netfilter: ipset: enable memory accounting for ipset allocations

Currently netadmin inside non-trusted container can quickly allocate
whole node's memory via request of huge ipset hashtable.
Other ipset-related memory allocations should be restricted too.

v2: fixed typo ALLOC -> ACCOUNT

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 920b7c4..6f35832 100644 (file)
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -250,22 +250,7 @@ EXPORT_SYMBOL_GPL(ip_set_type_unregister);
 void *
 ip_set_alloc(size_t size)
 {
-       void *members = NULL;
-
-       if (size < KMALLOC_MAX_SIZE)
-               members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
-
-       if (members) {
-               pr_debug("%p: allocated with kmalloc\n", members);
-               return members;
-       }
-
-       members = vzalloc(size);
-       if (!members)
-               return NULL;
-       pr_debug("%p: allocated with vmalloc\n", members);
-
-       return members;
+       return kvzalloc(size, GFP_KERNEL_ACCOUNT);
 }
 EXPORT_SYMBOL_GPL(ip_set_alloc);