On Wed, Jan 02, 2019 at 07:14:31PM -0800, Shakeel Butt wrote: > The [ip,ip6,arp]_tables use x_tables_info internally and the underlying > memory is already accounted to kmemcg. Do the same for ebtables. The > syzbot, by using setsockopt(EBT_SO_SET_ENTRIES), was able to OOM the > whole system from a restricted memcg, a potential DoS. > > By accounting the ebt_table_info, the memory used for ebt_table_info can > be contained within the memcg of the allocating process. However the > lifetime of ebt_table_info is independent of the allocating process and > is tied to the network namespace. So, the oom-killer will not be able to > relieve the memory pressure due to ebt_table_info memory. The memory for > ebt_table_info is allocated through vmalloc. Currently vmalloc does not > handle the oom-killed allocating process correctly and one large > allocation can bypass memcg limit enforcement. So, with this patch, > at least the small allocations will be contained. For large allocations, > we need to fix vmalloc. OK, patch is applied, thanks.
