Commit 9446ab34 authored by Vasily Averin, committed by Pablo Neira Ayuso

netfilter: ipset: enable memory accounting for ipset allocations

Currently a netadmin inside a non-trusted container can quickly allocate
the whole node's memory via a request for a huge ipset hashtable.
Other ipset-related memory allocations should be restricted too.

v2: fixed typo ALLOC -> ACCOUNT
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 82ec6630
...@@ -250,22 +250,7 @@ EXPORT_SYMBOL_GPL(ip_set_type_unregister); ...@@ -250,22 +250,7 @@ EXPORT_SYMBOL_GPL(ip_set_type_unregister);
void * void *
ip_set_alloc(size_t size) ip_set_alloc(size_t size)
{ {
void *members = NULL; return kvzalloc(size, GFP_KERNEL_ACCOUNT);
if (size < KMALLOC_MAX_SIZE)
members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
if (members) {
pr_debug("%p: allocated with kmalloc\n", members);
return members;
}
members = vzalloc(size);
if (!members)
return NULL;
pr_debug("%p: allocated with vmalloc\n", members);
return members;
} }
EXPORT_SYMBOL_GPL(ip_set_alloc); EXPORT_SYMBOL_GPL(ip_set_alloc);
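Review bot: In the new body of ip_set_alloc(), the single kvzalloc(size, GFP_KERNEL_ACCOUNT) call can return either a slab or a vmalloc pointer, so every caller has to release it through kvfree(); the free side is not part of this hunk, so please confirm ip_set_free() does that and that no caller uses kfree() or vfree() directly. The switch also drops the explicit __GFP_NOWARN and the two pr_debug() lines, which deserves a word in the commit message. A short comment above ip_set_alloc() stating that the allocation is charged to the caller's memory cgroup would document why GFP_KERNEL_ACCOUNT is used here.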
......