1. 14 4月, 2012 1 次提交
    • W
      seccomp: add system call filtering using BPF · e2cfabdf
      Will Drewry 提交于
      [This patch depends on luto@mit.edu's no_new_privs patch:
         https://lkml.org/lkml/2012/1/30/264
       The whole series including Andrew's patches can be found here:
         https://github.com/redpig/linux/tree/seccomp
       Complete diff here:
         https://github.com/redpig/linux/compare/1dc65fed...seccomp
      ]
      
      This patch adds support for seccomp mode 2.  Mode 2 introduces the
      ability for unprivileged processes to install system call filtering
      policy expressed in terms of a Berkeley Packet Filter (BPF) program.
      This program will be evaluated in the kernel for each system call
      the task makes and computes a result based on data in the format
      of struct seccomp_data.
      
      A filter program may be installed by calling:
        struct sock_fprog fprog = { ... };
        ...
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
      
      The return value of the filter program determines if the system call is
      allowed to proceed or denied.  If the first filter program installed
      allows prctl(2) calls, then the above call may be made repeatedly
      by a task to further reduce its access to the kernel.  All attached
      programs must be evaluated before a system call will be allowed to
      proceed.
      
      Filter programs will be inherited across fork/clone and execve.
      However, if the task attaching the filter is unprivileged
      (!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task.  This
      ensures that unprivileged tasks cannot attach filters that affect
      privileged tasks (e.g., setuid binary).
      
      There are a number of benefits to this approach. A few of which are
      as follows:
      - BPF has been exposed to userland for a long time
      - BPF optimization (and JIT'ing) are well understood
      - Userland already knows its ABI: system call numbers and desired
        arguments
      - No time-of-check-time-of-use vulnerable data accesses are possible.
      - system call arguments are loaded on access only to minimize copying
        required for system call policy decisions.
      
      Mode 2 support is restricted to architectures that enable
      HAVE_ARCH_SECCOMP_FILTER.  In this patch, the primary dependency is on
      syscall_get_arguments().  The full desired scope of this feature will
      add a few minor additional requirements expressed later in this series.
      Based on discussion, SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE seem to be
      the desired additional functionality.
      
      No architectures are enabled in this patch.
      Signed-off-by: NWill Drewry <wad@chromium.org>
      Acked-by: NSerge Hallyn <serge.hallyn@canonical.com>
      Reviewed-by: NIndan Zupancic <indan@nul.nu>
      Acked-by: NEric Paris <eparis@redhat.com>
      Reviewed-by: NKees Cook <keescook@chromium.org>
      
      v18: - rebase to v3.4-rc2
           - s/chk/check/ (akpm@linux-foundation.org,jmorris@namei.org)
           - allocate with GFP_KERNEL|__GFP_NOWARN (indan@nul.nu)
           - add a comment for get_u32 regarding endianness (akpm@)
           - fix other typos, style mistakes (akpm@)
           - added acked-by
      v17: - properly guard seccomp filter needed headers (leann@ubuntu.com)
           - tighten return mask to 0x7fff0000
      v16: - no change
      v15: - add a 4 instr penalty when counting a path to account for seccomp_filter
             size (indan@nul.nu)
           - drop the max insns to 256KB (indan@nul.nu)
           - return ENOMEM if the max insns limit has been hit (indan@nul.nu)
           - move IP checks after args (indan@nul.nu)
           - drop !user_filter check (indan@nul.nu)
           - only allow explicit bpf codes (indan@nul.nu)
           - exit_code -> exit_sig
      v14: - put/get_seccomp_filter takes struct task_struct
             (indan@nul.nu,keescook@chromium.org)
           - adds seccomp_chk_filter and drops general bpf_run/chk_filter user
           - add seccomp_bpf_load for use by net/core/filter.c
           - lower max per-process/per-hierarchy: 1MB
           - moved nnp/capability check prior to allocation
             (all of the above: indan@nul.nu)
      v13: - rebase on to 88ebdda6
      v12: - added a maximum instruction count per path (indan@nul.nu,oleg@redhat.com)
           - removed copy_seccomp (keescook@chromium.org,indan@nul.nu)
           - reworded the prctl_set_seccomp comment (indan@nul.nu)
      v11: - reorder struct seccomp_data to allow future args expansion (hpa@zytor.com)
           - style clean up, @compat dropped, compat_sock_fprog32 (indan@nul.nu)
           - do_exit(SIGSYS) (keescook@chromium.org, luto@mit.edu)
           - pare down Kconfig doc reference.
           - extra comment clean up
      v10: - seccomp_data has changed again to be more aesthetically pleasing
             (hpa@zytor.com)
           - calling convention is noted in a new u32 field using syscall_get_arch.
             This allows for cross-calling convention tasks to use seccomp filters.
             (hpa@zytor.com)
           - lots of clean up (thanks, Indan!)
       v9: - n/a
       v8: - use bpf_chk_filter, bpf_run_filter. update load_fns
           - Lots of fixes courtesy of indan@nul.nu:
           -- fix up load behavior, compat fixups, and merge alloc code,
           -- renamed pc and dropped __packed, use bool compat.
           -- Added a hidden CONFIG_SECCOMP_FILTER to synthesize non-arch
              dependencies
       v7:  (massive overhaul thanks to Indan, others)
           - added CONFIG_HAVE_ARCH_SECCOMP_FILTER
           - merged into seccomp.c
           - minimal seccomp_filter.h
           - no config option (part of seccomp)
           - no new prctl
           - doesn't break seccomp on systems without asm/syscall.h
             (works but arg access always fails)
           - dropped seccomp_init_task, extra free functions, ...
           - dropped the no-asm/syscall.h code paths
           - merges with network sk_run_filter and sk_chk_filter
       v6: - fix memory leak on attach compat check failure
           - require no_new_privs || CAP_SYS_ADMIN prior to filter
             installation. (luto@mit.edu)
           - s/seccomp_struct_/seccomp_/ for macros/functions (amwang@redhat.com)
           - cleaned up Kconfig (amwang@redhat.com)
           - on block, note if the call was compat (so the # means something)
       v5: - uses syscall_get_arguments
             (indan@nul.nu,oleg@redhat.com, mcgrathr@chromium.org)
            - uses union-based arg storage with hi/lo struct to
              handle endianness.  Compromises between the two alternate
              proposals to minimize extra arg shuffling and account for
              endianness assuming userspace uses offsetof().
              (mcgrathr@chromium.org, indan@nul.nu)
            - update Kconfig description
            - add include/seccomp_filter.h and add its installation
            - (naive) on-demand syscall argument loading
            - drop seccomp_t (eparis@redhat.com)
       v4:  - adjusted prctl to make room for PR_[SG]ET_NO_NEW_PRIVS
            - now uses current->no_new_privs
              (luto@mit.edu,torvalds@linux-foundation.com)
            - assign names to seccomp modes (rdunlap@xenotime.net)
            - fix style issues (rdunlap@xenotime.net)
            - reworded Kconfig entry (rdunlap@xenotime.net)
       v3:  - macros to inline (oleg@redhat.com)
            - init_task behavior fixed (oleg@redhat.com)
            - drop creator entry and extra NULL check (oleg@redhat.com)
            - alloc returns -EINVAL on bad sizing (serge.hallyn@canonical.com)
            - adds tentative use of "always_unprivileged" as per
              torvalds@linux-foundation.org and luto@mit.edu
       v2:  - (patch 2 only)
      Signed-off-by: NJames Morris <james.l.morris@oracle.com>
      e2cfabdf
  2. 01 4月, 2012 1 次提交
  3. 05 3月, 2012 1 次提交
    • P
      ppp: Move ioctl definitions from if_ppp.h to new ppp-ioctl.h · bf7daebb
      Paul Mackerras 提交于
      This moves the definitions of the ioctls, constants and structures
      relating to the ppp_generic interface to userspace out from if_ppp.h
      to a new file, ppp-ioctl.h.  The new file has my copyright since I
      designed and implemented the ppp_generic interface in the late 1990s.
      None of the contents of this file comes from the original if_ppp.h
      published by Carnegie Mellon University.
      
      Of the remainder of if_ppp.h, only the PPP_MTU definition was being
      used, and this replaces the uses of it with PPP_MRU (which is identical).
      Therefore, this replaces the entire file with the single line
      
      #include <linux/ppp-ioctl.h>
      
      which clearly doesn't contain any CMU code.  Thus I have removed the
      CMU copyright notice with its problematic advertising clause, and in
      fact since it's only one trivial line I have not added any other
      copyright notice.
      Signed-off-by: NPaul Mackerras <paulus@samba.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bf7daebb
  4. 02 3月, 2012 1 次提交
    • B
      mdio: Export mdio.h to userland · 9c717758
      Ben Hutchings 提交于
      The ID packing definitions are needed by userland and the register
      definitions may also be useful there.
      
      Do not export mdio_phy_id_{is_c45,prtad,devad}() as the use of bool is
      problematic and it's not that useful to export only a subset of these.
      
      Do not export MDIO_SUPPORTS_{C22,C45} directly; these flags are only
      exposed to userland through struct ethtool_cmd so they should be
      defined alongside that with appropriate names.
      Signed-off-by: NBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9c717758
  5. 21 2月, 2012 1 次提交
  6. 05 1月, 2012 1 次提交
  7. 31 12月, 2011 2 次提交
  8. 14 11月, 2011 1 次提交
    • J
      net: introduce ethernet teaming device · 3d249d4c
      Jiri Pirko 提交于
      This patch introduces new network device called team. It supposes to be
      very fast, simple, userspace-driven alternative to existing bonding
      driver.
      
      Userspace library called libteam with couple of demo apps is available
      here:
      https://github.com/jpirko/libteam
      Note it's still in its dipers atm.
      
      team<->libteam use generic netlink for communication. That and rtnl
      suppose to be the only way to configure team device, no sysfs etc.
      
      Python binding of libteam was recently introduced.
      Daemon providing arpmon/miimon active-backup functionality will be
      introduced shortly. All what's necessary is already implemented in
      kernel team driver.
      
      v7->v8:
      	- check ndo_ndo_vlan_rx_[add/kill]_vid functions before calling
      	  them.
      	- use dev_kfree_skb_any() instead of dev_kfree_skb()
      
      v6->v7:
      	- transmit and receive functions are not checked in hot paths.
      	  That also resolves memory leak on transmit when no port is
      	  present
      
      v5->v6:
      	- changed couple of _rcu calls to non _rcu ones in non-readers
      
      v4->v5:
      	- team_change_mtu() uses team->lock while travesing though port
      	  list
      	- mac address changes are moved completely to jurisdiction of
      	  userspace daemon. This way the daemon can do FOM1, FOM2 and
      	  possibly other weird things with mac addresses.
      	  Only round-robin mode sets up all ports to bond's address then
      	  enslaved.
      	- Extended Kconfig text
      
      v3->v4:
      	- remove redundant synchronize_rcu from __team_change_mode()
      	- revert "set and clear of mode_ops happens per pointer, not per
      	  byte"
      	- extend comment of function __team_change_mode()
      
      v2->v3:
      	- team_change_mtu() uses rcu version of list traversal to unwind
      	- set and clear of mode_ops happens per pointer, not per byte
      	- port hashlist changed to be embedded into team structure
      	- error branch in team_port_enter() does cleanup now
      	- fixed rtln->rtnl
      
      v1->v2:
      	- modes are made as modules. Makes team more modular and
      	  extendable.
      	- several commenters' nitpicks found on v1 were fixed
      	- several other bugs were fixed.
      	- note I ignored Eric's comment about roundrobin port selector
      	  as Eric's way may be easily implemented as another mode (mode
      	  "random") in future.
      Signed-off-by: NJiri Pirko <jpirko@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3d249d4c
  9. 08 7月, 2011 1 次提交
    • T
      drivers/virt: introduce Freescale hypervisor management driver · 6db71994
      Timur Tabi 提交于
      Add the drivers/virt directory, which houses drivers that support
      virtualization environments, and add the Freescale hypervisor management
      driver.
      
      The Freescale hypervisor management driver provides several services to
      drivers and applications related to the Freescale hypervisor:
      
      1. An ioctl interface for querying and managing partitions
      
      2. A file interface to reading incoming doorbells
      
      3. An interrupt handler for shutting down the partition upon receiving the
         shutdown doorbell from a manager partition
      
      4. A kernel interface for receiving callbacks when a managed partition
         shuts down.
      Signed-off-by: NTimur Tabi <timur@freescale.com>
      Acked-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NKumar Gala <galak@kernel.crashing.org>
      6db71994
  10. 25 5月, 2011 1 次提交
    • J
      mmc: core: Add mmc CMD+ACMD passthrough ioctl · cb87ea28
      John Calixto 提交于
      Allows appropriately-privileged applications to send CMD (normal) and ACMD
      (application-specific; preceded with CMD55) commands to cards/devices on
      the mmc bus.  This is primarily useful for enabling the security
      functionality built in to every SD card.
      
      It can also be used as a generic passthrough (e.g. to enable virtual
      machines to control mmc bus devices directly).  However, this use case has
      not been tested rigorously.  Generic passthrough testing was only conducted
      for a few non-security opcodes to prove the feasibility of the passthrough.
      
      Since any opcode can be sent using this passthrough, it is very possible to
      render the card/device unusable.  Applications that use this ioctl must
      have CAP_SYS_RAWIO.
      
      Security commands tested on TI PCIxx12 (SDHCI), Sigma Designs SMP8652 SoC,
      TI OMAP3621/OMAP3630 SoC, Samsung S5PC110 SoC, Qualcomm MSM7200A SoC.
      Signed-off-by: NJohn Calixto <john.calixto@modsystems.com>
      Reviewed-by: NAndrei Warkentin <andreiw@motorola.com>
      Reviewed-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NChris Ball <cjb@laptop.org>
      cb87ea28
  11. 24 5月, 2011 1 次提交
  12. 20 5月, 2011 1 次提交
  13. 22 3月, 2011 4 次提交
  14. 01 2月, 2011 2 次提交
    • G
      Revert "appletalk: move to staging" · 0ffbf8bf
      Greg Kroah-Hartman 提交于
      This reverts commit a6238f21
      
      Appletalk got some patches to fix up the BLK usage in it in the
      network tree, so this removal isn't needed.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: <acme@ghostprotocols.net>
      Cc: netdev@vger.kernel.org,
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      0ffbf8bf
    • A
      appletalk: move to staging · a6238f21
      Arnd Bergmann 提交于
      For all I know, Appletalk is dead, the only reasonable
      use right now would be nostalgia, and that can be served
      well enough by old kernels. The code is largely not
      in a bad shape, but it still uses the big kernel lock,
      and nobody seems motivated to change that.
      
      FWIW, the last release of MacOS that supported Appletalk
      was MacOS X 10.5, made in 2007, and it has been abandoned
      by Apple with 10.6. Using TCP/IP instead of Appletalk has
      been supported since MacOS 7.6, which was released in
      1997 and is able to run on most of the legacy hardware.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Cc: netdev@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      a6238f21
  15. 30 1月, 2011 1 次提交
  16. 29 12月, 2010 1 次提交
  17. 15 12月, 2010 1 次提交
  18. 03 12月, 2010 1 次提交
  19. 29 10月, 2010 1 次提交
  20. 21 10月, 2010 1 次提交
    • H
      V4L/DVB: videotext: remove this obsolete API · 226c0eea
      Hans Verkuil 提交于
      Remove the vtx (aka videotext aka teletext) API from the v4l2 core.
      This API was scheduled for removal in kernel 2.6.35.
      
      The vtx device nodes have been superseded by vbi device nodes
      for many years. No applications exist that use the vtx support.
      Of the two i2c drivers that actually support this API the saa5249
      has been impossible to use for a year now and no known hardware
      that supports this device exists. The saa5246a is theoretically
      supported by the old mxb boards, but it never actually worked.
      
      In summary: there is no hardware that can use this API and there
      are no applications actually implementing this API.
      
      The vtx support still reserves minors 192-223 and we would really
      like to reuse those for upcoming new functionality. In the unlikely
      event that new hardware appears that wants to use the functionality
      provided by the vtx API, then that functionality should be build
      around the sliced VBI API instead.
      Signed-off-by: NHans Verkuil <hverkuil@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab@redhat.com>
      226c0eea
  21. 12 10月, 2010 1 次提交
    • E
      fanotify: disable fanotify syscalls · 7c534773
      Eric Paris 提交于
      This patch disables the fanotify syscalls by just not building them and
      letting the cond_syscall() statements in kernel/sys_ni.c redirect them
      to sys_ni_syscall().
      
      It was pointed out by Tvrtko Ursulin that the fanotify interface did not
      include an explicit prioritization between groups.  This is necessary
      for fanotify to be usable for hierarchical storage management software,
      as they must get first access to the file, before inotify-like notifiers
      see the file.
      
      This feature can be added in an ABI compatible way in the next release
      (by using a number of bits in the flags field to carry the info) but it
      was suggested by Alan that maybe we should just hold off and do it in
      the next cycle, likely with an (new) explicit argument to the syscall.
      I don't like this approach best as I know people are already starting to
      use the current interface, but Alan is all wise and noone on list backed
      me up with just using what we have.  I feel this is needlessly ripping
      the rug out from under people at the last minute, but if others think it
      needs to be a new argument it might be the best way forward.
      
      Three choices:
      Go with what we got (and implement the new feature next cycle).  Add a
      new field right now (and implement the new feature next cycle).  Wait
      till next cycle to release the ABI (and implement the new feature next
      cycle).  This is number 3.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      7c534773
  22. 06 10月, 2010 1 次提交
  23. 09 9月, 2010 1 次提交
  24. 15 8月, 2010 1 次提交
  25. 08 8月, 2010 1 次提交
  26. 03 8月, 2010 1 次提交
  27. 28 7月, 2010 1 次提交
    • E
      fanotify: fscking all notification system · ff0b16a9
      Eric Paris 提交于
      fanotify is a novel file notification system which bases notification on
      giving userspace both an event type (open, close, read, write) and an open
      file descriptor to the object in question.  This should address a number of
      races and problems with other notification systems like inotify and dnotify
      and should allow the future implementation of blocking or access controlled
      notification.  These are useful for on access scanners or hierachical storage
      management schemes.
      
      This patch just implements the basics of the fsnotify functions.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      ff0b16a9
  28. 23 4月, 2010 1 次提交
  29. 01 3月, 2010 1 次提交
  30. 23 2月, 2010 1 次提交
  31. 15 1月, 2010 1 次提交
    • M
      vhost_net: a kernel-level virtio server · 3a4d5c94
      Michael S. Tsirkin 提交于
      What it is: vhost net is a character device that can be used to reduce
      the number of system calls involved in virtio networking.
      Existing virtio net code is used in the guest without modification.
      
      There's similarity with vringfd, with some differences and reduced scope
      - uses eventfd for signalling
      - structures can be moved around in memory at any time (good for
        migration, bug work-arounds in userspace)
      - write logging is supported (good for migration)
      - support memory table and not just an offset (needed for kvm)
      
      common virtio related code has been put in a separate file vhost.c and
      can be made into a separate module if/when more backends appear.  I used
      Rusty's lguest.c as the source for developing this part : this supplied
      me with witty comments I wouldn't be able to write myself.
      
      What it is not: vhost net is not a bus, and not a generic new system
      call. No assumptions are made on how guest performs hypercalls.
      Userspace hypervisors are supported as well as kvm.
      
      How it works: Basically, we connect virtio frontend (configured by
      userspace) to a backend. The backend could be a network device, or a tap
      device.  Backend is also configured by userspace, including vlan/mac
      etc.
      
      Status: This works for me, and I haven't see any crashes.
      Compared to userspace, people reported improved latency (as I save up to
      4 system calls per packet), as well as better bandwidth and CPU
      utilization.
      
      Features that I plan to look at in the future:
      - mergeable buffers
      - zero copy
      - scalability tuning: figure out the best threading model to use
      
      Note on RCU usage (this is also documented in vhost.h, near
      private_pointer which is the value protected by this variant of RCU):
      what is happening is that the rcu_dereference() is being used in a
      workqueue item.  The role of rcu_read_lock() is taken on by the start of
      execution of the workqueue item, of rcu_read_unlock() by the end of
      execution of the workqueue item, and of synchronize_rcu() by
      flush_workqueue()/flush_work(). In the future we might need to apply
      some gcc attribute or sparse annotation to the function passed to
      INIT_WORK(). Paul's ack below is for this RCU usage.
      
      (Includes fixes by Alan Cox <alan@linux.intel.com>,
      David L Stevens <dlstevens@us.ibm.com>,
      Chris Wright <chrisw@redhat.com>)
      Acked-by: NRusty Russell <rusty@rustcorp.com.au>
      Acked-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: N"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3a4d5c94
  32. 12 12月, 2009 2 次提交
  33. 30 10月, 2009 1 次提交
    • S
      define convenient securebits masks for prctl users (v2) · 5975c725
      Serge E. Hallyn 提交于
      Hi James, would you mind taking the following into
      security-testing?
      
      The securebits are used by passing them to prctl with the
      PR_{S,G}ET_SECUREBITS commands.  But the defines must be
      shifted to be used in prctl, which begs to be confused and
      misused by userspace.  So define some more convenient
      values for userspace to specify.  This way userspace does
      
      	prctl(PR_SET_SECUREBITS, SECBIT_NOROOT);
      
      instead of
      
      	prctl(PR_SET_SECUREBITS, 1 << SECURE_NOROOT);
      
      (Thanks to Michael for the idea)
      
      This patch also adds include/linux/securebits to the installed headers.
      Then perhaps it can be included by glibc's sys/prctl.h.
      
      Changelog:
      	Oct 29: Stephen Rothwell points out that issecure can
      		be under __KERNEL__.
      	Oct 14: (Suggestions by Michael Kerrisk):
      		1. spell out SETUID in SECBIT_NO_SETUID*
      		2. SECBIT_X_LOCKED does not imply SECBIT_X
      		3. add definitions for keepcaps
              Oct 14: As suggested by Michael Kerrisk, don't
      		use SB_* as that convention is already in
      		use.  Use SECBIT_ prefix instead.
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Acked-by: NAndrew G. Morgan <morgan@kernel.org>
      Acked-by: NMichael Kerrisk <mtk.manpages@gmail.com>
      Cc: Ulrich Drepper <drepper@redhat.com>
      Cc: James Morris <jmorris@namei.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      5975c725
  34. 22 10月, 2009 1 次提交
    • C
      virtio: let header files include virtio_ids.h · e95646c3
      Christian Borntraeger 提交于
      Rusty,
      
      commit 3ca4f5ca
          virtio: add virtio IDs file
      moved all device IDs into a single file. While the change itself is
      a very good one, it can break userspace applications. For example
      if a userspace tool wanted to get the ID of virtio_net it used to
      include virtio_net.h. This does no longer work, since virtio_net.h
      does not include virtio_ids.h.
      This patch moves all "#include <linux/virtio_ids.h>" from the C
      files into the header files, making the header files compatible with
      the old ones.
      
      In addition, this patch exports virtio_ids.h to userspace.
      
      CC: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
      Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      e95646c3