On Thu, Oct 27, 2022 at 03:10:22PM +0200, Jozsef Kadlecsik wrote:
> Daniel Xu reported that the hash:net,iface type of the ipset subsystem does
> not limit adding the same network with different interfaces to a set, which
> can lead to huge memory usage or allocation failure.
>
> The quick reproducer is
>
> $ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0
> $ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done
>
> The backtrace when vmalloc fails:
>
> [Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages
> <...>
> [Tue Oct 25 00:13:08 2022] Call Trace:
> [Tue Oct 25 00:13:08 2022] <TASK>
> [Tue Oct 25 00:13:08 2022] dump_stack_lvl+0x48/0x60
> [Tue Oct 25 00:13:08 2022] warn_alloc+0x155/0x180
> [Tue Oct 25 00:13:08 2022] __vmalloc_node_range+0x72a/0x760
> [Tue Oct 25 00:13:08 2022] ? hash_netiface4_add+0x7c0/0xb20
> [Tue Oct 25 00:13:08 2022] ? __kmalloc_large_node+0x4a/0x90
> [Tue Oct 25 00:13:08 2022] kvmalloc_node+0xa6/0xd0
> [Tue Oct 25 00:13:08 2022] ? hash_netiface4_resize+0x99/0x710
> <...>
>
> The fix is to enforce the limit documented in the ipset(8) manpage:
>
> > The internal restriction of the hash:net,iface set type is that the same
> > network prefix cannot be stored with more than 64 different interfaces
> > in a single set.
>
> Reported-by: Daniel Xu <dxu@xxxxxxxxx>
> Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx>

Works for me.

Tested-by: Daniel Xu <dxu@xxxxxxxxx>

Thanks,
Daniel
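The quoted patch description explains the failure mode: a hash:net,iface set that holds the same network prefix under far more than the 64 interfaces the ipset(8) manpage allows grows until the hash resize can no longer allocate. On kernels without the fix, an operator can spot such a set from userspace before it gets that far. The following audit script is an added example, not code from the ipset project or the kernel patch. It parses `ipset save`-style output and reports every (set, network) pair in a hash:net,iface set whose distinct interface count exceeds the documented limit. The set names, interface names and the dump itself are constructed for illustration.

```python
"""Audit `ipset save` output for hash:net,iface sets that store one network
prefix under more interfaces than the ipset(8) manpage permits (64).

Added example; not part of the ipset project or the kernel patch.  The
sample dump at the bottom is constructed to resemble `ipset save` output.
"""
import re
from collections import defaultdict

# Documented ceiling from ipset(8) for the hash:net,iface set type.
MAX_IFACES_PER_NET = 64

# "create <set> <type> ..." lines tell us which sets are hash:net,iface.
CREATE_RE = re.compile(r"^create\s+(\S+)\s+(\S+)")
# "add <set> <net>,<iface> [timeout N ...]" lines carry the elements;
# the interface part may be "physdev:<iface>", which \S+ also captures.
ADD_RE = re.compile(r"^add\s+(\S+)\s+(\S+?),(\S+)")


def audit_ipset_dump(dump: str, limit: int = MAX_IFACES_PER_NET) -> dict:
    """Return {(set_name, network): distinct_iface_count} for every
    hash:net,iface entry whose interface count exceeds `limit`."""
    set_types = {}
    ifaces = defaultdict(set)
    for line in dump.splitlines():
        m = CREATE_RE.match(line)
        if m:
            set_types[m.group(1)] = m.group(2)
            continue
        m = ADD_RE.match(line)
        if m:
            name, net, iface = m.groups()
            # Only hash:net,iface sets carry the documented per-prefix limit.
            if set_types.get(name) == "hash:net,iface":
                ifaces[(name, net)].add(iface)
    return {key: len(v) for key, v in ifaces.items() if len(v) > limit}


# Constructed sample dump: one hash:net,iface set with 0.0.0.0/0 stored
# under 70 made-up interfaces (over the limit), a benign prefix with two
# interfaces, and an unrelated hash:ip set that must be ignored.
SAMPLE_DUMP = "\n".join(
    [
        "create EXAMPLE_SET hash:net,iface family inet hashsize 1024 maxelem 65536",
        "create OTHER_SET hash:ip family inet hashsize 1024 maxelem 65536",
    ]
    + [f"add EXAMPLE_SET 0.0.0.0/0,if_{i} timeout 0" for i in range(70)]
    + [
        "add EXAMPLE_SET 10.0.0.0/8,eth0",
        "add EXAMPLE_SET 10.0.0.0/8,eth1",
        "add OTHER_SET 192.0.2.1",
    ]
)


if __name__ == "__main__":
    # In practice: `ipset save | python3 this_script.py` and read stdin;
    # here the constructed dump is used so the script runs offline.
    for (set_name, net), count in audit_ipset_dump(SAMPLE_DUMP).items():
        print(f"{set_name}: {net} stored under {count} interfaces "
              f"(limit {MAX_IFACES_PER_NET})")
```

On a live host, replace `SAMPLE_DUMP` with the text of `ipset save` (sets created with `-exist` in a loop, as in the reproducer, show up the same way). The script only reads the dump; deciding whether a flagged set is a configuration mistake or something worth investigating is left to the operator.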