Re: netfilter xt_alloc_table_info regression

On Tue 24-07-18 10:36:38, Georgi Nikolov wrote:
> Hello,
> 
> I posted a kernel bug https://bugzilla.kernel.org/show_bug.cgi?id=200639 and
> I hope this is the correct place to discuss this.

Let me quote your report for the full context

: Following commit leads to "vmalloc: allocation failure" when cgroups memory controller is enabled:
: 
: https://github.com/torvalds/linux/commit/eacd86ca3b036e55e172b7279f101cef4a6ff3a4
: 
: After creating large number of cgroups and under memory pressure, iptables command fails with following error:
: 
: "iptables-restor: vmalloc: allocation failure, allocated 3047424 of 3465216 bytes, mode:0x14010c0(GFP_KERNEL|__GFP_NORETRY), nodemask=(null)"
: 
: System which is used to reproduce the bug is with 2 vcpus and 2GB of ram, but it happens on more powerful systems.
: 
: Steps to reproduce:
: 
: mkdir /cgroup
: mount cgroup -t cgroup -omemory,pids,blkio,cpuacct /cgroup
: for a in `seq 1 1000`; do for b in `seq 1 4` ; do mkdir -p "/cgroup/user/$a/$b"; done; done
: 
: Then in separate consoles
: 
: cat /dev/vda > /dev/null
: ./test
: ./test
: i=0;while sleep 0 ; do iptables-restore < iptables.save ; i=$(($i+1)); echo $i; done
: 
: Here is the source of "test" program and attached iptables.save. It happens also with smaller iptables.save file.
: 
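: #include <stdio.h>
: #include <stdlib.h>
: #include <time.h>   /* time(), used to seed rand() */
: 
: int main(void) {
: 
:     srand(time(NULL));
:     int i = 0, j = 0, randnum=0;
:     /* base sizes; each allocation below is arr[i] * 93 bytes */
:     int arr[6] = { 3072, 7168, 15360 , 31744, 64512, 130048};
:     while(1) {
: 
:         for (i = 0; i < 6 ; i++) {
: 
:             int *ptr = (int*) malloc(arr[i] * 93);
:             if (ptr == NULL)
:                 continue;   /* allocation failed; move on to the next size */
: 
:             /* write to every word so the pages are actually faulted in */
:             for(j = 0 ; j < arr[i] * 93 / sizeof(int); j++) {
:                 *(ptr+j) = j+1;
:             }
: 
:             free(ptr);
:         }
:     }
: }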

Have you confirmed that reverting eacd86ca3b03
("net/netfilter/x_tables.c: use kvmalloc() in xt_alloc_table_info()")
fixes the allocation failure you are seeing?

There are only two differences the patch has introduced. It has
introduced vmalloc fallback for all but order-0 sizes and it dropped
__GFP_NOWARN from the vmalloc call.

The latter would allow the error message to be printed. Just to make it clear,
the regression you are seeing is not just the error message. It is
iptables-restore that fails and hasn't before, right?
-- 
Michal Hocko
SUSE Labs