netfilter: x_tables: avoid warn and OOM killer on vmalloc call
Andrey Konovalov reported that this vmalloc call is based on a
userspace request and that it's spewing traces, which may flood the logs
and cause DoS if abused.

Florian Westphal also mentioned that this call should not trigger OOM
killer.

This patch brings the vmalloc call in sync with kmalloc and disables the
warn trace on allocation failure and also disables OOM killer invocation.

Note, however, that under such stress situation, other places may
trigger OOM killer invocation.

Reported-by: Andrey Konovalov <[email protected]>
Cc: Florian Westphal <[email protected]>
Signed-off-by: Marcelo Ricardo Leitner <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
marceloleitner authored and ummakynes committed Dec 7, 2016
1 parent 8411b64 commit 5bad873
4 changes: 3 additions & 1 deletion net/netfilter/x_tables.c
Expand Up @@ -959,7 +959,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
if (sz <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
info = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
if (!info) {
info = vmalloc(sz);
info = __vmalloc(sz, GFP_KERNEL | __GFP_NOWARN |
__GFP_NORETRY | __GFP_HIGHMEM,
PAGE_KERNEL);
if (!info)
return NULL;
}
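Review bot: the `__GFP_NORETRY | __GFP_NOWARN` pair on the new `__vmalloc()` call (replacing the bare `vmalloc(sz)`) makes a large table allocation fail early under memory pressure and fail silently, so the only remaining signal to an operator is the error the caller propagates when `xt_alloc_table_info()` returns NULL; since the commit message says this allocation is driven by a userspace request, it would help to state there that a rule-replacement failing with an out-of-memory error, with nothing in dmesg, is now the intended outcome under pressure. The guard itself is right: the `if (!info) return NULL;` after the call keeps the same contract the kmalloc branch above already relies on, and the flags now match that branch, with `__GFP_HIGHMEM` added only on the vmalloc side where highmem pages can actually be mapped. The commit message's own caveat that "other places may trigger OOM killer invocation" is worth repeating in a comment next to this call, so a later reader does not assume the flags make the whole path OOM-safe.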
