netfilter: ipset: enable memory accounting for ipset allocations

Currently netadmin inside non-trusted container can quickly allocate whole node's memory via request of huge ipset hashtable. Other ipset-related memory allocations should be restricted too. v2: fixed typo ALLOC -> ACCOUNT Signed-off-by: N Vasily Averin <vvs@virtuozzo.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: ipset: enable memory accounting for ipset allocations
Currently netadmin inside non-trusted container can quickly allocate whole node's memory via request of huge ipset hashtable. Other ipset-related memory allocations should be restricted too. v2: fixed typo ALLOC -> ACCOUNT Signed-off-by: N Vasily Averin <vvs@virtuozzo.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
9446ab34 · Vasily Averin · Pablo Neira Ayuso · 82ec6630 · 9446ab34
隐藏空白更改
内联并排

Showing with 1 addition and 16 deletion

net/netfilter/ipset/ip_set_core.c net/netfilter/ipset/ip_set_core.c +1 -16

未找到文件。
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -250,22 +250,7 @@ EXPORT_SYMBOL_GPL(ip_set_type_unregister);
 void *
 ip_set_alloc(size_t size)
 {
-	void *members = NULL;
-
-	if (size < KMALLOC_MAX_SIZE)
-		members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
-
-	if (members) {
-		pr_debug("%p: allocated with kmalloc\n", members);
-		return members;
-	}
-
-	members = vzalloc(size);
-	if (!members)
-		return NULL;
-	pr_debug("%p: allocated with vmalloc\n", members);
-
-	return members;
+	return kvzalloc(size, GFP_KERNEL_ACCOUNT);
 }
 EXPORT_SYMBOL_GPL(ip_set_alloc);