* [PATCH] ipset: enable memory accounting for ipset allocations
@ 2020-09-25 5:55 Vasily Averin
2020-09-25 7:53 ` kernel test robot
2020-09-25 9:13 ` [PATCH] " kernel test robot
0 siblings, 2 replies; 5+ messages in thread
From: Vasily Averin @ 2020-09-25 5:55 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, Jozsef Kadlecsik, Florian Westphal, David S. Miller
Currently a netadmin inside a non-trusted container can quickly allocate
the whole node's memory via a request for a huge ipset hashtable.
Other ipset-related memory allocations should be restricted too.
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
---
net/netfilter/ipset/ip_set_core.c | 17 +----------------
1 file changed, 1 insertion(+), 16 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 920b7c4..e9fe34a 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -250,22 +250,7 @@ static struct ip_set_net *ip_set_pernet(struct net *net)
void *
ip_set_alloc(size_t size)
{
- void *members = NULL;
-
- if (size < KMALLOC_MAX_SIZE)
- members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
-
- if (members) {
- pr_debug("%p: allocated with kmalloc\n", members);
- return members;
- }
-
- members = vzalloc(size);
- if (!members)
- return NULL;
- pr_debug("%p: allocated with vmalloc\n", members);
-
- return members;
+ return kvzalloc(size, GFP_KERNEL_ALLOC);
}
EXPORT_SYMBOL_GPL(ip_set_alloc);
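Review bot: GFP_KERNEL_ALLOC on the added "return kvzalloc(size, GFP_KERNEL_ALLOC);" line is not a declared GFP flag, so ip_set_core.c does not build with this hunk applied. The build robot's report in this thread shows the compiler suggesting GFP_KERNEL_ACCOUNT, which is the flag the subject line's memory accounting calls for. Please respin with GFP_KERNEL_ACCOUNT and compile net/netfilter/ipset before resending.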
--
1.8.3.1
* Re: [PATCH] ipset: enable memory accounting for ipset allocations
2020-09-25 5:55 [PATCH] ipset: enable memory accounting for ipset allocations Vasily Averin
@ 2020-09-25 7:53 ` kernel test robot
2020-09-25 8:56 ` [PATCH v2] " Vasily Averin
2020-09-25 9:13 ` [PATCH] " kernel test robot
1 sibling, 1 reply; 5+ messages in thread
From: kernel test robot @ 2020-09-25 7:53 UTC (permalink / raw)
To: Vasily Averin, Pablo Neira Ayuso
Cc: kbuild-all, netfilter-devel, Jozsef Kadlecsik, Florian Westphal
[-- Attachment #1: Type: text/plain, Size: 2477 bytes --]
Hi Vasily,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf/master]
[also build test ERROR on nf-next/master ipvs/master v5.9-rc6 next-20200924]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/828ea197585b5e87760b3d5615b52919ab9a3b10
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
git checkout 828ea197585b5e87760b3d5615b52919ab9a3b10
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=xtensa
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All error/warnings (new ones prefixed by >>):
net/netfilter/ipset/ip_set_core.c: In function 'ip_set_alloc':
>> net/netfilter/ipset/ip_set_core.c:253:24: error: 'GFP_KERNEL_ALLOC' undeclared (first use in this function); did you mean 'GFP_KERNEL_ACCOUNT'?
253 | return kvzalloc(size, GFP_KERNEL_ALLOC);
| ^~~~~~~~~~~~~~~~
| GFP_KERNEL_ACCOUNT
net/netfilter/ipset/ip_set_core.c:253:24: note: each undeclared identifier is reported only once for each function it appears in
>> net/netfilter/ipset/ip_set_core.c:254:1: warning: control reaches end of non-void function [-Wreturn-type]
254 | }
| ^
vim +253 net/netfilter/ipset/ip_set_core.c
248
249 /* Utility functions */
250 void *
251 ip_set_alloc(size_t size)
252 {
> 253 return kvzalloc(size, GFP_KERNEL_ALLOC);
> 254 }
255 EXPORT_SYMBOL_GPL(ip_set_alloc);
256
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 65077 bytes --]
* [PATCH v2] ipset: enable memory accounting for ipset allocations
2020-09-25 7:53 ` kernel test robot
@ 2020-09-25 8:56 ` Vasily Averin
2020-10-04 19:09 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Vasily Averin @ 2020-09-25 8:56 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, Jozsef Kadlecsik, Florian Westphal, David S. Miller
Currently a netadmin inside a non-trusted container can quickly allocate
the whole node's memory via a request for a huge ipset hashtable.
Other ipset-related memory allocations should be restricted too.
v2: fixed typo ALLOC -> ACCOUNT
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
---
net/netfilter/ipset/ip_set_core.c | 17 +----------------
1 file changed, 1 insertion(+), 16 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 920b7c4..6f35832 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -250,22 +250,7 @@ static struct ip_set_net *ip_set_pernet(struct net *net)
void *
ip_set_alloc(size_t size)
{
- void *members = NULL;
-
- if (size < KMALLOC_MAX_SIZE)
- members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
-
- if (members) {
- pr_debug("%p: allocated with kmalloc\n", members);
- return members;
- }
-
- members = vzalloc(size);
- if (!members)
- return NULL;
- pr_debug("%p: allocated with vmalloc\n", members);
-
- return members;
+ return kvzalloc(size, GFP_KERNEL_ACCOUNT);
}
EXPORT_SYMBOL_GPL(ip_set_alloc);
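Review bot: the changelog describes only the accounting, but the removed lines also drop the explicit __GFP_NOWARN on the kzalloc() attempt and both pr_debug() traces, and the "size < KMALLOC_MAX_SIZE" test is now left to kvzalloc(). Please state in the commit message that the open-coded kzalloc()/vzalloc() fallback is replaced by kvzalloc(size, GFP_KERNEL_ACCOUNT), and confirm that a failed oversized request still does not emit an allocation-failure warning, since the changelog says the size is driven by a netadmin inside a non-trusted container.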
--
1.8.3.1
* Re: [PATCH] ipset: enable memory accounting for ipset allocations
2020-09-25 5:55 [PATCH] ipset: enable memory accounting for ipset allocations Vasily Averin
2020-09-25 7:53 ` kernel test robot
@ 2020-09-25 9:13 ` kernel test robot
1 sibling, 0 replies; 5+ messages in thread
From: kernel test robot @ 2020-09-25 9:13 UTC (permalink / raw)
To: Vasily Averin, Pablo Neira Ayuso
Cc: kbuild-all, netfilter-devel, Jozsef Kadlecsik, Florian Westphal
[-- Attachment #1: Type: text/plain, Size: 3515 bytes --]
Hi Vasily,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf/master]
[also build test ERROR on nf-next/master ipvs/master v5.9-rc6 next-20200924]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: x86_64-rhel (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce (this is a W=1 build):
# https://github.com/0day-ci/linux/commit/828ea197585b5e87760b3d5615b52919ab9a3b10
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Vasily-Averin/ipset-enable-memory-accounting-for-ipset-allocations/20200925-135627
git checkout 828ea197585b5e87760b3d5615b52919ab9a3b10
# save the attached .config to linux build tree
make W=1 ARCH=x86_64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
net/netfilter/ipset/ip_set_core.c: In function 'ip_set_alloc':
>> net/netfilter/ipset/ip_set_core.c:253:24: error: 'GFP_KERNEL_ALLOC' undeclared (first use in this function); did you mean 'GFP_KERNEL_ACCOUNT'?
253 | return kvzalloc(size, GFP_KERNEL_ALLOC);
| ^~~~~~~~~~~~~~~~
| GFP_KERNEL_ACCOUNT
net/netfilter/ipset/ip_set_core.c:253:24: note: each undeclared identifier is reported only once for each function it appears in
net/netfilter/ipset/ip_set_core.c:254:1: warning: control reaches end of non-void function [-Wreturn-type]
254 | }
| ^
--
>> drivers/gpu/drm/vmwgfx/ttm_object.c:60: error: Cannot parse struct or union!
drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'mem_glob' not described in 'ttm_object_device'
drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'ops' not described in 'ttm_object_device'
drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'dmabuf_release' not described in 'ttm_object_device'
drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'dma_buf_size' not described in 'ttm_object_device'
drivers/gpu/drm/vmwgfx/ttm_object.c:98: warning: Function parameter or member 'idr' not described in 'ttm_object_device'
drivers/gpu/drm/vmwgfx/ttm_object.c:129: warning: Function parameter or member 'rcu_head' not described in 'ttm_ref_object'
drivers/gpu/drm/vmwgfx/ttm_object.c:129: warning: Function parameter or member 'tfile' not described in 'ttm_ref_object'
drivers/gpu/drm/vmwgfx/ttm_object.c:583: warning: Function parameter or member 'dmabuf' not described in 'get_dma_buf_unless_doomed'
drivers/gpu/drm/vmwgfx/ttm_object.c:583: warning: Excess function parameter 'dma_buf' description in 'get_dma_buf_unless_doomed'
vim +253 net/netfilter/ipset/ip_set_core.c
248
249 /* Utility functions */
250 void *
251 ip_set_alloc(size_t size)
252 {
> 253 return kvzalloc(size, GFP_KERNEL_ALLOC);
254 }
255 EXPORT_SYMBOL_GPL(ip_set_alloc);
256
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 45585 bytes --]
* Re: [PATCH v2] ipset: enable memory accounting for ipset allocations
2020-09-25 8:56 ` [PATCH v2] " Vasily Averin
@ 2020-10-04 19:09 ` Pablo Neira Ayuso
0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-10-04 19:09 UTC (permalink / raw)
To: Vasily Averin
Cc: netfilter-devel, Jozsef Kadlecsik, Florian Westphal, David S. Miller
On Fri, Sep 25, 2020 at 11:56:02AM +0300, Vasily Averin wrote:
> Currently a netadmin inside a non-trusted container can quickly allocate
> the whole node's memory via a request for a huge ipset hashtable.
> Other ipset-related memory allocations should be restricted too.
Applied, thanks.