From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf-next 7/9] netfilter: nf_tables: allow large allocations for new sets
Date: Wed, 24 May 2017 11:50:51 +0200
Message-ID: <1495619453-22307-8-git-send-email-pablo@netfilter.org>
In-Reply-To: <1495619453-22307-1-git-send-email-pablo@netfilter.org>

The new fixed size hashtable backend implementation may result in a
large array of buckets that would spew splats from mm. Update this code
to fall back on vmalloc in case the memory allocation order is too
costly.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2969016d8cad..0e54090caa8a 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -13,6 +13,7 @@
#include <linux/list.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
+#include <linux/vmalloc.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nf_tables.h>
@@ -2909,13 +2910,13 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
{
const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
u8 genmask = nft_genmask_next(net);
+ unsigned int size, alloc_size;
const struct nft_set_ops *ops;
struct nft_af_info *afi;
struct nft_table *table;
struct nft_set *set;
struct nft_ctx ctx;
char name[NFT_SET_MAXNAMELEN];
- unsigned int size;
bool create;
u64 timeout;
u32 ktype, dtype, flags, policy, gc_int, objtype;
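Review bot: alloc_size is declared unsigned int in this hunk, but further down it receives sizeof(*set) + size + udlen, where size comes from ops->privsize(). With the large bucket arrays this patch is meant to allow, that sum can wrap or be truncated to 32 bits, and the set would then be allocated smaller than the backend expects. Consider making alloc_size a size_t and rejecting a sum that overflows before picking an allocator.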
@@ -3031,6 +3032,8 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
if (IS_ERR(set)) {
if (PTR_ERR(set) != -ENOENT)
return PTR_ERR(set);
+
+ set = NULL;
} else {
if (nlh->nlmsg_flags & NLM_F_EXCL)
return -EEXIST;
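Review bot: the added set = NULL; in the -ENOENT branch has no reason visible at this point in the function. It is needed only because the later allocation code tests set == NULL after a kzalloc() call that may be skipped, and set would otherwise still hold the ERR_PTR value. Add a short comment here, or reset set immediately before the allocation, so the dependency is not lost in a later refactor.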
@@ -3054,10 +3057,16 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
if (ops->privsize != NULL)
size = ops->privsize(nla, &desc);
- err = -ENOMEM;
- set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
+ alloc_size = sizeof(*set) + size + udlen;
+ if (alloc_size <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
+ set = kzalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN |
+ __GFP_NORETRY);
if (set == NULL)
+ set = vzalloc(alloc_size);
+ if (set == NULL) {
+ err = -ENOMEM;
goto err1;
+ }
nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
err = nf_tables_set_alloc_name(&ctx, set, name);
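Review bot: the kzalloc()-then-vzalloc() fallback is open-coded here, with the PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER threshold and the __GFP_NOWARN | __GFP_NORETRY flags chosen by hand. If the target tree carries the kvzalloc() helper, set = kvzalloc(alloc_size, GFP_KERNEL); expresses the same policy in one call and removes the reliance on set being NULL when the size check skips kzalloc(). If the open-coded form stays, a comment on why the costly-order threshold is the cut-off would help.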
@@ -3100,7 +3109,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
err3:
ops->destroy(set);
err2:
- kfree(set);
+ kvfree(set);
err1:
module_put(ops->type->owner);
return err;
@@ -3110,7 +3119,7 @@ static void nft_set_destroy(struct nft_set *set)
{
set->ops->destroy(set);
module_put(set->ops->type->owner);
- kfree(set);
+ kvfree(set);
}
static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
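Review bot: only two free sites are converted to kvfree() in this patch, the err2 label in nf_tables_newset() and nft_set_destroy(). Once a set can come from vzalloc(), any remaining kfree(set) elsewhere would hand a vmalloc address to the slab allocator, so please confirm in the changelog that no other path frees a struct nft_set directly, and that callers of nft_set_destroy() run in a context where freeing vmalloc memory is allowed.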
--
2.1.4