[PATCH] ipset: enable memory accounting for ipset allocations

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] ipset: enable memory accounting for ipset allocations
@ 2020-09-25  5:55 Vasily Averin
  2020-09-25  7:53   ` kernel test robot
  2020-09-25  9:13   ` kernel test robot
  0 siblings, 2 replies; 7+ messages in thread
From: Vasily Averin @ 2020-09-25  5:55 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: netfilter-devel, Jozsef Kadlecsik, Florian Westphal, David S. Miller

Currently netadmin inside non-trusted container can quickly allocate
whole node's memory via request of huge ipset hashtable.
Other ipset-related memory allocations should be restricted too.

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
---
 net/netfilter/ipset/ip_set_core.c | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 920b7c4..e9fe34a 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -250,22 +250,7 @@ static struct ip_set_net *ip_set_pernet(struct net *net)
 void *
 ip_set_alloc(size_t size)
 {
-	void *members = NULL;
-
-	if (size < KMALLOC_MAX_SIZE)
-		members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
-
-	if (members) {
-		pr_debug("%p: allocated with kmalloc\n", members);
-		return members;
-	}
-
-	members = vzalloc(size);
-	if (!members)
-		return NULL;
-	pr_debug("%p: allocated with vmalloc\n", members);
-
-	return members;
+	return kvzalloc(size, GFP_KERNEL_ALLOC);
 }
 EXPORT_SYMBOL_GPL(ip_set_alloc);
 
-- 
1.8.3.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH] ipset: enable memory accounting for ipset allocations
  2020-09-25  5:55 [PATCH] ipset: enable memory accounting for ipset allocations Vasily Averin
@ 2020-09-25  7:53   ` kernel test robot
  2020-09-25  9:13   ` kernel test robot
  1 sibling, 0 replies; 7+ messages in thread
From: kernel test robot @ 2020-09-25  7:53 UTC (permalink / raw)
  To: Vasily Averin, Pablo Neira Ayuso
  Cc: kbuild-all, netfilter-devel, Jozsef Kadlecsik, Florian Westphal

[-- Attachment #1: Type: text/plain, Size: 2477 bytes --]

Hi Vasily,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf/master]
[also build test ERROR on nf-next/master ipvs/master v5.9-rc6 next-20200924]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/828ea197585b5e87760b3d5615b52919ab9a3b10
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
        git checkout 828ea197585b5e87760b3d5615b52919ab9a3b10
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=xtensa 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All error/warnings (new ones prefixed by >>):

   net/netfilter/ipset/ip_set_core.c: In function 'ip_set_alloc':
>> net/netfilter/ipset/ip_set_core.c:253:24: error: 'GFP_KERNEL_ALLOC' undeclared (first use in this function); did you mean 'GFP_KERNEL_ACCOUNT'?
     253 |  return kvzalloc(size, GFP_KERNEL_ALLOC);
         |                        ^~~~~~~~~~~~~~~~
         |                        GFP_KERNEL_ACCOUNT
   net/netfilter/ipset/ip_set_core.c:253:24: note: each undeclared identifier is reported only once for each function it appears in
>> net/netfilter/ipset/ip_set_core.c:254:1: warning: control reaches end of non-void function [-Wreturn-type]
     254 | }
         | ^

vim +253 net/netfilter/ipset/ip_set_core.c

   248	
   249	/* Utility functions */
   250	void *
   251	ip_set_alloc(size_t size)
   252	{
 > 253		return kvzalloc(size, GFP_KERNEL_ALLOC);
 > 254	}
   255	EXPORT_SYMBOL_GPL(ip_set_alloc);
   256	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 65077 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] ipset: enable memory accounting for ipset allocations
@ 2020-09-25  7:53   ` kernel test robot
  0 siblings, 0 replies; 7+ messages in thread
From: kernel test robot @ 2020-09-25  7:53 UTC (permalink / raw)
  To: kbuild-all

[-- Attachment #1: Type: text/plain, Size: 2533 bytes --]

Hi Vasily,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf/master]
[also build test ERROR on nf-next/master ipvs/master v5.9-rc6 next-20200924]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/828ea197585b5e87760b3d5615b52919ab9a3b10
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
        git checkout 828ea197585b5e87760b3d5615b52919ab9a3b10
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=xtensa 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All error/warnings (new ones prefixed by >>):

   net/netfilter/ipset/ip_set_core.c: In function 'ip_set_alloc':
>> net/netfilter/ipset/ip_set_core.c:253:24: error: 'GFP_KERNEL_ALLOC' undeclared (first use in this function); did you mean 'GFP_KERNEL_ACCOUNT'?
     253 |  return kvzalloc(size, GFP_KERNEL_ALLOC);
         |                        ^~~~~~~~~~~~~~~~
         |                        GFP_KERNEL_ACCOUNT
   net/netfilter/ipset/ip_set_core.c:253:24: note: each undeclared identifier is reported only once for each function it appears in
>> net/netfilter/ipset/ip_set_core.c:254:1: warning: control reaches end of non-void function [-Wreturn-type]
     254 | }
         | ^

vim +253 net/netfilter/ipset/ip_set_core.c

   248	
   249	/* Utility functions */
   250	void *
   251	ip_set_alloc(size_t size)
   252	{
 > 253		return kvzalloc(size, GFP_KERNEL_ALLOC);
 > 254	}
   255	EXPORT_SYMBOL_GPL(ip_set_alloc);
   256	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 65077 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v2] ipset: enable memory accounting for ipset allocations
  2020-09-25  7:53   ` kernel test robot
  (?)
@ 2020-09-25  8:56   ` Vasily Averin
  2020-10-04 19:09     ` Pablo Neira Ayuso
  -1 siblings, 1 reply; 7+ messages in thread
From: Vasily Averin @ 2020-09-25  8:56 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: netfilter-devel, Jozsef Kadlecsik, Florian Westphal, David S. Miller

Currently netadmin inside non-trusted container can quickly allocate
whole node's memory via request of huge ipset hashtable.
Other ipset-related memory allocations should be restricted too.

v2: fixed typo ALLOC -> ACCOUNT

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
---
 net/netfilter/ipset/ip_set_core.c | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 920b7c4..6f35832 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -250,22 +250,7 @@ static struct ip_set_net *ip_set_pernet(struct net *net)
 void *
 ip_set_alloc(size_t size)
 {
-	void *members = NULL;
-
-	if (size < KMALLOC_MAX_SIZE)
-		members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
-
-	if (members) {
-		pr_debug("%p: allocated with kmalloc\n", members);
-		return members;
-	}
-
-	members = vzalloc(size);
-	if (!members)
-		return NULL;
-	pr_debug("%p: allocated with vmalloc\n", members);
-
-	return members;
+	return kvzalloc(size, GFP_KERNEL_ACCOUNT);
 }
 EXPORT_SYMBOL_GPL(ip_set_alloc);
 
-- 
1.8.3.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH v2] ipset: enable memory accounting for ipset allocations
  2020-09-25  8:56   ` [PATCH v2] " Vasily Averin
@ 2020-10-04 19:09     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-10-04 19:09 UTC (permalink / raw)
  To: Vasily Averin
  Cc: netfilter-devel, Jozsef Kadlecsik, Florian Westphal, David S. Miller

On Fri, Sep 25, 2020 at 11:56:02AM +0300, Vasily Averin wrote:
> Currently netadmin inside non-trusted container can quickly allocate
> whole node's memory via request of huge ipset hashtable.
> Other ipset-related memory allocations should be restricted too.

Applied, thanks.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] ipset: enable memory accounting for ipset allocations
  2020-09-25  5:55 [PATCH] ipset: enable memory accounting for ipset allocations Vasily Averin
@ 2020-09-25  9:13   ` kernel test robot
  2020-09-25  9:13   ` kernel test robot
  1 sibling, 0 replies; 7+ messages in thread
From: kernel test robot @ 2020-09-25  9:13 UTC (permalink / raw)
  To: Vasily Averin, Pablo Neira Ayuso
  Cc: kbuild-all, netfilter-devel, Jozsef Kadlecsik, Florian Westphal

[-- Attachment #1: Type: text/plain, Size: 3515 bytes --]

Hi Vasily,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf/master]
[also build test ERROR on nf-next/master ipvs/master v5.9-rc6 next-20200924]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: x86_64-rhel (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce (this is a W=1 build):
        # https://github.com/0day-ci/linux/commit/828ea197585b5e87760b3d5615b52919ab9a3b10
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
        git checkout 828ea197585b5e87760b3d5615b52919ab9a3b10
        # save the attached .config to linux build tree
        make W=1 ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   net/netfilter/ipset/ip_set_core.c: In function 'ip_set_alloc':
>> net/netfilter/ipset/ip_set_core.c:253:24: error: 'GFP_KERNEL_ALLOC' undeclared (first use in this function); did you mean 'GFP_KERNEL_ACCOUNT'?
     253 |  return kvzalloc(size, GFP_KERNEL_ALLOC);
         |                        ^~~~~~~~~~~~~~~~
         |                        GFP_KERNEL_ACCOUNT
   net/netfilter/ipset/ip_set_core.c:253:24: note: each undeclared identifier is reported only once for each function it appears in
   net/netfilter/ipset/ip_set_core.c:254:1: warning: control reaches end of non-void function [-Wreturn-type]
     254 | }
         | ^
--
>> drivers/gpu/drm/vmwgfx/ttm_object.c:60: error: Cannot parse struct or union!
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'mem_glob' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'ops' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'dmabuf_release' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'dma_buf_size' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'idr' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:129: warning: Function parameter or member 'rcu_head' not described in 'ttm_ref_object'
   drivers/gpu/drm/vmwgfx/ttm_object.c:129: warning: Function parameter or member 'tfile' not described in 'ttm_ref_object'
   drivers/gpu/drm/vmwgfx/ttm_object.c:583: warning: Function parameter or member 'dmabuf' not described in 'get_dma_buf_unless_doomed'
   drivers/gpu/drm/vmwgfx/ttm_object.c:583: warning: Excess function parameter 'dma_buf' description in 'get_dma_buf_unless_doomed'

vim +253 net/netfilter/ipset/ip_set_core.c

   248	
   249	/* Utility functions */
   250	void *
   251	ip_set_alloc(size_t size)
   252	{
 > 253		return kvzalloc(size, GFP_KERNEL_ALLOC);
   254	}
   255	EXPORT_SYMBOL_GPL(ip_set_alloc);
   256	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 45585 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] ipset: enable memory accounting for ipset allocations
@ 2020-09-25  9:13   ` kernel test robot
  0 siblings, 0 replies; 7+ messages in thread
From: kernel test robot @ 2020-09-25  9:13 UTC (permalink / raw)
  To: kbuild-all

[-- Attachment #1: Type: text/plain, Size: 3580 bytes --]

Hi Vasily,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf/master]
[also build test ERROR on nf-next/master ipvs/master v5.9-rc6 next-20200924]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: x86_64-rhel (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce (this is a W=1 build):
        # https://github.com/0day-ci/linux/commit/828ea197585b5e87760b3d5615b52919ab9a3b10
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
        git checkout 828ea197585b5e87760b3d5615b52919ab9a3b10
        # save the attached .config to linux build tree
        make W=1 ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   net/netfilter/ipset/ip_set_core.c: In function 'ip_set_alloc':
>> net/netfilter/ipset/ip_set_core.c:253:24: error: 'GFP_KERNEL_ALLOC' undeclared (first use in this function); did you mean 'GFP_KERNEL_ACCOUNT'?
     253 |  return kvzalloc(size, GFP_KERNEL_ALLOC);
         |                        ^~~~~~~~~~~~~~~~
         |                        GFP_KERNEL_ACCOUNT
   net/netfilter/ipset/ip_set_core.c:253:24: note: each undeclared identifier is reported only once for each function it appears in
   net/netfilter/ipset/ip_set_core.c:254:1: warning: control reaches end of non-void function [-Wreturn-type]
     254 | }
         | ^
--
>> drivers/gpu/drm/vmwgfx/ttm_object.c:60: error: Cannot parse struct or union!
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'mem_glob' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'ops' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'dmabuf_release' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'dma_buf_size' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'idr' not described in 'ttm_object_device'
   drivers/gpu/drm/vmwgfx/ttm_object.c:129: warning: Function parameter or member 'rcu_head' not described in 'ttm_ref_object'
   drivers/gpu/drm/vmwgfx/ttm_object.c:129: warning: Function parameter or member 'tfile' not described in 'ttm_ref_object'
   drivers/gpu/drm/vmwgfx/ttm_object.c:583: warning: Function parameter or member 'dmabuf' not described in 'get_dma_buf_unless_doomed'
   drivers/gpu/drm/vmwgfx/ttm_object.c:583: warning: Excess function parameter 'dma_buf' description in 'get_dma_buf_unless_doomed'

vim +253 net/netfilter/ipset/ip_set_core.c

   248	
   249	/* Utility functions */
   250	void *
   251	ip_set_alloc(size_t size)
   252	{
 > 253		return kvzalloc(size, GFP_KERNEL_ALLOC);
   254	}
   255	EXPORT_SYMBOL_GPL(ip_set_alloc);
   256	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 45585 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2020-10-04 19:09 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-25  5:55 [PATCH] ipset: enable memory accounting for ipset allocations Vasily Averin
2020-09-25  7:53 ` kernel test robot
2020-09-25  7:53   ` kernel test robot
2020-09-25  8:56   ` [PATCH v2] " Vasily Averin
2020-10-04 19:09     ` Pablo Neira Ayuso
2020-09-25  9:13 ` [PATCH] " kernel test robot
2020-09-25  9:13   ` kernel test robot

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.