Created attachment 277477: iptables save

The following commit leads to "vmalloc: allocation failure" when the cgroups memory controller is enabled:
https://github.com/torvalds/linux/commit/eacd86ca3b036e55e172b7279f101cef4a6ff3a4

After creating a large number of cgroups and under memory pressure, the iptables command fails with the following error:

"iptables-restor: vmalloc: allocation failure, allocated 3047424 of 3465216 bytes, mode:0x14010c0(GFP_KERNEL|__GFP_NORETRY), nodemask=(null)"

The system used to reproduce the bug has 2 vCPUs and 2GB of RAM, but it happens on more powerful systems.

Steps to reproduce:

mkdir /cgroup
mount cgroup -t cgroup -omemory,pids,blkio,cpuacct /cgroup
for a in `seq 1 1000`; do for b in `seq 1 4` ; do mkdir -p "/cgroup/user/$a/$b"; done; done

Then in separate consoles:

cat /dev/vda > /dev/null
./test
./test
i=0;while sleep 0 ; do iptables-restore < iptables.save ; i=$(($i+1)); echo $i; done

Here is the source of the "test" program; iptables.save is attached. It also happens with a smaller iptables.save file.

#include <stdio.h>
#include <stdlib.h>
#include <time.h>   /* time(), needed for the srand() seed */

int main(void)
{
    srand(time(NULL));
    int i = 0;
    size_t j = 0;
    /* Allocation sizes; each is multiplied by 93 to get the size in bytes. */
    int arr[6] = { 3072, 7168, 15360, 31744, 64512, 130048 };

    /* Allocate, touch every word and free, forever, to keep memory pressure up. */
    while (1) {
        for (i = 0; i < 6; i++) {
            int *ptr = (int *) malloc(arr[i] * 93);
            if (ptr == NULL)    /* allocation failed: skip this size */
                continue;
            for (j = 0; j < arr[i] * 93 / sizeof(int); j++) {
                *(ptr + j) = j + 1;
            }
            free(ptr);
        }
    }
}