summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* netfilter: ipset: move ip_set_get_ip_port() to ip_set_bitmap_port.c.HEADmasterJeremy Sowden8 days3-31/+27
| | | | | | | | ip_set_get_ip_port() is only used in ip_set_bitmap_port.c. Move it there and make it static. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: move function to ip_set_bitmap_ip.c.Jeremy Sowden8 days2-14/+12
| | | | | | | | One inline function in ip_set_bitmap.h is only called in ip_set_bitmap_ip.c: move it and remove inline function specifier. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: make ip_set_put_flags extern.Jeremy Sowden8 days2-22/+25
| | | | | | | | ip_set_put_flags is rather large for a static inline function in a header-file. Move it to ip_set_core.c and export it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: move functions to ip_set_core.c.Jeremy Sowden8 days2-102/+102
| | | | | | | | Several inline functions in ip_set.h are only called in ip_set_core.c: move them and remove inline function specifier. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: move ip_set_comment functions from ip_set.h to ip_set_core.c.Jeremy Sowden8 days2-62/+67
| | | | | | | | | | | | | | | Most of the functions are only called from within ip_set_core.c. The exception is ip_set_init_comment. However, this is too complex to be a good candidate for a static inline function. Move it to ip_set_core.c, change its linkage to extern and export it, leaving a declaration in ip_set.h. ip_set_comment_free is only used as an extension destructor, so change its prototype to match and drop cast. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: remove inline from static functions in .c files.Jeremy Sowden8 days19-138/+138
| | | | | | | | | | | | | The inline function-specifier should not be used for static functions defined in .c files since it bloats the kernel. Instead leave the compiler to decide which functions to inline. While a couple of the files affected (ip_set_*_gen.h) are technically headers, they contain templates for generating the common parts of particular set-types and so we treat them like .c files. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: add a coding-style fix to ip_set_ext_destroy.Jeremy Sowden8 days1-3/+5
| | | | | | | | Use a local variable to hold comment in order to align the arguments of ip_set_comment_free properly. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: added missing includes to a number of header-files.Jeremy Sowden8 days1-0/+4
| | | | | | | | | A number of netfilter header-files used declarations and definitions from other headers without including them. Added include directives to make those declarations and definitions available. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: inlined four headers files into another one.Jeremy Sowden8 days7-297/+234
| | | | | | | | | | | | | | | | | | | | linux/netfilter/ipset/ip_set.h included four other header files: include/linux/netfilter/ipset/ip_set_comment.h include/linux/netfilter/ipset/ip_set_counter.h include/linux/netfilter/ipset/ip_set_skbinfo.h include/linux/netfilter/ipset/ip_set_timeout.h Of these the first three were not included anywhere else. The last, ip_set_timeout.h, was included in a couple of other places, but defined inline functions which call other inline functions defined in ip_set.h, so ip_set.h had to be included before it. Inlined all four into ip_set.h, and updated the other files that included ip_set_timeout.h. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: Fix an error code in ip_set_sockfn_get()Dan Carpenter2019-08-271-3/+5
| | | | | | | | | | | The copy_to_user() function returns the number of bytes remaining to be copied. In this code, that positive return is checked at the end of the function and we return zero/success. What we should do instead is return -EFAULT. Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.3 releasedv7.3Jozsef Kadlecsik2019-07-233-1/+11
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Fix rename concurrency with listingJozsef Kadlecsik2019-07-231-1/+1
| | | | | | | | | | | | | Shijie Luo reported that when stress-testing ipset with multiple concurrent create, rename, flush, list, destroy commands, it can result ipset <version>: Broken LIST kernel message: missing DATA part! error messages and broken list results. The problem was the rename operation was not properly handled with respect of listing. The patch fixes the issue. Reported-by: Shijie Luo <luoshijie1@huawei.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac setsStefano Brivio2019-06-282-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets"), ipset.git commit 1543514c46a7, I added to the KADT functions for sets matching on MAC addreses the copy of source or destination MAC address depending on the configured match. This was done correctly for hash:mac, but for hash:ip,mac and bitmap:ip,mac, copying and pasting the same code block presents an obvious problem: in these two set types, the MAC address is the second dimension, not the first one, and we are actually selecting the MAC address depending on whether the first dimension (IP address) specifies source or destination. Fix this by checking for the IPSET_DIM_TWO_SRC flag in option flags. This way, mixing source and destination matches for the two dimensions of ip,mac set types works as expected. With this setup: ip netns add A ip link add veth1 type veth peer name veth2 netns A ip addr add 192.0.2.1/24 dev veth1 ip -net A addr add 192.0.2.2/24 dev veth2 ip link set veth1 up ip -net A link set veth2 up dst=$(ip netns exec A cat /sys/class/net/veth2/address) ip netns exec A ipset create test_bitmap bitmap:ip,mac range 192.0.0.0/16 ip netns exec A ipset add test_bitmap 192.0.2.1,${dst} ip netns exec A iptables -A INPUT -m set ! --match-set test_bitmap src,dst -j DROP ip netns exec A ipset create test_hash hash:ip,mac ip netns exec A ipset add test_hash 192.0.2.1,${dst} ip netns exec A iptables -A INPUT -m set ! --match-set test_hash src,dst -j DROP ipset correctly matches a test packet: # ping -c1 192.0.2.2 >/dev/null # echo $? 0 Reported-by: Chen Yi <yiche@redhat.com> Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: Actually allow destination MAC address for hash:ip,mac sets tooStefano Brivio2019-06-281-4/+0
| | | | | | | | | | | | | | | In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets"), ipset.git commit 1543514c46a7, I removed the KADT check that prevents matching on destination MAC addresses for hash:mac sets, but forgot to remove the same check for hash:ip,mac set. Drop this check: functionality is now commented in man pages and there's no reason to restrict to source MAC address matching anymore. Reported-by: Chen Yi <yiche@redhat.com> Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: fix spelling error in libipset.3 manpageNeutron Soutmun2019-06-281-5/+5
| | | | | | | | | Fix these spelling errors, s/lenght/length/ s/controll/control/ s/funtion/function/ Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Explicitly comment that we need ipset_nest_start(),Jozsef Kadlecsik2019-06-101-0/+7
| | | | | | ipset_nest_end() in the package source. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.2 releasedJozsef Kadlecsik2019-06-103-1/+13
|
* ipset: update my email addressJozsef Kadlecsik2019-06-0575-89/+89
| | | | | | | | | It's better to use my kadlec@netfilter.org email address in the source code. I might not be able to use kadlec@blackhole.kfki.hu in the future. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Fix memory accounting for hash types on resizeStefano Brivio2019-06-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a fresh array block is allocated during resize, the current in-memory set size should be increased by the size of the block, not replaced by it. Before the fix, adding entries to a hash set type, leading to a table resize, caused an inconsistent memory size to be reported. This becomes more obvious when swapping sets with similar sizes: # cat hash_ip_size.sh #!/bin/sh FAIL_RETRIES=10 tries=0 while [ ${tries} -lt ${FAIL_RETRIES} ]; do ipset create t1 hash:ip for i in `seq 1 4345`; do ipset add t1 1.2.$((i / 255)).$((i % 255)) done t1_init="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')" ipset create t2 hash:ip for i in `seq 1 4360`; do ipset add t2 1.2.$((i / 255)).$((i % 255)) done t2_init="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')" ipset swap t1 t2 t1_swap="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')" t2_swap="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')" ipset destroy t1 ipset destroy t2 tries=$((tries + 1)) if [ ${t1_init} -lt 10000 ] || [ ${t2_init} -lt 10000 ]; then echo "FAIL after ${tries} tries:" echo "T1 size ${t1_init}, after swap ${t1_swap}" echo "T2 size ${t2_init}, after swap ${t2_swap}" exit 1 fi done echo "PASS" # echo -n 'func hash_ip4_resize +p' > /sys/kernel/debug/dynamic_debug/control # ./hash_ip_size.sh [ 2035.018673] attempt to resize set t1 from 10 to 11, t 00000000fe6551fa [ 2035.078583] set t1 resized from 10 (00000000fe6551fa) to 11 (00000000172a0163) [ 2035.080353] Table destroy by resize 00000000fe6551fa FAIL after 4 tries: T1 size 9064, after swap 71128 T2 size 71128, after swap 9064 Reported-by: NOYB <JunkYardMail1@Frontier.com> Fixes: 9e41f26a505c ("netfilter: ipset: Count non-static extension memory for userspace") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix error path in set_target_v3_checkentry()Jozsef Kadlecsik2019-01-181-20/+21
| | | | Fix error path and release the references properly.
* Fix the last missing check of nla_parse()Jozsef Kadlecsik2019-01-101-3/+6
| | | | | In dump_init() the outdated comment was incorrect and we had a missing validation check of nla_parse().
* netfilter: ipset: fix a missing check of nla_parseAditya Pakki2019-01-081-2/+7
| | | | | | | | | When nla_parse fails, we should not use the results (the first argument). The fix checks if it fails, and if so, returns its error code upstream. Signed-off-by: Aditya Pakki <pakki001@umn.edu> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: merge uadd and udel functionsFlorent Fourcot2019-01-082-54/+24
| | | | | | | | Both functions are using exactly the same code, except the command value passed to call_ad function. Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: remove useless memset() callsFlorent Fourcot2019-01-081-2/+0
| | | | | | | | | | One of the memset call is buggy: it does not erase full array, but only pointer size. Moreover, after a check, first step of nla_parse_nested/nla_parse is to erase tb array as well. We can remove both calls safely. Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 7.1 releasedv7.1Jozsef Kadlecsik2018-12-103-1/+18
|
* Add compatibility support for strscpy()Jozsef Kadlecsik2018-12-102-0/+15
|
* netfilter/ipset: replace a strncpy() with strscpy()Qian Cai2018-12-041-2/+4
| | | | | | | | | | | | | | To make overflows as obvious as possible and to prevent code from blithely proceeding with a truncated string. This also has a side-effect to fix a compilation warning when using GCC 8.2.1. net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get': net/netfilter/ipset/ip_set_core.c:2027:3: warning: 'strncpy' writing 32 bytes into a region of size 2 overflows the destination [-Wstringop-overflow=] Signed-off-by: Qian Cai <cai@gmx.us> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Correct the manpage about the sort option, supported since 3713072dJozsef Kadlecsik2018-11-301-1/+1
|
* Add missing functions to libipset.mapJozsef Kadlecsik2018-11-283-5/+12
| | | | | Some new functions was not added to libipset.map at the previous release, fix it.
* netfilter: ipset: fix ip_set_byindex functionFlorent Fourcot2018-11-281-1/+1
| | | | | | | | | New function added by "Introduction of new commands and protocol version 7" is not working, since we return skb2 to user Signed-off-by: Victorien Molle <victorien.molle@wifirst.fr> Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: do not call ipset_nest_end after nla_nest_cancelPan Bian2018-11-281-1/+1
| | | | | | | | | | | | | | In the error handling block, nla_nest_cancel(skb, atd) is called to cancel the nest operation. But then, ipset_nest_end(skb, atd) is unexpected called to end the nest operation. This patch calls the ipset_nest_end only on the branch that nla_nest_cancel is not called. Fixes: 45040978c89("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel") Signed-off-by: Pan Bian <bianpan2016@163.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* configure.ac: Fix build regression on RHEL/CentOS/SLSerhey Popovych2018-11-261-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | This was introduced with commit 0f82228387ae ("Use more robust awk patterns to check for backward compatibility") on RHEL 7.3+ because it's kernel contains backported upstream commit 633c9a840d0b ("netfilter: nfnetlink: avoid recurrent netns lookups in call_batch") that introduces @net of @struct net type parameter matched with $GREP after $AWK returns whole @struct nfnl_callback. This causes incorrect IPSET_CBFN() prototype choose for ->call() of @struct nfnl_callback producing following warnings during the build: .../ipset/ip_set_core.c:2007:3: warning: initialization from incompatible pointer type [enabled by default] .call = ip_set_destroy, ^ ../ipset/ip_set_core.c:2007:3: warning: (near initialization for ‘ip_set_netlink_subsys_cb[3].call’) [enabled by default] Fix by matching pattern to the end of first function pointer in @struct nfnl_callback instead of end of struct. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Implement sorting for hash types in the ipset toolJozsef Kadlecsik2018-11-2610-19/+66346
| | | | | Support listing/saving with sorted entries for the hash types. (bitmap and list types are automatically sorted.)
* Fix to list/save into file specified by optionJozsef Kadlecsik2018-11-101-2/+3
| | | | | list/save into file given by "-f filename" did not work in 7.0, reported by Isaac Good.
* Correct workaround in patch "Fix calling ip_set() macro at dumping"Jozsef Kadlecsik2018-10-301-15/+4
| | | | | | As Pablo pointed out, in order to fix the bogus warnings, there's no need for the non-useful rcu_read_lock/unlock dancing. Call rcu_dereference_raw() instead, the ref_netlink protects the set.
* ipset 7.0 releasedv7.0Jozsef Kadlecsik2018-10-273-1/+43
|
* Introduction of new commands and protocol version 7Jozsef Kadlecsik2018-10-2714-34/+209
| | | | | | | | | | | Two new commands (IPSET_CMD_GET_BYNAME, IPSET_CMD_GET_BYINDEX) are introduced. The new commands makes possible to eliminate the getsockopt operation (in iptables set/SET match/target) and thus use only netlink communication between userspace and kernel for ipset. With the new protocol version, userspace can exactly know which functionality is supported by the running kernel. Both the kernel and userspace is fully backward compatible.
* License cleanup: add SPDX license identifier to uapi header files with no ↵Greg Kroah-Hartman2018-10-224-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | license Many user space API headers are missing licensing information, which makes it hard for compliance tools to determine the correct license. By default are files without license information under the default license of the kernel, which is GPLV2. Marking them GPLV2 would exclude them from being included in non GPLV2 code, which is obviously not intended. The user space API headers fall under the syscall exception which is in the kernels COPYING file: NOTE! This copyright does *not* cover user programs that use kernel services by normal system calls - this is merely considered normal use of the kernel, and does *not* fall under the heading of "derived work". otherwise syscall usage would not be possible. Update the files which contain no license information with an SPDX license identifier. The chosen identifier is 'GPL-2.0 WITH Linux-syscall-note' which is the officially assigned identifier for the Linux syscall exception. SPDX license identifiers are a legally binding shorthand, which can be used instead of the full boiler plate text. This patch is based on work done by Thomas Gleixner and Kate Stewart and Philippe Ombredanne. See the previous patch in this series for the methodology of how this patch was researched. Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add compatibility support for async in pernet_operations.Jozsef Kadlecsik2018-10-222-0/+11
|
* net: Convert ip_set_net_opsKirill Tkhai2018-10-221-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These pernet_operations initialize and destroy net_generic(net, ip_set_net_id)-related data. Since ip_set is under CONFIG_IP_SET, it's easy to watch drivers, which depend on this config. All of them are in net/netfilter/ipset directory, except of net/netfilter/xt_set.c. There are no more drivers, which use ip_set, and all of the above don't register another pernet_operations. Also, there are is no indirect users, as header file include/linux/netfilter/ipset/ip_set.h does not define indirect users by something like this: #ifdef CONFIG_IP_SET extern func(void); #else static inline func(void); #endif So, there are no more pernet operations, dereferencing net_generic(net, ip_set_net_id). ip_set_net_ops are OK to be executed in parallel for several net, so we mark them as async. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Use more robust awk patterns to check for backward compatibilityJozsef Kadlecsik2018-10-221-15/+15
|
* netfilter: Replace spin_is_locked() with lockdepLance Roy2018-10-221-1/+1
| | | | | | | | | | | | | | | | | lockdep_assert_held() is better suited to checking locking requirements, since it won't get confused when someone else holds the lock. This is also a step towards possibly removing spin_is_locked(). Signed-off-by: Lance Roy <ldr709@gmail.com> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Cc: Florian Westphal <fw@strlen.de> Cc: "David S. Miller" <davem@davemloft.net> Cc: <netfilter-devel@vger.kernel.org> Cc: <coreteam@netfilter.org> Cc: <netdev@vger.kernel.org> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Prepare the ipset tool to handle multiple protocol versionsJozsef Kadlecsik2018-10-223-9/+25
| | | | | From now on the "version" command asks the kernel protocol version too and reports if the userspace - kernel protocols do not match.
* Fix warning message handlingJozsef Kadlecsik2018-10-227-61/+76
| | | | | Warning messages were not printed and handled properly, the patch fixes the issue.
* Correct to test null valued entry in hash:net6,port,net6 testJozsef Kadlecsik2018-10-191-3/+9
|
* Fix calling ip_set() macro at dumpingJozsef Kadlecsik2018-10-191-4/+19
| | | | | | | | The ip_set() macro is called when either ip_set_ref_lock held only or no lock/nfnl mutex is held at dumping. Take this into account properly. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Correct rcu_dereference() call in ip_set_put_comment()Jozsef Kadlecsik2018-10-191-2/+2
| | | | | | | The function is called when rcu_read_lock() is held and not when rcu_read_lock_bh() is held. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Library reworked to support embedding ipset completelyJozsef Kadlecsik2018-10-1823-1066/+2160
| | | | | | | | | | | The ipset library is rewritten/extended to support embedding ipset, so that sets can fully be managed without calling the ipset binary. The ipset binary relies completely on the new library. The libipset.3 manpage was written about the library functions and usage. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add compatibility to support kvcalloc()Jozsef Kadlecsik2018-09-242-0/+15
|
* netfilter: ipset: fix ip_set_list allocation failureAndrey Ryabinin2018-09-241-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ip_set_create() and ip_set_net_init() attempt to allocate physically contiguous memory for ip_set_list. If memory is fragmented, the allocations could easily fail: vzctl: page allocation failure: order:7, mode:0xc0d0 Call Trace: dump_stack+0x19/0x1b warn_alloc_failed+0x110/0x180 __alloc_pages_nodemask+0x7bf/0xc60 alloc_pages_current+0x98/0x110 kmalloc_order+0x18/0x40 kmalloc_order_trace+0x26/0xa0 __kmalloc+0x279/0x290 ip_set_net_init+0x4b/0x90 [ip_set] ops_init+0x3b/0xb0 setup_net+0xbb/0x170 copy_net_ns+0xf1/0x1c0 create_new_namespaces+0xf9/0x180 copy_namespaces+0x8e/0xd0 copy_process+0xb61/0x1a00 do_fork+0x91/0x320 Use kvcalloc() to fallback to 0-order allocations if high order page isn't available. Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>