Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp45932imn; Wed, 27 Jul 2022 14:46:17 -0700 (PDT) X-Google-Smtp-Source: AGRyM1t03CzOB5Kxnws5laMHB9grIOX8qS7xoMTLQ7zpE92sTuv43dcA0Bw4mUWZ1RQX68tq3u4x X-Received: by 2002:a50:fc89:0:b0:43c:bf1e:165d with SMTP id f9-20020a50fc89000000b0043cbf1e165dmr4038478edq.161.1658958376816; Wed, 27 Jul 2022 14:46:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658958376; cv=none; d=google.com; s=arc-20160816; b=Tu4GhPI913MDYHEaEXpPzvSQ9dhGT1soCQ1kcFpgwgW6R3hS96T8d6zWQ4J3drTc+/ 2wJuyd7YKydJjG/w1IFL05MuIN7Nq4yMXSUxfyJmZq7A8WyIssq2eagtM5nC9UwcAJAm UJPQFzLevfDMmlxz2z7YZkxhasLYWhhut2bAKID6BkNN5OJFpmMNJsAIAhhLiJT/gXtd qBezi1q/YPbSF+i1z0dYl/kEGshM3yLYdGjuy1HB5XwK7w7GxxnC7F1aKBUPmj+dCiaI 86qrR6Xsueu1oENt3cn6SpNnaEFtsSiMCtYDbvFj1enSyDBz4VlD1mjpQXg9x4KkFcqK 4gtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version :dkim-signature; bh=8FW5b1dp1sRdNeatGSAMcF8uH7fwV3D/tMqMm+pXGzE=; b=MeXvwYZETWlf/n6+49oTcy4KDfUms/Nidpc3Yo3AONwWQrWdH6Vo3n307Y00AfgVMm BUzciB3yVv5Cn5vWx1c9Wy0vy9bWD/YSNudNcHjAYq8EBJ07LhDT6aVaGS9Owq0CcRnt OFU62KvWHoGimiAwusDxUmYVrcJeHmQTMvzaHNjw5VgX/9FR6Z79skPDsKSJSEOWwueM Vv6pthAXdYwgP9exTRUqo0uIKfjesd20jmvWLZA5+Rcn6vKNw+lloPs6UEcOSKJb1Sn0 NfFD71YVNtgUZcMiZHLrie7GrUcGHBLKekn/UU4OYc+/38IJovYlTl7Bqq7G5ntvpXS6 s7oA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=YMoGNHl8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j12-20020a056402238c00b0043bca9c457csi16382319eda.396.2022.07.27.14.45.30; Wed, 27 Jul 2022 14:46:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=YMoGNHl8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235118AbiG0V3C (ORCPT + 99 others); Wed, 27 Jul 2022 17:29:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53112 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229508AbiG0V3A (ORCPT ); Wed, 27 Jul 2022 17:29:00 -0400 Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CCF4A5F9A0 for ; Wed, 27 Jul 2022 14:28:58 -0700 (PDT) Received: by mail-ed1-x534.google.com with SMTP id s9so3804577edd.8 for ; Wed, 27 Jul 2022 14:28:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to:cc; bh=8FW5b1dp1sRdNeatGSAMcF8uH7fwV3D/tMqMm+pXGzE=; b=YMoGNHl8J2bXC00IyDxF/vk/8c3j4gp5OmLjDVJDFtzblOTQVGn5gIoAfxJMLhb5to JkAZjju4fmL336SuZuXxJN9HIZZjpxH/npoBFh/M7fzjp/5dUIQp5JRjOhxPVQa88L+n 0QDwqFuDrmmx9QVm/9PAm6lKuDousvcfTPulbfxVxJhz6eGeO0usqtT+8XoV/R8MF4DC QxyFSttx1rIOU7Ct6y1CC2tcU3spws22kZPsCxHulqJwvA/COKF4EwPf/sN8FT9f18OS kXxXSdjDmRIaSN13uy4/Yeruy0lcwkS3kM0OSRIO0C9xY1ENlh8hpQ1p4elkzm4lZVfT cjaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=8FW5b1dp1sRdNeatGSAMcF8uH7fwV3D/tMqMm+pXGzE=; b=nib0wux5g4+YSwQhqMccCZywqERdb3ykcfdla8psqtqkjzl97gbYAd6wckt2ctSg5P 04Pm8SyrK1OL2/bYdh0N6JLBJMFl5iCw0wWTX29+g+VOgJDUhhvtv14oIASi/d10qwxu xM+/C9Iny9amRGsqpwGhmYjDTAfgXEYSxld4GgD+5RNj4fzg5ZJoyP/Jl2UYkRkLjpUh NQ7pAbAkBaPRGROyR6G9Feo29SFUkUc3yno/SWqGTFmOIhNHJzBeM+/6d1jLKoCCwzUw INxXPZYvAkqOZsbp962A8/mI25F5wnMlH8rxNAng1mxlgWGLx9aYpOE6RlpwX0SD+h9V saHQ== X-Gm-Message-State: AJIora/RpB5Lk2AG8WcGA+UR5k8G1poJP/RIOXIEcUsjvs7nNX/O4GlN Jcrkv4l0hhaWe1UaKbKWjIybrV/bMiDE+GHlaFo= X-Received: by 2002:aa7:cac4:0:b0:43b:ddac:aa79 with SMTP id l4-20020aa7cac4000000b0043bddacaa79mr24256777edt.202.1658957337072; Wed, 27 Jul 2022 14:28:57 -0700 (PDT) MIME-Version: 1.0 From: Dipanjan Das Date: Wed, 27 Jul 2022 14:28:45 -0700 Message-ID: Subject: KASAN: use-after-free Read in post_one_notification To: dhowells@redhat.com, Greg KH , sashal@kernel.org, fmdefrancesco@gmail.com, edumazet@google.com, linux-kernel@vger.kernel.org Cc: syzkaller@googlegroups.com, fleischermarius@googlemail.com, its.priyanka.bose@gmail.com Content-Type: multipart/mixed; boundary="000000000000c63d2305e4d01ab2" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --000000000000c63d2305e4d01ab2 Content-Type: text/plain; charset="UTF-8" Hi, We would like to report the following bug which has been found by our modified version of syzkaller. ====================================================== description: KASAN: use-after-free Read in post_one_notification affected file: kernel/watch_queue.c kernel version: 5.10.131 kernel commit: 8f95261a006489c828f1d909355669875649668b git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=e49433cfed49b7d9 crash reproducer: attached patch: This bug was previously reported by syzkaller for kernel version 5.17. The same patch works for kernel version 5.10 as well, i.e., we tested that the repro can no longer triggers the reported crash with this patch: https://syzkaller.appspot.com/text?tag=Patch&x=13b8c83c080000 ====================================================== Crash log: ====================================================== BUG: KASAN: use-after-free in __lock_acquire+0x3867/0x5840 kernel/locking/lockdep.c:4824 Read of size 8 at addr ffff8880aa5f8ca8 by task syz-executor.5/1878 CPU: 0 PID: 1878 Comm: syz-executor.5 Tainted: G OE 5.10.131+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x4f7 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 __lock_acquire+0x3867/0x5840 kernel/locking/lockdep.c:4824 lock_acquire kernel/locking/lockdep.c:5564 [inline] lock_acquire+0x1a8/0x4b0 kernel/locking/lockdep.c:5529 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline] _raw_spin_lock_irq+0x32/0x50 kernel/locking/spinlock.c:167 spin_lock_irq include/linux/spinlock.h:379 [inline] post_one_notification+0x59/0x860 kernel/watch_queue.c:86 __post_watch_notification kernel/watch_queue.c:206 [inline] __post_watch_notification+0x562/0x840 kernel/watch_queue.c:176 post_watch_notification include/linux/watch_queue.h:109 [inline] notify_key security/keys/internal.h:199 [inline] __key_update security/keys/key.c:774 [inline] key_create_or_update+0xbff/0xd00 security/keys/key.c:977 __do_sys_add_key security/keys/keyctl.c:134 [inline] __se_sys_add_key security/keys/keyctl.c:74 [inline] __x64_sys_add_key+0x2ab/0x4b0 security/keys/keyctl.c:74 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fc85a2514ed Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc858201be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 RAX: ffffffffffffffda RBX: 00007fc85a36ff60 RCX: 00007fc85a2514ed RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000 RBP: 00007fc85a2bd2e1 R08: fffffffffffffffc R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffde3e9524f R14: 00007fc85a36ff60 R15: 00007fc858201d80 Allocated by task 1368: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:49 kasan_set_track mm/kasan/common.c:57 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:471 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:664 [inline] alloc_pipe_info+0x10c/0x500 fs/pipe.c:789 get_pipe_inode fs/pipe.c:880 [inline] create_pipe_files+0x8f/0x7d0 fs/pipe.c:912 __do_pipe_flags+0x41/0x240 fs/pipe.c:961 do_pipe2+0x77/0x160 fs/pipe.c:1009 __do_sys_pipe2 fs/pipe.c:1027 [inline] __se_sys_pipe2 fs/pipe.c:1025 [inline] __x64_sys_pipe2+0x50/0x70 fs/pipe.c:1025 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 1402: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:49 kasan_set_track+0x1c/0x30 mm/kasan/common.c:57 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:363 __kasan_slab_free+0x111/0x150 mm/kasan/common.c:427 slab_free_hook mm/slub.c:1542 [inline] slab_free_freelist_hook mm/slub.c:1576 [inline] slab_free mm/slub.c:3149 [inline] kfree+0xfa/0x460 mm/slub.c:4125 put_pipe_info+0xb9/0xe0 fs/pipe.c:710 pipe_release+0x1d2/0x260 fs/pipe.c:733 __fput+0x285/0x920 fs/file_table.c:281 task_work_run+0xe0/0x1a0 kernel/task_work.c:151 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:164 [inline] exit_to_user_mode_prepare+0x195/0x1b0 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff8880aa5f8c00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 168 bytes inside of 512-byte region [ffff8880aa5f8c00, ffff8880aa5f8e00) The buggy address belongs to the page: page:000000000cd222be refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaa5f8 head:000000000cd222be order:2 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888100041280 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880aa5f8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880aa5f8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880aa5f8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880aa5f8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880aa5f8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== -- Thanks and Regards, Dipanjan --000000000000c63d2305e4d01ab2 Content-Type: text/x-csrc; charset="US-ASCII"; name="repro.c" Content-Disposition: attachment; filename="repro.c" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_l644atw50 Ly8gYXV0b2dlbmVyYXRlZCBieSBzeXprYWxsZXIgKGh0dHBzOi8vZ2l0aHViLmNvbS9nb29nbGUv c3l6a2FsbGVyKQoKI2RlZmluZSBfR05VX1NPVVJDRSAKCiNpbmNsdWRlIDxkaXJlbnQuaD4KI2lu Y2x1ZGUgPGVuZGlhbi5oPgojaW5jbHVkZSA8ZXJybm8uaD4KI2luY2x1ZGUgPGZjbnRsLmg+CiNp bmNsdWRlIDxwdGhyZWFkLmg+CiNpbmNsdWRlIDxzaWduYWwuaD4KI2luY2x1ZGUgPHN0ZGFyZy5o PgojaW5jbHVkZSA8c3RkYm9vbC5oPgojaW5jbHVkZSA8c3RkaW50Lmg+CiNpbmNsdWRlIDxzdGRp by5oPgojaW5jbHVkZSA8c3RkbGliLmg+CiNpbmNsdWRlIDxzdHJpbmcuaD4KI2luY2x1ZGUgPHN5 cy9wcmN0bC5oPgojaW5jbHVkZSA8c3lzL3N0YXQuaD4KI2luY2x1ZGUgPHN5cy9zeXNjYWxsLmg+ CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1ZGUgPHN5cy93YWl0Lmg+CiNpbmNsdWRlIDx0 aW1lLmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4KCiNpbmNsdWRlIDxsaW51eC9mdXRleC5oPgoKI2lm bmRlZiBfX05SX2Nsb3NlX3JhbmdlCiNkZWZpbmUgX19OUl9jbG9zZV9yYW5nZSA0MzYKI2VuZGlm CgpzdGF0aWMgdm9pZCBzbGVlcF9tcyh1aW50NjRfdCBtcykKewoJdXNsZWVwKG1zICogMTAwMCk7 Cn0KCnN0YXRpYyB1aW50NjRfdCBjdXJyZW50X3RpbWVfbXModm9pZCkKewoJc3RydWN0IHRpbWVz cGVjIHRzOwoJaWYgKGNsb2NrX2dldHRpbWUoQ0xPQ0tfTU9OT1RPTklDLCAmdHMpKQoJZXhpdCgx KTsKCXJldHVybiAodWludDY0X3QpdHMudHZfc2VjICogMTAwMCArICh1aW50NjRfdCl0cy50dl9u c2VjIC8gMTAwMDAwMDsKfQoKc3RhdGljIHZvaWQgdGhyZWFkX3N0YXJ0KHZvaWQqICgqZm4pKHZv aWQqKSwgdm9pZCogYXJnKQp7CglwdGhyZWFkX3QgdGg7CglwdGhyZWFkX2F0dHJfdCBhdHRyOwoJ cHRocmVhZF9hdHRyX2luaXQoJmF0dHIpOwoJcHRocmVhZF9hdHRyX3NldHN0YWNrc2l6ZSgmYXR0 ciwgMTI4IDw8IDEwKTsKCWludCBpID0gMDsKCWZvciAoOyBpIDwgMTAwOyBpKyspIHsKCQlpZiAo cHRocmVhZF9jcmVhdGUoJnRoLCAmYXR0ciwgZm4sIGFyZykgPT0gMCkgewoJCQlwdGhyZWFkX2F0 dHJfZGVzdHJveSgmYXR0cik7CgkJCXJldHVybjsKCQl9CgkJaWYgKGVycm5vID09IEVBR0FJTikg ewoJCQl1c2xlZXAoNTApOwoJCQljb250aW51ZTsKCQl9CgkJYnJlYWs7Cgl9CglleGl0KDEpOwp9 Cgp0eXBlZGVmIHN0cnVjdCB7CglpbnQgc3RhdGU7Cn0gZXZlbnRfdDsKCnN0YXRpYyB2b2lkIGV2 ZW50X2luaXQoZXZlbnRfdCogZXYpCnsKCWV2LT5zdGF0ZSA9IDA7Cn0KCnN0YXRpYyB2b2lkIGV2 ZW50X3Jlc2V0KGV2ZW50X3QqIGV2KQp7Cglldi0+c3RhdGUgPSAwOwp9CgpzdGF0aWMgdm9pZCBl dmVudF9zZXQoZXZlbnRfdCogZXYpCnsKCWlmIChldi0+c3RhdGUpCglleGl0KDEpOwoJX19hdG9t aWNfc3RvcmVfbigmZXYtPnN0YXRlLCAxLCBfX0FUT01JQ19SRUxFQVNFKTsKCXN5c2NhbGwoU1lT X2Z1dGV4LCAmZXYtPnN0YXRlLCBGVVRFWF9XQUtFIHwgRlVURVhfUFJJVkFURV9GTEFHLCAxMDAw MDAwKTsKfQoKc3RhdGljIHZvaWQgZXZlbnRfd2FpdChldmVudF90KiBldikKewoJd2hpbGUgKCFf X2F0b21pY19sb2FkX24oJmV2LT5zdGF0ZSwgX19BVE9NSUNfQUNRVUlSRSkpCgkJc3lzY2FsbChT WVNfZnV0ZXgsICZldi0+c3RhdGUsIEZVVEVYX1dBSVQgfCBGVVRFWF9QUklWQVRFX0ZMQUcsIDAs IDApOwp9CgpzdGF0aWMgaW50IGV2ZW50X2lzc2V0KGV2ZW50X3QqIGV2KQp7CglyZXR1cm4gX19h dG9taWNfbG9hZF9uKCZldi0+c3RhdGUsIF9fQVRPTUlDX0FDUVVJUkUpOwp9CgpzdGF0aWMgaW50 IGV2ZW50X3RpbWVkd2FpdChldmVudF90KiBldiwgdWludDY0X3QgdGltZW91dCkKewoJdWludDY0 X3Qgc3RhcnQgPSBjdXJyZW50X3RpbWVfbXMoKTsKCXVpbnQ2NF90IG5vdyA9IHN0YXJ0OwoJZm9y ICg7OykgewoJCXVpbnQ2NF90IHJlbWFpbiA9IHRpbWVvdXQgLSAobm93IC0gc3RhcnQpOwoJCXN0 cnVjdCB0aW1lc3BlYyB0czsKCQl0cy50dl9zZWMgPSByZW1haW4gLyAxMDAwOwoJCXRzLnR2X25z ZWMgPSAocmVtYWluICUgMTAwMCkgKiAxMDAwICogMTAwMDsKCQlzeXNjYWxsKFNZU19mdXRleCwg JmV2LT5zdGF0ZSwgRlVURVhfV0FJVCB8IEZVVEVYX1BSSVZBVEVfRkxBRywgMCwgJnRzKTsKCQlp ZiAoX19hdG9taWNfbG9hZF9uKCZldi0+c3RhdGUsIF9fQVRPTUlDX0FDUVVJUkUpKQoJCQlyZXR1 cm4gMTsKCQlub3cgPSBjdXJyZW50X3RpbWVfbXMoKTsKCQlpZiAobm93IC0gc3RhcnQgPiB0aW1l b3V0KQoJCQlyZXR1cm4gMDsKCX0KfQoKc3RhdGljIGJvb2wgd3JpdGVfZmlsZShjb25zdCBjaGFy KiBmaWxlLCBjb25zdCBjaGFyKiB3aGF0LCAuLi4pCnsKCWNoYXIgYnVmWzEwMjRdOwoJdmFfbGlz dCBhcmdzOwoJdmFfc3RhcnQoYXJncywgd2hhdCk7Cgl2c25wcmludGYoYnVmLCBzaXplb2YoYnVm KSwgd2hhdCwgYXJncyk7Cgl2YV9lbmQoYXJncyk7CglidWZbc2l6ZW9mKGJ1ZikgLSAxXSA9IDA7 CglpbnQgbGVuID0gc3RybGVuKGJ1Zik7CglpbnQgZmQgPSBvcGVuKGZpbGUsIE9fV1JPTkxZIHwg T19DTE9FWEVDKTsKCWlmIChmZCA9PSAtMSkKCQlyZXR1cm4gZmFsc2U7CglpZiAod3JpdGUoZmQs IGJ1ZiwgbGVuKSAhPSBsZW4pIHsKCQlpbnQgZXJyID0gZXJybm87CgkJY2xvc2UoZmQpOwoJCWVy cm5vID0gZXJyOwoJCXJldHVybiBmYWxzZTsKCX0KCWNsb3NlKGZkKTsKCXJldHVybiB0cnVlOwp9 CgpzdGF0aWMgdm9pZCBraWxsX2FuZF93YWl0KGludCBwaWQsIGludCogc3RhdHVzKQp7CglraWxs KC1waWQsIFNJR0tJTEwpOwoJa2lsbChwaWQsIFNJR0tJTEwpOwoJZm9yIChpbnQgaSA9IDA7IGkg PCAxMDA7IGkrKykgewoJCWlmICh3YWl0cGlkKC0xLCBzdGF0dXMsIFdOT0hBTkcgfCBfX1dBTEwp ID09IHBpZCkKCQkJcmV0dXJuOwoJCXVzbGVlcCgxMDAwKTsKCX0KCURJUiogZGlyID0gb3BlbmRp cigiL3N5cy9mcy9mdXNlL2Nvbm5lY3Rpb25zIik7CglpZiAoZGlyKSB7CgkJZm9yICg7OykgewoJ CQlzdHJ1Y3QgZGlyZW50KiBlbnQgPSByZWFkZGlyKGRpcik7CgkJCWlmICghZW50KQoJCQkJYnJl YWs7CgkJCWlmIChzdHJjbXAoZW50LT5kX25hbWUsICIuIikgPT0gMCB8fCBzdHJjbXAoZW50LT5k X25hbWUsICIuLiIpID09IDApCgkJCQljb250aW51ZTsKCQkJY2hhciBhYm9ydFszMDBdOwoJCQlz bnByaW50ZihhYm9ydCwgc2l6ZW9mKGFib3J0KSwgIi9zeXMvZnMvZnVzZS9jb25uZWN0aW9ucy8l cy9hYm9ydCIsIGVudC0+ZF9uYW1lKTsKCQkJaW50IGZkID0gb3BlbihhYm9ydCwgT19XUk9OTFkp OwoJCQlpZiAoZmQgPT0gLTEpIHsKCQkJCWNvbnRpbnVlOwoJCQl9CgkJCWlmICh3cml0ZShmZCwg YWJvcnQsIDEpIDwgMCkgewoJCQl9CgkJCWNsb3NlKGZkKTsKCQl9CgkJY2xvc2VkaXIoZGlyKTsK CX0gZWxzZSB7Cgl9Cgl3aGlsZSAod2FpdHBpZCgtMSwgc3RhdHVzLCBfX1dBTEwpICE9IHBpZCkg ewoJfQp9CgpzdGF0aWMgdm9pZCBzZXR1cF90ZXN0KCkKewoJcHJjdGwoUFJfU0VUX1BERUFUSFNJ RywgU0lHS0lMTCwgMCwgMCwgMCk7CglzZXRwZ3JwKCk7Cgl3cml0ZV9maWxlKCIvcHJvYy9zZWxm L29vbV9zY29yZV9hZGoiLCAiMTAwMCIpOwp9CgpzdHJ1Y3QgdGhyZWFkX3QgewoJaW50IGNyZWF0 ZWQsIGNhbGw7CglldmVudF90IHJlYWR5LCBkb25lOwp9OwoKc3RhdGljIHN0cnVjdCB0aHJlYWRf dCB0aHJlYWRzWzE2XTsKc3RhdGljIHZvaWQgZXhlY3V0ZV9jYWxsKGludCBjYWxsKTsKc3RhdGlj IGludCBydW5uaW5nOwoKc3RhdGljIHZvaWQqIHRocih2b2lkKiBhcmcpCnsKCXN0cnVjdCB0aHJl YWRfdCogdGggPSAoc3RydWN0IHRocmVhZF90Kilhcmc7Cglmb3IgKDs7KSB7CgkJZXZlbnRfd2Fp dCgmdGgtPnJlYWR5KTsKCQlldmVudF9yZXNldCgmdGgtPnJlYWR5KTsKCQlleGVjdXRlX2NhbGwo dGgtPmNhbGwpOwoJCV9fYXRvbWljX2ZldGNoX3N1YigmcnVubmluZywgMSwgX19BVE9NSUNfUkVM QVhFRCk7CgkJZXZlbnRfc2V0KCZ0aC0+ZG9uZSk7Cgl9CglyZXR1cm4gMDsKfQoKc3RhdGljIHZv aWQgZXhlY3V0ZV9vbmUodm9pZCkKewoJaW50IGksIGNhbGwsIHRocmVhZDsKCWZvciAoY2FsbCA9 IDA7IGNhbGwgPCA1OyBjYWxsKyspIHsKCQlmb3IgKHRocmVhZCA9IDA7IHRocmVhZCA8IChpbnQp KHNpemVvZih0aHJlYWRzKSAvIHNpemVvZih0aHJlYWRzWzBdKSk7IHRocmVhZCsrKSB7CgkJCXN0 cnVjdCB0aHJlYWRfdCogdGggPSAmdGhyZWFkc1t0aHJlYWRdOwoJCQlpZiAoIXRoLT5jcmVhdGVk KSB7CgkJCQl0aC0+Y3JlYXRlZCA9IDE7CgkJCQlldmVudF9pbml0KCZ0aC0+cmVhZHkpOwoJCQkJ ZXZlbnRfaW5pdCgmdGgtPmRvbmUpOwoJCQkJZXZlbnRfc2V0KCZ0aC0+ZG9uZSk7CgkJCQl0aHJl YWRfc3RhcnQodGhyLCB0aCk7CgkJCX0KCQkJaWYgKCFldmVudF9pc3NldCgmdGgtPmRvbmUpKQoJ CQkJY29udGludWU7CgkJCWV2ZW50X3Jlc2V0KCZ0aC0+ZG9uZSk7CgkJCXRoLT5jYWxsID0gY2Fs bDsKCQkJX19hdG9taWNfZmV0Y2hfYWRkKCZydW5uaW5nLCAxLCBfX0FUT01JQ19SRUxBWEVEKTsK CQkJZXZlbnRfc2V0KCZ0aC0+cmVhZHkpOwoJCQlpZiAoY2FsbCA9PSAzKQoJCQkJYnJlYWs7CgkJ CWV2ZW50X3RpbWVkd2FpdCgmdGgtPmRvbmUsIDUwKTsKCQkJYnJlYWs7CgkJfQoJfQoJZm9yIChp ID0gMDsgaSA8IDEwMCAmJiBfX2F0b21pY19sb2FkX24oJnJ1bm5pbmcsIF9fQVRPTUlDX1JFTEFY RUQpOyBpKyspCgkJc2xlZXBfbXMoMSk7Cn0KCnN0YXRpYyB2b2lkIGV4ZWN1dGVfb25lKHZvaWQp OwoKI2RlZmluZSBXQUlUX0ZMQUdTIF9fV0FMTAoKc3RhdGljIHZvaWQgbG9vcCh2b2lkKQp7Cglp bnQgaXRlciA9IDA7Cglmb3IgKDs7IGl0ZXIrKykgewoJCWludCBwaWQgPSBmb3JrKCk7CgkJaWYg KHBpZCA8IDApCglleGl0KDEpOwoJCWlmIChwaWQgPT0gMCkgewoJCQlzZXR1cF90ZXN0KCk7CgkJ CWV4ZWN1dGVfb25lKCk7CgkJCWV4aXQoMCk7CgkJfQoJCWludCBzdGF0dXMgPSAwOwoJCXVpbnQ2 NF90IHN0YXJ0ID0gY3VycmVudF90aW1lX21zKCk7CgkJZm9yICg7OykgewoJCQlpZiAod2FpdHBp ZCgtMSwgJnN0YXR1cywgV05PSEFORyB8IFdBSVRfRkxBR1MpID09IHBpZCkKCQkJCWJyZWFrOwoJ CQlzbGVlcF9tcygxKTsKCQkJaWYgKGN1cnJlbnRfdGltZV9tcygpIC0gc3RhcnQgPCA1MDAwKQoJ CQkJY29udGludWU7CgkJCWtpbGxfYW5kX3dhaXQocGlkLCAmc3RhdHVzKTsKCQkJYnJlYWs7CgkJ fQoJfQp9Cgp1aW50NjRfdCByWzJdID0gezB4ZmZmZmZmZmZmZmZmZmZmZiwgMHgwfTsKCnZvaWQg ZXhlY3V0ZV9jYWxsKGludCBjYWxsKQp7CgkJaW50cHRyX3QgcmVzID0gMDsKCXN3aXRjaCAoY2Fs bCkgewoJY2FzZSAwOgoJCXJlcyA9IHN5c2NhbGwoX19OUl9waXBlMiwgMHgyMDAwMDE0MHVsLCAw eDgwdWwpOwoJCWlmIChyZXMgIT0gLTEpCnJbMF0gPSAqKHVpbnQzMl90KikweDIwMDAwMTQwOwoJ CWJyZWFrOwoJY2FzZSAxOgptZW1jcHkoKHZvaWQqKTB4MjAwMDAwMDAsICJiaWdfa2V5XDAwMCIs IDgpOwptZW1jcHkoKHZvaWQqKTB4MjAwMDAwNDAsICJzeXoiLCAzKTsKKih1aW50OF90KikweDIw MDAwMDQzID0gMHgyMTsKKih1aW50OF90KikweDIwMDAwMDQ0ID0gMDsKbWVtc2V0KCh2b2lkKikw eDIwMDAwMDgwLCA2NCwgMSk7CgkJcmVzID0gc3lzY2FsbChfX05SX2FkZF9rZXksIDB4MjAwMDAw MDB1bCwgMHgyMDAwMDA0MHVsLCAweDIwMDAwMDgwdWwsIDF1bCwgMHhmZmZmZmZmYyk7CgkJaWYg KHJlcyAhPSAtMSkKCQkJCXJbMV0gPSByZXM7CgkJYnJlYWs7CgljYXNlIDI6CgkJc3lzY2FsbChf X05SX3BpcGUyLCAwdWwsIDB4ODB1bCk7CgkJYnJlYWs7CgljYXNlIDM6CgkJc3lzY2FsbChfX05S X2tleWN0bCwgMHgyMHVsLCByWzFdLCByWzBdLCAwdWwsIDApOwoJCWJyZWFrOwoJY2FzZSA0OgoJ CXN5c2NhbGwoX19OUl9jbG9zZV9yYW5nZSwgclswXSwgLTEsIDB1bCk7CgkJYnJlYWs7Cgl9Cgp9 CmludCBtYWluKHZvaWQpCnsKCQlzeXNjYWxsKF9fTlJfbW1hcCwgMHgxZmZmZjAwMHVsLCAweDEw MDB1bCwgMHVsLCAweDMydWwsIC0xLCAwdWwpOwoJc3lzY2FsbChfX05SX21tYXAsIDB4MjAwMDAw MDB1bCwgMHgxMDAwMDAwdWwsIDd1bCwgMHgzMnVsLCAtMSwgMHVsKTsKCXN5c2NhbGwoX19OUl9t bWFwLCAweDIxMDAwMDAwdWwsIDB4MTAwMHVsLCAwdWwsIDB4MzJ1bCwgLTEsIDB1bCk7CgkJCWxv b3AoKTsKCXJldHVybiAwOwp9Cg== --000000000000c63d2305e4d01ab2 Content-Type: application/octet-stream; name="repro.syz" Content-Disposition: attachment; filename="repro.syz" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_l644atwh1 cGlwZTIkd2F0Y2hfcXVldWUoJigweDdmMDAwMDAwMDE0MCk9ezxyMD0+MHhmZmZmZmZmZmZmZmZm ZmZmfSwgMHg4MCkKcjEgPSBhZGRfa2V5KCYoMHg3ZjAwMDAwMDAwMDApPSdiaWdfa2V5XHgwMCcs ICYoMHg3ZjAwMDAwMDAwNDApPXsnc3l6JywgMHgxfSwgJigweDdmMDAwMDAwMDA4MCk9J0AnLCAw eDEsIDB4ZmZmZmZmZmZmZmZmZmZmYykKcGlwZTIkd2F0Y2hfcXVldWUoMHgwLCAweDgwKQprZXlj dGwkS0VZQ1RMX1dBVENIX0tFWSgweDIwLCByMSwgcjAsIDB4MCkgKGFzeW5jKQpjbG9zZV9yYW5n ZShyMCwgMHhmZmZmZmZmZmZmZmZmZmZmLCAweDApCg== --000000000000c63d2305e4d01ab2--