Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp729683imm; Thu, 13 Sep 2018 06:57:15 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdb1buALE4WemAv/RU34/aOCBeRqNFjIlUsmxonutnthKQ/aRw5rpEbokgWhTkxomgbB6Zrx X-Received: by 2002:a62:f610:: with SMTP id x16-v6mr7526679pfh.169.1536847035679; Thu, 13 Sep 2018 06:57:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536847035; cv=none; d=google.com; s=arc-20160816; b=PyuYxyueCjkpnJl2H/VeIjoix8pVRuTIr01dQPGBcKUqgM9ewmCnmz6gOBVq+znHKL a1ZSB9+wMLY/ClQVRowfegw+MWrPswZOcm+CVxlqP+w4mfJqS8kdiKJbf6UapvrwHz5Q Zh4ILjeQauFUurkCou+9ilHw7E6KMaBJx9zaPWEw/NSUBJiV10g+XLaYkaytEUiWjst+ /u64Jf5IsKHq8a6dq4xE5nUXBOuQVpPSQcyOLVdoBJDWN5YMkw9gI+ZkTKKpzbsdvDTs ZvmELqSDR4DVFKNFOKo3yHIs71FyockuVYXjbtTdmArbIRkdWrfXJAcrfEVjGzCifeqb SW+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=T0TnTdE1fDE3YdbXBHp2AC2gyE8I4JWpLQi0RPdRoLk=; b=d9fESjD16GFmwbZ/811HlGbXLkjIrh+9+k4FLaUqP0zGdulq3ozgGJePzJBHIb99w6 xpbHF2Pot6tWzkPh49cOde+ec0pHwvW+zGBVSurxY8FBvmyJMtubrlvtJHQzLxZKiRQJ n0Vi6oV/jUXpOoLqQjnuZNOR6KMwjmuCOPk9zHWs+dWN6wI6EaCQKjM+jX1P6GsiilK3 CLEckp06+5Z+I+YUbrwaTFAaSBrei+/DtcGHw2kNlY1O+vhDe/HRD1Pe7bPS1goalMcR nqnMeD0cGRAku4nQ/VI+o3c1osZS49kFLnKblPchJUd2uYhw2NS+fqtDAk7tiLFPo3Sj zdXg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n1-v6si4213715pfe.66.2018.09.13.06.57.01; Thu, 13 Sep 2018 06:57:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731417AbeIMTGU (ORCPT + 99 others); Thu, 13 Sep 2018 15:06:20 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:34202 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730337AbeIMTGT (ORCPT ); Thu, 13 Sep 2018 15:06:19 -0400 Received: from localhost (ip-213-127-77-73.ip.prioritytelecom.net [213.127.77.73]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id A825CD10; Thu, 13 Sep 2018 13:56:42 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Georgi Nikolov , Vlastimil Babka , Florian Westphal , Michal Hocko , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.18 073/197] netfilter: x_tables: do not fail xt_alloc_table_info too easilly Date: Thu, 13 Sep 2018 15:30:22 +0200 Message-Id: <20180913131844.446697748@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20180913131841.568116777@linuxfoundation.org> References: <20180913131841.568116777@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Michal Hocko [ Upstream commit a148ce15375fc664ad64762c751c0c2aecb2cafe ] eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() in xt_alloc_table_info()") has unintentionally fortified xt_alloc_table_info allocation when __GFP_RETRY has been dropped from the vmalloc fallback. Later on there was a syzbot report that this can lead to OOM killer invocations when tables are too large and 0537250fdc6c ("netfilter: x_tables: make allocation less aggressive") has been merged to restore the original behavior. Georgi Nikolov however noticed that he is not able to install his iptables anymore so this can be seen as a regression. The primary argument for 0537250fdc6c was that this allocation path shouldn't really trigger the OOM killer and kill innocent tasks. On the other hand the interface requires root and as such should allow what the admin asks for. Root inside a namespaces makes this more complicated because those might be not trusted in general. If they are not then such namespaces should be restricted anyway. Therefore drop the __GFP_NORETRY and replace it by __GFP_ACCOUNT to enfore memcg constrains on it. Fixes: 0537250fdc6c ("netfilter: x_tables: make allocation less aggressive") Reported-by: Georgi Nikolov Suggested-by: Vlastimil Babka Acked-by: Florian Westphal Signed-off-by: Michal Hocko Acked-by: Vlastimil Babka Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/netfilter/x_tables.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -1178,12 +1178,7 @@ struct xt_table_info *xt_alloc_table_inf if (sz < sizeof(*info) || sz >= XT_MAX_TABLE_SIZE) return NULL; - /* __GFP_NORETRY is not fully supported by kvmalloc but it should - * work reasonably well if sz is too large and bail out rather - * than shoot all processes down before realizing there is nothing - * more to reclaim. - */ - info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY); + info = kvmalloc(sz, GFP_KERNEL_ACCOUNT); if (!info) return NULL;