Date: Fri, 11 Jan 2019 00:57:46 +0100
From: Pablo Neira Ayuso
To: Shakeel Butt
Cc: Michal Hocko, Andrew Morton, Florian Westphal, Kirill Tkhai, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com, Jozsef Kadlecsik, Roopa Prabhu, Nikolay Aleksandrov, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux-foundation.org
Subject: Re: [PATCH v2] netfilter: account ebt_table_info to kmemcg
Message-ID: <20190110235746.65mp4kgyscgjhktl@salvia>
In-Reply-To: <20190103031431.247970-1-shakeelb@google.com>

On Wed, Jan 02, 2019 at 07:14:31PM -0800, Shakeel Butt wrote:
> The [ip,ip6,arp]_tables use x_tables_info internally and the underlying
> memory is already accounted to kmemcg. Do the same for ebtables. The
> syzbot, by using setsockopt(EBT_SO_SET_ENTRIES), was able to OOM the
> whole system from a restricted memcg, a potential DoS.
>
> By accounting the ebt_table_info, the memory used for ebt_table_info can
> be contained within the memcg of the allocating process. However the
> lifetime of ebt_table_info is independent of the allocating process and
> is tied to the network namespace. So, the oom-killer will not be able to
> relieve the memory pressure due to ebt_table_info memory. The memory for
> ebt_table_info is allocated through vmalloc. Currently vmalloc does not
> handle the oom-killed allocating process correctly and one large
> allocation can bypass memcg limit enforcement. So, with this patch,
> at least the small allocations will be contained. For large allocations,
> we need to fix vmalloc.

OK, patch is applied, thanks.
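
The accounting and lifetime behaviour described in the quoted commit message, as an added userspace illustration that is not part of the original thread and is not kernel code. Every struct, function and size below is hypothetical, and the vmalloc large-allocation bypass mentioned in the message is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy userspace model, NOT kernel code; all names and sizes are constructed. */
struct memcg { size_t limit, usage; };
struct host  { size_t total, used; };
struct netns { size_t table_bytes, charged; struct memcg *cg; };

/* Allocate table memory owned by `ns` for a task running in `cg`.
 * accounted=false charges nothing; accounted=true charges `cg` up to its limit. */
static bool table_alloc(struct host *h, struct netns *ns, struct memcg *cg,
                        size_t size, bool accounted)
{
    if (size > h->total - h->used) return false;        /* host out of memory */
    if (accounted) {
        if (size > cg->limit - cg->usage) return false; /* memcg limit enforced */
        cg->usage += size;
        ns->charged += size;
        ns->cg = cg;
    }
    h->used += size;
    ns->table_bytes += size;
    return true;
}

/* OOM-kill a task: only its private memory is freed. The table is owned by
 * the netns, so its charge stays. Returns the memcg usage left afterwards. */
static size_t oom_kill_task(struct host *h, struct memcg *cg, size_t task_private)
{
    h->used -= task_private;
    cg->usage -= task_private;
    return cg->usage;
}

/* Tearing down the namespace is what frees the table and drops the charge. */
static void netns_destroy(struct host *h, struct netns *ns)
{
    h->used -= ns->table_bytes;
    if (ns->cg) ns->cg->usage -= ns->charged;
    ns->table_bytes = ns->charged = 0;
    ns->cg = NULL;
}

/* Allocate `chunk`-sized tables until one fails; return host bytes consumed. */
static size_t fill(bool accounted, size_t host_total, size_t cg_limit, size_t chunk)
{
    struct host h = { host_total, 0 }; struct memcg cg = { cg_limit, 0 };
    struct netns ns = { 0, 0, NULL };
    while (chunk && table_alloc(&h, &ns, &cg, chunk, accounted)) { }
    return h.used;
}
```

With a 1024-byte host and a 64-byte memcg limit, the unaccounted fill stops only when the host is exhausted, while the accounted fill stops at the memcg limit.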