Date: Mon, 28 Feb 2022 13:24:29 +0100
From: Florian Westphal To: Vasily Averin Cc: Roman Gushchin , Linux MM , kernel@openvz.org, netfilter-devel@vger.kernel.org, Pablo Neira Ayuso , Florian Westphal , Jozsef Kadlecsik Subject: Re: [PATCH RFC] memcg: Enable accounting for nft objects Message-ID: <20220228122429.GC26547@breakpoint.cc> In-Reply-To: <81d734aa-7a0f-81b4-34fb-516b17673eac@virtuozzo.com>
Vasily Averin wrote: > nftables replaces iptables but still lacks memcg accounting. >=20 > This patch accounts most part of nft-related allocation and should protect host from nft misuse > inside memcg-limited container. >=20 > Signed-off-by: Vasily Averin > --- > net/netfilter/core.c | 2 +- > net/netfilter/nf_tables_api.c | 51 +++++++++++++++++++---------------- > 2 files changed, 29 insertions(+), 24 deletions(-) >=20 > diff --git a/net/netfilter/core.c b/net/netfilter/core.c > index 354cb472f386..6a2b57774999 100644 > --- a/net/netfilter/core.c > +++ b/net/netfilter/core.c > @@ -58,7 +58,7 @@ static struct nf_hook_entries *allocate_hook_entries_si= ze(u16 num) > if (num =3D=3D 0) > return NULL; > - e =3D kvzalloc(alloc, GFP_KERNEL); > + e =3D kvzalloc(alloc, GFP_KERNEL_ACCOUNT); makes sense to me. 
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 5fa16990da95..5e1987ec9715 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -149,7 +149,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const st= ruct nft_ctx *ctx, > { > struct nft_trans *trans; > - trans =3D kzalloc(sizeof(struct nft_trans) + size, gfp); > + trans =3D kzalloc(sizeof(struct nft_trans) + size, gfp | __GFP_ACCOUNT); trans_alloc is temporary in nature, they are always free'd by the time syscall returns (else, bug). > @@ -1084,6 +1084,7 @@ static int nf_tables_newtable(struct sk_buff *skb, = const struct nfnl_info *info, > struct nft_table *table; > struct nft_ctx ctx; > u32 flags =3D 0; > + gfp_t gfp =3D GFP_KERNEL_ACCOUNT; > int err; > lockdep_assert_held(&nft_net->commit_mutex); > @@ -1113,16 +1114,16 @@ static int nf_tables_newtable(struct sk_buff *skb= , const struct nfnl_info *info, > } > err =3D -ENOMEM; > - table =3D kzalloc(sizeof(*table), GFP_KERNEL); > + table =3D kzalloc(sizeof(*table), gfp); Why gfp temporary variable? Readability? The subsititution looks correct. Rest looks good, you might need to update nft_limit_init() and a few other stateful expressions that alloc internal data too.
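Review bot: The core.c hunk changes allocate_hook_entries_size(), which lives in the generic netfilter hook code and is used by every net hook registration, not only by nftables, so the commit message ("nft-related allocation") understates its scope; the charge goes to the memcg of the task doing the registration, which means hooks registered from module init or kernel threads land in the root cgroup, and that is fine, but it is worth saying explicitly that iptables and other hook users are now accounted as well.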
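Review bot: In nft_trans_alloc_gfp(), `trans =3D kzalloc(sizeof(struct nft_trans) + size, gfp | __GFP_ACCOUNT);` ORs the flag into a caller-supplied gfp unconditionally, so every caller, whatever gfp it passes, becomes accounted; given that these objects are freed before the syscall returns, the only case where the charge does anything is a single large batch creating many transactions at once, so the commit message should state whether bounding that peak is the intent, otherwise this hunk could be dropped.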
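Review bot: In nf_tables_newtable() the new local `gfp_t gfp =3D GFP_KERNEL_ACCOUNT;` is never reassigned in the visible lines, so `table =3D kzalloc(sizeof(*table), gfp);` could pass GFP_KERNEL_ACCOUNT directly, as the core.c hunk does; if the variable is meant to be reused by later allocations in the same function (the table name string, for example), the diff should include those uses or the commit message should say so, otherwise the extra variable only hides the flag from the reader.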