On Mon, Feb 28, 2022 at 10:17:16AM +0300, Vasily Averin wrote:
> Following one-liner running inside memcg-limited container consumes
> huge number of host memory and can trigger global OOM.
>
> for i in `seq 1 xxx` ; do ip l a v$i type veth peer name vp$i ; done
>
> Patch accounts most part of these allocations and can protect host.
> ---[cut]---
> It is not polished, and perhaps should be splitted.
> obviously it affects other kind of netdevices too.
> Unfortunately I'm not sure that I will have enough time to handle it properly
> and decided to publish current patch version as is.
> OpenVz workaround it by using per-container limit for number of
> available netdevices, but upstream does not have any kind of
> per-container configuration.
> ------
Should this just be a new ucount limit on kernel/ucount.c and have veth
use something like inc_ucount(current_user_ns(), current_euid(), UCOUNT_VETH)?
This might be abusing ucounts though, not sure, Eric?
Luis
>
> Signed-off-by: Vasily Averin <vvs@xxxxxxxxxxxxx>
> ---
> drivers/net/veth.c | 2 +-
> fs/kernfs/mount.c | 2 +-
> fs/proc/proc_sysctl.c | 3 ++-
> net/core/neighbour.c | 4 ++--
> net/ipv4/devinet.c | 2 +-
> net/ipv6/addrconf.c | 6 +++---
> 6 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/net/veth.c b/drivers/net/veth.c
> index 354a963075c5..6e0b4a9d0843 100644
> --- a/drivers/net/veth.c
> +++ b/drivers/net/veth.c
> @@ -1307,7 +1307,7 @@ static int veth_alloc_queues(struct net_device *dev)
> struct veth_priv *priv = netdev_priv(dev);
> int i;
> - priv->rq = kcalloc(dev->num_rx_queues, sizeof(*priv->rq), GFP_KERNEL);
> + priv->rq = kcalloc(dev->num_rx_queues, sizeof(*priv->rq), GFP_KERNEL_ACCOUNT);
> if (!priv->rq)
> return -ENOMEM;
> diff --git a/fs/kernfs/mount.c b/fs/kernfs/mount.c
> index cfa79715fc1a..2881aeeaa880 100644
> --- a/fs/kernfs/mount.c
> +++ b/fs/kernfs/mount.c
> @@ -391,7 +391,7 @@ void __init kernfs_init(void)
> {
> kernfs_node_cache = kmem_cache_create("kernfs_node_cache",
> sizeof(struct kernfs_node),
> - 0, SLAB_PANIC, NULL);
> + 0, SLAB_PANIC | SLAB_ACCOUNT, NULL);
> /* Creates slab cache for kernfs inode attributes */
> kernfs_iattrs_cache = kmem_cache_create("kernfs_iattrs_cache",
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index 7d9cfc730bd4..e20ce8198a44 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -1333,7 +1333,8 @@ struct ctl_table_header *__register_sysctl_table(
> nr_entries++;
> header = kzalloc(sizeof(struct ctl_table_header) +
> - sizeof(struct ctl_node)*nr_entries, GFP_KERNEL);
> + sizeof(struct ctl_node)*nr_entries,
> + GFP_KERNEL_ACCOUNT);
> if (!header)
> return NULL;
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index ec0bf737b076..66a4445421f1 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -1665,7 +1665,7 @@ struct neigh_parms *neigh_parms_alloc(struct net_device *dev,
> struct net *net = dev_net(dev);
> const struct net_device_ops *ops = dev->netdev_ops;
> - p = kmemdup(&tbl->parms, sizeof(*p), GFP_KERNEL);
> + p = kmemdup(&tbl->parms, sizeof(*p), GFP_KERNEL_ACCOUNT);
> if (p) {
> p->tbl = tbl;
> refcount_set(&p->refcnt, 1);
> @@ -3728,7 +3728,7 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p,
> char neigh_path[ sizeof("net//neigh/") + IFNAMSIZ + IFNAMSIZ ];
> char *p_name;
> - t = kmemdup(&neigh_sysctl_template, sizeof(*t), GFP_KERNEL);
> + t = kmemdup(&neigh_sysctl_template, sizeof(*t), GFP_KERNEL_ACCOUNT);
> if (!t)
> goto err;
> diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
> index fba2bffd65f7..47523fe5b891 100644
> --- a/net/ipv4/devinet.c
> +++ b/net/ipv4/devinet.c
> @@ -2566,7 +2566,7 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name,
> struct devinet_sysctl_table *t;
> char path[sizeof("net/ipv4/conf/") + IFNAMSIZ];
> - t = kmemdup(&devinet_sysctl, sizeof(*t), GFP_KERNEL);
> + t = kmemdup(&devinet_sysctl, sizeof(*t), GFP_KERNEL_ACCOUNT);
> if (!t)
> goto out;
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index f927c199a93c..9d903342bc41 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -358,7 +358,7 @@ static int snmp6_alloc_dev(struct inet6_dev *idev)
> if (!idev->stats.icmpv6dev)
> goto err_icmp;
> idev->stats.icmpv6msgdev = kzalloc(sizeof(struct icmpv6msg_mib_device),
> - GFP_KERNEL);
> + GFP_KERNEL_ACCOUNT);
> if (!idev->stats.icmpv6msgdev)
> goto err_icmpmsg;
> @@ -382,7 +382,7 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
> if (dev->mtu < IPV6_MIN_MTU)
> return ERR_PTR(-EINVAL);
> - ndev = kzalloc(sizeof(struct inet6_dev), GFP_KERNEL);
> + ndev = kzalloc(sizeof(struct inet6_dev), GFP_KERNEL_ACCOUNT);
> if (!ndev)
> return ERR_PTR(err);
> @@ -7023,7 +7023,7 @@ static int __addrconf_sysctl_register(struct net *net, char *dev_name,
> struct ctl_table *table;
> char path[sizeof("net/ipv6/conf/") + IFNAMSIZ];
> - table = kmemdup(addrconf_sysctl, sizeof(addrconf_sysctl), GFP_KERNEL);
> + table = kmemdup(addrconf_sysctl, sizeof(addrconf_sysctl), GFP_KERNEL_ACCOUNT);
> if (!table)
> goto out;
> --
> 2.25.1
>
