Received: by 2002:a05:6500:1b45:b0:1f5:f2ab:c469 with SMTP id cz5csp86968lqb; Tue, 16 Apr 2024 09:27:46 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXmDqwlVyNHnW81vz5G79z89cHG1lTc3AQ+CkZUYczr+eb4IjUxNXkpBx1zxASQkRF+hVGsvARA+/esMwhyLmb+N5SLJvMNzrcMOuILIw== X-Google-Smtp-Source: AGHT+IE/ijJfHnz1PBE0UmFVNcH8Y+LJbdTiJlb3ffrfyg/p9kMDhh+74n4mtdigjsNt500vqOcv X-Received: by 2002:ac8:5704:0:b0:436:7766:deb5 with SMTP id 4-20020ac85704000000b004367766deb5mr13814663qtw.29.1713284865996; Tue, 16 Apr 2024 09:27:45 -0700 (PDT) Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id n4-20020ac85a04000000b004369224c9dfsi2564732qta.528.2024.04.16.09.27.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Apr 2024 09:27:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-147233-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20230601 header.b=lJkQ+LRR; arc=fail (body hash mismatch); spf=pass (google.com: domain of linux-kernel+bounces-147233-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-147233-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id A797C1C2182A for ; Tue, 16 Apr 2024 16:27:45 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id EF5E9131750; Tue, 16 Apr 2024 16:27:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="lJkQ+LRR" Received: from mail-oo1-f43.google.com (mail-oo1-f43.google.com [209.85.161.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B333B1327F8; Tue, 16 Apr 2024 16:27:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.161.43 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713284840; cv=none; b=VuaqZKqXz37Ba9F42d85kCX1XfsRlB2MfFzY4AV3q0mhe5UMewOzlGKqqG+vBJ1IMR73IVNsQlQwhSpatDpquZ8EHkleIJc+JzRTD+7U1aiW958zDXXW4GxK+Y55OYBi3vDr0n2zKSgoB2X2oK0ObPkCCeSmC26U18IzK33ciJM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713284840; c=relaxed/simple; bh=lrd3VvHkNlO2uIbQ+bSrXQpiygq+TDjfC9et7gc9kzE=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=h1D2vtOuHujRQX6NwtFj5IBZHE5n8VhrxZ5c28xC+RyUVZ976I+od24wGFulGPupgyn3XIH/3vbAmxK9cL7ggl21ZuNAMhMliCcIttfvaOxBwK0erE/6ziGKgLZxhNLrre9+EK3u2A35ak4XB+O5c+1Xj0sL4S32oM8nVCHYuTQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=lJkQ+LRR; arc=none smtp.client-ip=209.85.161.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-oo1-f43.google.com with SMTP id 006d021491bc7-5aa1b7a37b3so2771652eaf.0; Tue, 16 Apr 2024 09:27:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713284837; x=1713889637; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qb4PseByLCf0GEw8SDaozxk0Rdf60ydaj4DEGNJgoP8=; b=lJkQ+LRRBCkrZm+NmyC8HiIQpUKdfU1Gh4ItCue7lq0lFe5YwGZEApP83uXQVGGNeG WFAVrD2T8MVE8adOGKI4hctNXvQKNKIKZyjlIHkEpvIkgW9Eouo50YxfyC6khmx2qZaR yk1kL6GAn78PFV2+XdrpicPnI3f3J2FvMevLY/4O1/M0ZD8afhG/uWQkUn4u6EuZUi9Z mz6VRbRnIoFXqg4S7ROtJKZrPKQ1CKBaN8Op+8i8sB8ggvN/1so3h5EoPkpYusmXKL6s 0D/Ftr3XlvQEOw0fwRFjbQk1R18umrtLpBb79FO8MIMPnNlTjvsR82uhFp0k+jB3IFip i6cA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713284837; x=1713889637; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qb4PseByLCf0GEw8SDaozxk0Rdf60ydaj4DEGNJgoP8=; b=uMaBGj/HdybiJkA2RfT0bzT4DXUlf+yV18h0NF3KmbvXpj2LgrpDCkJ73GbpOPrpiO KXw0/hNjuO8vfk/G28VxAUsCPI89GzKjZC1/XZd3AAuBOdH119htY5gzUIQm8+6vxqRS flPcfuEfjIKEmNrkvY8CdqP6VbkOox5Ny3rdUVBrbdN+YqjN7oGcZm+QnYN65xxhpEDJ NmRpjXVfPmrVhLeV4ZT6MyiLMXFYrCnR9yoQyaUo8k5jR43FQ3YOZtrTsSu3w0qS0EF5 R8xJr0YmHMFr+5Ok4S1NH0fnKLYwYY/f0MGuqaGZUgygjr3HCkEScLNTgYlxN4B4sj9s tdFA== X-Forwarded-Encrypted: i=1; AJvYcCUxj+sLF4v/2qn7bVglPSC2uzVpVBNG3UBQSAyrJjgmjyP2tmTAs1h8yh2Bqw+SO0+ys98d+I42uwaVdwJT6NLBorsxmc/pIG4ClzyViDXEhSiCHmOVIVmA8JCNZ3Ep9ELvhU2PBVFWbovHnw== X-Gm-Message-State: AOJu0Yy2Us6olfFCA2iizCN6XCLfxBy1UxQlaH/qpm1kTHPZDPZ9ixCv Qa++e6Mzs3M4ZRpkpKyw0emO+u0FdVAoWR7Hfiwgljaeav0lze95BoKGrKCadll6PvBF/9xha2N d7ieKIIa7dZr8wjzV03RPOdyUaTU= X-Received: by 2002:a05:6359:4dc2:b0:186:4ada:4256 with SMTP id pj2-20020a0563594dc200b001864ada4256mr14348657rwb.22.1713284837454; Tue, 16 Apr 2024 09:27:17 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <00000000000095bb400615f4b0ed@google.com> <20240413084519.1774-1-hdanton@sina.com> <20240415140333.y44rk5ggbadv4oej@quack3> <20240416132207.idn7rjzq4d4rayaz@quack3> In-Reply-To: <20240416132207.idn7rjzq4d4rayaz@quack3> From: Amir Goldstein Date: Tue, 16 Apr 2024 19:27:05 +0300 Message-ID: Subject: Re: [syzbot] Re: [syzbot] [ext4?] KASAN: slab-use-after-free Read in fsnotify To: Jan Kara Cc: Hillf Danton , syzbot , linux-fsdevel@vger.kernel.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org Content-Type: multipart/mixed; boundary="000000000000235907061639362b" --000000000000235907061639362b Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Apr 16, 2024 at 4:22=E2=80=AFPM Jan Kara wrote: > > On Mon 15-04-24 17:47:45, Amir Goldstein wrote: > > On Mon, Apr 15, 2024 at 5:03=E2=80=AFPM Jan Kara wrote: > > > > > > On Sat 13-04-24 12:32:32, Amir Goldstein wrote: > > > > On Sat, Apr 13, 2024 at 11:45=E2=80=AFAM Hillf Danton wrote: > > > > > On Fri, 12 Apr 2024 23:42:19 -0700 Amir Goldstein > > > > > > On Sat, Apr 13, 2024 at 4:41=3DE2=3D80=3DAFAM Hillf Danton wrote: > > > > > > > On Thu, 11 Apr 2024 01:11:20 -0700 > > > > > > > > syzbot found the following issue on: > > > > > > > > > > > > > > > > HEAD commit: 6ebf211bb11d Add linux-next specific files = for 20240410 > > > > > > > > git tree: linux-next > > > > > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x= =3D3D1621af9d180000 > > > > > > > > > > > > > > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/nex= t/linux-next.git 6ebf211bb11d > > > > > > > > > > > > > > --- x/fs/notify/fsnotify.c > > > > > > > +++ y/fs/notify/fsnotify.c > > > > > > > @@ -101,8 +101,8 @@ void fsnotify_sb_delete(struct super_blo > > > > > > > wait_var_event(fsnotify_sb_watched_objects(sb), > > > > > > > !atomic_long_read(fsnotify_sb_watched_= objects(sb))); > > > > > > > WARN_ON(fsnotify_sb_has_priority_watchers(sb, FSNOTIF= Y_PRIO_CONTENT)); > > > > > > > - WARN_ON(fsnotify_sb_has_priority_watchers(sb, > > > > > > > - FSNOTIFY_PR= IO_PRE_CONTENT)); > > > > > > > + WARN_ON(fsnotify_sb_has_priority_watchers(sb, FSNOTIF= Y_PRIO_PRE_CONTENT)); > > > > > > > + synchronize_srcu(&fsnotify_mark_srcu); > > > > > > > kfree(sbinfo); > > > > > > > } > > > > > > > > > > > > > > @@ -499,7 +499,7 @@ int fsnotify(__u32 mask, const void *dat > > > > > > > { > > > > > > > const struct path *path =3D3D fsnotify_data_path(data= , data_type); > > > > > > > struct super_block *sb =3D3D fsnotify_data_sb(data, d= ata_type); > > > > > > > - struct fsnotify_sb_info *sbinfo =3D3D fsnotify_sb_inf= o(sb); > > > > > > > + struct fsnotify_sb_info *sbinfo; > > > > > > > struct fsnotify_iter_info iter_info =3D {}; > > > > > > > struct mount *mnt =3D3D NULL; > > > > > > > struct inode *inode2 =3D3D NULL; > > > > > > > @@ -529,6 +529,8 @@ int fsnotify(__u32 mask, const void *dat > > > > > > > inode2_type =3D3D FSNOTIFY_ITER_TYPE_PARENT; > > > > > > > } > > > > > > > > > > > > > > + iter_info.srcu_idx =3D3D srcu_read_lock(&fsnotify_mar= k_srcu); > > > > > > > + sbinfo =3D3D fsnotify_sb_info(sb); > > > > > > > /* > > > > > > > * Optimization: srcu_read_lock() has a memory barrie= r which can > > > > > > > * be expensive. It protects walking the *_fsnotify_= marks lists. > > > > > > > > > > > > > > > > > > See comment above. This kills the optimization. > > > > > > It is not worth letting all the fsnotify hooks suffer the conse= quence > > > > > > for the edge case of calling fsnotify hook during fs shutdown. > > > > > > > > > > Say nothing before reading your fix. > > > > > > > > > > > > Also, fsnotify_sb_info(sb) in fsnotify_sb_has_priority_watchers= () > > > > > > is also not protected and using srcu_read_lock() there complete= ly > > > > > > nullifies the purpose of fsnotify_sb_info. > > > > > > > > > > > > Here is a simplified fix for fsnotify_sb_error() rebased on the > > > > > > pending mm fixes for this syzbot boot failure: > > > > > > > > > > > > #syz test: https://github.com/amir73il/linux fsnotify-fixes > > > > > > > > > > Feel free to post your patch at lore because not everyone has > > > > > access to sites like github. > > > > > > > > > > > > Jan, > > > > > > > > > > > > I think that all the functions called from fs shutdown context > > > > > > should observe that SB_ACTIVE is cleared but wasn't sure? > > > > > > > > > > If you composed fix based on SB_ACTIVE that is cleared in > > > > > generic_shutdown_super() with &sb->s_umount held for write, > > > > > I wonder what simpler serialization than srcu you could > > > > > find/create in fsnotify. > > > > > > > > As far as I can tell there is no need for serialisation. > > > > > > > > The problem is that fsnotify_sb_error() can be called from the > > > > context of ->put_super() call from generic_shutdown_super(). > > > > > > > > It's true that in the repro the thread calling fsnotify_sb_error() > > > > in the worker thread running quota deferred work from put_super() > > > > but I think there are sufficient barriers for this worker thread to > > > > observer the cleared SB_ACTIVE flag. > > > > > > > > Anyway, according to syzbot, repro does not trigger the UAF > > > > with my last fix. > > > > > > > > To be clear, any fsnotify_sb_error() that is a result of a user ope= ration > > > > would be holding an active reference to sb so cannot race with > > > > fsnotify_sb_delete(), but I am not sure that same is true for ext4 > > > > worker threads. > > > > > > > > Jan, > > > > > > > > You wrote that "In theory these two calls can even run in parallel > > > > and fsnotify() can be holding fsnotify_sb_info pointer while > > > > fsnotify_sb_delete() is freeing". > > > > > > > > Can you give an example of this case? > > > > > > Yeah, basically what Hilf writes: > > > > > > Task 1 Task 2 > > > umount() some delayed work, transactio= n > > > commit, whatever is still r= unning > > > before ext4_put_super() com= pletes > > > ... ext4_error() > > > fsnotify_sb_error() > > > fsnotify() > > > fetches fsnotify_sb= _info > > > generic_shutdown_super() > > > fsnotify_sb_delete() > > > frees fsnotify_sb_info > > > > OK, so what do you say about Hillf's fix patch? > > > > Maybe it is ok to let go of the optimization in fsnotify(), considering > > that we now have stronger optimizations in the inline hooks and > > in __fsnotify_parent()? > > > > I think that Hillf's patch is missing setting s_fsnotify_info to NULL? > > > > @@ -101,8 +101,8 @@ void fsnotify_sb_delete(struct super_blo > > wait_var_event(fsnotify_sb_watched_objects(sb), > > !atomic_long_read(fsnotify_sb_watched_objects(s= b))); > > WARN_ON(fsnotify_sb_has_priority_watchers(sb, FSNOTIFY_PRIO_CO= NTENT)); > > + WRITE_ONCE(sb->s_fsnotify_info, NULL); > > + synchronize_srcu(&fsnotify_mark_srcu); > > kfree(sbinfo); > > } > > So I had a look into this. Yes, something like this should work. We'll se= e > whether synchronize_srcu() won't slow down umount too much. If someone wi= ll > complain, we'll have to find a better solution. > Actually, kfree_rcu(sbinfo) may be enough. We do not actually access sbinfo during mark iteration and event handling, we only access it to get to the sb connector. Something like the attached patch? Thanks, Amir. --000000000000235907061639362b Content-Type: text/x-patch; charset="US-ASCII"; name="v2-0001-fsnotify-fix-UAF-from-FS_ERROR-event-on-a-shuttin.patch" Content-Disposition: attachment; filename="v2-0001-fsnotify-fix-UAF-from-FS_ERROR-event-on-a-shuttin.patch" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_lv2lj4kh0 RnJvbSA4OTA3YjBlOTZhMWQ3ZDNiMDkwOTgyYWJjNmQ5ZWIzOTZlYjQ2N2YwIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBBbWlyIEdvbGRzdGVpbiA8YW1pcjczaWxAZ21haWwuY29tPgpE YXRlOiBUaHUsIDExIEFwciAyMDI0IDE4OjU5OjA4ICswMzAwClN1YmplY3Q6IFtQQVRDSCB2Ml0g ZnNub3RpZnk6IGZpeCBVQUYgZnJvbSBGU19FUlJPUiBldmVudCBvbiBhIHNodXR0aW5nIGRvd24K IGZpbGVzeXN0ZW0KClByb3RlY3QgYWdhaW5zdCB1c2UgYWZ0ZXIgZnJlZSB3aGVuIGZpbGVzeXN0 ZW0gY2FsbHMgZnNub3RpZnlfc2JfZXJyb3IoKQpkdXJpbmcgZnMgc2h1dGRvd24uCgpmc25vdGlm eV9zYl9lcnJvcigpIG1heSBiZSBjYWxsZWQgd2l0aG91dCBhbiBzX2FjdGl2ZSByZWZlcmVuY2Us IHNvIHVzZQpSQ1UgdG8gc3luY2hyb25pemUgYWNjZXNzIHRvIGZzbm90aWZ5X3NiX2luZm8oKSBp biB0aGlzIGNhc2UuCgpSZXBvcnRlZC1ieTogc3l6Ym90KzVlM2Y5YjJhNjdiNDVmMTZkNGU2QHN5 emthbGxlci5hcHBzcG90bWFpbC5jb20KU3VnZ2VzdGVkLWJ5OiBIaWxsZiBEYW50b24gPGhkYW50 b25Ac2luYS5jb20+Ckxpbms6IGh0dHBzOi8vbG9yZS5rZXJuZWwub3JnL2xpbnV4LWZzZGV2ZWwv MjAyNDA0MTMwMTQwMzMuMTcyMi0xLWhkYW50b25Ac2luYS5jb20vCkZpeGVzOiAwN2EzYjhkMGJm NzIgKCJmc25vdGlmeTogbGF6eSBhdHRhY2ggZnNub3RpZnlfc2JfaW5mbyBzdGF0ZSB0byBzYiIp ClNpZ25lZC1vZmYtYnk6IEFtaXIgR29sZHN0ZWluIDxhbWlyNzNpbEBnbWFpbC5jb20+Ci0tLQog ZnMvbm90aWZ5L2Zzbm90aWZ5LmMgICAgICAgICAgICAgfCAxNyArKysrKysrKysrKysrKy0tLQog aW5jbHVkZS9saW51eC9mc25vdGlmeV9iYWNrZW5kLmggfCAgNCArKysrCiAyIGZpbGVzIGNoYW5n ZWQsIDE4IGluc2VydGlvbnMoKyksIDMgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvZnMvbm90 aWZ5L2Zzbm90aWZ5LmMgYi9mcy9ub3RpZnkvZnNub3RpZnkuYwppbmRleCAyYWU5NjVlZjM3ZTgu LjMxMGM4ZTg0NTQ4MiAxMDA2NDQKLS0tIGEvZnMvbm90aWZ5L2Zzbm90aWZ5LmMKKysrIGIvZnMv bm90aWZ5L2Zzbm90aWZ5LmMKQEAgLTEwMyw3ICsxMDMsOCBAQCB2b2lkIGZzbm90aWZ5X3NiX2Rl bGV0ZShzdHJ1Y3Qgc3VwZXJfYmxvY2sgKnNiKQogCVdBUk5fT04oZnNub3RpZnlfc2JfaGFzX3By aW9yaXR5X3dhdGNoZXJzKHNiLCBGU05PVElGWV9QUklPX0NPTlRFTlQpKTsKIAlXQVJOX09OKGZz bm90aWZ5X3NiX2hhc19wcmlvcml0eV93YXRjaGVycyhzYiwKIAkJCQkJCSAgRlNOT1RJRllfUFJJ T19QUkVfQ09OVEVOVCkpOwotCWtmcmVlKHNiaW5mbyk7CisJV1JJVEVfT05DRShzYi0+c19mc25v dGlmeV9pbmZvLCBOVUxMKTsKKwlrZnJlZV9yY3Uoc2JpbmZvLCByY3UpOwogfQogCiAvKgpAQCAt NTA2LDYgKzUwNyw3IEBAIGludCBmc25vdGlmeShfX3UzMiBtYXNrLCBjb25zdCB2b2lkICpkYXRh LCBpbnQgZGF0YV90eXBlLCBzdHJ1Y3QgaW5vZGUgKmRpciwKIAlzdHJ1Y3QgZGVudHJ5ICptb3Zl ZDsKIAlpbnQgaW5vZGUyX3R5cGU7CiAJaW50IHJldCA9IDA7CisJYm9vbCBzYl9hY3RpdmVfcmVm ID0gIShtYXNrICYgRlNfRVZFTlRTX1BPU1NfT05fU0hVVERPV04pOwogCV9fdTMyIHRlc3RfbWFz aywgbWFya3NfbWFzazsKIAogCWlmIChwYXRoKQpAQCAtNTM1LDggKzUzNywxMCBAQCBpbnQgZnNu b3RpZnkoX191MzIgbWFzaywgY29uc3Qgdm9pZCAqZGF0YSwgaW50IGRhdGFfdHlwZSwgc3RydWN0 IGlub2RlICpkaXIsCiAJICogSG93ZXZlciwgaWYgd2UgZG8gbm90IHdhbGsgdGhlIGxpc3RzLCB3 ZSBkbyBub3QgaGF2ZSB0byBkbwogCSAqIFNSQ1UgYmVjYXVzZSB3ZSBoYXZlIG5vIHJlZmVyZW5j ZXMgdG8gYW55IG9iamVjdHMgYW5kIGRvIG5vdAogCSAqIG5lZWQgU1JDVSB0byBrZWVwIHRoZW0g ImFsaXZlIi4KKwkgKiBXZSBuZWVkIFJDVSByZWFkIHNpZGUgdG8ga2VlcCBzYmluZm8gImFsaXZl IiBmb3IgZXZlbnRzIHBvc3NpYmxlCisJICogZHVyaW5nIHNodXRkb3duIChlLmcuIEZTX0VSUk9S KS4KIAkgKi8KLQlpZiAoKCFzYmluZm8gfHwgIXNiaW5mby0+c2JfbWFya3MpICYmCisJaWYgKCgh c2JpbmZvIHx8IChzYl9hY3RpdmVfcmVmICYmICFzYmluZm8tPnNiX21hcmtzKSkgJiYKIAkgICAg KCFtbnQgfHwgIW1udC0+bW50X2Zzbm90aWZ5X21hcmtzKSAmJgogCSAgICAoIWlub2RlIHx8ICFp bm9kZS0+aV9mc25vdGlmeV9tYXJrcykgJiYKIAkgICAgKCFpbm9kZTIgfHwgIWlub2RlMi0+aV9m c25vdGlmeV9tYXJrcykpCkBAIC01NjIsMTEgKzU2NiwxOCBAQCBpbnQgZnNub3RpZnkoX191MzIg bWFzaywgY29uc3Qgdm9pZCAqZGF0YSwgaW50IGRhdGFfdHlwZSwgc3RydWN0IGlub2RlICpkaXIs CiAJCXJldHVybiAwOwogCiAJaXRlcl9pbmZvLnNyY3VfaWR4ID0gc3JjdV9yZWFkX2xvY2soJmZz bm90aWZ5X21hcmtfc3JjdSk7Ci0KKwkvKgorCSAqIEZvciBldmVudHMgcG9zc2libGUgZHVyaW5n IHNodXRkb3duIChlLmcuIEZTX0VSUk9SKSB3ZSBtYXkgbm90IGhvbGQKKwkgKiBhbiBzX2FjdGl2 ZSByZWZlcmVuY2Ugb24gc2IsIHNvIHdlIG5lZWQgdG8gZGVyZWZlcmVuY2Ugc2JpbmZvIHdpdGgK KwkgKiByY3VfcmVhZF9sb2NrKCkgaGVsZC4KKwkgKi8KKwlyY3VfcmVhZF9sb2NrKCk7CisJc2Jp bmZvID0gZnNub3RpZnlfc2JfaW5mbyhzYik7CiAJaWYgKHNiaW5mbykgewogCQlpdGVyX2luZm8u bWFya3NbRlNOT1RJRllfSVRFUl9UWVBFX1NCXSA9CiAJCQlmc25vdGlmeV9maXJzdF9tYXJrKCZz YmluZm8tPnNiX21hcmtzKTsKIAl9CisJcmN1X3JlYWRfdW5sb2NrKCk7CiAJaWYgKG1udCkgewog CQlpdGVyX2luZm8ubWFya3NbRlNOT1RJRllfSVRFUl9UWVBFX1ZGU01PVU5UXSA9CiAJCQlmc25v dGlmeV9maXJzdF9tYXJrKCZtbnQtPm1udF9mc25vdGlmeV9tYXJrcyk7CmRpZmYgLS1naXQgYS9p bmNsdWRlL2xpbnV4L2Zzbm90aWZ5X2JhY2tlbmQuaCBiL2luY2x1ZGUvbGludXgvZnNub3RpZnlf YmFja2VuZC5oCmluZGV4IDdmMWFiODI2NGU0MS4uZjExMDQ3MTI1NTIyIDEwMDY0NAotLS0gYS9p bmNsdWRlL2xpbnV4L2Zzbm90aWZ5X2JhY2tlbmQuaAorKysgYi9pbmNsdWRlL2xpbnV4L2Zzbm90 aWZ5X2JhY2tlbmQuaApAQCAtOTcsNiArOTcsOSBAQAogICovCiAjZGVmaW5lIEZTX0VWRU5UU19Q T1NTX1RPX1BBUkVOVCAoRlNfRVZFTlRTX1BPU1NfT05fQ0hJTEQpCiAKKy8qIEV2ZW50cyB0aGF0 IGNvdWxkIGJlIGdlbmVyYXRlZCB3aGlsZSBmcyBpcyBzaHV0dGluZyBkb3duICovCisjZGVmaW5l IEZTX0VWRU5UU19QT1NTX09OX1NIVVRET1dOIChGU19FUlJPUikKKwogLyogRXZlbnRzIHRoYXQg Y2FuIGJlIHJlcG9ydGVkIHRvIGJhY2tlbmRzICovCiAjZGVmaW5lIEFMTF9GU05PVElGWV9FVkVO VFMgKEFMTF9GU05PVElGWV9ESVJFTlRfRVZFTlRTIHwgXAogCQkJICAgICBGU19FVkVOVFNfUE9T U19PTl9DSElMRCB8IFwKQEAgLTQ4OCw2ICs0OTEsNyBAQCBzdHJ1Y3QgZnNub3RpZnlfbWFya19j b25uZWN0b3IgewogICovCiBzdHJ1Y3QgZnNub3RpZnlfc2JfaW5mbyB7CiAJc3RydWN0IGZzbm90 aWZ5X21hcmtfY29ubmVjdG9yIF9fcmN1ICpzYl9tYXJrczsKKwlzdHJ1Y3QgcmN1X2hlYWQgcmN1 OwogCS8qCiAJICogTnVtYmVyIG9mIGlub2RlL21vdW50L3NiIG9iamVjdHMgdGhhdCBhcmUgYmVp bmcgd2F0Y2hlZCBpbiB0aGlzIHNiLgogCSAqIE5vdGUgdGhhdCBpbm9kZXMgb2JqZWN0cyBhcmUg Y3VycmVudGx5IGRvdWJsZS1hY2NvdW50ZWQuCi0tIAoyLjM0LjEKCg== --000000000000235907061639362b--