From: Jiri Olsa <jolsa@redhat.com>
Date: Wed, 17 Mar 2010 08:18:16 -0400
Subject: [net] netfilter: fix vmalloc ENOMEM caused by iptables
Message-id: <1268813896-3806-1-git-send-email-jolsa@redhat.com>
Patchwork-id: 23596
O-Subject: [PATCH RHEL5] BZ#570491 netfilter: vmalloc ENOMEM caused by iptables
Bugzilla: 570491
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
RH-Acked-by: David S. Miller <davem@redhat.com>

Bugzilla: 570491
https://bugzilla.redhat.com/show_bug.cgi?id=570491

Description:
============
Cannot create more than ~50000 firewall rules.

Upstream status:
================
Backported following patch:
- [NETFILTER]: x_tables: remove obsolete overflow check
  commit 9e67d5a739327c44885adebb4f3a538050be73e4
  Author: Patrick McHardy <kaber@trash.net>

The change is slightly based also on this commit:
- [NETFILTER]: x_tables: struct xt_table_info diet
  commit 259d4e41f3ec25f22169daece42729f597b89f9a
  Author: Eric Dumazet <dada1@cosmosbay.com>

Brew:
=====
https://brewweb.devel.redhat.com/taskinfo?taskID=2320191

Tested:
=======
Able to cross the ~50000 limit by customer's reproducer.

wbr,
jirka

Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 8d1d7a6..e6665da 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -815,9 +815,6 @@ static int do_replace(void __user *user, unsigned int len) return -ENOPROTOOPT; /* overflow check */ - if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - - SMP_CACHE_BYTES) - return -ENOMEM; if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 048514f..197eb5a 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c
@@ -1260,9 +1260,6 @@ do_replace(void __user *user, unsigned int len) return -ENOPROTOOPT; /* overflow check */ - if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - - SMP_CACHE_BYTES) - return -ENOMEM; if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 49a6f08..29fd6d4 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -964,9 +964,6 @@ do_replace(void __user *user, unsigned int len) return -EFAULT; /* overflow check */ - if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - - SMP_CACHE_BYTES) - return -ENOMEM; if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM;
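Review bot: all three hunks (arp_tables.c, ip_tables.c, ip6_tables.c do_replace()) delete the only bound on tmp.size while keeping the tmp.num_counters bound, so after this patch nothing in the visible code rejects an oversized tmp.size before the table is allocated; the upstream removal is only safe if the allocation path in x_tables.c enforces its own limit, yet this diff carries no x_tables.c hunk even though the description says the change is also based on the "struct xt_table_info diet" commit. Please spell out in the description what was taken from 259d4e41 and confirm that the RHEL5 x_tables.c already checks the requested size in the allocator, or add that check to this series. The root cause is clear from the removed lines themselves: dividing (INT_MAX - sizeof(struct xt_table_info)) by the compile-time NR_CPUS and then subtracting SMP_CACHE_BYTES caps tmp.size at a small fraction of INT_MAX on kernels built with a large NR_CPUS, which is why roughly 50000 rules already trip -ENOMEM; stating that in the Description would make the justification for dropping the check self-contained.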