Commit 5bad8734 authored Dec 02, 2016 by Marcelo Ricardo Leitner Committed by Pablo Neira Ayuso Dec 07, 2016

netfilter: x_tables: avoid warn and OOM killer on vmalloc call



Andrey Konovalov reported that this vmalloc call is based on an
userspace request and that it's spewing traces, which may flood the logs
and cause DoS if abused.

Florian Westphal also mentioned that this call should not trigger OOM
killer.

This patch brings the vmalloc call in sync to kmalloc and disables the
warn trace on allocation failure and also disable OOM killer invocation.

Note, however, that under such stress situation, other places may
trigger OOM killer invocation.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 8411b644

net/netfilter/x_tables.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -959,7 +959,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
		if (sz <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
		info = kmalloc(sz, GFP_KERNEL \| __GFP_NOWARN \| __GFP_NORETRY);
		if (!info) {
		info = vmalloc(sz);
		info = __vmalloc(sz, GFP_KERNEL \| __GFP_NOWARN \|
		__GFP_NORETRY \| __GFP_HIGHMEM,
		PAGE_KERNEL);
		if (!info)
		return NULL;
		}

Admin message