On 23.09.2020 15:54, Vasily Averin wrote:
Currently, root inside a non-trusted network namespace can consume
all of the node's memory for the ipset hashtable.

https://jira.sw.ru/browse/PSBM-108091
Signed-off-by: Vasily Averin <v...@virtuozzo.com>
---
  net/netfilter/ipset/ip_set_core.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

Thanks for the fix!

Do we need something like this in VZ8 as well?


diff --git a/net/netfilter/ipset/ip_set_core.c 
b/net/netfilter/ipset/ip_set_core.c
index 6b93a8978cb2..0fb19b95b507 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -251,14 +251,14 @@ ip_set_alloc(size_t size)
        void *members = NULL;
if (size < KMALLOC_MAX_SIZE)
-               members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
+               members = kzalloc(size, GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
if (members) {
                pr_debug("%p: allocated with kmalloc\n", members);
                return members;
        }
- members = vzalloc(size);
+       members = vzalloc_account(size);
        if (!members)
                return NULL;
        pr_debug("%p: allocated with vmalloc\n", members);
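Review bot: the commit message attributes the problem to root in a non-trusted network namespace, but what this hunk adds is memcg charging (GFP_KERNEL_ACCOUNT on the kzalloc path, vzalloc_account on the vmalloc fallback), so it bounds hashtable memory only when the task issuing the ipset command runs under a memory cgroup limit; it adds no size cap of its own. Suggest saying so in the commit message, e.g. "charge ipset hashtable allocations to the caller's memcg so a limited container cannot exhaust node memory". Two things to verify before taking this further: vzalloc_account is not a helper in the mainline kernel, so confirm the target tree provides it (relevant to the VZ8 question above), and since the kzalloc attempt keeps __GFP_NOWARN and a request of KMALLOC_MAX_SIZE or larger skips it entirely, the vmalloc path is the one that matters for large tables and must be the accounted one.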


_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel