[apparmor] [PATCH] AppArmor: be less aggressive about kmalloc usage

[Kees Cook]

When allocating memory, skip kmalloc for large profiles since it is not
critical to have physically contiguous memory for these.  Additionally,
do not allow the memory subsystem to perform any IO so that the system
will not thrash under kernel memory pressure, and will just fall back
to vmalloc as well.

Hopefully this will help reduce the symptoms seen in LP: #602261.

Signed-off-by: Kees Cook <kees.cook at canonical.com>
---
 security/apparmor/apparmorfs.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 5fb9385..a01dc1a 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -26,7 +26,7 @@
 #include "include/policy.h"
 
 /**
- * kvmalloc - do allocation prefering kmalloc but falling back to vmalloc
+ * kvmalloc - do allocation preferring kmalloc but falling back to vmalloc
  * @size: size of allocation
  *
  * Return: allocated buffer or NULL if failed
@@ -36,12 +36,14 @@
  */
 static void *kvmalloc(size_t size)
 {
-	void *buffer;
+	void *buffer = NULL;
 
 	if (size == 0)
 		return NULL;
 
-	buffer = kmalloc(size, GFP_KERNEL | __GFP_NOWARN);
+	/* do not attempt kmalloc if we need more than 16 pages at once */
+	if (size <= (16*PAGE_SIZE))
+		buffer = kmalloc(size, GFP_NOIO | __GFP_NOWARN);
 	if (!buffer)
 		buffer = vmalloc(size);
 	return buffer;
-- 
1.7.1


-- 
Kees Cook
Ubuntu Security Team