2012-06-20 04:04:24

by fanchaoting

Subject: [patch] nfs client oops when receive a 'read reply Malformed Packet'

The NFS client oopses when it receives a "read reply Malformed Packet".
I find that xdr->iov may be NULL when the client receives a
Malformed Packet (one that only has 'Status' and 'file_attributes').

rpcauth_unwrap_req_decode
nfs3_xdr_dec_read3res
decode_read3resok
......
hdrlen = (u8 *)xdr->p - (u8 *)xdr->iov->iov_base; (oops xdr->iov is NULL)
......

rpcauth_unwrap_req_decode
nfs3_xdr_dec_readlink3res
decode_nfspath3
.....
hdrlen = (u8 *)xdr->p - (u8 *)xdr->iov->iov_base; (oops xdr->iov is NULL)
.....

Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874745] BUG: unable to handle kernel NULL pointer dereference at (null)
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874823] IP: [<f963d31a>] nfs3_xdr_dec_read3res+0x6a/0x120 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874905] *pdpt = 00000000368c6001 *pde = 0000000000000000
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874961] Oops: 0000 [#1] SMP
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874998] Modules linked in: nfs nfs_acl auth_rpcgss fscache lockd sunrpc ppdev snd_hda_codec_realtek parport_pc snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_timer iTCO_wdt iTCO_vendor_support microcode parport snd i2c_i801 serio_raw r8169 soundcore 8139too 8139cp mii usb_storage i915 video i2c_algo_bit drm_kms_helper drm i2c_core [last unloaded: scsi_wait_scan]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875393]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875411] Pid: 4, comm: kworker/0:0 Not tainted 3.3.4-5.fc17.i686.PAE #1 Acer ASPIRE AG1720/E945GCZ
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875501] EIP: 0060:[<f963d31a>] EFLAGS: 00010246 CPU: 0
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875566] EIP is at nfs3_xdr_dec_read3res+0x6a/0x120 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875618] EAX: ff6f300c EBX: f4887ebc ECX: 00000000 EDX: 00000000
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875673] ESI: f37bdf5c EDI: 00000000 EBP: f4887ea0 ESP: f4887e7c
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] Process kworker/0:0 (pid: 4, ti=f4886000 task=f485a5b0 task.ti=f4886000)
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] Stack:
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] f7207b80 00000137 00000001 0251f8b2 00000000 00000000 f963d2b0 00000000
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] f6897000 f4887ee4 f958d563 f43a3b00 f7207b80 00000082 f4887ee0 f963d2b0
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] ff6f300c f689702c ff6f3032 00000000 00000000 00000000 f37bdf9c f37bde00
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] Call Trace:
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f963d2b0>] ? nfs3_xdr_dec_readdir3res+0xf0/0xf0 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f958d563>] rpcauth_unwrap_resp+0x73/0xb0 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f963d2b0>] ? nfs3_xdr_dec_readdir3res+0xf0/0xf0 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f9583cdb>] call_decode+0x17b/0x820 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f963d2b0>] ? nfs3_xdr_dec_readdir3res+0xf0/0xf0 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f958c1b2>] __rpc_execute+0x52/0x2a0 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f958c410>] rpc_async_schedule+0x10/0x20 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c045e4b8>] process_one_work+0x108/0x370
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c045d440>] ? do_work_for_cpu+0x20/0x20
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f958c400>] ? __rpc_execute+0x2a0/0x2a0 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c045fa09>] worker_thread+0xf9/0x280
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c046f26e>] ? complete+0x4e/0x60
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c045f910>] ? manage_workers.isra.24+0x1d0/0x1d0
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c04642e2>] kthread+0x72/0x80

Message from syslogd@RHEL5GA at Jun 18 00:54:42 ...
kernel:[ 1339.875700] Process kworker/0:0 (pid: 4, ti=f4886000 task=f485a5b0 task.ti=f4886000)

Message from syslogd@RHEL5GA at Jun 18 00:54:42 ...
kernel:[ 1339.875700] Stack:

Message from syslogd@RHEL5GA at Jun 18 00:54:42 ...
kernel:[ 1339.875700] Call Trace:
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c0464270>] ? flush_kthread_worker+0x70/0x70
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c094b3be>] kernel_thread_helper+0x6/0x10
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] Code: 0c 00 00 00 89 d8 e8 d6 8d f5 ff 85 c0 74 68 8b 08 8b 50 04 0f c9 0f ca 89 55 ec 8b 50 08 89 cf 0f ca 39 d1 75 67 8b 53 0c 8b 03 <2b> 02 8b 53 04 8b 52 24 29 c2 39 d1 89 55 e8 77 75 89 d8 89 fa
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] EIP: [<f963d31a>] nfs3_xdr_dec_read3res+0x6a/0x120 [nfs] SS:ESP 0068:f4887e7c
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] CR2: 0000000000000000
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.899416] ---[ end trace 286ccde0ddd5fc09 ]---

Message from syslogd@RHEL5GA at Jun 18 00:54:42 ...
kernel:[ 1339.875700] Code: 0c 00 00 00 89 d8 e8 d6 8d f5 ff 85 c0 74 68 8b 08 8b 50 04 0f c9 0f ca 89 55 ec 8b 50 08 89 cf 0f ca 39 d1 75 67 8b 53 0c 8b 03 <2b> 02 8b 53 04 8b 52 24 29 c2 39 d1 89 55 e8 77 75 89 d8 89 fa

Message from syslogd@RHEL5GA at Jun 18 00:54:42 ...
kernel:[ 1339.875700] EIP: [<f963d31a>] nfs3_xdr_dec_read3res+0x6a/0x120 [nfs] SS:ESP 0068:f4887e7c




messages-20130414:Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182093] BUG: unable to handle kernel NULL pointer dereference at (null)
messages-20130414:Apr 13 22:53:00 RHEL7alpha1 kernel: [ 964.326085] BUG: unable to handle kernel NULL pointer dereference at (null)
[root@RHEL7alpha1 log]# vim messages-20130414
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182719] FS: 00007f12eeadc7c0(0000) GS:ffff88003c200000(0000) knlGS:0000000000000000
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182788] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182827] CR2: 0000000000000000 CR3: 000000003950d000 CR4: 00000000000006f0
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182872] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Process ls (pid: 1676, threadinfo ffff880037ae2000, task ffff880037cbcce0)
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Stack:
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] ffff880037ae3b30 ffff8800371c2e38 ffff880037ae3b08 ffffffffa02ca5d8
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] ffff880037ae3b90 0000000000000082 ffff88003434aa00 ffff88003887a764
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] ffff880037ae3b98 ffffffffa00e1d3d ffff880037ae3b68 ffff8800371c2e38
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Call Trace:
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02ca5d8>] nfs3_xdr_dec_readlink3res+0x58/0x70 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00e1d3d>] rpcauth_unwrap_resp+0x9d/0xd0 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02ca580>] ? nfs3_xdr_dec_create3res+0x80/0x80 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00d653e>] call_decode+0x17e/0x250 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00e02a6>] __rpc_execute+0x66/0x1d0 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00e06d3>] rpc_execute+0x43/0x50 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00d7af5>] rpc_run_task+0x75/0x90 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00d7c13>] rpc_call_sync+0x43/0x70 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02b6234>] ? nfs_alloc_fattr+0x24/0x70 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c74bb>] nfs3_rpc_wrapper.constprop.7+0x4b/0x80 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c796b>] nfs3_proc_readlink+0x8b/0xf0 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c1f50>] nfs_symlink_filler+0x30/0x70 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff8114c5f2>] do_read_cache_page+0x82/0x1a0
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02e53c0>] ? nfs_mark_delegation_referenced+0x10/0x10 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c1f20>] ? nfs_follow_link+0xc0/0xc0 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff8114c75c>] read_cache_page_async+0x1c/0x20
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff8114c76e>] read_cache_page+0xe/0x20
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c1ec8>] nfs_follow_link+0x68/0xc0 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff811c0712>] generic_readlink+0x42/0xa0
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff811b9e0d>] sys_readlinkat+0xad/0xb0
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff810f4bbe>] ? audit_syscall_entry+0x30e/0x330
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff811b9e2b>] sys_readlink+0x1b/0x20
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff81639202>] system_call_fastpath+0x16/0x1b
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Code: 2f e2 ff 48 85 c0 74 4d 44 8b 20 48 8b 53 08 41 0f cc 41 81 fc 00 10 00 00 77 71 44 39 62 2c 76 6b 48 8b 4b 18 48 8b 03 8b 52 38 <48> 2b 01 29 c2 44 39 e2 72 36 48 89 df 44 89 e6 e8 1a 2c e2 ff
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] RIP [<ffffffffa02c96e1>] decode_nfspath3+0x41/0xd0 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] RSP <ffff880037ae3ac8>
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] CR2: 0000000000000000



Signed-off-by: fanchaoting<[email protected]>
---
fs/nfs/nfs3xdr.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c
index 183c6b1..6f53070 100644
--- a/fs/nfs/nfs3xdr.c
+++ b/fs/nfs/nfs3xdr.c
@@ -250,6 +250,8 @@ static int decode_nfspath3(struct xdr_stream *xdr)
p = xdr_inline_decode(xdr, 4);
if (unlikely(p == NULL))
goto out_overflow;
+ if (unlikely(xdr->iov == NULL))
+ goto iov_null;
count = be32_to_cpup(p);
if (unlikely(count >= xdr->buf->page_len || count > NFS3_MAXPATHLEN))
goto out_nametoolong;
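
Review bot: The `xdr->iov == NULL` test added after `xdr_inline_decode()` in decode_nfspath3() guards the symptom and carries no comment saying which state of the stream leaves `xdr->iov` unset at this point. The changelog attributes the oops to `hdrlen = (u8 *)xdr->p - (u8 *)xdr->iov->iov_base`, so please either add that comment or move the test next to the `hdrlen` computation it protects, so the dependency is visible where the dereference happens.
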
@@ -269,6 +271,9 @@ out_cheating:
dprintk("NFS: server cheating in pathname result: "
"count %u > recvd %u\n", count, recvd);
return -EIO;
+iov_null:
+ dprintk("NFS: %s:xdr->iov is NULL\n", __func__);
+ return -EIO;
out_overflow:
print_overflow_msg(__func__, xdr);
return -EIO;
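
Review bot: The new `iov_null` label in decode_nfspath3() duplicates what `out_overflow` directly below it already does (report, then `return -EIO`), and its format string `"NFS: %s:xdr->iov is NULL\n"` is missing a space after the colon. Since the condition is a reply shorter than the decoder expects, consider `goto out_overflow` and let `print_overflow_msg(__func__, xdr)` report it, which removes the extra label.
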
@@ -1588,6 +1593,8 @@ static int decode_read3resok(struct xdr_stream *xdr,
p = xdr_inline_decode(xdr, 4 + 4 + 4);
if (unlikely(p == NULL))
goto out_overflow;
+ if (unlikely(xdr->iov == NULL))
+ goto iov_null;
count = be32_to_cpup(p++);
eof = be32_to_cpup(p++);
ocount = be32_to_cpup(p++);
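
Review bot: Duplicating the `xdr->iov == NULL` test per decoder, here after the 12-byte `xdr_inline_decode()` in decode_read3resok(), leaves every other decoder that dereferences `xdr->iov` exposed to the same short reply. A single helper, or a check inside the XDR layer itself, would cover all callers and keep the two copies from drifting apart.
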
@@ -1613,6 +1620,9 @@ out_cheating:
count = recvd;
eof = 0;
goto out;
+iov_null:
+ dprintk("NFS: %s:xdr->iov is NULL\n", __func__);
+ return -EIO;
out_overflow:
print_overflow_msg(__func__, xdr);
return -EIO;
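
Review bot: The `iov_null` path in decode_read3resok() fails the READ with -EIO, while the `out_cheating` path directly above it recovers from a short reply with `count = recvd; eof = 0; goto out;`. The changelog should say why this short-reply case must fail instead of being clamped the same way, or the new label should be folded into the existing handling.
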
--
1.7.7


Attachments:
dump.pcap (5.35 kB)

2012-06-21 07:09:06

by fanchaoting

Subject: Re: [patch] nfs client oops when receive a 'read reply Malformed Packet'

Myklebust, Trond wrote:
> On Wed, 2012-06-20 at 12:05 +0800, fanchaoting wrote:
>> The NFS client oopses when it receives a "read reply Malformed Packet".
>> I find that xdr->iov may be NULL when the client receives a
>> Malformed Packet (one that only has 'Status' and 'file_attributes').
>>
>> rpcauth_unwrap_req_decode
>> nfs3_xdr_dec_read3res
>> decode_read3resok
>> ......
>> hdrlen = (u8 *)xdr->p - (u8 *)xdr->iov->iov_base; (oops xdr->iov is NULL)
>> ......
>>
>> rpcauth_unwrap_req_decode
>> nfs3_xdr_dec_readlink3res
>> decode_nfspath3
>> .....
>> hdrlen = (u8 *)xdr->p - (u8 *)xdr->iov->iov_base; (oops xdr->iov is NULL)
>> .....
>>
>> Signed-off-by: fanchaoting<[email protected]>
>> ---
>> fs/nfs/nfs3xdr.c | 10 ++++++++++
>> 1 files changed, 10 insertions(+), 0 deletions(-)
>>
>> diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c
>> index 183c6b1..6f53070 100644
>> --- a/fs/nfs/nfs3xdr.c
>> +++ b/fs/nfs/nfs3xdr.c
>> @@ -250,6 +250,8 @@ static int decode_nfspath3(struct xdr_stream *xdr)
>> p = xdr_inline_decode(xdr, 4);
>> if (unlikely(p == NULL))
>> goto out_overflow;
>> + if (unlikely(xdr->iov == NULL))
>> + goto iov_null;
>
> Hmm... Isn't the problem here rather that we are reading beyond the RPC
> reply message boundary?

yes

>
> If so, won't something like the following patch fix the problem?
>

I applied your patch, but the system also panics.

> Cheers
> Trond
> 8<---------------------------------------------------
> From 6aab66457f7059ed8e047cf8915c61ede842a637 Mon Sep 17 00:00:00 2001
> From: Trond Myklebust <[email protected]>
> Date: Wed, 20 Jun 2012 09:58:35 -0400
> Subject: [PATCH] SUNRPC: Don't decode beyond the end of the RPC reply message
>
> Now that xdr_inline_decode() will automatically cross into the page
> buffers, we need to ensure that it doesn't exceed the total reply
> message length.
>
> This patch sets up a counter that tracks the number of bytes
> remaining in the reply message, and ensures that xdr_inline_decode
> doesn't cross the end of message boundary.
>
> Signed-off-by: Trond Myklebust <[email protected]>
> ---
> include/linux/sunrpc/xdr.h | 5 +++--
> net/sunrpc/xdr.c | 29 ++++++++++++++++++++++-------
> 2 files changed, 25 insertions(+), 9 deletions(-)
>
> diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
> index af70af3..caa282b 100644
> --- a/include/linux/sunrpc/xdr.h
> +++ b/include/linux/sunrpc/xdr.h
> @@ -205,6 +205,7 @@ struct xdr_stream {
> struct kvec *iov; /* pointer to the current kvec */
> struct kvec scratch; /* Scratch buffer */
> struct page **page_ptr; /* pointer to the current page */
> + size_t nwords; /* Remaining decode buffer length */
> };
>
> /*
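
Review bot: The comment on the new `nwords` field says "Remaining decode buffer length" without a unit, while the other lengths this patch touches (`nbytes`, `len`) are byte counts. Please state that it counts 32-bit XDR words, for example "Remaining decode buffer length, in 32-bit words", so it is not compared against byte counts by mistake.
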
> @@ -222,8 +223,8 @@ extern void xdr_init_decode_pages(struct xdr_stream *xdr, struct xdr_buf *buf,
> struct page **pages, unsigned int len);
> extern void xdr_set_scratch_buffer(struct xdr_stream *xdr, void *buf, size_t buflen);
> extern __be32 *xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes);
> -extern void xdr_read_pages(struct xdr_stream *xdr, unsigned int len);
> -extern void xdr_enter_page(struct xdr_stream *xdr, unsigned int len);
> +extern int xdr_read_pages(struct xdr_stream *xdr, unsigned int len);
> +extern int xdr_enter_page(struct xdr_stream *xdr, unsigned int len);
> extern int xdr_process_buf(struct xdr_buf *buf, unsigned int offset, unsigned int len, int (*actor)(struct scatterlist *, void *), void *data);
>
> #endif /* __KERNEL__ */
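
Review bot: Changing `xdr_read_pages()` and `xdr_enter_page()` from `void` to `int` has no effect unless callers test the result, and the diffstat lists only include/linux/sunrpc/xdr.h and net/sunrpc/xdr.c, so no caller is converted here. Consider marking both prototypes `__must_check`, or converting the callers in the same series, so a failed call cannot be ignored silently.
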
> diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
> index fddcccf..5900d66 100644
> --- a/net/sunrpc/xdr.c
> +++ b/net/sunrpc/xdr.c
> @@ -632,6 +632,7 @@ void xdr_init_decode(struct xdr_stream *xdr, struct xdr_buf *buf, __be32 *p)
> xdr->buf = buf;
> xdr->scratch.iov_base = NULL;
> xdr->scratch.iov_len = 0;
> + xdr->nwords = XDR_QUADLEN(buf->len);
> if (buf->head[0].iov_len != 0)
> xdr_set_iov(xdr, buf->head, p, buf->len);
> else if (buf->page_len != 0)
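
Review bot: `xdr->nwords = XDR_QUADLEN(buf->len)` in xdr_init_decode() rounds up, so a reply whose `buf->len` is not a multiple of 4 is credited with one more word than it contains and the last decode can run up to 3 bytes past the end of the message. Rounding down (`buf->len >> 2`) keeps the counter inside the message; if the round-up is intended, a comment should say why.
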
> @@ -660,12 +661,14 @@ EXPORT_SYMBOL_GPL(xdr_init_decode_pages);
>
> static __be32 * __xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes)
> {
> + size_t nwords = XDR_QUADLEN(nbytes);
> __be32 *p = xdr->p;
> - __be32 *q = p + XDR_QUADLEN(nbytes);
> + __be32 *q = p + nwords;
>
> - if (unlikely(q > xdr->end || q < p))
> + if (unlikely(nwords > xdr->nwords || q > xdr->end || q < p))
> return NULL;
> xdr->p = q;
> + xdr->nwords -= nwords;
> return p;
> }
>
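
Review bot: The `nwords > xdr->nwords` test lives in `__xdr_inline_decode()`, but the changelog names `xdr_inline_decode()` crossing into the page buffers as the case being fixed, and that path is not part of this hunk. Please confirm, or show in the patch, that the page-crossing path also goes through this counter. Separately, `q = p + nwords` is still formed before the bound is tested; checking `nwords > xdr->nwords` first and computing `q` afterwards avoids building an out-of-range pointer.
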
> @@ -741,14 +744,17 @@ EXPORT_SYMBOL_GPL(xdr_inline_decode);
> * into the page list. Any data that lies beyond current position + "len"
> * bytes is moved into the XDR tail[].
> */
> -void xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
> +int xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
> {
> struct xdr_buf *buf = xdr->buf;
> struct kvec *iov;
> + size_t nwords = XDR_QUADLEN(len);
> ssize_t shift;
> unsigned int end;
> int padding;
>
> + if (nwords > xdr->nwords)
> + return -EFAULT;
> /* Realign pages to current pointer position */
> iov = buf->head;
> shift = iov->iov_len + (char *)iov->iov_base - (char *)xdr->p;
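
Review bot: `return -EFAULT` for `nwords > xdr->nwords` in xdr_read_pages() reports a short server reply as a bad address, whereas the NFS decoders earlier in this thread return -EIO for malformed replies. Using -EIO would keep the error meaningful to callers, and the kernel-doc comment above the function should be updated to say that it can now fail and what it returns.
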
> @@ -758,7 +764,7 @@ void xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
> /* Truncate page data and move it into the tail */
> if (buf->page_len > len)
> xdr_shrink_pagelen(buf, buf->page_len - len);
> - padding = (XDR_QUADLEN(len) << 2) - len;
> + padding = (nwords << 2) - len;
> xdr->iov = iov = buf->tail;
> /* Compute remaining message length. */
> end = iov->iov_len;
> @@ -773,6 +779,8 @@ void xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
> */
> xdr->p = (__be32 *)((char *)iov->iov_base + padding);
> xdr->end = (__be32 *)((char *)iov->iov_base + end);
> + xdr->nwords -= nwords;
> + return 0;
> }
> EXPORT_SYMBOL_GPL(xdr_read_pages);
>
> @@ -786,14 +794,21 @@ EXPORT_SYMBOL_GPL(xdr_read_pages);
> * bytes is moved into the XDR tail[]. The current pointer is then
> * repositioned at the beginning of the first XDR page.
> */
> -void xdr_enter_page(struct xdr_stream *xdr, unsigned int len)
> +int xdr_enter_page(struct xdr_stream *xdr, unsigned int len)
> {
> - xdr_read_pages(xdr, len);
> + size_t save_nwords = xdr->nwords;
> + int ret;
> +
> + ret = xdr_read_pages(xdr, len);
> + if (ret < 0)
> + return ret;
> /*
> * Position current pointer at beginning of tail, and
> - * set remaining message length.
> + * reset remaining message length.
> */
> xdr_set_page_base(xdr, 0, len);
> + xdr->nwords = save_nwords;
> + return 0;
> }
> EXPORT_SYMBOL_GPL(xdr_enter_page);
>
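
Review bot: In xdr_enter_page(), `xdr->nwords = save_nwords` restores the count from before `xdr_read_pages()` subtracted `len`, but the reworded comment ("reset remaining message length") sits above `xdr_set_page_base()` and does not explain why the full pre-call value is the right one after repositioning at the first page. A one-line comment on the restore itself, stating that the page data just entered is still to be decoded, would make the accounting checkable.
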




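A userspace model of the remaining-length counter described in the commit message quoted above, applied to a READ reply that stops after 'Status' and 'file_attributes'. This is an added example, not code from the thread or from the kernel: the flat `struct xstream`, the helper names and the sample reply are assumptions, and the buffer starts at the NFS status word with no RPC header.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUADLEN(n) (((n) + 3) >> 2) /* bytes -> 32-bit XDR words, rounded up */
#define FATTR3_SZ  84               /* fattr3 is 21 XDR words (RFC 1813) */

/* Hypothetical flat stream; the kernel's head/pages/tail split is not modelled. */
struct xstream {
	const uint8_t *p;   /* current decode position */
	const uint8_t *end; /* end of the backing buffer, not of the message */
	size_t nwords;      /* whole words left in the reply message */
};

static void xs_init(struct xstream *xs, const uint8_t *buf, size_t buflen, size_t msglen)
{
	xs->p = buf;
	xs->end = buf + buflen;
	/* Assumption of this model: round down, a partial word is not data. */
	xs->nwords = (msglen < buflen ? msglen : buflen) / 4;
}

/* Hand out nbytes of message data, or NULL once the message is exhausted. */
static const uint8_t *xs_inline_decode(struct xstream *xs, size_t nbytes)
{
	const uint8_t *p = xs->p;
	size_t nwords;

	if (nbytes > SIZE_MAX - 3)
		return NULL;
	nwords = QUADLEN(nbytes);
	if (nwords > xs->nwords || nwords > (size_t)(xs->end - p) / 4)
		return NULL;
	xs->p = p + nwords * 4;
	xs->nwords -= nwords;
	return p;
}

static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the READ byte count, or -EIO on a short or inconsistent reply.
 * Simplification: short data fails here instead of being clamped. */
static int decode_read3res(const uint8_t *buf, size_t buflen, size_t msglen)
{
	struct xstream xs;
	const uint8_t *p;
	uint32_t count, ocount;

	xs_init(&xs, buf, buflen, msglen);
	p = xs_inline_decode(&xs, 4);          /* status */
	if (p == NULL || be32(p) != 0)
		return -EIO;
	p = xs_inline_decode(&xs, 4);          /* attributes_follow */
	if (p == NULL)
		return -EIO;
	if (be32(p) != 0 && xs_inline_decode(&xs, FATTR3_SZ) == NULL)
		return -EIO;
	p = xs_inline_decode(&xs, 4 + 4 + 4);  /* count, eof, data length */
	if (p == NULL)
		return -EIO;
	count = be32(p);
	ocount = be32(p + 8);
	if (count != ocount || xs_inline_decode(&xs, ocount) == NULL)
		return -EIO;
	return (int)count;
}

/* Constructed sample: 108-byte READ reply body carrying "abcd"; msglen says
 * where the message ends inside the 128-byte receive buffer. */
int decode_sample(size_t msglen)
{
	uint8_t buf[128] = {0};  /* status NFS3_OK and a zeroed fattr3 */

	buf[7] = 1;              /* attributes_follow = 1 (big-endian low byte) */
	buf[95] = 4;             /* count = 4 */
	buf[99] = 1;             /* eof = 1 */
	buf[103] = 4;            /* data length = 4 */
	memcpy(buf + 104, "abcd", 4);
	return decode_read3res(buf, sizeof(buf), msglen);
}

int main(void)
{
	printf("108-byte message: %d\n", decode_sample(108));
	printf("92-byte message:  %d\n", decode_sample(92));
	printf("no message bound: %d\n", decode_sample(128));
	return 0;
}
```

With the message length set to 92 bytes the decoder stops before `count`; bounded only by the 128-byte buffer, it accepts the bytes that follow the message as if the server had sent them.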
2012-06-21 07:33:16

by fanchaoting

Subject: Re: [patch] nfs client oops when receive a 'read reply Malformed Packet'

Myklebust, Trond wrote:
> On Wed, 2012-06-20 at 12:05 +0800, fanchaoting wrote:
>> The NFS client oopses when it receives a "read reply Malformed Packet".
>> I find that xdr->iov may be NULL when the client receives a
>> Malformed Packet (one that only has 'Status' and 'file_attributes').
>>
>> rpcauth_unwrap_req_decode
>> nfs3_xdr_dec_read3res
>> decode_read3resok
>> ......
>> hdrlen = (u8 *)xdr->p - (u8 *)xdr->iov->iov_base; (oops xdr->iov is NULL)
>> ......
>>
>> rpcauth_unwrap_req_decode
>> nfs3_xdr_dec_readlink3res
>> decode_nfspath3
>> .....
>> hdrlen = (u8 *)xdr->p - (u8 *)xdr->iov->iov_base; (oops xdr->iov is NULL)
>> .....
>>
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Stack:
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] ffff880037ae3b30 ffff8800371c2e38 ffff880037ae3b08 ffffffffa02ca5d8
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] ffff880037ae3b90 0000000000000082 ffff88003434aa00 ffff88003887a764
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] ffff880037ae3b98 ffffffffa00e1d3d ffff880037ae3b68 ffff8800371c2e38
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Call Trace:
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02ca5d8>] nfs3_xdr_dec_readlink3res+0x58/0x70 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00e1d3d>] rpcauth_unwrap_resp+0x9d/0xd0 [sunrpc]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02ca580>] ? nfs3_xdr_dec_create3res+0x80/0x80 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00d653e>] call_decode+0x17e/0x250 [sunrpc]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00e02a6>] __rpc_execute+0x66/0x1d0 [sunrpc]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00e06d3>] rpc_execute+0x43/0x50 [sunrpc]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00d7af5>] rpc_run_task+0x75/0x90 [sunrpc]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00d7c13>] rpc_call_sync+0x43/0x70 [sunrpc]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02b6234>] ? nfs_alloc_fattr+0x24/0x70 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c74bb>] nfs3_rpc_wrapper.constprop.7+0x4b/0x80 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c796b>] nfs3_proc_readlink+0x8b/0xf0 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c1f50>] nfs_symlink_filler+0x30/0x70 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff8114c5f2>] do_read_cache_page+0x82/0x1a0
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02e53c0>] ? nfs_mark_delegation_referenced+0x10/0x10 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c1f20>] ? nfs_follow_link+0xc0/0xc0 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff8114c75c>] read_cache_page_async+0x1c/0x20
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff8114c76e>] read_cache_page+0xe/0x20
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c1ec8>] nfs_follow_link+0x68/0xc0 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff811c0712>] generic_readlink+0x42/0xa0
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff811b9e0d>] sys_readlinkat+0xad/0xb0
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff810f4bbe>] ? audit_syscall_entry+0x30e/0x330
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff811b9e2b>] sys_readlink+0x1b/0x20
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff81639202>] system_call_fastpath+0x16/0x1b
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Code: 2f e2 ff 48 85 c0 74 4d 44 8b 20 48 8b 53 08 41 0f cc 41 81 fc 00 10 00 00 77 71 44 39 62 2c 76 6b 48 8b 4b 18 48 8b 03 8b 52 38 <48> 2b 01 29 c2 44 39 e2 72 36 48 89 df 44 89 e6 e8 1a 2c e2 ff
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] RIP [<ffffffffa02c96e1>] decode_nfspath3+0x41/0xd0 [nfs]
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] RSP <ffff880037ae3ac8>
>> Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] CR2: 0000000000000000
>>
>>
>>
>> Signed-off-by: fanchaoting<[email protected]>
>> ---
>> fs/nfs/nfs3xdr.c | 10 ++++++++++
>> 1 files changed, 10 insertions(+), 0 deletions(-)
>>
>> diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c
>> index 183c6b1..6f53070 100644
>> --- a/fs/nfs/nfs3xdr.c
>> +++ b/fs/nfs/nfs3xdr.c
>> @@ -250,6 +250,8 @@ static int decode_nfspath3(struct xdr_stream *xdr)
>> p = xdr_inline_decode(xdr, 4);
>> if (unlikely(p == NULL))
>> goto out_overflow;
>> + if (unlikely(xdr->iov == NULL))
>> + goto iov_null;
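
Review bot: The `xdr->iov == NULL` test in decode_nfspath3() guards only this one `hdrlen` computation, and it runs after xdr_inline_decode() has already returned a non-NULL pointer, so the stream position is accepted as valid while the kvec it is measured against is missing. Every decoder that subtracts `xdr->iov->iov_base` needs an identical guard (decode_read3resok() in the report does the same subtraction), which argues for rejecting the short reply in the common XDR code instead. If the check stays, the new `iov_null` label should fail the decode the same way `out_overflow` does, and the changelog should say why `xdr->iov` can be NULL at this point.
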
>
> Hmm... Isn't the problem here rather that we are reading beyond the RPC
> reply message boundary?
>
> If so, won't something like the following patch fix the problem?

Yes.

>

I applied your patch, but the system also panics.

> Cheers
> Trond
> 8<---------------------------------------------------
> From 6aab66457f7059ed8e047cf8915c61ede842a637 Mon Sep 17 00:00:00 2001
> From: Trond Myklebust <[email protected]>
> Date: Wed, 20 Jun 2012 09:58:35 -0400
> Subject: [PATCH] SUNRPC: Don't decode beyond the end of the RPC reply message
>
> Now that xdr_inline_decode() will automatically cross into the page
> buffers, we need to ensure that it doesn't exceed the total reply
> message length.
>
> This patch sets up a counter that tracks the number of bytes
> remaining in the reply message, and ensures that xdr_inline_decode
> doesn't cross the end of message boundary.
>
> Signed-off-by: Trond Myklebust <[email protected]>
> ---
> include/linux/sunrpc/xdr.h | 5 +++--
> net/sunrpc/xdr.c | 29 ++++++++++++++++++++++-------
> 2 files changed, 25 insertions(+), 9 deletions(-)
>
> diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
> index af70af3..caa282b 100644
> --- a/include/linux/sunrpc/xdr.h
> +++ b/include/linux/sunrpc/xdr.h
> @@ -205,6 +205,7 @@ struct xdr_stream {
> struct kvec *iov; /* pointer to the current kvec */
> struct kvec scratch; /* Scratch buffer */
> struct page **page_ptr; /* pointer to the current page */
> + size_t nwords; /* Remaining decode buffer length */
> };
>
> /*
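
Review bot: The comment on the new `nwords` field says "Remaining decode buffer length" but gives no unit. The field is initialised with XDR_QUADLEN() later in this patch, so it counts 32-bit XDR words while the `len` and `nbytes` arguments around it are in bytes. Say so in the comment, for example `/* Remaining decode buffer length, in 32-bit words */`.
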
> @@ -222,8 +223,8 @@ extern void xdr_init_decode_pages(struct xdr_stream *xdr, struct xdr_buf *buf,
> struct page **pages, unsigned int len);
> extern void xdr_set_scratch_buffer(struct xdr_stream *xdr, void *buf, size_t buflen);
> extern __be32 *xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes);
> -extern void xdr_read_pages(struct xdr_stream *xdr, unsigned int len);
> -extern void xdr_enter_page(struct xdr_stream *xdr, unsigned int len);
> +extern int xdr_read_pages(struct xdr_stream *xdr, unsigned int len);
> +extern int xdr_enter_page(struct xdr_stream *xdr, unsigned int len);
> extern int xdr_process_buf(struct xdr_buf *buf, unsigned int offset, unsigned int len, int (*actor)(struct scatterlist *, void *), void *data);
>
> #endif /* __KERNEL__ */
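
Review bot: xdr_read_pages() and xdr_enter_page() change from `void` to `int` here, but the diffstat lists only xdr.h and xdr.c, so no caller outside net/sunrpc/xdr.c is changed to look at the result. A caller that ignores a negative return keeps decoding from a stream that was never repositioned. Either convert the callers in the same series or mark both prototypes `__must_check` so the compiler points them out.
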
> diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
> index fddcccf..5900d66 100644
> --- a/net/sunrpc/xdr.c
> +++ b/net/sunrpc/xdr.c
> @@ -632,6 +632,7 @@ void xdr_init_decode(struct xdr_stream *xdr, struct xdr_buf *buf, __be32 *p)
> xdr->buf = buf;
> xdr->scratch.iov_base = NULL;
> xdr->scratch.iov_len = 0;
> + xdr->nwords = XDR_QUADLEN(buf->len);
> if (buf->head[0].iov_len != 0)
> xdr_set_iov(xdr, buf->head, p, buf->len);
> else if (buf->page_len != 0)
> @@ -660,12 +661,14 @@ EXPORT_SYMBOL_GPL(xdr_init_decode_pages);
>
> static __be32 * __xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes)
> {
> + size_t nwords = XDR_QUADLEN(nbytes);
> __be32 *p = xdr->p;
> - __be32 *q = p + XDR_QUADLEN(nbytes);
> + __be32 *q = p + nwords;
>
> - if (unlikely(q > xdr->end || q < p))
> + if (unlikely(nwords > xdr->nwords || q > xdr->end || q < p))
> return NULL;
> xdr->p = q;
> + xdr->nwords -= nwords;
> return p;
> }
>
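
Review bot: In __xdr_inline_decode() the bound is applied only after `nbytes` has been converted with XDR_QUADLEN(), which rounds up by adding 3 before shifting. An `nbytes` in the top three values of size_t wraps to a word count of 0 and passes `nwords > xdr->nwords` as well as the `q > xdr->end || q < p` tests, so the caller gets a non-NULL pointer for a length the buffer cannot hold. Comparing `nbytes` against the remaining length in bytes (`xdr->nwords << 2`) before the conversion closes that case.
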
> @@ -741,14 +744,17 @@ EXPORT_SYMBOL_GPL(xdr_inline_decode);
> * into the page list. Any data that lies beyond current position + "len"
> * bytes is moved into the XDR tail[].
> */
> -void xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
> +int xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
> {
> struct xdr_buf *buf = xdr->buf;
> struct kvec *iov;
> + size_t nwords = XDR_QUADLEN(len);
> ssize_t shift;
> unsigned int end;
> int padding;
>
> + if (nwords > xdr->nwords)
> + return -EFAULT;
> /* Realign pages to current pointer position */
> iov = buf->head;
> shift = iov->iov_len + (char *)iov->iov_base - (char *)xdr->p;
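
Review bot: The new early exit in xdr_read_pages() returns -EFAULT, but the comment block above the function still describes only the buffer rearrangement and says nothing about a return value. Document that a negative errno means `len` exceeds the remaining reply length and that the stream is left untouched in that case. -EIO may also be a more conventional errno for a short or malformed reply than -EFAULT, which normally signals a bad user-space address.
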
> @@ -758,7 +764,7 @@ void xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
> /* Truncate page data and move it into the tail */
> if (buf->page_len > len)
> xdr_shrink_pagelen(buf, buf->page_len - len);
> - padding = (XDR_QUADLEN(len) << 2) - len;
> + padding = (nwords << 2) - len;
> xdr->iov = iov = buf->tail;
> /* Compute remaining message length. */
> end = iov->iov_len;
> @@ -773,6 +779,8 @@ void xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
> */
> xdr->p = (__be32 *)((char *)iov->iov_base + padding);
> xdr->end = (__be32 *)((char *)iov->iov_base + end);
> + xdr->nwords -= nwords;
> + return 0;
> }
> EXPORT_SYMBOL_GPL(xdr_read_pages);
>
> @@ -786,14 +794,21 @@ EXPORT_SYMBOL_GPL(xdr_read_pages);
> * bytes is moved into the XDR tail[]. The current pointer is then
> * repositioned at the beginning of the first XDR page.
> */
> -void xdr_enter_page(struct xdr_stream *xdr, unsigned int len)
> +int xdr_enter_page(struct xdr_stream *xdr, unsigned int len)
> {
> - xdr_read_pages(xdr, len);
> + size_t save_nwords = xdr->nwords;
> + int ret;
> +
> + ret = xdr_read_pages(xdr, len);
> + if (ret < 0)
> + return ret;
> /*
> * Position current pointer at beginning of tail, and
> - * set remaining message length.
> + * reset remaining message length.
> */
> xdr_set_page_base(xdr, 0, len);
> + xdr->nwords = save_nwords;
> + return 0;
> }
> EXPORT_SYMBOL_GPL(xdr_enter_page);
>
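
Review bot: xdr_enter_page() saves `xdr->nwords` before calling xdr_read_pages() and restores it afterwards, undoing the `xdr->nwords -= nwords` the callee just applied, and the only hint is the comment changing from "set" to "reset". Add a sentence explaining that the page data has been positioned but not yet consumed, so it must still count toward the remaining length; without that the save/restore pair reads like a bug. The comment above the function should also mention the new return value.
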




2012-06-20 14:49:05

by Myklebust, Trond

Subject: Re: [patch] nfs client oops when receive a 'read reply Malformed Packet'