On Thu 02-08-18 11:25:49, Pablo Neira Ayuso wrote:
> On Thu, Aug 02, 2018 at 10:50:43AM +0200, Michal Hocko wrote:
[...]
> > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> > index d0d8397c9588..b769408e04ab 100644
> > --- a/net/netfilter/x_tables.c
> > +++ b/net/netfilter/x_tables.c
> > @@ -1178,12 +1178,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
> > if (sz < sizeof(*info) || sz >= XT_MAX_TABLE_SIZE)
> > return NULL;
> >
> > - /* __GFP_NORETRY is not fully supported by kvmalloc but it should
> > - * work reasonably well if sz is too large and bail out rather
> > - * than shoot all processes down before realizing there is nothing
> > - * more to reclaim.
> > - */
> > - info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
> > + info = kvmalloc(sz, GFP_KERNEL | __GFP_ACCOUNT);
>
> I guess the large number of cgroups match is helping to consume a lot
> of memory very quickly? We have a PATH_MAX in struct xt_cgroup_info_v1.

I really fail to see how that is related to the patch here.

--
Michal Hocko
SUSE Labs
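Review bot: dropping __GFP_NORETRY together with the comment that justified it leaves the xt_alloc_table_info() hunk with no in-code explanation of why a request just under XT_MAX_TABLE_SIZE may now go through full reclaim instead of bailing out, which is exactly the concern the removed comment described. __GFP_ACCOUNT only changes who is charged for the memory (the caller's memory cgroup); it does not by itself restore the early-failure behaviour. Either keep both flags, `info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY | __GFP_ACCOUNT);`, or replace the deleted comment with one stating that the `sz >= XT_MAX_TABLE_SIZE` check above is the intended bound and that cgroup accounting is what now limits an unprivileged caller, so the next reader does not have to reconstruct the reasoning from the mailing list.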