[Devel] [PATCH RH7] ipset: enable memory accounting for ipset memory allocations
Vasily Averin
vvs at virtuozzo.com
Wed Sep 23 17:36:03 MSK 2020
On 9/23/20 4:41 PM, Evgenii Shatokhin wrote:
> On 23.09.2020 15:54, Vasily Averin wrote:
>> currently root inside non-trusted network namespace can consume
>> all node's memory for ipset hashtable.
>>
>> https://jira.sw.ru/browse/PSBM-108091
>> Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
>> ---
>> net/netfilter/ipset/ip_set_core.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Thanks for the fix!
>
> Do we need something like this in VZ8 as well?
Yes, both rh8 and mainline are affected too. I'm going to prepare a patch for upstream.
>> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
>> index 6b93a8978cb2..0fb19b95b507 100644
>> --- a/net/netfilter/ipset/ip_set_core.c
>> +++ b/net/netfilter/ipset/ip_set_core.c
>> @@ -251,14 +251,14 @@ ip_set_alloc(size_t size)
>> void *members = NULL;
>> if (size < KMALLOC_MAX_SIZE)
>> - members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
>> + members = kzalloc(size, GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
>> if (members) {
>> pr_debug("%p: allocated with kmalloc\n", members);
>> return members;
>> }
>> - members = vzalloc(size);
>> + members = vzalloc_account(size);
>> if (!members)
>> return NULL;
>> pr_debug("%p: allocated with vmalloc\n", members);
>>
>
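Review bot: the subject promises accounting for "ipset memory allocations", but the diffstat shows only the two calls in ip_set_alloc() being converted, so the commit message should say whether ipset allocations that do not go through ip_set_alloc() are deliberately left unaccounted or are covered some other way. Without that, a reader cannot tell from the patch whether the memory consumption described for a non-trusted network namespace is fully bounded by the memcg limit or only the part allocated here. Separately, the vmalloc fallback now calls vzalloc_account(), which this patch does not define; naming where that helper comes from in the commit message would help, since the upstream version mentioned in the thread will need an equivalent for that line.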