;
>   	pr_debug("%p: allocated with vmalloc\n", members);
>
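Review bot: only ip_set_alloc() is changed in this hunk, so the accounting covers the member table but not any other allocation the ipset code makes on behalf of the same namespace (the set structure itself, per-bucket element arrays in the hash types, list-set entries, if those are allocated with plain GFP_KERNEL in this tree); please audit the remaining kmalloc/kzalloc sites in net/netfilter/ipset/ and switch them to GFP_KERNEL_ACCOUNT too, otherwise a namespace can still grow unaccounted memory through those paths.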
Vasily Averin Sept. 23, 2020, 2:36 p.m.
On 9/23/20 4:41 PM, Evgenii Shatokhin wrote:
> On 23.09.2020 15:54, Vasily Averin wrote:
>> Currently, root inside a non-trusted network namespace can consume
>> all of the node's memory for the ipset hashtable.
>>
>> https://jira.sw.ru/browse/PSBM-108091
>> Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
>> ---
>>   net/netfilter/ipset/ip_set_core.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> Thanks for the fix!
> 
> Do we need something like this in VZ8 as well?

Yes, both rh8 and mainline are affected too; I'm going to prepare a patch for upstream.

>> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
>> index 6b93a8978cb2..0fb19b95b507 100644
>> --- a/net/netfilter/ipset/ip_set_core.c
>> +++ b/net/netfilter/ipset/ip_set_core.c
>> @@ -251,14 +251,14 @@ ip_set_alloc(size_t size)
>>       void *members = NULL;
>>         if (size < KMALLOC_MAX_SIZE)
>> -        members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
>> +        members = kzalloc(size, GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
>>         if (members) {
>>           pr_debug("%p: allocated with kmalloc\n", members);
>>           return members;
>>       }
>>   -    members = vzalloc(size);
>> +    members = vzalloc_account(size);
>>       if (!members)
>>           return NULL;
>>       pr_debug("%p: allocated with vmalloc\n", members);
>>
>
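Review bot: vzalloc_account() on the fallback line is a helper of this tree and does not exist in mainline, so the upstream version of this patch mentioned above cannot carry the hunk as is; the mainline equivalent is __vmalloc(size, GFP_KERNEL_ACCOUNT | __GFP_ZERO) (mainline dropped the pgprot argument in 5.8), or, more simply, replace the whole kmalloc/vmalloc fallback in ip_set_alloc() with kvzalloc(size, GFP_KERNEL_ACCOUNT), which already tries kmalloc with __GFP_NOWARN first and falls back to vmalloc. The kzalloc() line with GFP_KERNEL_ACCOUNT | __GFP_NOWARN is portable and can stay as written.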