From patchwork Mon Feb 28 06:39:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vasily Averin X-Patchwork-Id: 12762430 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A14DC433FE for ; Mon, 28 Feb 2022 06:40:07 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E20A48D0003; Mon, 28 Feb 2022 01:40:06 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id DCFEA8D0001; Mon, 28 Feb 2022 01:40:06 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C70EC8D0003; Mon, 28 Feb 2022 01:40:06 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0030.hostedemail.com [216.40.44.30]) by kanga.kvack.org (Postfix) with ESMTP id B49458D0001 for ; Mon, 28 Feb 2022 01:40:06 -0500 (EST) Received: from smtpin20.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id 6BD23181AF5C1 for ; Mon, 28 Feb 2022 06:40:06 +0000 (UTC) X-FDA: 79191238812.20.98F0330 Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30095.outbound.protection.outlook.com [40.107.3.95]) by imf12.hostedemail.com (Postfix) with ESMTP id B71A240008 for ; Mon, 28 Feb 2022 06:40:03 +0000 (UTC) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CACTnXlGSHFzSBs7BfH/ks9TwlAP5EAywcUcNzb2exQTjpKw8rxltrWbZE1pCAurs5Vw9F7B+m4jxH+uQfA/gofEtvgpJuTgIIyw3jPRXYAx8+smWK7xwWJHUh/LLtmuQR/vy6mwd88Xd+RDkGxkw8gjV5xf3p8bvw2HsSMGLGWmW+VuFALgmTAHxvSZopL838IR2erENbDfVKZS1B7Gsi7r2+3kaeinJY0smtnaxfRBDGRVzaFqBpqlTlpJQ9gftARjthXI2PVfqzALkodPVAsAZ4VcMI3BxJm+fZ0njk6rqJ35b4o+zuq50pXig6nr/1sQMGeWTePLQm0/g70MTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Q9sUpoLWic4TAHJRENZjhXgcSYKelHItv+jsbhDyo/o=; b=USfpWf3HOGO5P0GpSUzaEVj1IB8d9JhJR5/9uDU8WVjdZQ/9n/xr9DS0720U7Ab6AgzTT5U6CHH5AKVF/Iu7Q++zlfsDAHbTbVdhtb8yWujd+KyNxL5HkZJx4yLRHtae+WOd3/Zx2RUl2wF5Lu5v0zOZOseAoFfn1s2oz1TfmG0JFi9RWVsZdDYGW9nFBseFNlwbMjseUs0WR0l4MlBFRRnEBETmiyK/Bmw446HJkcFZLpYFhGk8fPR8M2BM71t3LULM4xPQiGXuahPeue1uLkWzMISDH4+IlsH6LmN9KjuSmhOAFNm+nDMcDWrCx/XxuJGAUZyoWhzV+jGbYRx8eA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=virtuozzo.com; dmarc=pass action=none header.from=virtuozzo.com; dkim=pass header.d=virtuozzo.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtuozzo.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q9sUpoLWic4TAHJRENZjhXgcSYKelHItv+jsbhDyo/o=; b=Y6a1eM35Z93/AaMJqtkqigC+o4/5yP8/Rdu360MDl0+GPfh8s9TYLlwqZIdECj/1/SJ0Da//pTxhvnv4xO1qsMIA/UHyDGJpkDcVcIsDXH4me0WfH8IRrOTLuV7YYVxrPiLiyhgQXZHw1C+wBXs7Ikkba+VMciztMal0BWJXLcA= Received: from VI1PR08MB3245.eurprd08.prod.outlook.com (2603:10a6:803:48::20) by DB7PR08MB3340.eurprd08.prod.outlook.com (2603:10a6:5:20::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.26; Mon, 28 Feb 2022 06:39:59 +0000 Received: from VI1PR08MB3245.eurprd08.prod.outlook.com ([fe80::4007:6de5:a0b9:1533]) by VI1PR08MB3245.eurprd08.prod.outlook.com ([fe80::4007:6de5:a0b9:1533%6]) with mapi id 15.20.5017.026; Mon, 28 Feb 2022 06:39:59 +0000 Message-ID: <81d734aa-7a0f-81b4-34fb-516b17673eac@virtuozzo.com> Date: Mon, 28 Feb 2022 09:39:56 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0 From: Vasily Averin Subject: [PATCH RFC] memcg: Enable accounting for nft objects To: Roman Gushchin , Linux MM Cc: kernel@openvz.org, netfilter-devel@vger.kernel.org, Pablo Neira Ayuso , Florian Westphal , Jozsef Kadlecsik , kernel@openvz.org Content-Language: en-US X-ClientProxiedBy: ZR0P278CA0009.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:16::19) To VI1PR08MB3245.eurprd08.prod.outlook.com (2603:10a6:803:48::20) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: b14d1ded-8e10-42c4-5673-08d9fa85236b X-MS-TrafficTypeDiagnostic: DB7PR08MB3340:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 5Gmpch8ULgvDYaaGijL90FkUhJdz4evgO4ANNwIsGP+KIrrLuGBFMSwn+1eXWEwuSg9k+jasMaUdvKxKUl22fiNs1Wz27RfskAazrEar4/rU1kugbauOBnMTN1TiVH7PjSj+P74FFcaQDtXq2j48/UmZT0nUYQAIjn7zzcbYPQ05LJhnZ779HGkYEFfE2zPQzQSNMvYteNfozkwT0HItMrznDLnR1MmNH80AFzAZ96i1DJVBKYOq4gr/k/XbLwFjBrSyNdmbp5L3qF80A2/vml/I3LgChIe8rP8BewcO0xdmPuO6qwrrWxd8/O4JyviUH/VlxeMiI583OvN4RMb2EsY6Z1zTe6gg8V39Xep2yG+xw0AspWFbu8Xdg/HcfvuT+iHyrYtDr9RB+/HyWIQn07E8lSOZEIYraKceb7lJ3npAkVP4LB0tlupTkNRW5xl7JXzuwU1aO9uVzwLq72NcBHHSB5q8dDPoJNr+znlELgY8DR6JVRoCW/H4rx4Gmwojks52Id4stMv/8ZvfRrQLNP1gPPEqXfZ+vvQRGqEP6RebM8xtoZkacn36tGCvQLCSb7EIu4aV3norIHJaQx/cULVLcPbth9ZhVAoFmAmW0ZXerbzSP92yOKRNPXWNaF7wlTcLVHufxMCC0hA9rhyQNyZqKpYi6v7+Lk9g12X/Uxwk9Jx6hATafLFCTfoKHDX0lGFKeGC0SPbHR1NmLLSiu1CeRJjeWntNDQ8lwunXx7rtrTkNIDbWxh25hkMiDHL01h5TB7uOUpTQxbMXDj/HIw== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:VI1PR08MB3245.eurprd08.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(4636009)(366004)(54906003)(6486002)(2906002)(508600001)(110136005)(31696002)(6506007)(5660300002)(2616005)(8936002)(36756003)(38100700002)(38350700002)(31686004)(107886003)(316002)(52116002)(6512007)(66476007)(66946007)(4326008)(66556008)(8676002)(186003)(26005)(6666004)(86362001)(83380400001)(15650500001)(45980500001)(43740500002);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?JeAl029+37jZJz2M5vYMcNJTjm7H?= =?utf-8?q?q708rfrB5jaQ3Sz69vyGqneWpXFGPuZJLP0PssDdv+ZkesuW+ghArNOn3/zKYfqIf?= =?utf-8?q?UZhaBKyNLVoPjUIPZVipu2iTM4kv+CuekOZiu3On2qucWzWwn85s0kPyhncuECFVU?= =?utf-8?q?c0GMorOPRvNA7VUzxuMeZadCuiJUx8XeJ6cVYN8RlXetfc7N2Zy8ztVqLu66sxBAV?= =?utf-8?q?SopCkVvwrRXIWUI5vdJXrtYXKQVngDU7ltJhYgjt1x2vicAb+gsOdk6MwJvifF7WG?= =?utf-8?q?MfK4IK00NRqJQA3tThDBPV949NmbOWrqcqjVasuagDr+UsVT823p+I0z9Gs8mRsrY?= =?utf-8?q?rqRvdl7bVUBZaOkEvywP8UNbsxtOSxFL1tpkH+enxX8DmOABgo+eAB9hURM8r972B?= =?utf-8?q?72ucWpcAKosu3Mn3jOIdTn1lcYq/NE03+XFEOsaf+tNke2q9y2aILk6FQatOoThM2?= =?utf-8?q?SAHKwgIdZ5EuzVqT1Nyi3XY8ngPuuHAY/E4kw7rzkh0mZ0eMF8RDIip31pJHRPF8K?= =?utf-8?q?gCTFv3elqwoY1y8/gOvCebX3DxDxfA85M5a7/Ns3+4QyjT8Q+nnwWsB5CKsJgPVE5?= =?utf-8?q?9TmNK+MXiVqdicZZSlOf/z4FS1Qo4qHHD187skVFwaW+y3Q7r52mq7kZVYZd8GRAm?= =?utf-8?q?spRf4s7kLfqMAIf2XTx/vj05By/kqnGcB7lpMXKvXJCDYv57Cb8ycU7/yBQFGgX6e?= =?utf-8?q?61pGZLXzRNp7xaz+L/JEoroUCEKJqpHqRQAawEo7sP6xpvirsJb6rMw09kWmlRcVJ?= =?utf-8?q?90i49Q3mhBWlttIdEmaQyMf7Tv8f/Bptn+4hVR0LQp/kZzg0hI5gDao7c4FDE39Fa?= =?utf-8?q?mRDe6o1NB5VItBzkq5svg1Ll1syB/iZZbAzqyOYmms8YjZ0hwgWNU00dV8Oo1Ds7Y?= =?utf-8?q?vnIqLNaB0kqw8+bw7sUw5E4xCypRiqJ11xkSkyScgQXxb8QT8nIVdWKszZ5dxvNRY?= =?utf-8?q?SBTyVQ1wtgNjTokEyXE83jWpFiicfXWO0EZ8gKm5Am3gF8lhTPBMBw+QKr/67WzSb?= =?utf-8?q?v1ElGYUUjNAAnQhgcE6bo0Nh0TT9z26w/4QyoLbuk0SVgyEFKVzxRkGrO6yvrh+jm?= =?utf-8?q?yLONuEby2OoFOcuW4d1RK2ajGfcR/YV04GoxfMpjyKNftpNJ2BkA/v8nj7vYOSXkO?= =?utf-8?q?rw1N1NQwsJg3VZNOAZiUOOqYkoO6aVFZbyVNx+bkrfMHoski5TXKHg8JVTNPh3sVm?= =?utf-8?q?+TNPLmiLO1c2k4IVOdNtbCPwrJ5kZHW0GOIBUD6O+T0WycA1cKZofr4Tu6vZzGDLJ?= =?utf-8?q?wyiVzxtrBiXE8L4CXxd8KEbnp9/KZF5UTiU8/z/sbyigx7eQvxNRxuJvvHi4oP2Nl?= =?utf-8?q?80/UTFwk0h7MQxoGiVcuUGugzi3gdwMal2J4B/ysgwAv3cABVVR+vUnuX7VN/cgZQ?= =?utf-8?q?gwht0F6wWnatD+EJliKo65++5vm4VvEv6JtuWIA/+qzK5Eol9B2RwkypL7WjMatZ9?= =?utf-8?q?5PDEl55I8oCE31Ikidj6yjdBJBxZLRLYkCNCkCizBzYUmxACeC3SbsjJEDm1y5CUd?= =?utf-8?q?CI7u+nU3kmBFqCjQaNFmbL17r17dq5JJpeHcHL0wK2X96x3C1GmFefE=3D?= X-OriginatorOrg: virtuozzo.com X-MS-Exchange-CrossTenant-Network-Message-Id: b14d1ded-8e10-42c4-5673-08d9fa85236b X-MS-Exchange-CrossTenant-AuthSource: VI1PR08MB3245.eurprd08.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Feb 2022 06:39:59.2560 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 0bc7f26d-0264-416e-a6fc-8352af79c58f X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: VvPiEKYqcQow71Ocvw0HuP0zcPmEeOYBOaQ4B4TAYBH5XwAfCD24/kBXN+VeiuegghZB9hdJVs9UrA/y2SaF4g== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR08MB3340 X-Rspamd-Queue-Id: B71A240008 X-Stat-Signature: iedqzfa3k9jha4pri5pjwehmaer4trm5 X-Rspam-User: Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=virtuozzo.com header.s=selector2 header.b=Y6a1eM35; dmarc=pass (policy=quarantine) header.from=virtuozzo.com; spf=none (imf12.hostedemail.com: domain of vvs@virtuozzo.com has no SPF policy when checking 40.107.3.95) smtp.mailfrom=vvs@virtuozzo.com X-Rspamd-Server: rspam03 X-HE-Tag: 1646030403-798233 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: nftables replaces iptables but still lacks memcg accounting. This patch account most part of nft-related allocation and should protect host from nft misuse inside memcg-limited container. Signed-off-by: Vasily Averin --- net/netfilter/core.c | 2 +- net/netfilter/nf_tables_api.c | 51 +++++++++++++++++++---------------- 2 files changed, 29 insertions(+), 24 deletions(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 354cb472f386..6a2b57774999 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -58,7 +58,7 @@ static struct nf_hook_entries *allocate_hook_entries_size(u16 num) if (num == 0) return NULL; - e = kvzalloc(alloc, GFP_KERNEL); + e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT); if (e) e->num_hook_entries = num; return e; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 5fa16990da95..5e1987ec9715 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -149,7 +149,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, { struct nft_trans *trans; - trans = kzalloc(sizeof(struct nft_trans) + size, gfp); + trans = kzalloc(sizeof(struct nft_trans) + size, gfp | __GFP_ACCOUNT); if (trans == NULL) return NULL; @@ -1084,6 +1084,7 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, struct nft_table *table; struct nft_ctx ctx; u32 flags = 0; + gfp_t gfp = GFP_KERNEL_ACCOUNT; int err; lockdep_assert_held(&nft_net->commit_mutex); @@ -1113,16 +1114,16 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, } err = -ENOMEM; - table = kzalloc(sizeof(*table), GFP_KERNEL); + table = kzalloc(sizeof(*table), gfp); if (table == NULL) goto err_kzalloc; - table->name = nla_strdup(attr, GFP_KERNEL); + table->name = nla_strdup(attr, gfp); if (table->name == NULL) goto err_strdup; if (nla[NFTA_TABLE_USERDATA]) { - table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL); + table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], gfp); if (table->udata == NULL) goto err_table_udata; @@ -1803,7 +1804,7 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, struct nft_hook *hook; int err; - hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL); + hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT); if (!hook) { err = -ENOMEM; goto err_hook_alloc; @@ -2026,7 +2027,7 @@ static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size) if (size > INT_MAX) return NULL; - blob = kvmalloc(size, GFP_KERNEL); + blob = kvmalloc(size, GFP_KERNEL_ACCOUNT); if (!blob) return NULL; @@ -2110,6 +2111,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, struct nft_trans *trans; struct nft_chain *chain; unsigned int data_size; + gfp_t gfp = GFP_KERNEL_ACCOUNT; int err; if (table->use == UINT_MAX) @@ -2126,7 +2128,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, if (err < 0) return err; - basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); + basechain = kzalloc(sizeof(*basechain), gfp); if (basechain == NULL) { nft_chain_release_hook(&hook); return -ENOMEM; @@ -2156,7 +2158,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, if (flags & NFT_CHAIN_HW_OFFLOAD) return -EOPNOTSUPP; - chain = kzalloc(sizeof(*chain), GFP_KERNEL); + chain = kzalloc(sizeof(*chain), gfp); if (chain == NULL) return -ENOMEM; @@ -2169,7 +2171,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, chain->table = table; if (nla[NFTA_CHAIN_NAME]) { - chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); + chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], gfp); } else { if (!(flags & NFT_CHAIN_BINDING)) { err = -EINVAL; @@ -2177,7 +2179,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, } snprintf(name, sizeof(name), "__chain%llu", ++chain_id); - chain->name = kstrdup(name, GFP_KERNEL); + chain->name = kstrdup(name, gfp); } if (!chain->name) { @@ -2186,7 +2188,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, } if (nla[NFTA_CHAIN_USERDATA]) { - chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL); + chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], gfp); if (chain->udata == NULL) { err = -ENOMEM; goto err_destroy_chain; @@ -2349,7 +2351,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, char *name; err = -ENOMEM; - name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); + name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); if (!name) goto err; @@ -2797,7 +2799,7 @@ static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, goto err1; err = -ENOMEM; - expr = kzalloc(expr_info.ops->size, GFP_KERNEL); + expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT); if (expr == NULL) goto err2; @@ -3405,7 +3407,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, } err = -ENOMEM; - rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL); + rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT); if (rule == NULL) goto err_release_expr; @@ -3818,7 +3820,7 @@ static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, free_page((unsigned long)inuse); } - set->name = kasprintf(GFP_KERNEL, name, min + n); + set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n); if (!set->name) return -ENOMEM; @@ -4239,6 +4241,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, int err, i; u16 udlen; u64 size; + gfp_t gfp = GFP_KERNEL_ACCOUNT; if (nla[NFTA_SET_TABLE] == NULL || nla[NFTA_SET_NAME] == NULL || @@ -4382,11 +4385,12 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, alloc_size = sizeof(*set) + size + udlen; if (alloc_size < size || alloc_size > INT_MAX) return -ENOMEM; - set = kvzalloc(alloc_size, GFP_KERNEL); + + set = kvzalloc(alloc_size, gfp); if (!set) return -ENOMEM; - name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL); + name = nla_strdup(nla[NFTA_SET_NAME], gfp); if (!name) { err = -ENOMEM; goto err_set_name; @@ -5921,7 +5925,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, err = -ENOMEM; elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, elem.key_end.val.data, elem.data.val.data, - timeout, expiration, GFP_KERNEL); + timeout, expiration, GFP_KERNEL_ACCOUNT); if (elem.priv == NULL) goto err_parse_data; @@ -6165,7 +6169,7 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, err = -ENOMEM; elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, elem.key_end.val.data, NULL, 0, 0, - GFP_KERNEL); + GFP_KERNEL_ACCOUNT); if (elem.priv == NULL) goto fail_elem; @@ -6477,7 +6481,7 @@ static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, } err = -ENOMEM; - obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL); + obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT); if (!obj) goto err2; @@ -6638,7 +6642,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, obj->key.table = table; obj->handle = nf_tables_alloc_handle(table); - obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL); + obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT); if (!obj->key.name) { err = -ENOMEM; goto err_strdup; @@ -7364,6 +7368,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, struct net *net = info->net; struct nft_table *table; struct nft_ctx ctx; + gfp_t gfp = GFP_KERNEL_ACCOUNT; int err; if (!nla[NFTA_FLOWTABLE_TABLE] || @@ -7399,7 +7404,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); - flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); + flowtable = kzalloc(sizeof(*flowtable), gfp); if (!flowtable) return -ENOMEM; @@ -7407,7 +7412,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, flowtable->handle = nf_tables_alloc_handle(table); INIT_LIST_HEAD(&flowtable->hook_list); - flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL); + flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], gfp); if (!flowtable->name) { err = -ENOMEM; goto err1;