Re: netfilter xt_alloc_table_info regression

Hello,

I made tests with the patch reverted, and it seems that the old version is masking errors.

I will write to the cgroup developers, because this only happens when cgroups are enabled and there are a large number of cgroups created.

Thank you for your time.

Regards,

-- Georgi Nikolov



On 07/24/2018 11:39 AM, Michal Hocko wrote:
On Tue 24-07-18 10:36:38, Georgi Nikolov wrote:
Hello,

I posted a kernel bug https://bugzilla.kernel.org/show_bug.cgi?id=200639 and
I hope this is the correct place to discuss this.
Let me quote your report for the full context

: The following commit leads to "vmalloc: allocation failure" when the cgroups memory controller is enabled:
: 
: https://github.com/torvalds/linux/commit/eacd86ca3b036e55e172b7279f101cef4a6ff3a4
: 
: After creating a large number of cgroups and under memory pressure, the iptables command fails with the following error:
: 
: "iptables-restor: vmalloc: allocation failure, allocated 3047424 of 3465216 bytes, mode:0x14010c0(GFP_KERNEL|__GFP_NORETRY), nodemask=(null)"
: 
: The system used to reproduce the bug has 2 vcpus and 2GB of RAM, but it also happens on more powerful systems.
: 
: Steps to reproduce:
: 
: mkdir /cgroup
: mount cgroup -t cgroup -omemory,pids,blkio,cpuacct /cgroup
: for a in `seq 1 1000`; do for b in `seq 1 4` ; do mkdir -p "/cgroup/user/$a/$b"; done; done
: 
: Then in separate consoles
: 
: cat /dev/vda > /dev/null
: ./test
: ./test
: i=0;while sleep 0 ; do iptables-restore < iptables.save ; i=$(($i+1)); echo $i; done
: 
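: Here is the source of the "test" program and the attached iptables.save. It also happens with a smaller iptables.save file.
: 
: #include <stdio.h>
: #include <stdlib.h>
: #include <time.h>   /* time(), needed by the srand() call */
: 
: int main(void) {
: 
:     srand(time(NULL));
:     int i = 0, j = 0, randnum=0;
:     /* Allocation sizes; each is multiplied by 93 below. */
:     int arr[6] = { 3072, 7168, 15360 , 31744, 64512, 130048}; 
:     /* Loop forever: allocate, touch every word, free (memory pressure). */
:     while(1) {
: 
:         for (i = 0; i < 6 ; i++) {
: 
:             int *ptr = (int*) malloc(arr[i] * 93);  
:             if (ptr == NULL)   /* allocation failed under pressure: retry */
:                 continue;
: 
:             /* Write to the whole buffer so the pages are really backed. */
:             for(j = 0 ; j < arr[i] * 93 / sizeof(int); j++) {
:                 *(ptr+j) = j+1;
:             }
: 
:             free(ptr);
:         }
:     }       
: }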

Have you confirmed that reverting eacd86ca3b03
("net/netfilter/x_tables.c: use kvmalloc() in xt_alloc_table_info()")
fixes the allocation failure you are seeing?

There are only two differences the patch has introduced. It has
introduced vmalloc fallback for all but order-0 sizes and it dropped
__GFP_NOWARN from the vmalloc call.

The latter would allow the error message to be printed. Just to make it clear,
the regression you are seeing is not just the error message. It is
iptables-restore that fails and hasn't before, right?
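
A triage helper for the failure line quoted in the report, as an added example that is not part of the original thread: it parses `vmalloc: allocation failure` lines and flags those coming from firewall tooling, since a failed `iptables-restore` means the ruleset was not loaded. The watch list, the 4 KiB page size, the timestamps and the second and third sample lines are assumptions constructed for the example.

```python
import re

# The kernel task name (comm) holds at most 15 characters, so
# "iptables-restore" is logged as "iptables-restor". Compare truncated names.
COMM_MAX = 15
FIREWALL_TOOLS = ("iptables-restore", "ip6tables-restore",
                  "iptables", "ip6tables")          # assumed watch list
WATCHED = {name[:COMM_MAX] for name in FIREWALL_TOOLS}
PAGE_SIZE = 4096                                    # assumption: 4 KiB pages

VMALLOC_FAIL = re.compile(
    r'(?P<comm>[^\s":\]]+): vmalloc: allocation failure, '
    r'allocated (?P<got>\d+) of (?P<want>\d+) bytes, '
    r'mode:(?P<mode>0x[0-9a-fA-F]+)\((?P<flags>[^)]*)\)'
)

def parse_vmalloc_failure(line):
    """Return a dict describing one vmalloc failure line, or None."""
    m = VMALLOC_FAIL.search(line)
    if not m:
        return None
    got, want = int(m["got"]), int(m["want"])
    flags = m["flags"].split("|")
    return {
        "comm": m["comm"],
        "firewall_tool": m["comm"] in WATCHED,
        "requested_pages": -(-want // PAGE_SIZE),          # ceiling division
        "missing_pages": -(-(want - got) // PAGE_SIZE),
        "mode": int(m["mode"], 16),
        "flags": flags,
        # __GFP_NORETRY: the allocator gives up instead of retrying hard
        "noretry": "__GFP_NORETRY" in flags,
    }

def scan(lines):
    """Keep only the failures raised by watched firewall commands."""
    parsed = (parse_vmalloc_failure(l) for l in lines)
    return [p for p in parsed if p and p["firewall_tool"]]

# First message body is the one from the report; the rest is constructed.
SAMPLE_LOG = [
    "[  811.402113] iptables-restor: vmalloc: allocation failure, allocated "
    "3047424 of 3465216 bytes, mode:0x14010c0(GFP_KERNEL|__GFP_NORETRY), "
    "nodemask=(null)",
    "[  812.100245] java: vmalloc: allocation failure, allocated 8192 of "
    "16384 bytes, mode:0x14000c0(GFP_KERNEL), nodemask=(null)",
    "[  813.000001] EXT4-fs (vda1): re-mounted. Opts: (null)",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Feeding it `dmesg` output after each ruleset reload gives a check that does not depend on the exit status of `iptables-restore` being inspected by the caller.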

