netfilter: ipset: enable memory accounting for ipset allocations
Currently a netadmin inside a non-trusted container can quickly allocate the whole node's memory by requesting a huge ipset hashtable. Other ipset-related memory allocations should be restricted too. v2: fixed typo ALLOC -> ACCOUNT Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
82ec6630f9
commit
9446ab34ac
@ -250,22 +250,7 @@ EXPORT_SYMBOL_GPL(ip_set_type_unregister);
|
|||||||
void *
|
void *
|
||||||
ip_set_alloc(size_t size)
|
ip_set_alloc(size_t size)
|
||||||
{
|
{
|
||||||
void *members = NULL;
|
return kvzalloc(size, GFP_KERNEL_ACCOUNT);
|
||||||
|
|
||||||
if (size < KMALLOC_MAX_SIZE)
|
|
||||||
members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
|
|
||||||
|
|
||||||
if (members) {
|
|
||||||
pr_debug("%p: allocated with kmalloc\n", members);
|
|
||||||
return members;
|
|
||||||
}
|
|
||||||
|
|
||||||
members = vzalloc(size);
|
|
||||||
if (!members)
|
|
||||||
return NULL;
|
|
||||||
pr_debug("%p: allocated with vmalloc\n", members);
|
|
||||||
|
|
||||||
return members;
|
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(ip_set_alloc);
|
EXPORT_SYMBOL_GPL(ip_set_alloc);
|
||||||
|
|
||||||
|
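Review bot: The new `return kvzalloc(size, GFP_KERNEL_ACCOUNT);` line carries the whole point of the change but nothing in the function says why the accounting flag is there, so a later cleanup could drop it back to GFP_KERNEL without noticing; a one-line comment above it would pin the intent: `/* Charge to the caller's memcg so an unprivileged netadmin cannot exhaust node memory with a huge set. */`. Whether the vmalloc fallback inside kvzalloc honours __GFP_ACCOUNT depends on the kernel version; on trees where it does not, only the kmalloc path is charged and the large-hashtable case the commit message targets would still be unaccounted, which is worth confirming for the target tree. The accounting also only limits anything when the container's memory cgroup actually has a limit configured, so the fix complements rather than replaces cgroup configuration. The matching release path is outside the hunk; it needs to stay a kvfree-style release so both kmalloc- and vmalloc-backed buffers are handled.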