From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Pablo Neira Ayuso <pablo@netfilter.org>,
Bin Lan <lanbincn@139.com>
Subject: [PATCH 6.6 19/25] netfilter: nf_tables: missing objects with no memcg accounting
Date: Fri, 13 Feb 2026 14:48:45 +0100 [thread overview]
Message-ID: <20260213134704.582003651@linuxfoundation.org> (raw)
In-Reply-To: <20260213134703.882698935@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 69e687cea79fc99a17dfb0116c8644b9391b915e upstream.
Several ruleset objects are still not using GFP_KERNEL_ACCOUNT for
memory accounting, update them. This includes:
- catchall elements
- compat match large info area
- log prefix
- meta secctx
- numgen counters
- pipapo set backend datastructure
- tunnel private objects
Fixes: 33758c891479 ("memcg: enable accounting for nft objects")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[ Adjust context ]
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nft_compat.c | 6 +++---
net/netfilter/nft_log.c | 2 +-
net/netfilter/nft_meta.c | 2 +-
net/netfilter/nft_numgen.c | 2 +-
net/netfilter/nft_set_pipapo.c | 10 +++++-----
net/netfilter/nft_tunnel.c | 5 +++--
7 files changed, 15 insertions(+), 14 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6615,7 +6615,7 @@ static int nft_setelem_catchall_insert(c
}
}
- catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
+ catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT);
if (!catchall)
return -ENOMEM;
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -535,7 +535,7 @@ nft_match_large_init(const struct nft_ct
struct xt_match *m = expr->ops->data;
int ret;
- priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL);
+ priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL_ACCOUNT);
if (!priv->info)
return -ENOMEM;
@@ -808,7 +808,7 @@ nft_match_select_ops(const struct nft_ct
goto err;
}
- ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
+ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL_ACCOUNT);
if (!ops) {
err = -ENOMEM;
goto err;
@@ -898,7 +898,7 @@ nft_target_select_ops(const struct nft_c
goto err;
}
- ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
+ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL_ACCOUNT);
if (!ops) {
err = -ENOMEM;
goto err;
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -163,7 +163,7 @@ static int nft_log_init(const struct nft
nla = tb[NFTA_LOG_PREFIX];
if (nla != NULL) {
- priv->prefix = kmalloc(nla_len(nla) + 1, GFP_KERNEL);
+ priv->prefix = kmalloc(nla_len(nla) + 1, GFP_KERNEL_ACCOUNT);
if (priv->prefix == NULL)
return -ENOMEM;
nla_strscpy(priv->prefix, nla, nla_len(nla) + 1);
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -952,7 +952,7 @@ static int nft_secmark_obj_init(const st
if (tb[NFTA_SECMARK_CTX] == NULL)
return -EINVAL;
- priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL);
+ priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL_ACCOUNT);
if (!priv->ctx)
return -ENOMEM;
--- a/net/netfilter/nft_numgen.c
+++ b/net/netfilter/nft_numgen.c
@@ -66,7 +66,7 @@ static int nft_ng_inc_init(const struct
if (priv->offset + priv->modulus - 1 < priv->offset)
return -EOVERFLOW;
- priv->counter = kmalloc(sizeof(*priv->counter), GFP_KERNEL);
+ priv->counter = kmalloc(sizeof(*priv->counter), GFP_KERNEL_ACCOUNT);
if (!priv->counter)
return -ENOMEM;
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -874,7 +874,7 @@ static void pipapo_lt_bits_adjust(struct
return;
}
- new_lt = kvzalloc(lt_size + NFT_PIPAPO_ALIGN_HEADROOM, GFP_KERNEL);
+ new_lt = kvzalloc(lt_size + NFT_PIPAPO_ALIGN_HEADROOM, GFP_KERNEL_ACCOUNT);
if (!new_lt)
return;
@@ -1150,7 +1150,7 @@ static int pipapo_realloc_scratch(struct
scratch = kzalloc_node(struct_size(scratch, map,
bsize_max * 2) +
NFT_PIPAPO_ALIGN_HEADROOM,
- GFP_KERNEL, cpu_to_node(i));
+ GFP_KERNEL_ACCOUNT, cpu_to_node(i));
if (!scratch) {
/* On failure, there's no need to undo previous
* allocations: this means that some scratch maps have
@@ -1323,7 +1323,7 @@ static struct nft_pipapo_match *pipapo_c
struct nft_pipapo_match *new;
int i;
- new = kmalloc(struct_size(new, f, old->field_count), GFP_KERNEL);
+ new = kmalloc(struct_size(new, f, old->field_count), GFP_KERNEL_ACCOUNT);
if (!new)
return ERR_PTR(-ENOMEM);
@@ -1353,7 +1353,7 @@ static struct nft_pipapo_match *pipapo_c
new_lt = kvzalloc(src->groups * NFT_PIPAPO_BUCKETS(src->bb) *
src->bsize * sizeof(*dst->lt) +
NFT_PIPAPO_ALIGN_HEADROOM,
- GFP_KERNEL);
+ GFP_KERNEL_ACCOUNT);
if (!new_lt)
goto out_lt;
@@ -1367,7 +1367,7 @@ static struct nft_pipapo_match *pipapo_c
if (src->rules > (INT_MAX / sizeof(*src->mt)))
goto out_mt;
- dst->mt = kvmalloc(src->rules * sizeof(*src->mt), GFP_KERNEL);
+ dst->mt = kvmalloc(src->rules * sizeof(*src->mt), GFP_KERNEL_ACCOUNT);
if (!dst->mt)
goto out_mt;
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -503,13 +503,14 @@ static int nft_tunnel_obj_init(const str
return err;
}
- md = metadata_dst_alloc(priv->opts.len, METADATA_IP_TUNNEL, GFP_KERNEL);
+ md = metadata_dst_alloc(priv->opts.len, METADATA_IP_TUNNEL,
+ GFP_KERNEL_ACCOUNT);
if (!md)
return -ENOMEM;
memcpy(&md->u.tun_info, &info, sizeof(info));
#ifdef CONFIG_DST_CACHE
- err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL);
+ err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL_ACCOUNT);
if (err < 0) {
metadata_dst_free(md);
return err;
next prev parent reply other threads:[~2026-02-13 13:57 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-13 13:48 [PATCH 6.6 00/25] 6.6.125-rc1 review Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 01/25] smb: client: split cached_fid bitfields to avoid shared-byte RMW races Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 02/25] ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 03/25] smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 04/25] driver core: enforce device_lock for driver_match_device() Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 05/25] Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 06/25] crypto: octeontx - Fix length check to avoid truncation in ucode_load_store Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 07/25] crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 08/25] crypto: virtio - Add spinlock protection with virtqueue notification Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 09/25] crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 10/25] nilfs2: Fix potential block overflow that cause system hang Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 11/25] wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 12/25] scsi: qla2xxx: Validate sp before freeing associated memory Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 13/25] scsi: qla2xxx: Allow recovery for tape devices Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 14/25] scsi: qla2xxx: Delay module unload while fabric scan in progress Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 15/25] scsi: qla2xxx: Free sp in error path to fix system crash Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 16/25] scsi: qla2xxx: Query FW again before proceeding with login Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 17/25] net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 18/25] nfsd: dont ignore the return code of svc_proc_register() Greg Kroah-Hartman
2026-02-13 13:48 ` Greg Kroah-Hartman [this message]
2026-02-13 13:48 ` [PATCH 6.6 20/25] netfilter: nft_set_pipapo: prevent overflow in lookup table allocation Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 21/25] vsock/test: verify socket options after setting them Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 22/25] spi: cadence-quadspi: Implement refcount to handle unbind during busy Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 23/25] selftests: mptcp: pm: ensure unknown flags are ignored Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 24/25] mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.6 25/25] gpio: omap: do not register driver in probe() Greg Kroah-Hartman
2026-02-13 18:53 ` [PATCH 6.6 00/25] 6.6.125-rc1 review Florian Fainelli
2026-02-13 19:20 ` Jon Hunter
2026-02-14 1:05 ` Peter Schneider
2026-02-14 10:49 ` Ron Economos
2026-02-14 16:02 ` Brett A C Sheffield
2026-02-15 0:03 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260213134704.582003651@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=lanbincn@139.com \
--cc=pablo@netfilter.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.