Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: nf_tables: missing objects with no memcg accounting

Several ruleset objects are still not using GFP_KERNEL_ACCOUNT for
memory accounting, update them. This includes:

- catchall elements
- compat match large info area
- log prefix
- meta secctx
- numgen counters
- pipapo set backend datastructure
- tunnel private objects

Fixes: 33758c891479 ("memcg: enable accounting for nft objects")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+17 -15
+1 -1
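--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6684,7 +6684,7 @@
 }
 }
 
-catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
+catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT);
 if (!catchall)
 return -ENOMEM;
 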
+3 -3
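--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -535,7 +535,7 @@
 struct xt_match *m = expr->ops->data;
 int ret;
 
-priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL);
+priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL_ACCOUNT);
 if (!priv->info)
 return -ENOMEM;
 
@@ -808,7 +808,7 @@
 goto err;
 }
 
-ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
+ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL_ACCOUNT);
 if (!ops) {
 err = -ENOMEM;
 goto err;
@@ -898,7 +898,7 @@
 goto err;
 }
 
-ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
+ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL_ACCOUNT);
 if (!ops) {
 err = -ENOMEM;
 goto err;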
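Review bot: The two `ops = kzalloc(sizeof(struct nft_expr_ops), ...)` sites in the second and third hunks are also switched to GFP_KERNEL_ACCOUNT, but the commit description lists only the "compat match large info area" for this file. These allocations appear to sit on a path driven by ruleset updates, so charging them to the caller's memory cgroup fits the rest of the change; the description should say so, for example by adding `- compat match/target expression ops` to the list (which hunk belongs to the match path and which to the target path is not visible here). The enclosing functions start and end outside the hunks.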
+1 -1
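--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -163,7 +163,7 @@
 
 nla = tb[NFTA_LOG_PREFIX];
 if (nla != NULL) {
-priv->prefix = kmalloc(nla_len(nla) + 1, GFP_KERNEL);
+priv->prefix = kmalloc(nla_len(nla) + 1, GFP_KERNEL_ACCOUNT);
 if (priv->prefix == NULL)
 return -ENOMEM;
 nla_strscpy(priv->prefix, nla, nla_len(nla) + 1);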
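Review bot: The prefix allocation still spells the length `nla_len(nla) + 1` twice, once for `kmalloc()` and once for `nla_strscpy()`, so the buffer size and the copy bound are kept in step by hand. The nft_meta.c change on this page uses `nla_strdup()` for the same job; `priv->prefix = nla_strdup(nla, GFP_KERNEL_ACCOUNT);` followed by the existing NULL check would size, copy and terminate in one call and should yield the same string. The length comes from a netlink attribute, so its upper bound depends on the attribute policy, which is outside this hunk. The function body continues beyond the hunk.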
+1 -1
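--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -952,7 +952,7 @@
 if (tb[NFTA_SECMARK_CTX] == NULL)
 return -EINVAL;
 
-priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL);
+priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL_ACCOUNT);
 if (!priv->ctx)
 return -ENOMEM;
 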
+1 -1
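--- a/net/netfilter/nft_numgen.c
+++ b/net/netfilter/nft_numgen.c
@@ -66,7 +66,7 @@
 if (priv->offset + priv->modulus - 1 < priv->offset)
 return -EOVERFLOW;
 
-priv->counter = kmalloc(sizeof(*priv->counter), GFP_KERNEL);
+priv->counter = kmalloc(sizeof(*priv->counter), GFP_KERNEL_ACCOUNT);
 if (!priv->counter)
 return -ENOMEM;
 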
+7 -6
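--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -663,7 +663,7 @@
 check_add_overflow(rules, extra, &rules_alloc))
 return -EOVERFLOW;
 
-new_mt = kvmalloc_array(rules_alloc, sizeof(*new_mt), GFP_KERNEL);
+new_mt = kvmalloc_array(rules_alloc, sizeof(*new_mt), GFP_KERNEL_ACCOUNT);
 if (!new_mt)
 return -ENOMEM;
 
@@ -936,7 +936,7 @@
 return;
 }
 
-new_lt = kvzalloc(lt_size + NFT_PIPAPO_ALIGN_HEADROOM, GFP_KERNEL);
+new_lt = kvzalloc(lt_size + NFT_PIPAPO_ALIGN_HEADROOM, GFP_KERNEL_ACCOUNT);
 if (!new_lt)
 return;
 
@@ -1212,7 +1212,7 @@
 scratch = kzalloc_node(struct_size(scratch, map,
 bsize_max * 2) +
 NFT_PIPAPO_ALIGN_HEADROOM,
-GFP_KERNEL, cpu_to_node(i));
+GFP_KERNEL_ACCOUNT, cpu_to_node(i));
 if (!scratch) {
 /* On failure, there's no need to undo previous
 * allocations: this means that some scratch maps have
@@ -1427,7 +1427,7 @@
 struct nft_pipapo_match *new;
 int i;
 
-new = kmalloc(struct_size(new, f, old->field_count), GFP_KERNEL);
+new = kmalloc(struct_size(new, f, old->field_count), GFP_KERNEL_ACCOUNT);
 if (!new)
 return NULL;
 
@@ -1457,7 +1457,7 @@
 new_lt = kvzalloc(src->groups * NFT_PIPAPO_BUCKETS(src->bb) *
 src->bsize * sizeof(*dst->lt) +
 NFT_PIPAPO_ALIGN_HEADROOM,
-GFP_KERNEL);
+GFP_KERNEL_ACCOUNT);
 if (!new_lt)
 goto out_lt;
 
@@ -1470,7 +1470,8 @@
 
 if (src->rules > 0) {
 dst->mt = kvmalloc_array(src->rules_alloc,
-sizeof(*src->mt), GFP_KERNEL);
+sizeof(*src->mt),
+GFP_KERNEL_ACCOUNT);
 if (!dst->mt)
 goto out_mt;
 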
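Review bot: In the hunk that clones the lookup table, the size passed to `kvzalloc()` is an unchecked product, `src->groups * NFT_PIPAPO_BUCKETS(src->bb) * src->bsize * sizeof(*dst->lt) + NFT_PIPAPO_ALIGN_HEADROOM`, whereas the first hunk guards its count with `check_add_overflow()` and the scratch and match allocations go through `struct_size()`. The operands are copied from an existing field, so they were presumably validated when that table was built, but nothing in the hunk shows it, and a wrapped size would produce a table shorter than the code filling it expects. Writing the size with the saturating helpers, `size_add(size_mul(size_mul(src->groups, NFT_PIPAPO_BUCKETS(src->bb)), size_mul(src->bsize, sizeof(*dst->lt))), NFT_PIPAPO_ALIGN_HEADROOM)`, makes the allocation fail instead. The same may apply to `lt_size` in the second hunk, which is computed outside it, and the enclosing functions start and end outside the hunks.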
+3 -2
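--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -509,13 +509,14 @@
 return err;
 }
 
-md = metadata_dst_alloc(priv->opts.len, METADATA_IP_TUNNEL, GFP_KERNEL);
+md = metadata_dst_alloc(priv->opts.len, METADATA_IP_TUNNEL,
+GFP_KERNEL_ACCOUNT);
 if (!md)
 return -ENOMEM;
 
 memcpy(&md->u.tun_info, &info, sizeof(info));
 #ifdef CONFIG_DST_CACHE
-err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL);
+err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL_ACCOUNT);
 if (err < 0) {
 metadata_dst_free(md);
 return err;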