From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark Rutland <mark.rutland@arm.com>
Subject: Re: kvm/arm64: use-after-free in
 kvm_unmap_hva_handler/unmap_stage2_pmds
Date: Tue, 18 Apr 2017 09:32:31 +0100
Message-ID: <20170418083230.GA17866@leverpostej>
References: <CAAeHK+yjKm3mO2h9M30t-V_PnMhXEM887_zESCSg6gkbzivPsQ@mail.gmail.com>
 <20f6c994-d83e-7a6f-9f13-f10287211a6c@arm.com>
 <9f473bb9-d0eb-6803-1263-75ffef0301fe@redhat.com>
 <CAAeHK+x8udHKq9xa1zkTO6ax5E8Dk32HYWfaT05FMchL2cr48g@mail.gmail.com>
 <1050c9d8-5813-5df9-29e5-3ab6e61b5de6@arm.com>
 <88715300-ef58-e7bd-81f5-95e0b9c9c533@arm.com>
 <20170413155045.GA8387@e107814-lin.cambridge.arm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Return-path: <kvmarm-bounces@lists.cs.columbia.edu>
Received: from localhost (localhost [127.0.0.1])
 by mm01.cs.columbia.edu (Postfix) with ESMTP id B9B8A40296
 for <kvmarm@lists.cs.columbia.edu>; Tue, 18 Apr 2017 04:30:27 -0400 (EDT)
Received: from mm01.cs.columbia.edu ([127.0.0.1])
 by localhost (mm01.cs.columbia.edu [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id flOgxffvKqap for <kvmarm@lists.cs.columbia.edu>;
 Tue, 18 Apr 2017 04:30:24 -0400 (EDT)
Received: from foss.arm.com (foss.arm.com [217.140.101.70])
 by mm01.cs.columbia.edu (Postfix) with ESMTP id B6968400E9
 for <kvmarm@lists.cs.columbia.edu>; Tue, 18 Apr 2017 04:30:24 -0400 (EDT)
Content-Disposition: inline
In-Reply-To: <20170413155045.GA8387@e107814-lin.cambridge.arm.com>
List-Unsubscribe: <https://lists.cs.columbia.edu/mailman/options/kvmarm>,
 <mailto:kvmarm-request@lists.cs.columbia.edu?subject=unsubscribe>
List-Archive: <https://lists.cs.columbia.edu/pipermail/kvmarm>
List-Post: <mailto:kvmarm@lists.cs.columbia.edu>
List-Help: <mailto:kvmarm-request@lists.cs.columbia.edu?subject=help>
List-Subscribe: <https://lists.cs.columbia.edu/mailman/listinfo/kvmarm>,
 <mailto:kvmarm-request@lists.cs.columbia.edu?subject=subscribe>
Errors-To: kvmarm-bounces@lists.cs.columbia.edu
Sender: kvmarm-bounces@lists.cs.columbia.edu
To: "Suzuki K. Poulose" <Suzuki.Poulose@arm.com>
Cc: kvm@vger.kernel.org, Marc Zyngier <marc.zyngier@arm.com>, Andrey Konovalov <andreyknvl@google.com>, will.deacon@arm.com, linux-kernel@vger.kernel.org, kcc@google.com, syzkaller@googlegroups.com, catalin.marinas@arm.com, dvyukov@google.com, Paolo Bonzini <pbonzini@redhat.com>, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org
List-Id: kvmarm@lists.cs.columbia.edu

SGkgU3V6dWtpLAoKT24gVGh1LCBBcHIgMTMsIDIwMTcgYXQgMDQ6NTA6NDZQTSArMDEwMCwgU3V6
dWtpIEsuIFBvdWxvc2Ugd3JvdGU6Cj4ga3ZtOiBIb2xkIHJlZmVyZW5jZSB0byB0aGUgdXNlciBh
ZGRyZXNzIHNwYWNlCj4gCj4gVGhlIGNvcmUgS1ZNIGNvZGUsIHVzZXMgbW1ncmFiL21tZHJvcCB0
byBwaW4gdGhlIG1tIHN0cnVjdCBvZiB0aGUgdXNlcgo+IGFwcGxpY2F0aW9uLiBtbWdyYWIgb25s
eSBndWFyYW50ZWVzIHRoYXQgdGhlIG1tIHN0cnVjdCBpcyBhdmFpbGFibGUsCj4gd2hpbGUgdGhl
ICJyZWFsIGFkZHJlc3Mgc3BhY2UiIChzZWUgRG9jdW1lbnRhdGlvbi92bS9hY3RpdmVfbW0udHh0
KSBtYXkKPiBiZSBkZXN0cm95ZWQuIFNpbmNlIHRoZSBLVk0gZGVwZW5kcyBvbiB0aGUgdXNlciBz
cGFjZSBwYWdlIHRhYmxlcyBmb3IKPiB0aGUgR3Vlc3QgcGFnZXMsIHdlIHNob3VsZCBpbnN0ZWFk
IGRvIGFuIG1tZ2V0L21tcHV0LiBFdmVuIHRob3VnaAo+IG1tZ2V0L21tcHV0IGlzIG5vdCBlbmNv
dXJhZ2VkIGZvciB1c2VzIHdpdGggdW5ib3VuZGVkIHRpbWUsIHRoZSBLVk0KPiBpcyBmaW5lIHRv
IGRvIHNvLCBhcyB3ZSBhcmUgZG9pbmcgaXQgZnJvbSB0aGUgY29udGV4dCBvZiB0aGUgc2FtZSBw
cm9jZXNzLgo+IAo+IFRoaXMgYWxzbyBwcmV2ZW50cyB0aGUgcmFjZSBjb25kaXRpb24gd2hlcmUg
bW11X25vdGlmaWVyX3JlbGVhc2UoKSBjb3VsZAo+IGJlIGNhbGxlZCBpbiBwYXJhbGxlbCBhbmQg
b25lIGluc3RhbmNlIGNvdWxkIGVuZCB1cCB1c2luZyBhIGZyZWUnZCBrdm0KPiBpbnN0YW5jZS4K
PiAKPiBDYzogTWFyayBSdXRsYW5kIDxtYXJrLnJ1dGxhbmRAYXJtLmNvbT4KPiBDYzogUGFvbG8g
Qm9uemluIDxwYm9uemluaUByZWRoYXQuY29tPgo+IENjOiBSYWRpbSBLcsSNbcOhxZkgPHJrcmNt
YXJAcmVkaGF0LmNvbT4KPiBDYzogTWFyYyBaeW5naWVyIDxtYXJjLnp5bmdpZXJAYXJtLmNvbT4K
PiBDYzogQ2hyaXN0b2ZmZXIgRGFsbCA8Y2hyaXN0b2ZmZXIuZGFsbEBsaW5hcm8ub3JnPgo+IENj
OiBhbmRyZXlrbnZsQGdvb2dsZS5jb20KPiBTaWduZWQtb2ZmLWJ5OiBTdXp1a2kgSyBQb3Vsb3Nl
IDxzdXp1a2kucG91bG9zZUBhcm0uY29tPgo+IC0tLQo+ICB2aXJ0L2t2bS9rdm1fbWFpbi5jIHwg
NiArKystLS0KPiAgMSBmaWxlIGNoYW5nZWQsIDMgaW5zZXJ0aW9ucygrKSwgMyBkZWxldGlvbnMo
LSkKPiAKPiBkaWZmIC0tZ2l0IGEvdmlydC9rdm0va3ZtX21haW4uYyBiL3ZpcnQva3ZtL2t2bV9t
YWluLmMKPiBpbmRleCA4ODI1N2IzLi41NTU3MTJlIDEwMDY0NAo+IC0tLSBhL3ZpcnQva3ZtL2t2
bV9tYWluLmMKPiArKysgYi92aXJ0L2t2bS9rdm1fbWFpbi5jCj4gQEAgLTYxMyw3ICs2MTMsNyBA
QCBzdGF0aWMgc3RydWN0IGt2bSAqa3ZtX2NyZWF0ZV92bSh1bnNpZ25lZCBsb25nIHR5cGUpCj4g
IAkJcmV0dXJuIEVSUl9QVFIoLUVOT01FTSk7Cj4gIAo+ICAJc3Bpbl9sb2NrX2luaXQoJmt2bS0+
bW11X2xvY2spOwo+IC0JbW1ncmFiKGN1cnJlbnQtPm1tKTsKPiArCW1tZ2V0KGN1cnJlbnQtPm1t
KTsKPiAgCWt2bS0+bW0gPSBjdXJyZW50LT5tbTsKPiAgCWt2bV9ldmVudGZkX2luaXQoa3ZtKTsK
PiAgCW11dGV4X2luaXQoJmt2bS0+bG9jayk7Cj4gQEAgLTY4NSw3ICs2ODUsNyBAQCBzdGF0aWMg
c3RydWN0IGt2bSAqa3ZtX2NyZWF0ZV92bSh1bnNpZ25lZCBsb25nIHR5cGUpCj4gIAlmb3IgKGkg
PSAwOyBpIDwgS1ZNX0FERFJFU1NfU1BBQ0VfTlVNOyBpKyspCj4gIAkJa3ZtX2ZyZWVfbWVtc2xv
dHMoa3ZtLCBrdm0tPm1lbXNsb3RzW2ldKTsKPiAgCWt2bV9hcmNoX2ZyZWVfdm0oa3ZtKTsKPiAt
CW1tZHJvcChjdXJyZW50LT5tbSk7Cj4gKwltbXB1dChjdXJyZW50LT5tbSk7Cj4gIAlyZXR1cm4g
RVJSX1BUUihyKTsKPiAgfQo+ICAKPiBAQCAtNzQ3LDcgKzc0Nyw3IEBAIHN0YXRpYyB2b2lkIGt2
bV9kZXN0cm95X3ZtKHN0cnVjdCBrdm0gKmt2bSkKPiAgCWt2bV9hcmNoX2ZyZWVfdm0oa3ZtKTsK
PiAgCXByZWVtcHRfbm90aWZpZXJfZGVjKCk7Cj4gIAloYXJkd2FyZV9kaXNhYmxlX2FsbCgpOwo+
IC0JbW1kcm9wKG1tKTsKPiArCW1tcHV0KG1tKTsKPiAgfQoKCkFzIGEgaGVhZHMtdXAsIEknbSBz
ZWVpbmcgd2hhdCBsb29rcyB0byBiZSBhIEtWTSBtZW1vcnkgbGVhayB3aXRoIHRoaXMKcGF0Y2gg
YXBwbGllZCBhdG9wIG9mIG5leHQtMjAxNzA0MTEuCgpJIGRvbid0IHlldCBrbm93IGlmIHRoaXMg
aXMgYSBwcm9ibGVtIHdpdGggbmV4dC0yMDE3MDQxMSBvciB0aGlzIHBhdGNoCmluIHBhcnRpY3Vs
YXIgLS0gSSB3aWxsIHRyeSB0byB0cmFjayB0aGF0IGRvd24uIEluIHRoZSBtZWFuIHRpbWUsIGlu
Zm8KZHVtcCBiZWxvdy4KCkkgbGVmdCBzeXprYWxsZXIgcnVubmluZyBvdmVyIHRoZSB3ZWVrZW5k
IHVzaW5nIHRoaXMga2VybmVsIG9uIHRoZSBob3N0LAphbmQgT09NIGtpY2tlZCBpbiBhZnRlciBp
dCBoYWQgYmVlbiBydW5uaW5nIGZvciBhIHNob3J0IHdoaWxlLiBBbG1vc3QKYWxsIG9mIG15IG1l
bW9yeSBpcyBpbiB1c2UsIGJ1dCBqdWRnaW5nIGJ5IHRvcCwgYWxtb3N0IG5vbmUgb2YgdGhpcyBp
cwphc3NvY2lhdGVkIHdpdGggcHJvY2Vzc2VzLgoKSXQgbG9va3MgbGlrZSB0aGlzIGlzIGFsbW9z
dCBhbGwgQW5vblBhZ2VzIGFsbG9jYXRpb25zOgoKbmFub29rQG1lZGlzdGVyOn4kIGNhdCAvcHJv
Yy9tZW1pbmZvIApNZW1Ub3RhbDogICAgICAgMTQyNTgxNzYga0IKTWVtRnJlZTogICAgICAgICAg
MTA2MTkyIGtCCk1lbUF2YWlsYWJsZTogICAgICAzODE5NiBrQgpCdWZmZXJzOiAgICAgICAgICAg
MjcxNjAga0IKQ2FjaGVkOiAgICAgICAgICAgIDQyNTA4IGtCClN3YXBDYWNoZWQ6ICAgICAgICAg
ICAgMCBrQgpBY3RpdmU6ICAgICAgICAgMTM0NDI5MTIga0IKSW5hY3RpdmU6ICAgICAgICAgICA3
Mzg4IGtCCkFjdGl2ZShhbm9uKTogICAxMzM4MDg3NiBrQgpJbmFjdGl2ZShhbm9uKTogICAgICA0
MDAga0IKQWN0aXZlKGZpbGUpOiAgICAgIDYyMDM2IGtCCkluYWN0aXZlKGZpbGUpOiAgICAgNjk4
OCBrQgpVbmV2aWN0YWJsZTogICAgICAgICAgIDAga0IKTWxvY2tlZDogICAgICAgICAgICAgICAw
IGtCClN3YXBUb3RhbDogICAgICAgICAgICAgMCBrQgpTd2FwRnJlZTogICAgICAgICAgICAgIDAg
a0IKRGlydHk6ICAgICAgICAgICAgICAgICAwIGtCCldyaXRlYmFjazogICAgICAgICAgICAgMCBr
QgpBbm9uUGFnZXM6ICAgICAgMTMzODA2ODgga0IKTWFwcGVkOiAgICAgICAgICAgICA3MzUyIGtC
ClNobWVtOiAgICAgICAgICAgICAgIDYyMCBrQgpTbGFiOiAgICAgICAgICAgICA1NjgxOTYga0IK
U1JlY2xhaW1hYmxlOiAgICAgIDIxNzU2IGtCClNVbnJlY2xhaW06ICAgICAgIDU0NjQ0MCBrQgpL
ZXJuZWxTdGFjazogICAgICAgIDI4MzIga0IKUGFnZVRhYmxlczogICAgICAgIDQ5MTY4IGtCCk5G
U19VbnN0YWJsZTogICAgICAgICAgMCBrQgpCb3VuY2U6ICAgICAgICAgICAgICAgIDAga0IKV3Jp
dGViYWNrVG1wOiAgICAgICAgICAwIGtCCkNvbW1pdExpbWl0OiAgICAgNzEyOTA4OCBrQgpDb21t
aXR0ZWRfQVM6ICAgNDE1NTQ2NTIga0IKVm1hbGxvY1RvdGFsOiAgIDEwMDkzMDU1MTc0NCBrQgpW
bWFsbG9jVXNlZDogICAgICAgICAgIDAga0IKVm1hbGxvY0NodW5rOiAgICAgICAgICAwIGtCCkFu
b25IdWdlUGFnZXM6ICAxMjcyODMyMCBrQgpTaG1lbUh1Z2VQYWdlczogICAgICAgIDAga0IKU2ht
ZW1QbWRNYXBwZWQ6ICAgICAgICAwIGtCCkNtYVRvdGFsOiAgICAgICAgICAxNjM4NCBrQgpDbWFG
cmVlOiAgICAgICAgICAgICAgIDAga0IKSHVnZVBhZ2VzX1RvdGFsOiAgICAgICAwCkh1Z2VQYWdl
c19GcmVlOiAgICAgICAgMApIdWdlUGFnZXNfUnN2ZDogICAgICAgIDAKSHVnZVBhZ2VzX1N1cnA6
ICAgICAgICAwCkh1Z2VwYWdlc2l6ZTogICAgICAgMjA0OCBrQgoKTG9va2luZyBhdCBzbGFidG9w
LCB0aGVyZSBhcmUgbGFyZ2UgbnVtYmVyIG9mIHZtX2FyZWFfc3RydWN0cyBhcm91bmQ6CgogQWN0
aXZlIC8gVG90YWwgT2JqZWN0cyAoJSB1c2VkKSAgICA6IDUzMTUxMSAvIDU4NzIxNCAoOTAuNSUp
CiBBY3RpdmUgLyBUb3RhbCBTbGFicyAoJSB1c2VkKSAgICAgIDogMjk0NDMgLyAyOTQ0MyAoMTAw
LjAlKQogQWN0aXZlIC8gVG90YWwgQ2FjaGVzICglIHVzZWQpICAgICA6IDEwOCAvIDE1NiAoNjku
MiUpCiBBY3RpdmUgLyBUb3RhbCBTaXplICglIHVzZWQpICAgICAgIDogNTE0MDUyLjIzSyAvIDUz
NjgzOS41N0sgKDk1LjglKQogTWluaW11bSAvIEF2ZXJhZ2UgLyBNYXhpbXVtIE9iamVjdCA6IDAu
MDNLIC8gMC45MUsgLyA4LjI4SwoKICBPQkpTIEFDVElWRSAgVVNFIE9CSiBTSVpFICBTTEFCUyBP
QkovU0xBQiBDQUNIRSBTSVpFIE5BTUUgICAgICAgICAgICAgICAgICAgCiA5NDkyNCAgODk3NTcg
IDk0JSAgICAwLjI0SyAgIDI4NzcgICAgICAgMzMgICAgIDIzMDE2SyB2bV9hcmVhX3N0cnVjdAog
NzI0MDAgIDYwNjg3ICA4MyUgICAgMC4zMUsgICAyODk2ICAgICAgIDI1ICAgICAyMzE2OEsgZmls
cAogNzA1NTMgIDcwNDg0ICA5OSUgICAgNC4yNUsgIDEwMDc5ICAgICAgICA3ICAgIDMyMjUyOEsg
bmFtZXNfY2FjaGUKIDcwMTEyICA2NDYwNSAgOTIlICAgIDAuMjVLICAgMjE5MSAgICAgICAzMiAg
ICAgMTc1MjhLIGttYWxsb2MtMTI4CiA1MjQ1OCAgNTA4MzcgIDk2JSAgICAwLjA5SyAgIDEyNDkg
ICAgICAgNDIgICAgICA0OTk2SyBhbm9uX3ZtYV9jaGFpbgogMjM0OTIgIDIyOTQ5ICA5NyUgICAg
NC4yNUsgICAzMzU2ICAgICAgICA3ICAgIDEwNzM5Mksga21hbGxvYy00MDk2CiAyMDYzMSAgMjA2
MzEgMTAwJSAgICAwLjEwSyAgICA1MjkgICAgICAgMzkgICAgICAyMTE2SyBhbm9uX3ZtYQoKLi4u
IHNvIGl0IGxvb2tzIGxpa2Ugd2UgY291bGQgYmUgbGVha2luZyB0aGUgbW0gYW5kIGFzc29jaWF0
ZWQgbWFwcGluZ3MuCgpGdWxsIE9PTSBzcGxhdDoKClszOTU5NTMuMjMxODM4XSBodG9wIGludm9r
ZWQgb29tLWtpbGxlcjogZ2ZwX21hc2s9MHgxNjA0MGQwKEdGUF9URU1QT1JBUll8X19HRlBfQ09N
UHxfX0dGUF9OT1RSQUNLKSwgbm9kZW1hc2s9KG51bGwpLCAgb3JkZXI9MCwgb29tX3Njb3JlX2Fk
aj0wClszOTU5NTMuMjQ0NTIzXSBodG9wIGNwdXNldD0vIG1lbXNfYWxsb3dlZD0wClszOTU5NTMu
MjQ4NTU2XSBDUFU6IDQgUElEOiAyMzAxIENvbW06IGh0b3AgTm90IHRhaW50ZWQgNC4xMS4wLXJj
Ni1uZXh0LTIwMTcwNDExLWRpcnR5ICM3MDQ0ClszOTU5NTMuMjU2NzI3XSBIYXJkd2FyZSBuYW1l
OiBBTUQgU2VhdHRsZSAoUmV2LkIwKSBEZXZlbG9wbWVudCBCb2FyZCAoT3ZlcmRyaXZlKSAoRFQp
ClszOTU5NTMuMjY0Mzc0XSBDYWxsIHRyYWNlOgpbMzk1OTUzLjI2NjkxMV0gWzxmZmZmMjAwMDA4
MDhjMzU4Pl0gZHVtcF9iYWNrdHJhY2UrMHgwLzB4M2E4ClszOTU5NTMuMjcyMzk0XSBbPGZmZmYy
MDAwMDgwOGM4NjA+XSBzaG93X3N0YWNrKzB4MjAvMHgzMApbMzk1OTUzLjI3NzUzMF0gWzxmZmZm
MjAwMDA4NWE4NmYwPl0gZHVtcF9zdGFjaysweGJjLzB4ZWMKWzM5NTk1My4yODI2NjZdIFs8ZmZm
ZjIwMDAwODJkNjZmOD5dIGR1bXBfaGVhZGVyKzB4ZDgvMHgzMjgKWzM5NTk1My4yODc5NzddIFs8
ZmZmZjIwMDAwODIxNTA3OD5dIG9vbV9raWxsX3Byb2Nlc3MrMHg0MDAvMHg2YjAKWzM5NTk1My4y
OTM4MDddIFs8ZmZmZjIwMDAwODIxNTg2ND5dIG91dF9vZl9tZW1vcnkrMHgxZWMvMHg3YzAKWzM5
NTk1My4yOTkzNzddIFs8ZmZmZjIwMDAwODIxZDkxOD5dIF9fYWxsb2NfcGFnZXNfbm9kZW1hc2sr
MHhkODgvMHhlNjgKWzM5NTk1My4zMDU3MjhdIFs8ZmZmZjIwMDAwODI5YmQ4Yz5dIGFsbG9jX3Bh
Z2VzX2N1cnJlbnQrMHhjYy8weDIxOApbMzk1OTUzLjMxMTczMl0gWzxmZmZmMjAwMDA4MmE5MDI4
Pl0gbmV3X3NsYWIrMHg0MjAvMHg2NTgKWzM5NTk1My4zMTY4NjhdIFs8ZmZmZjIwMDAwODJhYjM2
MD5dIF9fX3NsYWJfYWxsb2MrMHgzNzAvMHg1ZDgKWzM5NTk1My4zMjI0MzZdIFs8ZmZmZjIwMDAw
ODJhYjVlYz5dIF9fc2xhYl9hbGxvYy5pc3JhLjIyKzB4MjQvMHgzOApbMzk1OTUzLjMyODQzOF0g
WzxmZmZmMjAwMDA4MmFiZTVjPl0ga21lbV9jYWNoZV9hbGxvYysweDFiYy8weDFlOApbMzk1OTUz
LjMzNDI2OF0gWzxmZmZmMjAwMDA4Mzg3ZWVjPl0gcHJvY19hbGxvY19pbm9kZSsweDI0LzB4YTgK
WzM5NTk1My4zMzk5MjRdIFs8ZmZmZjIwMDAwODMwYWYxND5dIGFsbG9jX2lub2RlKzB4M2MvMHhm
MApbMzk1OTUzLjM0NTE0Nl0gWzxmZmZmMjAwMDA4MzBkZjkwPl0gbmV3X2lub2RlX3BzZXVkbysw
eDIwLzB4ODAKWzM5NTk1My4zNTA4MDBdIFs8ZmZmZjIwMDAwODMwZTAxND5dIG5ld19pbm9kZSsw
eDI0LzB4NTAKWzM5NTk1My4zNTU4NTBdIFs8ZmZmZjIwMDAwODM4ZTg2MD5dIHByb2NfcGlkX21h
a2VfaW5vZGUrMHgyOC8weDExOApbMzk1OTUzLjM2MTg1M10gWzxmZmZmMjAwMDA4MzhlYTc4Pl0g
cHJvY19waWRlbnRfaW5zdGFudGlhdGUrMHg0OC8weDE0MApbMzk1OTUzLjM2ODIwNF0gWzxmZmZm
MjAwMDA4MzhlYzZjPl0gcHJvY19waWRlbnRfbG9va3VwKzB4ZmMvMHgxNjgKWzM5NTk1My4zNzQx
MjFdIFs8ZmZmZjIwMDAwODM4ZWQ4Yz5dIHByb2NfdGdpZF9iYXNlX2xvb2t1cCsweDM0LzB4NDAK
WzM5NTk1My4zODAyMTBdIFs8ZmZmZjIwMDAwODJmNzdlYz5dIHBhdGhfb3BlbmF0KzB4MTk0Yy8w
eDFiNjgKWzM5NTk1My4zODU3NzldIFs8ZmZmZjIwMDAwODJmOTZlMD5dIGRvX2ZpbHBfb3Blbisw
eGUwLzB4MTc4ClszOTU5NTMuMzkxMTc4XSBbPGZmZmYyMDAwMDgyZDlmNzA+XSBkb19zeXNfb3Bl
bisweDFlOC8weDMwMApbMzk1OTUzLjM5NjU3NV0gWzxmZmZmMjAwMDA4MmRhMTA4Pl0gU3lTX29w
ZW5hdCsweDM4LzB4NDgKWzM5NTk1My40MDE3MTBdIFs8ZmZmZjIwMDAwODA4MzczMD5dIGVsMF9z
dmNfbmFrZWQrMHgyNC8weDI4ClszOTU5NTMuNDA4MDUxXSBNZW0tSW5mbzoKWzM5NTk1My40MTA0
MjNdIGFjdGl2ZV9hbm9uOjMzNTQ2NDMgaW5hY3RpdmVfYW5vbjoxMDAgaXNvbGF0ZWRfYW5vbjow
ClszOTU5NTMuNDEwNDIzXSAgYWN0aXZlX2ZpbGU6MTYgaW5hY3RpdmVfZmlsZTowIGlzb2xhdGVk
X2ZpbGU6MApbMzk1OTUzLjQxMDQyM10gIHVuZXZpY3RhYmxlOjAgZGlydHk6MCB3cml0ZWJhY2s6
MCB1bnN0YWJsZTowClszOTU5NTMuNDEwNDIzXSAgc2xhYl9yZWNsYWltYWJsZToxNTUwNSBzbGFi
X3VucmVjbGFpbWFibGU6MTQzNDM3ClszOTU5NTMuNDEwNDIzXSAgbWFwcGVkOjAgc2htZW06MTU1
IHBhZ2V0YWJsZXM6MTAzMjkgYm91bmNlOjAKWzM5NTk1My40MTA0MjNdICBmcmVlOjIxMDYwIGZy
ZWVfcGNwOjQwMyBmcmVlX2NtYTowClszOTU5NTMuNDQzNjM2XSBOb2RlIDAgYWN0aXZlX2Fub246
MTM0MTg1NzJrQiBpbmFjdGl2ZV9hbm9uOjQwMGtCIGFjdGl2ZV9maWxlOjU0MGtCIGluYWN0aXZl
X2ZpbGU6MTA0a0IgdW5ldmljdGFibGU6MGtCIGlzb2xhdGVkKGFub24pOjBrQiBpc29sYXRlZChm
aWxlKTowa0IgbWFwcGVkOjM4MGtCIGRpcnR5OjBrQiB3cml0ZWJhY2s6MGtCIHNobWVtOjYyMGtC
IHNobWVtX3RocDogMGtCIHNobWVtX3BtZG1hcHBlZDogMGtCIGFub25fdGhwOiAxMjkyNjk3NmtC
IHdyaXRlYmFja190bXA6MGtCIHVuc3RhYmxlOjBrQiBhbGxfdW5yZWNsYWltYWJsZT8gbm8KWzM5
NTk1My40NzEzNTFdIE5vZGUgMCBETUEgZnJlZTo1MDYyMGtCIG1pbjoxMjgyOGtCIGxvdzoxNjg4
NGtCIGhpZ2g6MjA5NDBrQiBhY3RpdmVfYW5vbjozOTg5NjAwa0IgaW5hY3RpdmVfYW5vbjowa0Ig
YWN0aXZlX2ZpbGU6MGtCIGluYWN0aXZlX2ZpbGU6MGtCIHVuZXZpY3RhYmxlOjBrQiB3cml0ZXBl
bmRpbmc6MGtCIHByZXNlbnQ6NDE5NDMwNGtCIG1hbmFnZWQ6NDA2MDc4OGtCIG1sb2NrZWQ6MGtC
IHNsYWJfcmVjbGFpbWFibGU6MjkyOGtCIHNsYWJfdW5yZWNsYWltYWJsZToxMDY0OGtCIGtlcm5l
bF9zdGFjazowa0IgcGFnZXRhYmxlczozNjAwa0IgYm91bmNlOjBrQiBmcmVlX3BjcDowa0IgbG9j
YWxfcGNwOjBrQiBmcmVlX2NtYTowa0IKWzM5NTk1My41MDM1NDNdIGxvd21lbV9yZXNlcnZlW106
IDAgOTk1OCA5OTU4ClszOTU5NTMuNTA3NjU0XSBOb2RlIDAgTm9ybWFsIGZyZWU6MzMwMDRrQiBt
aW46MzIyMjRrQiBsb3c6NDI0MjBrQiBoaWdoOjUyNjE2a0IgYWN0aXZlX2Fub246OTQyODk3MmtC
IGluYWN0aXZlX2Fub246NDAwa0IgYWN0aXZlX2ZpbGU6MTMya0IgaW5hY3RpdmVfZmlsZTo4MGtC
IHVuZXZpY3RhYmxlOjBrQiB3cml0ZXBlbmRpbmc6MGtCIHByZXNlbnQ6MTI1ODI5MTJrQiBtYW5h
Z2VkOjEwMTk3Mzg4a0IgbWxvY2tlZDowa0Igc2xhYl9yZWNsYWltYWJsZTo1OTA5MmtCIHNsYWJf
dW5yZWNsYWltYWJsZTo1NjMxMDBrQiBrZXJuZWxfc3RhY2s6NDAzMmtCIHBhZ2V0YWJsZXM6Mzc3
MTZrQiBib3VuY2U6MGtCIGZyZWVfcGNwOjU2MGtCIGxvY2FsX3BjcDowa0IgZnJlZV9jbWE6MGtC
ClszOTU5NTMuNTQxMzkyXSBsb3dtZW1fcmVzZXJ2ZVtdOiAwIDAgMApbMzk1OTUzLjU0NDk3OV0g
Tm9kZSAwIERNQTogNTMxKjRrQiAoVU1FKSAyMTAqOGtCIChVTUUpIDExNCoxNmtCIChVTUUpIDM0
KjMya0IgKE1FKSAxOCo2NGtCIChVTUUpIDM0KjEyOGtCIChVTUUpIDQ2KjI1NmtCIChVTSkgMTQq
NTEya0IgKFVNKSA3KjEwMjRrQiAoVU0pIDAqMjA0OGtCIDMqNDA5NmtCIChNKSA9IDUwNjIwa0IK
WzM5NTk1My41NjEzOTBdIE5vZGUgMCBOb3JtYWw6IDMwNDEqNGtCIChVTUVIKSAxNjk0KjhrQiAo
VU1FSCkgNDQ3KjE2a0IgKFVNRUgpIDEwKjMya0IgKFUpIDIqNjRrQiAoSCkgMCoxMjhrQiAwKjI1
NmtCIDAqNTEya0IgMCoxMDI0a0IgMCoyMDQ4a0IgMCo0MDk2a0IgPSAzMzMxNmtCClszOTU5NTMu
NTc1NzAyXSBOb2RlIDAgaHVnZXBhZ2VzX3RvdGFsPTAgaHVnZXBhZ2VzX2ZyZWU9MCBodWdlcGFn
ZXNfc3VycD0wIGh1Z2VwYWdlc19zaXplPTIwNDhrQgpbMzk1OTUzLjU4NDIyOV0gNTIxIHRvdGFs
IHBhZ2VjYWNoZSBwYWdlcwpbMzk1OTUzLjU4Nzk4NF0gMCBwYWdlcyBpbiBzd2FwIGNhY2hlClsz
OTU5NTMuNTkxMzkyXSBTd2FwIGNhY2hlIHN0YXRzOiBhZGQgMCwgZGVsZXRlIDAsIGZpbmQgMC8w
ClszOTU5NTMuNTk2NzA2XSBGcmVlIHN3YXAgID0gMGtCClszOTU5NTMuNTk5Njc3XSBUb3RhbCBz
d2FwID0gMGtCClszOTU5NTMuNjAyNjM4XSA0MTk0MzA0IHBhZ2VzIFJBTQpbMzk1OTUzLjYwNTY5
Ml0gMCBwYWdlcyBIaWdoTWVtL01vdmFibGVPbmx5ClszOTU5NTMuNjA5NjE3XSA2Mjk3NjAgcGFn
ZXMgcmVzZXJ2ZWQKWzM5NTk1My42MTMwMjFdIDQwOTYgcGFnZXMgY21hIHJlc2VydmVkClszOTU5
NTMuNjE2NTk5XSBbIHBpZCBdICAgdWlkICB0Z2lkIHRvdGFsX3ZtICAgICAgcnNzIG5yX3B0ZXMg
bnJfcG1kcyBzd2FwZW50cyBvb21fc2NvcmVfYWRqIG5hbWUKWzM5NTk1My42MjUyNDRdIFsgMTQ0
N10gICAgIDAgIDE0NDcgICAgICA3MTQgICAgICAgNzQgICAgICAgNSAgICAgICAzICAgICAgICAw
ICAgICAgICAgICAgIDAgdXBzdGFydC11ZGV2LWJyClszOTU5NTMuNjM0ODE4XSBbIDE0NTBdICAg
ICAwICAxNDUwICAgICAyNzU4ICAgICAgMTg3ICAgICAgIDcgICAgICAgMyAgICAgICAgMCAgICAg
ICAgIC0xMDAwIHN5c3RlbWQtdWRldmQKWzM5NTk1My42NDQyMThdIFsgMTgzM10gICAgIDAgIDE4
MzMgICAgICA2MzIgICAgICAgNDYgICAgICAgNSAgICAgICAzICAgICAgICAwICAgICAgICAgICAg
IDAgdXBzdGFydC1zb2NrZXQtClszOTU5NTMuNjUzNzkwXSBbIDE4NDddICAgICAwICAxODQ3ICAg
ICAgNzA4ICAgICAgIDYzICAgICAgIDUgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIHJw
Y2JpbmQKWzM5NTk1My42NjI2NjhdIFsgMTg3OV0gICAxMDYgIDE4NzkgICAgICA3MzcgICAgICAx
MTQgICAgICAgNSAgICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAgcnBjLnN0YXRkClszOTU5
NTMuNjcxNzM0XSBbIDE5ODRdICAgICAwICAxOTg0ICAgICAgNjM2ICAgICAgIDU0ICAgICAgIDUg
ICAgICAgNCAgICAgICAgMCAgICAgICAgICAgICAwIHVwc3RhcnQtZmlsZS1icgpbMzk1OTUzLjY4
MTMwN10gWyAyMDAwXSAgIDEwMyAgMjAwMCAgICAgMTE1MiAgICAgIDEyMCAgICAgICA2ICAgICAg
IDMgICAgICAgIDAgICAgICAgICAgICAgMCBkYnVzLWRhZW1vbgpbMzk1OTUzLjY5MDUzNF0gWyAy
MDA2XSAgICAgMCAgMjAwNiAgICAgIDcyMCAgICAgICA0OSAgICAgICA2ICAgICAgIDMgICAgICAg
IDAgICAgICAgICAgICAgMCBycGMuaWRtYXBkClszOTU5NTMuNjk5Njc2XSBbIDIwMDhdICAgMTAx
ICAyMDA4ICAgIDU2MzA4ICAgICAgMjAxICAgICAgMTIgICAgICAgMyAgICAgICAgMCAgICAgICAg
ICAgICAwIHJzeXNsb2dkClszOTU5NTMuNzA4NjQxXSBbIDIwMTRdICAgICAwICAyMDE0ICAgIDU4
NDE0ICAgICAgMjg5ICAgICAgMTYgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIE1vZGVt
TWFuYWdlcgpbMzk1OTUzLjcxNzk1Ml0gWyAyMDMyXSAgICAgMCAgMjAzMiAgICAgMTIyMiAgICAg
ICA4NyAgICAgICA2ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCBzeXN0ZW1kLWxvZ2lu
ZApbMzk1OTUzLjcyNzQ0MF0gWyAyMDUwXSAgICAgMCAgMjA1MCAgICA2MTQ1NiAgICAgIDM3MSAg
ICAgIDE4ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCBOZXR3b3JrTWFuYWdlcgpbMzk1
OTUzLjczNjkyN10gWyAyMDY4XSAgICAgMCAgMjA2OCAgICAgIDU4NyAgICAgICAzOSAgICAgICA1
ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCBnZXR0eQpbMzk1OTUzLjc0NTYzMl0gWyAy
MDcxXSAgICAgMCAgMjA3MSAgICA1NzI0MiAgICAgIDE3MyAgICAgIDE0ICAgICAgIDMgICAgICAg
IDAgICAgICAgICAgICAgMCBwb2xraXRkClszOTU5NTMuNzU0NTEwXSBbIDIwNzVdICAgICAwICAy
MDc1ICAgICAgNTg3ICAgICAgIDQwICAgICAgIDUgICAgICAgMyAgICAgICAgMCAgICAgICAgICAg
ICAwIGdldHR5ClszOTU5NTMuNzYzMjE2XSBbIDIwNzhdICAgICAwICAyMDc4ICAgICAgNTg3ICAg
ICAgIDM5ICAgICAgIDUgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIGdldHR5ClszOTU5
NTMuNzcxOTIyXSBbIDIwNzldICAgICAwICAyMDc5ICAgICAgNTg3ICAgICAgIDM4ICAgICAgIDUg
ICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIGdldHR5ClszOTU5NTMuNzgwNjI4XSBbIDIw
ODFdICAgICAwICAyMDgxICAgICAgNTg3ICAgICAgIDQwICAgICAgIDUgICAgICAgMyAgICAgICAg
MCAgICAgICAgICAgICAwIGdldHR5ClszOTU5NTMuNzg5MzM0XSBbIDIxMDFdICAgICAwICAyMTAx
ICAgICAyMDYxICAgICAgMTYzICAgICAgIDggICAgICAgNCAgICAgICAgMCAgICAgICAgIC0xMDAw
IHNzaGQKWzM5NTk1My43OTc5NTJdIFsgMjEwMl0gICAgIDAgIDIxMDIgICAgICA3OTMgICAgICAg
NTcgICAgICAgNiAgICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAgY3JvbgpbMzk1OTUzLjgw
NjU4M10gWyAyMTU5XSAgICAgMCAgMjE1OSAgICAgIDU0MiAgICAgICAzOCAgICAgICA1ICAgICAg
IDMgICAgICAgIDAgICAgICAgICAgICAgMCBnZXR0eQpbMzk1OTUzLjgxNTI4OF0gWyAyMTYxXSAg
ICAgMCAgMjE2MSAgICAgIDU4NyAgICAgICA0MCAgICAgICA1ICAgICAgIDMgICAgICAgIDAgICAg
ICAgICAgICAgMCBnZXR0eQpbMzk1OTUzLjgyMzk5Ml0gWyAyMTcxXSAgICAgMCAgMjE3MSAgICAg
MTM1NiAgICAgIDU3NSAgICAgICA2ICAgICAgIDQgICAgICAgIDAgICAgICAgICAgICAgMCBkaGNs
aWVudApbMzk1OTUzLjgzMjk1Nl0gWyAyMTc1XSA2NTUzNCAgMjE3NSAgICAgIDg0NSAgICAgICA1
OCAgICAgICA1ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCBkbnNtYXNxClszOTU5NTMu
ODQxODM0XSBbIDIyNjVdICAgICAwICAyMjY1ICAgICAzMjQ5ICAgICAgMjYxICAgICAgMTAgICAg
ICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIHNzaGQKWzM5NTk1My44NTA0NTFdIFsgMjI3OF0g
IDEwMDAgIDIyNzggICAgIDMyNDkgICAgICAyNjIgICAgICAgOSAgICAgICAzICAgICAgICAwICAg
ICAgICAgICAgIDAgc3NoZApbMzk1OTUzLjg1OTA2N10gWyAyMjc5XSAgMTAwMCAgMjI3OSAgICAg
IDkyMCAgICAgIDE3NiAgICAgICA1ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCBiYXNo
ClszOTU5NTMuODY3Njg2XSBbIDIyODldICAxMDAwICAyMjg5ICAgICAgODYyICAgICAgIDYzICAg
ICAgIDUgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIHNjcmVlbgpbMzk1OTUzLjg3NjQ3
OV0gWyAyMjkwXSAgMTAwMCAgMjI5MCAgICAgMTA2MyAgICAgIDI4NiAgICAgICA1ICAgICAgIDMg
ICAgICAgIDAgICAgICAgICAgICAgMCBzY3JlZW4KWzM5NTk1My44ODUyNzJdIFsgMjI5MV0gIDEw
MDAgIDIyOTEgICAgICA5MzAgICAgICAxODYgICAgICAgNSAgICAgICAzICAgICAgICAwICAgICAg
ICAgICAgIDAgYmFzaApbMzk1OTUzLjg5Mzg5MF0gWyAyMzAxXSAgMTAwMCAgMjMwMSAgICAgMTE5
MCAgICAgIDU1MCAgICAgICA2ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCBodG9wClsz
OTU5NTMuOTAyNTA4XSBbIDIzMDJdICAxMDAwICAyMzAyICAgICAgOTQwICAgICAgMTk3ICAgICAg
IDUgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIGJhc2gKWzM5NTk1My45MTExMjZdIFsg
MjM1OF0gIDEwMDAgIDIzNTggICA0NDc0NjEgICAgNDYxNDggICAgIDE2MyAgICAgICA1ICAgICAg
ICAwICAgICAgICAgICAgIDAgcWVtdS1zeXN0ZW0tYWFyClszOTU5NTMuOTIwNjk5XSBbIDIzNTld
ICAxMDAwICAyMzU5ICAgNDQ5NTAyICAgIDQ1NTA5ICAgICAxNjYgICAgICAgNCAgICAgICAgMCAg
ICAgICAgICAgICAwIHFlbXUtc3lzdGVtLWFhcgpbMzk1OTUzLjkzMDI3MV0gWyAyMzYwXSAgMTAw
MCAgMjM2MCAgIDQ0NzQ2MSAgICA0Mzc1MyAgICAgMTYwICAgICAgIDUgICAgICAgIDAgICAgICAg
ICAgICAgMCBxZW11LXN5c3RlbS1hYXIKWzM5NTk1My45Mzk4NTRdIFsgMjM2MV0gIDEwMDAgIDIz
NjEgICA0NDc0NjEgICAgNDYxNDQgICAgIDE2MSAgICAgICA0ICAgICAgICAwICAgICAgICAgICAg
IDAgcWVtdS1zeXN0ZW0tYWFyClszOTU5NTMuOTQ5NDI5XSBbIDIzNjJdICAxMDAwICAyMzYyICAg
NDQ3NDYxICAgIDQ0NTIyICAgICAxNjAgICAgICAgNSAgICAgICAgMCAgICAgICAgICAgICAwIHFl
bXUtc3lzdGVtLWFhcgpbMzk1OTUzLjk1OTAwMV0gWyAyMzYzXSAgMTAwMCAgMjM2MyAgIDQ0NzQ2
MSAgICA0NDMxMSAgICAgMTYxICAgICAgIDQgICAgICAgIDAgICAgICAgICAgICAgMCBxZW11LXN5
c3RlbS1hYXIKWzM5NTk1My45Njg1NzRdIFsgNDYwMF0gIDEwMDAgIDQ2MDAgICAgMTk0NjggICAg
MTI4MjggICAgICA0MiAgICAgICA1ICAgICAgICAwICAgICAgICAgICAgIDAgc3l6LW1hbmFnZXIK
WzM5NTk1My45Nzc4MjBdIFsgNDkxNV0gIDEwMDAgIDQ5MTUgICAgMTYzNjQgICAgIDExMjcgICAg
ICAyOCAgICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAgcWVtdS1zeXN0ZW0tYWFyClszOTU5
NTMuOTg3Mzk3XSBbIDQ5MTddICAxMDAwICA0OTE3ICAgIDE2MzY0ICAgICAxMTI3ICAgICAgMjcg
ICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIHFlbXUtc3lzdGVtLWFhcgpbMzk1OTUzLjk5
Njk3Ml0gWyA0OTE4XSAgMTAwMCAgNDkxOCAgICAxNjM2NCAgICAgMTEyNyAgICAgIDI4ICAgICAg
IDMgICAgICAgIDAgICAgICAgICAgICAgMCBxZW11LXN5c3RlbS1hYXIKWzM5NTk1NC4wMDY1NDZd
IFsgNDkxOV0gIDEwMDAgIDQ5MTkgICAgMTYzNjQgICAgIDExMjggICAgICAyOCAgICAgICAzICAg
ICAgICAwICAgICAgICAgICAgIDAgcWVtdS1zeXN0ZW0tYWFyClszOTU5NTQuMDE2MTE5XSBbIDQ5
MjBdICAxMDAwICA0OTIwICAgIDE2MzY0ICAgICAgNjE3ICAgICAgMzAgICAgICAgMyAgICAgICAg
MCAgICAgICAgICAgICAwIHFlbXUtc3lzdGVtLWFhcgpbMzk1OTU0LjAyNTY5Ml0gWyA0OTIyXSAg
MTAwMCAgNDkyMiAgICAxNDAyOCAgICAgIDM0NCAgICAgIDIxICAgICAgIDMgICAgICAgIDAgICAg
ICAgICAgICAgMCBxZW11LXN5c3RlbS1hYXIKWzM5NTk1NC4wMzUyNzNdIE91dCBvZiBtZW1vcnk6
IEtpbGwgcHJvY2VzcyAyMzU4IChxZW11LXN5c3RlbS1hYXIpIHNjb3JlIDEyIG9yIHNhY3JpZmlj
ZSBjaGlsZApbMzk1OTU0LjA0MzY1OV0gS2lsbGVkIHByb2Nlc3MgMjM1OCAocWVtdS1zeXN0ZW0t
YWFyKSB0b3RhbC12bToxNzg5ODQ0a0IsIGFub24tcnNzOjE4NDU5MmtCLCBmaWxlLXJzczowa0Is
IHNobWVtLXJzczowa0IKWzM5NTk1NC4wNTUyMTFdIHFlbXUtc3lzdGVtLWFhcjogcGFnZSBhbGxv
Y2F0aW9uIGZhaWx1cmU6IG9yZGVyOjAsIG1vZGU6MHgxNDIwMWNhKEdGUF9ISUdIVVNFUl9NT1ZB
QkxFfF9fR0ZQX0NPTEQpLCBub2RlbWFzaz0obnVsbCkKWzM5NTk1NC4wNjY4MTddIHFlbXUtc3lz
dGVtLWFhciBjcHVzZXQ9LyBtZW1zX2FsbG93ZWQ9MApbMzk1OTU0LjA2NzYwNl0gb29tX3JlYXBl
cjogcmVhcGVkIHByb2Nlc3MgMjM1OCAocWVtdS1zeXN0ZW0tYWFyKSwgbm93IGFub24tcnNzOjBr
QiwgZmlsZS1yc3M6MGtCLCBzaG1lbS1yc3M6MGtCClszOTU5NTQuMDgxNzYxXSBDUFU6IDUgUElE
OiAyMzU4IENvbW06IHFlbXUtc3lzdGVtLWFhciBOb3QgdGFpbnRlZCA0LjExLjAtcmM2LW5leHQt
MjAxNzA0MTEtZGlydHkgIzcwNDQKWzM5NTk1NC4wOTA4ODZdIEhhcmR3YXJlIG5hbWU6IEFNRCBT
ZWF0dGxlIChSZXYuQjApIERldmVsb3BtZW50IEJvYXJkIChPdmVyZHJpdmUpIChEVCkKWzM5NTk1
NC4wOTg1MzNdIENhbGwgdHJhY2U6ClszOTU5NTQuMTAxMDcyXSBbPGZmZmYyMDAwMDgwOGMzNTg+
XSBkdW1wX2JhY2t0cmFjZSsweDAvMHgzYTgKWzM5NTk1NC4xMDY1NTVdIFs8ZmZmZjIwMDAwODA4
Yzg2MD5dIHNob3dfc3RhY2srMHgyMC8weDMwClszOTU5NTQuMTExNjkyXSBbPGZmZmYyMDAwMDg1
YTg2ZjA+XSBkdW1wX3N0YWNrKzB4YmMvMHhlYwpbMzk1OTU0LjExNjgzMF0gWzxmZmZmMjAwMDA4
MjFjYTRjPl0gd2Fybl9hbGxvYysweDE0NC8weDFkOApbMzk1OTU0LjEyMjE0MF0gWzxmZmZmMjAw
MDA4MjFkOWU4Pl0gX19hbGxvY19wYWdlc19ub2RlbWFzaysweGU1OC8weGU2OApbMzk1OTU0LjEy
ODQ5MV0gWzxmZmZmMjAwMDA4MjliZDhjPl0gYWxsb2NfcGFnZXNfY3VycmVudCsweGNjLzB4MjE4
ClszOTU5NTQuMTM0NDk0XSBbPGZmZmYyMDAwMDgyMGU3NzA+XSBfX3BhZ2VfY2FjaGVfYWxsb2Mr
MHgxMjgvMHgxNTAKWzM5NTk1NC4xNDA0OThdIFs8ZmZmZjIwMDAwODIxMjY0OD5dIGZpbGVtYXBf
ZmF1bHQrMHg3NjgvMHg5NDAKWzM5NTk1NC4xNDYwNjldIFs8ZmZmZjIwMDAwODNjYWY4Yz5dIGV4
dDRfZmlsZW1hcF9mYXVsdCsweDRjLzB4NjgKWzM5NTk1NC4xNTE4OThdIFs8ZmZmZjIwMDAwODI1
YmFjND5dIF9fZG9fZmF1bHQrMHg0NC8weGQwClszOTU5NTQuMTU3MDMzXSBbPGZmZmYyMDAwMDgy
NjRjNWM+XSBfX2hhbmRsZV9tbV9mYXVsdCsweDEyYzQvMHgxOTc4ClszOTU5NTQuMTYzMTIyXSBb
PGZmZmYyMDAwMDgyNjU1MTQ+XSBoYW5kbGVfbW1fZmF1bHQrMHgyMDQvMHgzODgKWzM5NTk1NC4x
Njg4NjVdIFs8ZmZmZjIwMDAwODBhMzk5ND5dIGRvX3BhZ2VfZmF1bHQrMHgzZmMvMHg0YjAKWzM5
NTk1NC4xNzQ0MzRdIFs8ZmZmZjIwMDAwODA4MTQ0ND5dIGRvX21lbV9hYm9ydCsweGE0LzB4MTM4
ClszOTU5NTQuMTc5ODI3XSBFeGNlcHRpb24gc3RhY2soMHhmZmZmODAwMzRkYjA3ZGMwIHRvIDB4
ZmZmZjgwMDM0ZGIwN2VmMCkKWzM5NTk1NC4xODYzNTJdIDdkYzA6IDAwMDAwMDAwMDAwMDAwMDAg
MDAwMDYwMDNmNjdmYzAwMCBmZmZmZmZmZmZmZmZmZmZmIDAwMDAwMDAwMDA0MTA5YjAKWzM5NTk1
NC4xOTQyNjZdIDdkZTA6IDAwMDAwMDAwNjAwMDAwMDAgMDAwMDAwMDAwMDAwMDAyMCAwMDAwMDAw
MDgyMDAwMDA3IDAwMDAwMDAwMDA0MTA5YjAKWzM5NTk1NC4yMDIxNzldIDdlMDA6IDAwMDAwMDAw
NDFiNThhYjMgZmZmZjIwMDAwOTU1ZDM3MCBmZmZmMjAwMDA4MDgxM2EwIDAwMDAwMDAwMDAwMDAx
MjQKWzM5NTk1NC4yMTAwOTNdIDdlMjA6IDAwMDAwMDAwMDAwMDAwNDkgZmZmZjIwMDAwOGY0NDAw
MCBmZmZmODAwMzRkYjA3ZTQwIGZmZmYyMDAwMDgwODVmNjAKWzM5NTk1NC4yMTgwMDZdIDdlNDA6
IGZmZmY4MDAzNGRiMDdlODAgZmZmZjIwMDAwODA4YjVhMCAwMDAwMDAwMDAwMDAwMDA4IGZmZmY4
MDAzNWRkZTVlODAKWzM5NTk1NC4yMjU5MjBdIDdlNjA6IGZmZmY4MDAzNWRkZTVlODAgZmZmZjgw
MDM1ZGRlNjRmMCBmZmZmODAwMzRkYjA3ZTgwIGZmZmYyMDAwMDgwOGI1ODAKWzM5NTk1NC4yMzM4
MzNdIDdlODA6IDAwMDAwMDAwMDAwMDAwMDAgZmZmZjIwMDAwODA4MzYxOCAwMDAwMDAwMDAwMDAw
MDAwIDAwMDA2MDAzZjY3ZmMwMDAKWzM5NTk1NC4yNDE3NDZdIDdlYTA6IGZmZmZmZmZmZmZmZmZm
ZmYgMDAwMDAwMDAwMDc4ZDc5MCAwMDAwMDAwMDYwMDAwMDAwIDAwMDA2MDAzZjY4MTMwMDAKWzM5
NTk1NC4yNDk2NTldIDdlYzA6IDAwMDBmZmZmYTY4NWY3MDggMDAwMDAwMDAwMDAwMDAwMSAwMDAw
MDAwMDAwMDAwMDAxIDAwMDAwMDAwMDAwMDAwMDAKWzM5NTk1NC4yNTc1NjldIDdlZTA6IDAwMDAw
MDAwMDAwMDAwMDIgMDAwMDAwMDAwMDAwMDAwMApbMzk1OTU0LjI2MjUzMF0gWzxmZmZmMjAwMDA4
MDgzMzg4Pl0gZWwwX2lhKzB4MTgvMHgxYwpbMzk1OTU0LjI2NzQzM10gTWVtLUluZm86ClszOTU5
NTQuMjY5ODA2XSBhY3RpdmVfYW5vbjozMzA4NDc2IGluYWN0aXZlX2Fub246MTAwIGlzb2xhdGVk
X2Fub246MApbMzk1OTU0LjI2OTgwNl0gIGFjdGl2ZV9maWxlOjk4IGluYWN0aXZlX2ZpbGU6NTcw
IGlzb2xhdGVkX2ZpbGU6MApbMzk1OTU0LjI2OTgwNl0gIHVuZXZpY3RhYmxlOjAgZGlydHk6MCB3
cml0ZWJhY2s6MCB1bnN0YWJsZTowClszOTU5NTQuMjY5ODA2XSAgc2xhYl9yZWNsYWltYWJsZTox
NTUwMyBzbGFiX3VucmVjbGFpbWFibGU6MTQzNTU3ClszOTU5NTQuMjY5ODA2XSAgbWFwcGVkOjI2
NCBzaG1lbToxNTUgcGFnZXRhYmxlczoxMDMyOSBib3VuY2U6MApbMzk1OTU0LjI2OTgwNl0gIGZy
ZWU6NjYxNzMgZnJlZV9wY3A6NDcwIGZyZWVfY21hOjAKWzM5NTk1NC4zMDMzNzFdIE5vZGUgMCBh
Y3RpdmVfYW5vbjoxMzIzMzkwNGtCIGluYWN0aXZlX2Fub246NDAwa0IgYWN0aXZlX2ZpbGU6Mzky
a0IgaW5hY3RpdmVfZmlsZTozMzIwa0IgdW5ldmljdGFibGU6MGtCIGlzb2xhdGVkKGFub24pOjBr
QiBpc29sYXRlZChmaWxlKTowa0IgbWFwcGVkOjE4MzZrQiBkaXJ0eTowa0Igd3JpdGViYWNrOjBr
QiBzaG1lbTo2MjBrQiBzaG1lbV90aHA6IDBrQiBzaG1lbV9wbWRtYXBwZWQ6IDBrQiBhbm9uX3Ro
cDogMTI3MjgzMjBrQiB3cml0ZWJhY2tfdG1wOjBrQiB1bnN0YWJsZTowa0IgYWxsX3VucmVjbGFp
bWFibGU/IG5vClszOTU5NTQuMzMxMTY5XSBOb2RlIDAgRE1BIGZyZWU6NTA2MjBrQiBtaW46MTI4
MjhrQiBsb3c6MTY4ODRrQiBoaWdoOjIwOTQwa0IgYWN0aXZlX2Fub246Mzk4OTYwMGtCIGluYWN0
aXZlX2Fub246MGtCIGFjdGl2ZV9maWxlOjBrQiBpbmFjdGl2ZV9maWxlOjBrQiB1bmV2aWN0YWJs
ZTowa0Igd3JpdGVwZW5kaW5nOjBrQiBwcmVzZW50OjQxOTQzMDRrQiBtYW5hZ2VkOjQwNjA3ODhr
QiBtbG9ja2VkOjBrQiBzbGFiX3JlY2xhaW1hYmxlOjI5MjhrQiBzbGFiX3VucmVjbGFpbWFibGU6
MTA2NDhrQiBrZXJuZWxfc3RhY2s6MGtCIHBhZ2V0YWJsZXM6MzYwMGtCIGJvdW5jZTowa0IgZnJl
ZV9wY3A6MGtCIGxvY2FsX3BjcDowa0IgZnJlZV9jbWE6MGtCClszOTU5NTQuMzYzMzM1XSBsb3dt
ZW1fcmVzZXJ2ZVtdOiAwIDk5NTggOTk1OApbMzk1OTU0LjM2NzYyNV0gTm9kZSAwIE5vcm1hbCBm
cmVlOjIxMjUxNmtCIG1pbjozMjIyNGtCIGxvdzo0MjQyMGtCIGhpZ2g6NTI2MTZrQiBhY3RpdmVf
YW5vbjo5MjQ0NjQ0a0IgaW5hY3RpdmVfYW5vbjo0MDBrQiBhY3RpdmVfZmlsZTo1NDhrQiBpbmFj
dGl2ZV9maWxlOjM4MjhrQiB1bmV2aWN0YWJsZTowa0Igd3JpdGVwZW5kaW5nOjBrQiBwcmVzZW50
OjEyNTgyOTEya0IgbWFuYWdlZDoxMDE5NzM4OGtCIG1sb2NrZWQ6MGtCIHNsYWJfcmVjbGFpbWFi
bGU6NTkwODRrQiBzbGFiX3VucmVjbGFpbWFibGU6NTYzOTEya0Iga2VybmVsX3N0YWNrOjQwMzJr
QiBwYWdldGFibGVzOjM3NzE2a0IgYm91bmNlOjBrQiBmcmVlX3BjcDoxODQwa0IgbG9jYWxfcGNw
OjBrQiBmcmVlX2NtYTowa0IKWzM5NTk1NC40MDE3MTBdIGxvd21lbV9yZXNlcnZlW106IDAgMCAw
ClszOTU5NTQuNDA1Mjk4XSBOb2RlIDAgRE1BOiA1MzEqNGtCIChVTUUpIDIxMCo4a0IgKFVNRSkg
MTE0KjE2a0IgKFVNRSkgMzQqMzJrQiAoTUUpIDE4KjY0a0IgKFVNRSkgMzQqMTI4a0IgKFVNRSkg
NDYqMjU2a0IgKFVNKSAxNCo1MTJrQiAoVU0pIDcqMTAyNGtCIChVTSkgMCoyMDQ4a0IgMyo0MDk2
a0IgKE0pID0gNTA2MjBrQgpbMzk1OTU0LjQyMTY5OF0gTm9kZSAwIE5vcm1hbDogMTg0MCo0a0Ig
KFVNRUgpIDE3NDAqOGtCIChNRUgpIDQ5NioxNmtCIChNRSkgNDcqMzJrQiAoVU1FKSAyNSo2NGtC
IChNRUgpIDMqMTI4a0IgKFVNRSkgMioyNTZrQiAoVUUpIDEqNTEya0IgKEUpIDIqMTAyNGtCIChV
RSkgNjEqMjA0OGtCIChVTUUpIDEyKjQwOTZrQiAoTSkgPSAyMDk4NTZrQgpbMzk1OTU0LjQzOTA1
OF0gTm9kZSAwIGh1Z2VwYWdlc190b3RhbD0wIGh1Z2VwYWdlc19mcmVlPTAgaHVnZXBhZ2VzX3N1
cnA9MCBodWdlcGFnZXNfc2l6ZT0yMDQ4a0IKWzM5NTk1NC40NDc1ODJdIDIxMDQgdG90YWwgcGFn
ZWNhY2hlIHBhZ2VzClszOTU5NTQuNDUxNDIxXSAwIHBhZ2VzIGluIHN3YXAgY2FjaGUKWzM5NTk1
NC40NTQ4MTddIFN3YXAgY2FjaGUgc3RhdHM6IGFkZCAwLCBkZWxldGUgMCwgZmluZCAwLzAKWzM5
NTk1NC40NjAxMzBdIEZyZWUgc3dhcCAgPSAwa0IKWzM5NTk1NC40NjMwOTBdIFRvdGFsIHN3YXAg
PSAwa0IKWzM5NTk1NC40NjYwNTddIDQxOTQzMDQgcGFnZXMgUkFNClszOTU5NTQuNDY5MTExXSAw
IHBhZ2VzIEhpZ2hNZW0vTW92YWJsZU9ubHkKWzM5NTk1NC40NzMwMzVdIDYyOTc2MCBwYWdlcyBy
ZXNlcnZlZApbMzk1OTU0LjQ3NjQzNl0gNDA5NiBwYWdlcyBjbWEgcmVzZXJ2ZWQKWzM5NTk1NC40
ODAxNTFdIHFlbXUtc3lzdGVtLWFhciBpbnZva2VkIG9vbS1raWxsZXI6IGdmcF9tYXNrPTB4MCgp
LCBub2RlbWFzaz0obnVsbCksICBvcmRlcj0wLCBvb21fc2NvcmVfYWRqPTAKWzM5NTk1NC40ODk4
OThdIHFlbXUtc3lzdGVtLWFhciBjcHVzZXQ9LyBtZW1zX2FsbG93ZWQ9MApbMzk1OTU0LjQ5NDg3
OV0gQ1BVOiA1IFBJRDogMjM1OCBDb21tOiBxZW11LXN5c3RlbS1hYXIgTm90IHRhaW50ZWQgNC4x
MS4wLXJjNi1uZXh0LTIwMTcwNDExLWRpcnR5ICM3MDQ0ClszOTU5NTQuNTA0MDAzXSBIYXJkd2Fy
ZSBuYW1lOiBBTUQgU2VhdHRsZSAoUmV2LkIwKSBEZXZlbG9wbWVudCBCb2FyZCAoT3ZlcmRyaXZl
KSAoRFQpClszOTU5NTQuNTExNjUxXSBDYWxsIHRyYWNlOgpbMzk1OTU0LjUxNDE4NF0gWzxmZmZm
MjAwMDA4MDhjMzU4Pl0gZHVtcF9iYWNrdHJhY2UrMHgwLzB4M2E4ClszOTU5NTQuNTE5NjY4XSBb
PGZmZmYyMDAwMDgwOGM4NjA+XSBzaG93X3N0YWNrKzB4MjAvMHgzMApbMzk1OTU0LjUyNDgwMl0g
WzxmZmZmMjAwMDA4NWE4NmYwPl0gZHVtcF9zdGFjaysweGJjLzB4ZWMKWzM5NTk1NC41Mjk5Mzld
IFs8ZmZmZjIwMDAwODJkNjZmOD5dIGR1bXBfaGVhZGVyKzB4ZDgvMHgzMjgKWzM5NTk1NC41MzUy
NDhdIFs8ZmZmZjIwMDAwODIxNTA3OD5dIG9vbV9raWxsX3Byb2Nlc3MrMHg0MDAvMHg2YjAKWzM5
NTk1NC41NDEwNzhdIFs8ZmZmZjIwMDAwODIxNTg2ND5dIG91dF9vZl9tZW1vcnkrMHgxZWMvMHg3
YzAKWzM5NTk1NC41NDY2NDhdIFs8ZmZmZjIwMDAwODIxNWVmYz5dIHBhZ2VmYXVsdF9vdXRfb2Zf
bWVtb3J5KzB4YzQvMHhkMApbMzk1OTU0LjU1MjkxMV0gWzxmZmZmMjAwMDA4MGEzYTQwPl0gZG9f
cGFnZV9mYXVsdCsweDRhOC8weDRiMApbMzk1OTU0LjU1ODQ3OF0gWzxmZmZmMjAwMDA4MDgxNDQ0
Pl0gZG9fbWVtX2Fib3J0KzB4YTQvMHgxMzgKWzM5NTk1NC41NjM4NzJdIEV4Y2VwdGlvbiBzdGFj
aygweGZmZmY4MDAzNGRiMDdkYzAgdG8gMHhmZmZmODAwMzRkYjA3ZWYwKQpbMzk1OTU0LjU3MDM5
N10gN2RjMDogMDAwMDAwMDAwMDAwMDAwMCAwMDAwNjAwM2Y2N2ZjMDAwIGZmZmZmZmZmZmZmZmZm
ZmYgMDAwMDAwMDAwMDQxMDliMApbMzk1OTU0LjU3ODMxMF0gN2RlMDogMDAwMDAwMDA2MDAwMDAw
MCAwMDAwMDAwMDAwMDAwMDIwIDAwMDAwMDAwODIwMDAwMDcgMDAwMDAwMDAwMDQxMDliMApbMzk1
OTU0LjU4NjIyNF0gN2UwMDogMDAwMDAwMDA0MWI1OGFiMyBmZmZmMjAwMDA5NTVkMzcwIGZmZmYy
MDAwMDgwODEzYTAgMDAwMDAwMDAwMDAwMDEyNApbMzk1OTU0LjU5NDEzN10gN2UyMDogMDAwMDAw
MDAwMDAwMDA0OSBmZmZmMjAwMDA4ZjQ0MDAwIGZmZmY4MDAzNGRiMDdlNDAgZmZmZjIwMDAwODA4
NWY2MApbMzk1OTU0LjYwMjA1MV0gN2U0MDogZmZmZjgwMDM0ZGIwN2U4MCBmZmZmMjAwMDA4MDhi
NWEwIDAwMDAwMDAwMDAwMDAwMDggZmZmZjgwMDM1ZGRlNWU4MApbMzk1OTU0LjYwOTk2NV0gN2U2
MDogZmZmZjgwMDM1ZGRlNWU4MCBmZmZmODAwMzVkZGU2NGYwIGZmZmY4MDAzNGRiMDdlODAgZmZm
ZjIwMDAwODA4YjU4MApbMzk1OTU0LjYxNzg3OF0gN2U4MDogMDAwMDAwMDAwMDAwMDAwMCBmZmZm
MjAwMDA4MDgzNjE4IDAwMDAwMDAwMDAwMDAwMDAgMDAwMDYwMDNmNjdmYzAwMApbMzk1OTU0LjYy
NTc5MV0gN2VhMDogZmZmZmZmZmZmZmZmZmZmZiAwMDAwMDAwMDAwNzhkNzkwIDAwMDAwMDAwNjAw
MDAwMDAgMDAwMDYwMDNmNjgxMzAwMApbMzk1OTU0LjYzMzcwNF0gN2VjMDogMDAwMGZmZmZhNjg1
ZjcwOCAwMDAwMDAwMDAwMDAwMDAxIDAwMDAwMDAwMDAwMDAwMDEgMDAwMDAwMDAwMDAwMDAwMApb
Mzk1OTU0LjY0MTYxNF0gN2VlMDogMDAwMDAwMDAwMDAwMDAwMiAwMDAwMDAwMDAwMDAwMDAwClsz
OTU5NTQuNjQ2NTc1XSBbPGZmZmYyMDAwMDgwODMzODg+XSBlbDBfaWErMHgxOC8weDFjClszOTU5
NTQuNjUxMzk2XSBNZW0tSW5mbzoKWzM5NTk1NC42NTM3NzJdIGFjdGl2ZV9hbm9uOjMzMDg0NzYg
aW5hY3RpdmVfYW5vbjoxMDAgaXNvbGF0ZWRfYW5vbjowClszOTU5NTQuNjUzNzcyXSAgYWN0aXZl
X2ZpbGU6OTggaW5hY3RpdmVfZmlsZToyMzkwIGlzb2xhdGVkX2ZpbGU6MApbMzk1OTU0LjY1Mzc3
Ml0gIHVuZXZpY3RhYmxlOjAgZGlydHk6MCB3cml0ZWJhY2s6MCB1bnN0YWJsZTowClszOTU5NTQu
NjUzNzcyXSAgc2xhYl9yZWNsYWltYWJsZToxNTUwMyBzbGFiX3VucmVjbGFpbWFibGU6MTQzNjM0
ClszOTU5NTQuNjUzNzcyXSAgbWFwcGVkOjE2OTQgc2htZW06MTU1IHBhZ2V0YWJsZXM6MTAzMjkg
Ym91bmNlOjAKWzM5NTk1NC42NTM3NzJdICBmcmVlOjY0MjQ0IGZyZWVfcGNwOjM3OSBmcmVlX2Nt
YTowClszOTU5NTQuNjg3NTExXSBOb2RlIDAgYWN0aXZlX2Fub246MTMyMzM5MDRrQiBpbmFjdGl2
ZV9hbm9uOjQwMGtCIGFjdGl2ZV9maWxlOjM5MmtCIGluYWN0aXZlX2ZpbGU6OTgyMGtCIHVuZXZp
Y3RhYmxlOjBrQiBpc29sYXRlZChhbm9uKTowa0IgaXNvbGF0ZWQoZmlsZSk6MGtCIG1hcHBlZDo3
MDM2a0IgZGlydHk6MGtCIHdyaXRlYmFjazowa0Igc2htZW06NjIwa0Igc2htZW1fdGhwOiAwa0Ig
c2htZW1fcG1kbWFwcGVkOiAwa0IgYW5vbl90aHA6IDEyNzI4MzIwa0Igd3JpdGViYWNrX3RtcDow
a0IgdW5zdGFibGU6MGtCIGFsbF91bnJlY2xhaW1hYmxlPyBubwpbMzk1OTU0LjcxNTM3NV0gTm9k
ZSAwIERNQSBmcmVlOjUwNjIwa0IgbWluOjEyODI4a0IgbG93OjE2ODg0a0IgaGlnaDoyMDk0MGtC
IGFjdGl2ZV9hbm9uOjM5ODk2MDBrQiBpbmFjdGl2ZV9hbm9uOjBrQiBhY3RpdmVfZmlsZTowa0Ig
aW5hY3RpdmVfZmlsZTowa0IgdW5ldmljdGFibGU6MGtCIHdyaXRlcGVuZGluZzowa0IgcHJlc2Vu
dDo0MTk0MzA0a0IgbWFuYWdlZDo0MDYwNzg4a0IgbWxvY2tlZDowa0Igc2xhYl9yZWNsYWltYWJs
ZToyOTI4a0Igc2xhYl91bnJlY2xhaW1hYmxlOjEwNjQ4a0Iga2VybmVsX3N0YWNrOjBrQiBwYWdl
dGFibGVzOjM2MDBrQiBib3VuY2U6MGtCIGZyZWVfcGNwOjBrQiBsb2NhbF9wY3A6MGtCIGZyZWVf
Y21hOjBrQgpbMzk1OTU0Ljc0NzU2NV0gbG93bWVtX3Jlc2VydmVbXTogMCA5OTU4IDk5NTgKWzM5
NTk1NC43NTE2NzldIE5vZGUgMCBOb3JtYWwgZnJlZToyMDQ5MDBrQiBtaW46MzIyMjRrQiBsb3c6
NDI0MjBrQiBoaWdoOjUyNjE2a0IgYWN0aXZlX2Fub246OTI0NDIyMGtCIGluYWN0aXZlX2Fub246
NDAwa0IgYWN0aXZlX2ZpbGU6NTQ4a0IgaW5hY3RpdmVfZmlsZToxMDMyOGtCIHVuZXZpY3RhYmxl
OjBrQiB3cml0ZXBlbmRpbmc6MGtCIHByZXNlbnQ6MTI1ODI5MTJrQiBtYW5hZ2VkOjEwMTk3Mzg4
a0IgbWxvY2tlZDowa0Igc2xhYl9yZWNsYWltYWJsZTo1OTYyMGtCIHNsYWJfdW5yZWNsYWltYWJs
ZTo1NjQxNzZrQiBrZXJuZWxfc3RhY2s6NDAzMmtCIHBhZ2V0YWJsZXM6Mzc3MTZrQiBib3VuY2U6
MGtCIGZyZWVfcGNwOjE1NDhrQiBsb2NhbF9wY3A6MjQ0a0IgZnJlZV9jbWE6MGtCClszOTU5NTQu
Nzg2MDI0XSBsb3dtZW1fcmVzZXJ2ZVtdOiAwIDAgMApbMzk1OTU0Ljc4OTYxNV0gTm9kZSAwIERN
QTogNTMxKjRrQiAoVU1FKSAyMTAqOGtCIChVTUUpIDExNCoxNmtCIChVTUUpIDM0KjMya0IgKE1F
KSAxOCo2NGtCIChVTUUpIDM0KjEyOGtCIChVTUUpIDQ2KjI1NmtCIChVTSkgMTQqNTEya0IgKFVN
KSA3KjEwMjRrQiAoVU0pIDAqMjA0OGtCIDMqNDA5NmtCIChNKSA9IDUwNjIwa0IKWzM5NTk1NC44
MDYwOTddIE5vZGUgMCBOb3JtYWw6IDYwMCo0a0IgKFVNRUgpIDE3NzIqOGtCIChVTUVIKSA0OTYq
MTZrQiAoVU1FKSA1MyozMmtCIChVTUUpIDI1KjY0a0IgKFVNSCkgMyoxMjhrQiAoVU1FKSAxKjI1
NmtCIChVKSAxKjUxMmtCIChVKSAxKjEwMjRrQiAoRSkgNjEqMjA0OGtCIChVTUUpIDEyKjQwOTZr
QiAoTSkgPSAyMDQwNjRrQgpbMzk1OTU0LjgyMzQ3N10gTm9kZSAwIGh1Z2VwYWdlc190b3RhbD0w
IGh1Z2VwYWdlc19mcmVlPTAgaHVnZXBhZ2VzX3N1cnA9MCBodWdlcGFnZXNfc2l6ZT0yMDQ4a0IK
WzM5NTk1NC44MzIwNTVdIDMxNzEgdG90YWwgcGFnZWNhY2hlIHBhZ2VzClszOTU5NTQuODM1OTMz
XSAwIHBhZ2VzIGluIHN3YXAgY2FjaGUKWzM5NTk1NC44MzkzNDNdIFN3YXAgY2FjaGUgc3RhdHM6
IGFkZCAwLCBkZWxldGUgMCwgZmluZCAwLzAKWzM5NTk1NC44NDQ2NzBdIEZyZWUgc3dhcCAgPSAw
a0IKWzM5NTk1NC44NDc2NDJdIFRvdGFsIHN3YXAgPSAwa0IKWzM5NTk1NC44NTA2MTRdIDQxOTQz
MDQgcGFnZXMgUkFNClszOTU5NTQuODUzNjcxXSAwIHBhZ2VzIEhpZ2hNZW0vTW92YWJsZU9ubHkK
WzM5NTk1NC44NTc2MDNdIDYyOTc2MCBwYWdlcyByZXNlcnZlZApbMzk1OTU0Ljg2MTAyM10gNDA5
NiBwYWdlcyBjbWEgcmVzZXJ2ZWQKWzM5NTk1NC44NjQ2MTFdIFsgcGlkIF0gICB1aWQgIHRnaWQg
dG90YWxfdm0gICAgICByc3MgbnJfcHRlcyBucl9wbWRzIHN3YXBlbnRzIG9vbV9zY29yZV9hZGog
bmFtZQpbMzk1OTU0Ljg3MzI4MV0gWyAxNDQ3XSAgICAgMCAgMTQ0NyAgICAgIDcxNCAgICAgICA3
NCAgICAgICA1ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCB1cHN0YXJ0LXVkZXYtYnIK
WzM5NTk1NC44ODI4NjhdIFsgMTQ1MF0gICAgIDAgIDE0NTAgICAgIDI3NTggICAgICAxODcgICAg
ICAgNyAgICAgICAzICAgICAgICAwICAgICAgICAgLTEwMDAgc3lzdGVtZC11ZGV2ZApbMzk1OTU0
Ljg5MjI5NF0gWyAxODMzXSAgICAgMCAgMTgzMyAgICAgIDYzMiAgICAgICA0NiAgICAgICA1ICAg
ICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCB1cHN0YXJ0LXNvY2tldC0KWzM5NTk1NC45MDE4
ODJdIFsgMTg0N10gICAgIDAgIDE4NDcgICAgICA3MDggICAgICAgNjMgICAgICAgNSAgICAgICAz
ICAgICAgICAwICAgICAgICAgICAgIDAgcnBjYmluZApbMzk1OTU0LjkxMDc2Nl0gWyAxODc5XSAg
IDEwNiAgMTg3OSAgICAgIDczNyAgICAgIDExNCAgICAgICA1ICAgICAgIDMgICAgICAgIDAgICAg
ICAgICAgICAgMCBycGMuc3RhdGQKWzM5NTk1NC45MTk4NTZdIFsgMTk4NF0gICAgIDAgIDE5ODQg
ICAgICA2MzYgICAgICAgNTQgICAgICAgNSAgICAgICA0ICAgICAgICAwICAgICAgICAgICAgIDAg
dXBzdGFydC1maWxlLWJyClszOTU5NTQuOTI5NDYyXSBbIDIwMDBdICAgMTAzICAyMDAwICAgICAx
MTUyICAgICAgMTIwICAgICAgIDYgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIGRidXMt
ZGFlbW9uClszOTU5NTQuOTM4NzAxXSBbIDIwMDZdICAgICAwICAyMDA2ICAgICAgNzIwICAgICAg
IDQ5ICAgICAgIDYgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIHJwYy5pZG1hcGQKWzM5
NTk1NC45NDc4NThdIFsgMjAwOF0gICAxMDEgIDIwMDggICAgNTYzMDggICAgICAyMDEgICAgICAx
MiAgICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAgcnN5c2xvZ2QKWzM5NTk1NC45NTcxNjRd
IFsgMjAxNF0gICAgIDAgIDIwMTQgICAgNTg0MTQgICAgICAyODkgICAgICAxNiAgICAgICAzICAg
ICAgICAwICAgICAgICAgICAgIDAgTW9kZW1NYW5hZ2VyClszOTU5NTQuOTY2NTAzXSBbIDIwMzJd
ICAgICAwICAyMDMyICAgICAxMjIyICAgICAgIDg3ICAgICAgIDYgICAgICAgMyAgICAgICAgMCAg
ICAgICAgICAgICAwIHN5c3RlbWQtbG9naW5kClszOTU5NTQuOTc2MDA0XSBbIDIwNTBdICAgICAw
ICAyMDUwICAgIDYxNDU2ICAgICAgMzcxICAgICAgMTggICAgICAgMyAgICAgICAgMCAgICAgICAg
ICAgICAwIE5ldHdvcmtNYW5hZ2VyClszOTU5NTQuOTg1NTMxXSBbIDIwNjhdICAgICAwICAyMDY4
ICAgICAgNTg3ICAgICAgIDM5ICAgICAgIDUgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAw
IGdldHR5ClszOTU5NTQuOTk0MjU1XSBbIDIwNzFdICAgICAwICAyMDcxICAgIDU3MjQyICAgICAg
MTczICAgICAgMTQgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIHBvbGtpdGQKWzM5NTk1
NS4wMDMxNTRdIFsgMjA3NV0gICAgIDAgIDIwNzUgICAgICA1ODcgICAgICAgNDAgICAgICAgNSAg
ICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAgZ2V0dHkKWzM5NTk1NS4wMTE4NzhdIFsgMjA3
OF0gICAgIDAgIDIwNzggICAgICA1ODcgICAgICAgMzkgICAgICAgNSAgICAgICAzICAgICAgICAw
ICAgICAgICAgICAgIDAgZ2V0dHkKWzM5NTk1NS4wMjA1OTVdIFsgMjA3OV0gICAgIDAgIDIwNzkg
ICAgICA1ODcgICAgICAgMzggICAgICAgNSAgICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAg
Z2V0dHkKWzM5NTk1NS4wMjkzMjJdIFsgMjA4MV0gICAgIDAgIDIwODEgICAgICA1ODcgICAgICAg
NDAgICAgICAgNSAgICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAgZ2V0dHkKWzM5NTk1NS4w
MzgxMzVdIFsgMjEwMV0gICAgIDAgIDIxMDEgICAgIDIwNjEgICAgICAxNjMgICAgICAgOCAgICAg
ICA0ICAgICAgICAwICAgICAgICAgLTEwMDAgc3NoZApbMzk1OTU1LjA0NjgwMF0gWyAyMTAyXSAg
ICAgMCAgMjEwMiAgICAgIDc5MyAgICAgICA1NyAgICAgICA2ICAgICAgIDMgICAgICAgIDAgICAg
ICAgICAgICAgMCBjcm9uClszOTU5NTUuMDU1NDMyXSBbIDIxNTldICAgICAwICAyMTU5ICAgICAg
NTQyICAgICAgIDM4ICAgICAgIDUgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIGdldHR5
ClszOTU5NTUuMDY0MTQ5XSBbIDIxNjFdICAgICAwICAyMTYxICAgICAgNTg3ICAgICAgIDQwICAg
ICAgIDUgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIGdldHR5ClszOTU5NTUuMDcyODg0
XSBbIDIxNzFdICAgICAwICAyMTcxICAgICAxMzU2ICAgICAgNTc1ICAgICAgIDYgICAgICAgNCAg
ICAgICAgMCAgICAgICAgICAgICAwIGRoY2xpZW50ClszOTU5NTUuMDgxODc0XSBbIDIxNzVdIDY1
NTM0ICAyMTc1ICAgICAgODQ1ICAgICAgIDU4ICAgICAgIDUgICAgICAgMyAgICAgICAgMCAgICAg
ICAgICAgICAwIGRuc21hc3EKWzM5NTk1NS4wOTA5ODFdIFsgMjI2NV0gICAgIDAgIDIyNjUgICAg
IDMyNDkgICAgICAyNjEgICAgICAxMCAgICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAgc3No
ZApbMzk1OTU1LjA5OTc2MF0gWyAyMjc4XSAgMTAwMCAgMjI3OCAgICAgMzI0OSAgICAgIDI2MiAg
ICAgICA5ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCBzc2hkClszOTU5NTUuMTA4NDIw
XSBbIDIyNzldICAxMDAwICAyMjc5ICAgICAgOTIwICAgICAgMTc2ICAgICAgIDUgICAgICAgMyAg
ICAgICAgMCAgICAgICAgICAgICAwIGJhc2gKWzM5NTk1NS4xMTcwNTBdIFsgMjI4OV0gIDEwMDAg
IDIyODkgICAgICA4NjIgICAgICAgNjMgICAgICAgNSAgICAgICAzICAgICAgICAwICAgICAgICAg
ICAgIDAgc2NyZWVuClszOTU5NTUuMTI1ODcwXSBbIDIyOTBdICAxMDAwICAyMjkwICAgICAxMDYz
ICAgICAgMjg2ICAgICAgIDUgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIHNjcmVlbgpb
Mzk1OTU1LjEzNDY3NF0gWyAyMjkxXSAgMTAwMCAgMjI5MSAgICAgIDkzMCAgICAgIDE4NiAgICAg
ICA1ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCBiYXNoClszOTU5NTUuMTQzMzIxXSBb
IDIzMDFdICAxMDAwICAyMzAxICAgICAxMTkwICAgICAgODY0ICAgICAgIDYgICAgICAgMyAgICAg
ICAgMCAgICAgICAgICAgICAwIGh0b3AKWzM5NTk1NS4xNTE5NTFdIFsgMjMwMl0gIDEwMDAgIDIz
MDIgICAgICA5NDAgICAgICAxOTcgICAgICAgNSAgICAgICAzICAgICAgICAwICAgICAgICAgICAg
IDAgYmFzaApbMzk1OTU1LjE2MDU5NV0gWyAyMzU4XSAgMTAwMCAgMjM1OCAgIDQ0NzQ2MSAgICAg
ICAgMCAgICAgIDc2ICAgICAgIDUgICAgICAgIDAgICAgICAgICAgICAgMCBxZW11LXN5c3RlbS1h
YXIKWzM5NTk1NS4xNzAxNzVdIFsgMjM1OV0gIDEwMDAgIDIzNTkgICA0NDk1MDIgICAgNDU1MDkg
ICAgIDE2NiAgICAgICA0ICAgICAgICAwICAgICAgICAgICAgIDAgcWVtdS1zeXN0ZW0tYWFyClsz
OTU5NTUuMTgwMzEwXSBbIDIzNjBdICAxMDAwICAyMzYwICAgNDQ3NDYxICAgIDQzNzUzICAgICAx
NjAgICAgICAgNSAgICAgICAgMCAgICAgICAgICAgICAwIHFlbXUtc3lzdGVtLWFhcgpbMzk1OTU1
LjE5MDQ2N10gWyAyMzYxXSAgMTAwMCAgMjM2MSAgIDQ0NzQ2MSAgICA0NjE4MCAgICAgMTYxICAg
ICAgIDQgICAgICAgIDAgICAgICAgICAgICAgMCBxZW11LXN5c3RlbS1hYXIKWzM5NTk1NS4yMDAy
MDRdIFsgMjM2Ml0gIDEwMDAgIDIzNjIgICA0NDc0NjEgICAgNDQ1MjIgICAgIDE2MCAgICAgICA1
ICAgICAgICAwICAgICAgICAgICAgIDAgcWVtdS1zeXN0ZW0tYWFyClszOTU5NTUuMjA5ODM0XSBb
IDIzNjNdICAxMDAwICAyMzYzICAgNDQ3NDYxICAgIDQ0MzExICAgICAxNjEgICAgICAgNCAgICAg
ICAgMCAgICAgICAgICAgICAwIHFlbXUtc3lzdGVtLWFhcgpbMzk1OTU1LjIxOTgxOF0gWyA0NjAw
XSAgMTAwMCAgNDYwMCAgICAxOTQ2OCAgICAxMzk0MyAgICAgIDQyICAgICAgIDUgICAgICAgIDAg
ICAgICAgICAgICAgMCBzeXotbWFuYWdlcgpbMzk1OTU1LjIyOTQxMl0gWyA0OTE1XSAgMTAwMCAg
NDkxNSAgICAxNjM2NCAgICAgMTI3OCAgICAgIDI4ICAgICAgIDMgICAgICAgIDAgICAgICAgICAg
ICAgMCBxZW11LXN5c3RlbS1hYXIKWzM5NTk1NS4yMzk3MDddIFsgNDkxN10gIDEwMDAgIDQ5MTcg
ICAgMTYzNjQgICAgIDExOTYgICAgICAyNyAgICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAg
cWVtdS1zeXN0ZW0tYWFyClszOTU5NTUuMjQ5ODM3XSBbIDQ5MThdICAxMDAwICA0OTE4ICAgIDE2
MzY0ICAgICAxNDczICAgICAgMjggICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIHFlbXUt
c3lzdGVtLWFhcgpbMzk1OTU1LjI2MDU2OV0gWyA0OTE5XSAgMTAwMCAgNDkxOSAgICAxNjM2NCAg
ICAgMTY5MiAgICAgIDI4ICAgICAgIDMgICAgICAgIDAgICAgICAgICAgICAgMCBxZW11LXN5c3Rl
bS1hYXIKWzM5NTk1NS4yNzA4NzFdIFsgNDkyMF0gIDEwMDAgIDQ5MjAgICAgMTYzNjQgICAgICA5
NDIgICAgICAzMCAgICAgICAzICAgICAgICAwICAgICAgICAgICAgIDAgcWVtdS1zeXN0ZW0tYWFy
ClszOTU5NTUuMjgwNzYyXSBbIDQ5MjJdICAxMDAwICA0OTIyICAgIDE0MDI4ICAgICAgNzUxICAg
ICAgMjEgICAgICAgMyAgICAgICAgMCAgICAgICAgICAgICAwIHFlbXUtc3lzdGVtLWFhcgpbMzk1
OTU1LjI5MDM3Ml0gT3V0IG9mIG1lbW9yeTogS2lsbCBwcm9jZXNzIDIzNjEgKHFlbXUtc3lzdGVt
LWFhcikgc2NvcmUgMTMgb3Igc2FjcmlmaWNlIGNoaWxkClszOTU5NTUuMjk4ODU4XSBLaWxsZWQg
cHJvY2VzcyAyMzYxIChxZW11LXN5c3RlbS1hYXIpIHRvdGFsLXZtOjE3ODk4NDRrQiwgYW5vbi1y
c3M6MTg0NTc2a0IsIGZpbGUtcnNzOjE0NGtCLCBzaG1lbS1yc3M6MGtCClszOTU5NTUuMzI0NzUx
XSBvb21fcmVhcGVyOiByZWFwZWQgcHJvY2VzcyAyMzYxIChxZW11LXN5c3RlbS1hYXIpLCBub3cg
YW5vbi1yc3M6MGtCLCBmaWxlLXJzczoyMGtCLCBzaG1lbS1yc3M6MGtCCgpUaGFua3MsCk1hcmsu
Cl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCmt2bWFybSBt
YWlsaW5nIGxpc3QKa3ZtYXJtQGxpc3RzLmNzLmNvbHVtYmlhLmVkdQpodHRwczovL2xpc3RzLmNz
LmNvbHVtYmlhLmVkdS9tYWlsbWFuL2xpc3RpbmZvL2t2bWFybQo=

From mboxrd@z Thu Jan  1 00:00:00 1970
From: mark.rutland@arm.com (Mark Rutland)
Date: Tue, 18 Apr 2017 09:32:31 +0100
Subject: kvm/arm64: use-after-free in
 kvm_unmap_hva_handler/unmap_stage2_pmds
In-Reply-To: <20170413155045.GA8387@e107814-lin.cambridge.arm.com>
References: <CAAeHK+yjKm3mO2h9M30t-V_PnMhXEM887_zESCSg6gkbzivPsQ@mail.gmail.com>
 <20f6c994-d83e-7a6f-9f13-f10287211a6c@arm.com>
 <9f473bb9-d0eb-6803-1263-75ffef0301fe@redhat.com>
 <CAAeHK+x8udHKq9xa1zkTO6ax5E8Dk32HYWfaT05FMchL2cr48g@mail.gmail.com>
 <1050c9d8-5813-5df9-29e5-3ab6e61b5de6@arm.com>
 <88715300-ef58-e7bd-81f5-95e0b9c9c533@arm.com>
 <20170413155045.GA8387@e107814-lin.cambridge.arm.com>
Message-ID: <20170418083230.GA17866@leverpostej>
To: linux-arm-kernel@lists.infradead.org
List-Id: linux-arm-kernel.lists.infradead.org

Hi Suzuki,

On Thu, Apr 13, 2017 at 04:50:46PM +0100, Suzuki K. Poulose wrote:
> kvm: Hold reference to the user address space
> 
> The core KVM code, uses mmgrab/mmdrop to pin the mm struct of the user
> application. mmgrab only guarantees that the mm struct is available,
> while the "real address space" (see Documentation/vm/active_mm.txt) may
> be destroyed. Since the KVM depends on the user space page tables for
> the Guest pages, we should instead do an mmget/mmput. Even though
> mmget/mmput is not encouraged for uses with unbounded time, the KVM
> is fine to do so, as we are doing it from the context of the same process.
> 
> This also prevents the race condition where mmu_notifier_release() could
> be called in parallel and one instance could end up using a free'd kvm
> instance.
> 
> Cc: Mark Rutland <mark.rutland@arm.com>
> Cc: Paolo Bonzin <pbonzini@redhat.com>
> Cc: Radim Kr?m?? <rkrcmar@redhat.com>
> Cc: Marc Zyngier <marc.zyngier@arm.com>
> Cc: Christoffer Dall <christoffer.dall@linaro.org>
> Cc: andreyknvl at google.com
> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
> ---
>  virt/kvm/kvm_main.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 88257b3..555712e 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -613,7 +613,7 @@ static struct kvm *kvm_create_vm(unsigned long type)
>  		return ERR_PTR(-ENOMEM);
>  
>  	spin_lock_init(&kvm->mmu_lock);
> -	mmgrab(current->mm);
> +	mmget(current->mm);
>  	kvm->mm = current->mm;
>  	kvm_eventfd_init(kvm);
>  	mutex_init(&kvm->lock);
> @@ -685,7 +685,7 @@ static struct kvm *kvm_create_vm(unsigned long type)
>  	for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++)
>  		kvm_free_memslots(kvm, kvm->memslots[i]);
>  	kvm_arch_free_vm(kvm);
> -	mmdrop(current->mm);
> +	mmput(current->mm);
>  	return ERR_PTR(r);
>  }
>  
> @@ -747,7 +747,7 @@ static void kvm_destroy_vm(struct kvm *kvm)
>  	kvm_arch_free_vm(kvm);
>  	preempt_notifier_dec();
>  	hardware_disable_all();
> -	mmdrop(mm);
> +	mmput(mm);
>  }


As a heads-up, I'm seeing what looks to be a KVM memory leak with this
patch applied atop of next-20170411.

I don't yet know if this is a problem with next-20170411 or this patch
in particular -- I will try to track that down. In the mean time, info
dump below.

I left syzkaller running over the weekend using this kernel on the host,
and OOM kicked in after it had been running for a short while. Almost
all of my memory is in use, but judging by top, almost none of this is
associated with processes.

It looks like this is almost all AnonPages allocations:

nanook at medister:~$ cat /proc/meminfo 
MemTotal:       14258176 kB
MemFree:          106192 kB
MemAvailable:      38196 kB
Buffers:           27160 kB
Cached:            42508 kB
SwapCached:            0 kB
Active:         13442912 kB
Inactive:           7388 kB
Active(anon):   13380876 kB
Inactive(anon):      400 kB
Active(file):      62036 kB
Inactive(file):     6988 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:      13380688 kB
Mapped:             7352 kB
Shmem:               620 kB
Slab:             568196 kB
SReclaimable:      21756 kB
SUnreclaim:       546440 kB
KernelStack:        2832 kB
PageTables:        49168 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:     7129088 kB
Committed_AS:   41554652 kB
VmallocTotal:   100930551744 kB
VmallocUsed:           0 kB
VmallocChunk:          0 kB
AnonHugePages:  12728320 kB
ShmemHugePages:        0 kB
ShmemPmdMapped:        0 kB
CmaTotal:          16384 kB
CmaFree:               0 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB

Looking at slabtop, there are large number of vm_area_structs around:

 Active / Total Objects (% used)    : 531511 / 587214 (90.5%)
 Active / Total Slabs (% used)      : 29443 / 29443 (100.0%)
 Active / Total Caches (% used)     : 108 / 156 (69.2%)
 Active / Total Size (% used)       : 514052.23K / 536839.57K (95.8%)
 Minimum / Average / Maximum Object : 0.03K / 0.91K / 8.28K

  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME                   
 94924  89757  94%    0.24K   2877       33     23016K vm_area_struct
 72400  60687  83%    0.31K   2896       25     23168K filp
 70553  70484  99%    4.25K  10079        7    322528K names_cache
 70112  64605  92%    0.25K   2191       32     17528K kmalloc-128
 52458  50837  96%    0.09K   1249       42      4996K anon_vma_chain
 23492  22949  97%    4.25K   3356        7    107392K kmalloc-4096
 20631  20631 100%    0.10K    529       39      2116K anon_vma

... so it looks like we could be leaking the mm and associated mappings.

Full OOM splat:

[395953.231838] htop invoked oom-killer: gfp_mask=0x16040d0(GFP_TEMPORARY|__GFP_COMP|__GFP_NOTRACK), nodemask=(null),  order=0, oom_score_adj=0
[395953.244523] htop cpuset=/ mems_allowed=0
[395953.248556] CPU: 4 PID: 2301 Comm: htop Not tainted 4.11.0-rc6-next-20170411-dirty #7044
[395953.256727] Hardware name: AMD Seattle (Rev.B0) Development Board (Overdrive) (DT)
[395953.264374] Call trace:
[395953.266911] [<ffff20000808c358>] dump_backtrace+0x0/0x3a8
[395953.272394] [<ffff20000808c860>] show_stack+0x20/0x30
[395953.277530] [<ffff2000085a86f0>] dump_stack+0xbc/0xec
[395953.282666] [<ffff2000082d66f8>] dump_header+0xd8/0x328
[395953.287977] [<ffff200008215078>] oom_kill_process+0x400/0x6b0
[395953.293807] [<ffff200008215864>] out_of_memory+0x1ec/0x7c0
[395953.299377] [<ffff20000821d918>] __alloc_pages_nodemask+0xd88/0xe68
[395953.305728] [<ffff20000829bd8c>] alloc_pages_current+0xcc/0x218
[395953.311732] [<ffff2000082a9028>] new_slab+0x420/0x658
[395953.316868] [<ffff2000082ab360>] ___slab_alloc+0x370/0x5d8
[395953.322436] [<ffff2000082ab5ec>] __slab_alloc.isra.22+0x24/0x38
[395953.328438] [<ffff2000082abe5c>] kmem_cache_alloc+0x1bc/0x1e8
[395953.334268] [<ffff200008387eec>] proc_alloc_inode+0x24/0xa8
[395953.339924] [<ffff20000830af14>] alloc_inode+0x3c/0xf0
[395953.345146] [<ffff20000830df90>] new_inode_pseudo+0x20/0x80
[395953.350800] [<ffff20000830e014>] new_inode+0x24/0x50
[395953.355850] [<ffff20000838e860>] proc_pid_make_inode+0x28/0x118
[395953.361853] [<ffff20000838ea78>] proc_pident_instantiate+0x48/0x140
[395953.368204] [<ffff20000838ec6c>] proc_pident_lookup+0xfc/0x168
[395953.374121] [<ffff20000838ed8c>] proc_tgid_base_lookup+0x34/0x40
[395953.380210] [<ffff2000082f77ec>] path_openat+0x194c/0x1b68
[395953.385779] [<ffff2000082f96e0>] do_filp_open+0xe0/0x178
[395953.391178] [<ffff2000082d9f70>] do_sys_open+0x1e8/0x300
[395953.396575] [<ffff2000082da108>] SyS_openat+0x38/0x48
[395953.401710] [<ffff200008083730>] el0_svc_naked+0x24/0x28
[395953.408051] Mem-Info:
[395953.410423] active_anon:3354643 inactive_anon:100 isolated_anon:0
[395953.410423]  active_file:16 inactive_file:0 isolated_file:0
[395953.410423]  unevictable:0 dirty:0 writeback:0 unstable:0
[395953.410423]  slab_reclaimable:15505 slab_unreclaimable:143437
[395953.410423]  mapped:0 shmem:155 pagetables:10329 bounce:0
[395953.410423]  free:21060 free_pcp:403 free_cma:0
[395953.443636] Node 0 active_anon:13418572kB inactive_anon:400kB active_file:540kB inactive_file:104kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:380kB dirty:0kB writeback:0kB shmem:620kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 12926976kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
[395953.471351] Node 0 DMA free:50620kB min:12828kB low:16884kB high:20940kB active_anon:3989600kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:4194304kB managed:4060788kB mlocked:0kB slab_reclaimable:2928kB slab_unreclaimable:10648kB kernel_stack:0kB pagetables:3600kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
[395953.503543] lowmem_reserve[]: 0 9958 9958
[395953.507654] Node 0 Normal free:33004kB min:32224kB low:42420kB high:52616kB active_anon:9428972kB inactive_anon:400kB active_file:132kB inactive_file:80kB unevictable:0kB writepending:0kB present:12582912kB managed:10197388kB mlocked:0kB slab_reclaimable:59092kB slab_unreclaimable:563100kB kernel_stack:4032kB pagetables:37716kB bounce:0kB free_pcp:560kB local_pcp:0kB free_cma:0kB
[395953.541392] lowmem_reserve[]: 0 0 0
[395953.544979] Node 0 DMA: 531*4kB (UME) 210*8kB (UME) 114*16kB (UME) 34*32kB (ME) 18*64kB (UME) 34*128kB (UME) 46*256kB (UM) 14*512kB (UM) 7*1024kB (UM) 0*2048kB 3*4096kB (M) = 50620kB
[395953.561390] Node 0 Normal: 3041*4kB (UMEH) 1694*8kB (UMEH) 447*16kB (UMEH) 10*32kB (U) 2*64kB (H) 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 33316kB
[395953.575702] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
[395953.584229] 521 total pagecache pages
[395953.587984] 0 pages in swap cache
[395953.591392] Swap cache stats: add 0, delete 0, find 0/0
[395953.596706] Free swap  = 0kB
[395953.599677] Total swap = 0kB
[395953.602638] 4194304 pages RAM
[395953.605692] 0 pages HighMem/MovableOnly
[395953.609617] 629760 pages reserved
[395953.613021] 4096 pages cma reserved
[395953.616599] [ pid ]   uid  tgid total_vm      rss nr_ptes nr_pmds swapents oom_score_adj name
[395953.625244] [ 1447]     0  1447      714       74       5       3        0             0 upstart-udev-br
[395953.634818] [ 1450]     0  1450     2758      187       7       3        0         -1000 systemd-udevd
[395953.644218] [ 1833]     0  1833      632       46       5       3        0             0 upstart-socket-
[395953.653790] [ 1847]     0  1847      708       63       5       3        0             0 rpcbind
[395953.662668] [ 1879]   106  1879      737      114       5       3        0             0 rpc.statd
[395953.671734] [ 1984]     0  1984      636       54       5       4        0             0 upstart-file-br
[395953.681307] [ 2000]   103  2000     1152      120       6       3        0             0 dbus-daemon
[395953.690534] [ 2006]     0  2006      720       49       6       3        0             0 rpc.idmapd
[395953.699676] [ 2008]   101  2008    56308      201      12       3        0             0 rsyslogd
[395953.708641] [ 2014]     0  2014    58414      289      16       3        0             0 ModemManager
[395953.717952] [ 2032]     0  2032     1222       87       6       3        0             0 systemd-logind
[395953.727440] [ 2050]     0  2050    61456      371      18       3        0             0 NetworkManager
[395953.736927] [ 2068]     0  2068      587       39       5       3        0             0 getty
[395953.745632] [ 2071]     0  2071    57242      173      14       3        0             0 polkitd
[395953.754510] [ 2075]     0  2075      587       40       5       3        0             0 getty
[395953.763216] [ 2078]     0  2078      587       39       5       3        0             0 getty
[395953.771922] [ 2079]     0  2079      587       38       5       3        0             0 getty
[395953.780628] [ 2081]     0  2081      587       40       5       3        0             0 getty
[395953.789334] [ 2101]     0  2101     2061      163       8       4        0         -1000 sshd
[395953.797952] [ 2102]     0  2102      793       57       6       3        0             0 cron
[395953.806583] [ 2159]     0  2159      542       38       5       3        0             0 getty
[395953.815288] [ 2161]     0  2161      587       40       5       3        0             0 getty
[395953.823992] [ 2171]     0  2171     1356      575       6       4        0             0 dhclient
[395953.832956] [ 2175] 65534  2175      845       58       5       3        0             0 dnsmasq
[395953.841834] [ 2265]     0  2265     3249      261      10       3        0             0 sshd
[395953.850451] [ 2278]  1000  2278     3249      262       9       3        0             0 sshd
[395953.859067] [ 2279]  1000  2279      920      176       5       3        0             0 bash
[395953.867686] [ 2289]  1000  2289      862       63       5       3        0             0 screen
[395953.876479] [ 2290]  1000  2290     1063      286       5       3        0             0 screen
[395953.885272] [ 2291]  1000  2291      930      186       5       3        0             0 bash
[395953.893890] [ 2301]  1000  2301     1190      550       6       3        0             0 htop
[395953.902508] [ 2302]  1000  2302      940      197       5       3        0             0 bash
[395953.911126] [ 2358]  1000  2358   447461    46148     163       5        0             0 qemu-system-aar
[395953.920699] [ 2359]  1000  2359   449502    45509     166       4        0             0 qemu-system-aar
[395953.930271] [ 2360]  1000  2360   447461    43753     160       5        0             0 qemu-system-aar
[395953.939854] [ 2361]  1000  2361   447461    46144     161       4        0             0 qemu-system-aar
[395953.949429] [ 2362]  1000  2362   447461    44522     160       5        0             0 qemu-system-aar
[395953.959001] [ 2363]  1000  2363   447461    44311     161       4        0             0 qemu-system-aar
[395953.968574] [ 4600]  1000  4600    19468    12828      42       5        0             0 syz-manager
[395953.977820] [ 4915]  1000  4915    16364     1127      28       3        0             0 qemu-system-aar
[395953.987397] [ 4917]  1000  4917    16364     1127      27       3        0             0 qemu-system-aar
[395953.996972] [ 4918]  1000  4918    16364     1127      28       3        0             0 qemu-system-aar
[395954.006546] [ 4919]  1000  4919    16364     1128      28       3        0             0 qemu-system-aar
[395954.016119] [ 4920]  1000  4920    16364      617      30       3        0             0 qemu-system-aar
[395954.025692] [ 4922]  1000  4922    14028      344      21       3        0             0 qemu-system-aar
[395954.035273] Out of memory: Kill process 2358 (qemu-system-aar) score 12 or sacrifice child
[395954.043659] Killed process 2358 (qemu-system-aar) total-vm:1789844kB, anon-rss:184592kB, file-rss:0kB, shmem-rss:0kB
[395954.055211] qemu-system-aar: page allocation failure: order:0, mode:0x14201ca(GFP_HIGHUSER_MOVABLE|__GFP_COLD), nodemask=(null)
[395954.066817] qemu-system-aar cpuset=/ mems_allowed=0
[395954.067606] oom_reaper: reaped process 2358 (qemu-system-aar), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
[395954.081761] CPU: 5 PID: 2358 Comm: qemu-system-aar Not tainted 4.11.0-rc6-next-20170411-dirty #7044
[395954.090886] Hardware name: AMD Seattle (Rev.B0) Development Board (Overdrive) (DT)
[395954.098533] Call trace:
[395954.101072] [<ffff20000808c358>] dump_backtrace+0x0/0x3a8
[395954.106555] [<ffff20000808c860>] show_stack+0x20/0x30
[395954.111692] [<ffff2000085a86f0>] dump_stack+0xbc/0xec
[395954.116830] [<ffff20000821ca4c>] warn_alloc+0x144/0x1d8
[395954.122140] [<ffff20000821d9e8>] __alloc_pages_nodemask+0xe58/0xe68
[395954.128491] [<ffff20000829bd8c>] alloc_pages_current+0xcc/0x218
[395954.134494] [<ffff20000820e770>] __page_cache_alloc+0x128/0x150
[395954.140498] [<ffff200008212648>] filemap_fault+0x768/0x940
[395954.146069] [<ffff2000083caf8c>] ext4_filemap_fault+0x4c/0x68
[395954.151898] [<ffff20000825bac4>] __do_fault+0x44/0xd0
[395954.157033] [<ffff200008264c5c>] __handle_mm_fault+0x12c4/0x1978
[395954.163122] [<ffff200008265514>] handle_mm_fault+0x204/0x388
[395954.168865] [<ffff2000080a3994>] do_page_fault+0x3fc/0x4b0
[395954.174434] [<ffff200008081444>] do_mem_abort+0xa4/0x138
[395954.179827] Exception stack(0xffff80034db07dc0 to 0xffff80034db07ef0)
[395954.186352] 7dc0: 0000000000000000 00006003f67fc000 ffffffffffffffff 00000000004109b0
[395954.194266] 7de0: 0000000060000000 0000000000000020 0000000082000007 00000000004109b0
[395954.202179] 7e00: 0000000041b58ab3 ffff20000955d370 ffff2000080813a0 0000000000000124
[395954.210093] 7e20: 0000000000000049 ffff200008f44000 ffff80034db07e40 ffff200008085f60
[395954.218006] 7e40: ffff80034db07e80 ffff20000808b5a0 0000000000000008 ffff80035dde5e80
[395954.225920] 7e60: ffff80035dde5e80 ffff80035dde64f0 ffff80034db07e80 ffff20000808b580
[395954.233833] 7e80: 0000000000000000 ffff200008083618 0000000000000000 00006003f67fc000
[395954.241746] 7ea0: ffffffffffffffff 000000000078d790 0000000060000000 00006003f6813000
[395954.249659] 7ec0: 0000ffffa685f708 0000000000000001 0000000000000001 0000000000000000
[395954.257569] 7ee0: 0000000000000002 0000000000000000
[395954.262530] [<ffff200008083388>] el0_ia+0x18/0x1c
[395954.267433] Mem-Info:
[395954.269806] active_anon:3308476 inactive_anon:100 isolated_anon:0
[395954.269806]  active_file:98 inactive_file:570 isolated_file:0
[395954.269806]  unevictable:0 dirty:0 writeback:0 unstable:0
[395954.269806]  slab_reclaimable:15503 slab_unreclaimable:143557
[395954.269806]  mapped:264 shmem:155 pagetables:10329 bounce:0
[395954.269806]  free:66173 free_pcp:470 free_cma:0
[395954.303371] Node 0 active_anon:13233904kB inactive_anon:400kB active_file:392kB inactive_file:3320kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:1836kB dirty:0kB writeback:0kB shmem:620kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 12728320kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
[395954.331169] Node 0 DMA free:50620kB min:12828kB low:16884kB high:20940kB active_anon:3989600kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:4194304kB managed:4060788kB mlocked:0kB slab_reclaimable:2928kB slab_unreclaimable:10648kB kernel_stack:0kB pagetables:3600kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
[395954.363335] lowmem_reserve[]: 0 9958 9958
[395954.367625] Node 0 Normal free:212516kB min:32224kB low:42420kB high:52616kB active_anon:9244644kB inactive_anon:400kB active_file:548kB inactive_file:3828kB unevictable:0kB writepending:0kB present:12582912kB managed:10197388kB mlocked:0kB slab_reclaimable:59084kB slab_unreclaimable:563912kB kernel_stack:4032kB pagetables:37716kB bounce:0kB free_pcp:1840kB local_pcp:0kB free_cma:0kB
[395954.401710] lowmem_reserve[]: 0 0 0
[395954.405298] Node 0 DMA: 531*4kB (UME) 210*8kB (UME) 114*16kB (UME) 34*32kB (ME) 18*64kB (UME) 34*128kB (UME) 46*256kB (UM) 14*512kB (UM) 7*1024kB (UM) 0*2048kB 3*4096kB (M) = 50620kB
[395954.421698] Node 0 Normal: 1840*4kB (UMEH) 1740*8kB (MEH) 496*16kB (ME) 47*32kB (UME) 25*64kB (MEH) 3*128kB (UME) 2*256kB (UE) 1*512kB (E) 2*1024kB (UE) 61*2048kB (UME) 12*4096kB (M) = 209856kB
[395954.439058] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
[395954.447582] 2104 total pagecache pages
[395954.451421] 0 pages in swap cache
[395954.454817] Swap cache stats: add 0, delete 0, find 0/0
[395954.460130] Free swap  = 0kB
[395954.463090] Total swap = 0kB
[395954.466057] 4194304 pages RAM
[395954.469111] 0 pages HighMem/MovableOnly
[395954.473035] 629760 pages reserved
[395954.476436] 4096 pages cma reserved
[395954.480151] qemu-system-aar invoked oom-killer: gfp_mask=0x0(), nodemask=(null),  order=0, oom_score_adj=0
[395954.489898] qemu-system-aar cpuset=/ mems_allowed=0
[395954.494879] CPU: 5 PID: 2358 Comm: qemu-system-aar Not tainted 4.11.0-rc6-next-20170411-dirty #7044
[395954.504003] Hardware name: AMD Seattle (Rev.B0) Development Board (Overdrive) (DT)
[395954.511651] Call trace:
[395954.514184] [<ffff20000808c358>] dump_backtrace+0x0/0x3a8
[395954.519668] [<ffff20000808c860>] show_stack+0x20/0x30
[395954.524802] [<ffff2000085a86f0>] dump_stack+0xbc/0xec
[395954.529939] [<ffff2000082d66f8>] dump_header+0xd8/0x328
[395954.535248] [<ffff200008215078>] oom_kill_process+0x400/0x6b0
[395954.541078] [<ffff200008215864>] out_of_memory+0x1ec/0x7c0
[395954.546648] [<ffff200008215efc>] pagefault_out_of_memory+0xc4/0xd0
[395954.552911] [<ffff2000080a3a40>] do_page_fault+0x4a8/0x4b0
[395954.558478] [<ffff200008081444>] do_mem_abort+0xa4/0x138
[395954.563872] Exception stack(0xffff80034db07dc0 to 0xffff80034db07ef0)
[395954.570397] 7dc0: 0000000000000000 00006003f67fc000 ffffffffffffffff 00000000004109b0
[395954.578310] 7de0: 0000000060000000 0000000000000020 0000000082000007 00000000004109b0
[395954.586224] 7e00: 0000000041b58ab3 ffff20000955d370 ffff2000080813a0 0000000000000124
[395954.594137] 7e20: 0000000000000049 ffff200008f44000 ffff80034db07e40 ffff200008085f60
[395954.602051] 7e40: ffff80034db07e80 ffff20000808b5a0 0000000000000008 ffff80035dde5e80
[395954.609965] 7e60: ffff80035dde5e80 ffff80035dde64f0 ffff80034db07e80 ffff20000808b580
[395954.617878] 7e80: 0000000000000000 ffff200008083618 0000000000000000 00006003f67fc000
[395954.625791] 7ea0: ffffffffffffffff 000000000078d790 0000000060000000 00006003f6813000
[395954.633704] 7ec0: 0000ffffa685f708 0000000000000001 0000000000000001 0000000000000000
[395954.641614] 7ee0: 0000000000000002 0000000000000000
[395954.646575] [<ffff200008083388>] el0_ia+0x18/0x1c
[395954.651396] Mem-Info:
[395954.653772] active_anon:3308476 inactive_anon:100 isolated_anon:0
[395954.653772]  active_file:98 inactive_file:2390 isolated_file:0
[395954.653772]  unevictable:0 dirty:0 writeback:0 unstable:0
[395954.653772]  slab_reclaimable:15503 slab_unreclaimable:143634
[395954.653772]  mapped:1694 shmem:155 pagetables:10329 bounce:0
[395954.653772]  free:64244 free_pcp:379 free_cma:0
[395954.687511] Node 0 active_anon:13233904kB inactive_anon:400kB active_file:392kB inactive_file:9820kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:7036kB dirty:0kB writeback:0kB shmem:620kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 12728320kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
[395954.715375] Node 0 DMA free:50620kB min:12828kB low:16884kB high:20940kB active_anon:3989600kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:4194304kB managed:4060788kB mlocked:0kB slab_reclaimable:2928kB slab_unreclaimable:10648kB kernel_stack:0kB pagetables:3600kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
[395954.747565] lowmem_reserve[]: 0 9958 9958
[395954.751679] Node 0 Normal free:204900kB min:32224kB low:42420kB high:52616kB active_anon:9244220kB inactive_anon:400kB active_file:548kB inactive_file:10328kB unevictable:0kB writepending:0kB present:12582912kB managed:10197388kB mlocked:0kB slab_reclaimable:59620kB slab_unreclaimable:564176kB kernel_stack:4032kB pagetables:37716kB bounce:0kB free_pcp:1548kB local_pcp:244kB free_cma:0kB
[395954.786024] lowmem_reserve[]: 0 0 0
[395954.789615] Node 0 DMA: 531*4kB (UME) 210*8kB (UME) 114*16kB (UME) 34*32kB (ME) 18*64kB (UME) 34*128kB (UME) 46*256kB (UM) 14*512kB (UM) 7*1024kB (UM) 0*2048kB 3*4096kB (M) = 50620kB
[395954.806097] Node 0 Normal: 600*4kB (UMEH) 1772*8kB (UMEH) 496*16kB (UME) 53*32kB (UME) 25*64kB (UMH) 3*128kB (UME) 1*256kB (U) 1*512kB (U) 1*1024kB (E) 61*2048kB (UME) 12*4096kB (M) = 204064kB
[395954.823477] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
[395954.832055] 3171 total pagecache pages
[395954.835933] 0 pages in swap cache
[395954.839343] Swap cache stats: add 0, delete 0, find 0/0
[395954.844670] Free swap  = 0kB
[395954.847642] Total swap = 0kB
[395954.850614] 4194304 pages RAM
[395954.853671] 0 pages HighMem/MovableOnly
[395954.857603] 629760 pages reserved
[395954.861023] 4096 pages cma reserved
[395954.864611] [ pid ]   uid  tgid total_vm      rss nr_ptes nr_pmds swapents oom_score_adj name
[395954.873281] [ 1447]     0  1447      714       74       5       3        0             0 upstart-udev-br
[395954.882868] [ 1450]     0  1450     2758      187       7       3        0         -1000 systemd-udevd
[395954.892294] [ 1833]     0  1833      632       46       5       3        0             0 upstart-socket-
[395954.901882] [ 1847]     0  1847      708       63       5       3        0             0 rpcbind
[395954.910766] [ 1879]   106  1879      737      114       5       3        0             0 rpc.statd
[395954.919856] [ 1984]     0  1984      636       54       5       4        0             0 upstart-file-br
[395954.929462] [ 2000]   103  2000     1152      120       6       3        0             0 dbus-daemon
[395954.938701] [ 2006]     0  2006      720       49       6       3        0             0 rpc.idmapd
[395954.947858] [ 2008]   101  2008    56308      201      12       3        0             0 rsyslogd
[395954.957164] [ 2014]     0  2014    58414      289      16       3        0             0 ModemManager
[395954.966503] [ 2032]     0  2032     1222       87       6       3        0             0 systemd-logind
[395954.976004] [ 2050]     0  2050    61456      371      18       3        0             0 NetworkManager
[395954.985531] [ 2068]     0  2068      587       39       5       3        0             0 getty
[395954.994255] [ 2071]     0  2071    57242      173      14       3        0             0 polkitd
[395955.003154] [ 2075]     0  2075      587       40       5       3        0             0 getty
[395955.011878] [ 2078]     0  2078      587       39       5       3        0             0 getty
[395955.020595] [ 2079]     0  2079      587       38       5       3        0             0 getty
[395955.029322] [ 2081]     0  2081      587       40       5       3        0             0 getty
[395955.038135] [ 2101]     0  2101     2061      163       8       4        0         -1000 sshd
[395955.046800] [ 2102]     0  2102      793       57       6       3        0             0 cron
[395955.055432] [ 2159]     0  2159      542       38       5       3        0             0 getty
[395955.064149] [ 2161]     0  2161      587       40       5       3        0             0 getty
[395955.072884] [ 2171]     0  2171     1356      575       6       4        0             0 dhclient
[395955.081874] [ 2175] 65534  2175      845       58       5       3        0             0 dnsmasq
[395955.090981] [ 2265]     0  2265     3249      261      10       3        0             0 sshd
[395955.099760] [ 2278]  1000  2278     3249      262       9       3        0             0 sshd
[395955.108420] [ 2279]  1000  2279      920      176       5       3        0             0 bash
[395955.117050] [ 2289]  1000  2289      862       63       5       3        0             0 screen
[395955.125870] [ 2290]  1000  2290     1063      286       5       3        0             0 screen
[395955.134674] [ 2291]  1000  2291      930      186       5       3        0             0 bash
[395955.143321] [ 2301]  1000  2301     1190      864       6       3        0             0 htop
[395955.151951] [ 2302]  1000  2302      940      197       5       3        0             0 bash
[395955.160595] [ 2358]  1000  2358   447461        0      76       5        0             0 qemu-system-aar
[395955.170175] [ 2359]  1000  2359   449502    45509     166       4        0             0 qemu-system-aar
[395955.180310] [ 2360]  1000  2360   447461    43753     160       5        0             0 qemu-system-aar
[395955.190467] [ 2361]  1000  2361   447461    46180     161       4        0             0 qemu-system-aar
[395955.200204] [ 2362]  1000  2362   447461    44522     160       5        0             0 qemu-system-aar
[395955.209834] [ 2363]  1000  2363   447461    44311     161       4        0             0 qemu-system-aar
[395955.219818] [ 4600]  1000  4600    19468    13943      42       5        0             0 syz-manager
[395955.229412] [ 4915]  1000  4915    16364     1278      28       3        0             0 qemu-system-aar
[395955.239707] [ 4917]  1000  4917    16364     1196      27       3        0             0 qemu-system-aar
[395955.249837] [ 4918]  1000  4918    16364     1473      28       3        0             0 qemu-system-aar
[395955.260569] [ 4919]  1000  4919    16364     1692      28       3        0             0 qemu-system-aar
[395955.270871] [ 4920]  1000  4920    16364      942      30       3        0             0 qemu-system-aar
[395955.280762] [ 4922]  1000  4922    14028      751      21       3        0             0 qemu-system-aar
[395955.290372] Out of memory: Kill process 2361 (qemu-system-aar) score 13 or sacrifice child
[395955.298858] Killed process 2361 (qemu-system-aar) total-vm:1789844kB, anon-rss:184576kB, file-rss:144kB, shmem-rss:0kB
[395955.324751] oom_reaper: reaped process 2361 (qemu-system-aar), now anon-rss:0kB, file-rss:20kB, shmem-rss:0kB

Thanks,
Mark.

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756173AbdDRIdL (ORCPT <rfc822;w@1wt.eu>);
        Tue, 18 Apr 2017 04:33:11 -0400
Received: from foss.arm.com ([217.140.101.70]:53748 "EHLO foss.arm.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1755266AbdDRIdB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 18 Apr 2017 04:33:01 -0400
Date: Tue, 18 Apr 2017 09:32:31 +0100
From: Mark Rutland <mark.rutland@arm.com>
To: "Suzuki K. Poulose" <Suzuki.Poulose@arm.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>,
        Andrey Konovalov <andreyknvl@google.com>,
        Paolo Bonzini <pbonzini@redhat.com>, rkrcmar@redhat.com,
        christoffer.dall@linaro.org, linux-arm-kernel@lists.infradead.org,
        linux-kernel@vger.kernel.org, kvm@vger.kernel.org, dvyukov@google.com,
        kvmarm@lists.cs.columbia.edu, catalin.marinas@arm.com,
        will.deacon@arm.com, kcc@google.com, syzkaller@googlegroups.com
Subject: Re: kvm/arm64: use-after-free in
 kvm_unmap_hva_handler/unmap_stage2_pmds
Message-ID: <20170418083230.GA17866@leverpostej>
References: <CAAeHK+yjKm3mO2h9M30t-V_PnMhXEM887_zESCSg6gkbzivPsQ@mail.gmail.com>
 <20f6c994-d83e-7a6f-9f13-f10287211a6c@arm.com>
 <9f473bb9-d0eb-6803-1263-75ffef0301fe@redhat.com>
 <CAAeHK+x8udHKq9xa1zkTO6ax5E8Dk32HYWfaT05FMchL2cr48g@mail.gmail.com>
 <1050c9d8-5813-5df9-29e5-3ab6e61b5de6@arm.com>
 <88715300-ef58-e7bd-81f5-95e0b9c9c533@arm.com>
 <20170413155045.GA8387@e107814-lin.cambridge.arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20170413155045.GA8387@e107814-lin.cambridge.arm.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Suzuki,

On Thu, Apr 13, 2017 at 04:50:46PM +0100, Suzuki K. Poulose wrote:
> kvm: Hold reference to the user address space
> 
> The core KVM code, uses mmgrab/mmdrop to pin the mm struct of the user
> application. mmgrab only guarantees that the mm struct is available,
> while the "real address space" (see Documentation/vm/active_mm.txt) may
> be destroyed. Since the KVM depends on the user space page tables for
> the Guest pages, we should instead do an mmget/mmput. Even though
> mmget/mmput is not encouraged for uses with unbounded time, the KVM
> is fine to do so, as we are doing it from the context of the same process.
> 
> This also prevents the race condition where mmu_notifier_release() could
> be called in parallel and one instance could end up using a free'd kvm
> instance.
> 
> Cc: Mark Rutland <mark.rutland@arm.com>
> Cc: Paolo Bonzin <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: Marc Zyngier <marc.zyngier@arm.com>
> Cc: Christoffer Dall <christoffer.dall@linaro.org>
> Cc: andreyknvl@google.com
> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
> ---
>  virt/kvm/kvm_main.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 88257b3..555712e 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -613,7 +613,7 @@ static struct kvm *kvm_create_vm(unsigned long type)
>  		return ERR_PTR(-ENOMEM);
>  
>  	spin_lock_init(&kvm->mmu_lock);
> -	mmgrab(current->mm);
> +	mmget(current->mm);
>  	kvm->mm = current->mm;
>  	kvm_eventfd_init(kvm);
>  	mutex_init(&kvm->lock);
> @@ -685,7 +685,7 @@ static struct kvm *kvm_create_vm(unsigned long type)
>  	for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++)
>  		kvm_free_memslots(kvm, kvm->memslots[i]);
>  	kvm_arch_free_vm(kvm);
> -	mmdrop(current->mm);
> +	mmput(current->mm);
>  	return ERR_PTR(r);
>  }
>  
> @@ -747,7 +747,7 @@ static void kvm_destroy_vm(struct kvm *kvm)
>  	kvm_arch_free_vm(kvm);
>  	preempt_notifier_dec();
>  	hardware_disable_all();
> -	mmdrop(mm);
> +	mmput(mm);
>  }


As a heads-up, I'm seeing what looks to be a KVM memory leak with this
patch applied atop of next-20170411.

I don't yet know if this is a problem with next-20170411 or this patch
in particular -- I will try to track that down. In the mean time, info
dump below.

I left syzkaller running over the weekend using this kernel on the host,
and OOM kicked in after it had been running for a short while. Almost
all of my memory is in use, but judging by top, almost none of this is
associated with processes.

It looks like this is almost all AnonPages allocations:

nanook@medister:~$ cat /proc/meminfo 
MemTotal:       14258176 kB
MemFree:          106192 kB
MemAvailable:      38196 kB
Buffers:           27160 kB
Cached:            42508 kB
SwapCached:            0 kB
Active:         13442912 kB
Inactive:           7388 kB
Active(anon):   13380876 kB
Inactive(anon):      400 kB
Active(file):      62036 kB
Inactive(file):     6988 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:      13380688 kB
Mapped:             7352 kB
Shmem:               620 kB
Slab:             568196 kB
SReclaimable:      21756 kB
SUnreclaim:       546440 kB
KernelStack:        2832 kB
PageTables:        49168 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:     7129088 kB
Committed_AS:   41554652 kB
VmallocTotal:   100930551744 kB
VmallocUsed:           0 kB
VmallocChunk:          0 kB
AnonHugePages:  12728320 kB
ShmemHugePages:        0 kB
ShmemPmdMapped:        0 kB
CmaTotal:          16384 kB
CmaFree:               0 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB

Looking at slabtop, there are large number of vm_area_structs around:

 Active / Total Objects (% used)    : 531511 / 587214 (90.5%)
 Active / Total Slabs (% used)      : 29443 / 29443 (100.0%)
 Active / Total Caches (% used)     : 108 / 156 (69.2%)
 Active / Total Size (% used)       : 514052.23K / 536839.57K (95.8%)
 Minimum / Average / Maximum Object : 0.03K / 0.91K / 8.28K

  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME                   
 94924  89757  94%    0.24K   2877       33     23016K vm_area_struct
 72400  60687  83%    0.31K   2896       25     23168K filp
 70553  70484  99%    4.25K  10079        7    322528K names_cache
 70112  64605  92%    0.25K   2191       32     17528K kmalloc-128
 52458  50837  96%    0.09K   1249       42      4996K anon_vma_chain
 23492  22949  97%    4.25K   3356        7    107392K kmalloc-4096
 20631  20631 100%    0.10K    529       39      2116K anon_vma

... so it looks like we could be leaking the mm and associated mappings.

Full OOM splat:

[395953.231838] htop invoked oom-killer: gfp_mask=0x16040d0(GFP_TEMPORARY|__GFP_COMP|__GFP_NOTRACK), nodemask=(null),  order=0, oom_score_adj=0
[395953.244523] htop cpuset=/ mems_allowed=0
[395953.248556] CPU: 4 PID: 2301 Comm: htop Not tainted 4.11.0-rc6-next-20170411-dirty #7044
[395953.256727] Hardware name: AMD Seattle (Rev.B0) Development Board (Overdrive) (DT)
[395953.264374] Call trace:
[395953.266911] [<ffff20000808c358>] dump_backtrace+0x0/0x3a8
[395953.272394] [<ffff20000808c860>] show_stack+0x20/0x30
[395953.277530] [<ffff2000085a86f0>] dump_stack+0xbc/0xec
[395953.282666] [<ffff2000082d66f8>] dump_header+0xd8/0x328
[395953.287977] [<ffff200008215078>] oom_kill_process+0x400/0x6b0
[395953.293807] [<ffff200008215864>] out_of_memory+0x1ec/0x7c0
[395953.299377] [<ffff20000821d918>] __alloc_pages_nodemask+0xd88/0xe68
[395953.305728] [<ffff20000829bd8c>] alloc_pages_current+0xcc/0x218
[395953.311732] [<ffff2000082a9028>] new_slab+0x420/0x658
[395953.316868] [<ffff2000082ab360>] ___slab_alloc+0x370/0x5d8
[395953.322436] [<ffff2000082ab5ec>] __slab_alloc.isra.22+0x24/0x38
[395953.328438] [<ffff2000082abe5c>] kmem_cache_alloc+0x1bc/0x1e8
[395953.334268] [<ffff200008387eec>] proc_alloc_inode+0x24/0xa8
[395953.339924] [<ffff20000830af14>] alloc_inode+0x3c/0xf0
[395953.345146] [<ffff20000830df90>] new_inode_pseudo+0x20/0x80
[395953.350800] [<ffff20000830e014>] new_inode+0x24/0x50
[395953.355850] [<ffff20000838e860>] proc_pid_make_inode+0x28/0x118
[395953.361853] [<ffff20000838ea78>] proc_pident_instantiate+0x48/0x140
[395953.368204] [<ffff20000838ec6c>] proc_pident_lookup+0xfc/0x168
[395953.374121] [<ffff20000838ed8c>] proc_tgid_base_lookup+0x34/0x40
[395953.380210] [<ffff2000082f77ec>] path_openat+0x194c/0x1b68
[395953.385779] [<ffff2000082f96e0>] do_filp_open+0xe0/0x178
[395953.391178] [<ffff2000082d9f70>] do_sys_open+0x1e8/0x300
[395953.396575] [<ffff2000082da108>] SyS_openat+0x38/0x48
[395953.401710] [<ffff200008083730>] el0_svc_naked+0x24/0x28
[395953.408051] Mem-Info:
[395953.410423] active_anon:3354643 inactive_anon:100 isolated_anon:0
[395953.410423]  active_file:16 inactive_file:0 isolated_file:0
[395953.410423]  unevictable:0 dirty:0 writeback:0 unstable:0
[395953.410423]  slab_reclaimable:15505 slab_unreclaimable:143437
[395953.410423]  mapped:0 shmem:155 pagetables:10329 bounce:0
[395953.410423]  free:21060 free_pcp:403 free_cma:0
[395953.443636] Node 0 active_anon:13418572kB inactive_anon:400kB active_file:540kB inactive_file:104kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:380kB dirty:0kB writeback:0kB shmem:620kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 12926976kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
[395953.471351] Node 0 DMA free:50620kB min:12828kB low:16884kB high:20940kB active_anon:3989600kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:4194304kB managed:4060788kB mlocked:0kB slab_reclaimable:2928kB slab_unreclaimable:10648kB kernel_stack:0kB pagetables:3600kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
[395953.503543] lowmem_reserve[]: 0 9958 9958
[395953.507654] Node 0 Normal free:33004kB min:32224kB low:42420kB high:52616kB active_anon:9428972kB inactive_anon:400kB active_file:132kB inactive_file:80kB unevictable:0kB writepending:0kB present:12582912kB managed:10197388kB mlocked:0kB slab_reclaimable:59092kB slab_unreclaimable:563100kB kernel_stack:4032kB pagetables:37716kB bounce:0kB free_pcp:560kB local_pcp:0kB free_cma:0kB
[395953.541392] lowmem_reserve[]: 0 0 0
[395953.544979] Node 0 DMA: 531*4kB (UME) 210*8kB (UME) 114*16kB (UME) 34*32kB (ME) 18*64kB (UME) 34*128kB (UME) 46*256kB (UM) 14*512kB (UM) 7*1024kB (UM) 0*2048kB 3*4096kB (M) = 50620kB
[395953.561390] Node 0 Normal: 3041*4kB (UMEH) 1694*8kB (UMEH) 447*16kB (UMEH) 10*32kB (U) 2*64kB (H) 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 33316kB
[395953.575702] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
[395953.584229] 521 total pagecache pages
[395953.587984] 0 pages in swap cache
[395953.591392] Swap cache stats: add 0, delete 0, find 0/0
[395953.596706] Free swap  = 0kB
[395953.599677] Total swap = 0kB
[395953.602638] 4194304 pages RAM
[395953.605692] 0 pages HighMem/MovableOnly
[395953.609617] 629760 pages reserved
[395953.613021] 4096 pages cma reserved
[395953.616599] [ pid ]   uid  tgid total_vm      rss nr_ptes nr_pmds swapents oom_score_adj name
[395953.625244] [ 1447]     0  1447      714       74       5       3        0             0 upstart-udev-br
[395953.634818] [ 1450]     0  1450     2758      187       7       3        0         -1000 systemd-udevd
[395953.644218] [ 1833]     0  1833      632       46       5       3        0             0 upstart-socket-
[395953.653790] [ 1847]     0  1847      708       63       5       3        0             0 rpcbind
[395953.662668] [ 1879]   106  1879      737      114       5       3        0             0 rpc.statd
[395953.671734] [ 1984]     0  1984      636       54       5       4        0             0 upstart-file-br
[395953.681307] [ 2000]   103  2000     1152      120       6       3        0             0 dbus-daemon
[395953.690534] [ 2006]     0  2006      720       49       6       3        0             0 rpc.idmapd
[395953.699676] [ 2008]   101  2008    56308      201      12       3        0             0 rsyslogd
[395953.708641] [ 2014]     0  2014    58414      289      16       3        0             0 ModemManager
[395953.717952] [ 2032]     0  2032     1222       87       6       3        0             0 systemd-logind
[395953.727440] [ 2050]     0  2050    61456      371      18       3        0             0 NetworkManager
[395953.736927] [ 2068]     0  2068      587       39       5       3        0             0 getty
[395953.745632] [ 2071]     0  2071    57242      173      14       3        0             0 polkitd
[395953.754510] [ 2075]     0  2075      587       40       5       3        0             0 getty
[395953.763216] [ 2078]     0  2078      587       39       5       3        0             0 getty
[395953.771922] [ 2079]     0  2079      587       38       5       3        0             0 getty
[395953.780628] [ 2081]     0  2081      587       40       5       3        0             0 getty
[395953.789334] [ 2101]     0  2101     2061      163       8       4        0         -1000 sshd
[395953.797952] [ 2102]     0  2102      793       57       6       3        0             0 cron
[395953.806583] [ 2159]     0  2159      542       38       5       3        0             0 getty
[395953.815288] [ 2161]     0  2161      587       40       5       3        0             0 getty
[395953.823992] [ 2171]     0  2171     1356      575       6       4        0             0 dhclient
[395953.832956] [ 2175] 65534  2175      845       58       5       3        0             0 dnsmasq
[395953.841834] [ 2265]     0  2265     3249      261      10       3        0             0 sshd
[395953.850451] [ 2278]  1000  2278     3249      262       9       3        0             0 sshd
[395953.859067] [ 2279]  1000  2279      920      176       5       3        0             0 bash
[395953.867686] [ 2289]  1000  2289      862       63       5       3        0             0 screen
[395953.876479] [ 2290]  1000  2290     1063      286       5       3        0             0 screen
[395953.885272] [ 2291]  1000  2291      930      186       5       3        0             0 bash
[395953.893890] [ 2301]  1000  2301     1190      550       6       3        0             0 htop
[395953.902508] [ 2302]  1000  2302      940      197       5       3        0             0 bash
[395953.911126] [ 2358]  1000  2358   447461    46148     163       5        0             0 qemu-system-aar
[395953.920699] [ 2359]  1000  2359   449502    45509     166       4        0             0 qemu-system-aar
[395953.930271] [ 2360]  1000  2360   447461    43753     160       5        0             0 qemu-system-aar
[395953.939854] [ 2361]  1000  2361   447461    46144     161       4        0             0 qemu-system-aar
[395953.949429] [ 2362]  1000  2362   447461    44522     160       5        0             0 qemu-system-aar
[395953.959001] [ 2363]  1000  2363   447461    44311     161       4        0             0 qemu-system-aar
[395953.968574] [ 4600]  1000  4600    19468    12828      42       5        0             0 syz-manager
[395953.977820] [ 4915]  1000  4915    16364     1127      28       3        0             0 qemu-system-aar
[395953.987397] [ 4917]  1000  4917    16364     1127      27       3        0             0 qemu-system-aar
[395953.996972] [ 4918]  1000  4918    16364     1127      28       3        0             0 qemu-system-aar
[395954.006546] [ 4919]  1000  4919    16364     1128      28       3        0             0 qemu-system-aar
[395954.016119] [ 4920]  1000  4920    16364      617      30       3        0             0 qemu-system-aar
[395954.025692] [ 4922]  1000  4922    14028      344      21       3        0             0 qemu-system-aar
[395954.035273] Out of memory: Kill process 2358 (qemu-system-aar) score 12 or sacrifice child
[395954.043659] Killed process 2358 (qemu-system-aar) total-vm:1789844kB, anon-rss:184592kB, file-rss:0kB, shmem-rss:0kB
[395954.055211] qemu-system-aar: page allocation failure: order:0, mode:0x14201ca(GFP_HIGHUSER_MOVABLE|__GFP_COLD), nodemask=(null)
[395954.066817] qemu-system-aar cpuset=/ mems_allowed=0
[395954.067606] oom_reaper: reaped process 2358 (qemu-system-aar), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
[395954.081761] CPU: 5 PID: 2358 Comm: qemu-system-aar Not tainted 4.11.0-rc6-next-20170411-dirty #7044
[395954.090886] Hardware name: AMD Seattle (Rev.B0) Development Board (Overdrive) (DT)
[395954.098533] Call trace:
[395954.101072] [<ffff20000808c358>] dump_backtrace+0x0/0x3a8
[395954.106555] [<ffff20000808c860>] show_stack+0x20/0x30
[395954.111692] [<ffff2000085a86f0>] dump_stack+0xbc/0xec
[395954.116830] [<ffff20000821ca4c>] warn_alloc+0x144/0x1d8
[395954.122140] [<ffff20000821d9e8>] __alloc_pages_nodemask+0xe58/0xe68
[395954.128491] [<ffff20000829bd8c>] alloc_pages_current+0xcc/0x218
[395954.134494] [<ffff20000820e770>] __page_cache_alloc+0x128/0x150
[395954.140498] [<ffff200008212648>] filemap_fault+0x768/0x940
[395954.146069] [<ffff2000083caf8c>] ext4_filemap_fault+0x4c/0x68
[395954.151898] [<ffff20000825bac4>] __do_fault+0x44/0xd0
[395954.157033] [<ffff200008264c5c>] __handle_mm_fault+0x12c4/0x1978
[395954.163122] [<ffff200008265514>] handle_mm_fault+0x204/0x388
[395954.168865] [<ffff2000080a3994>] do_page_fault+0x3fc/0x4b0
[395954.174434] [<ffff200008081444>] do_mem_abort+0xa4/0x138
[395954.179827] Exception stack(0xffff80034db07dc0 to 0xffff80034db07ef0)
[395954.186352] 7dc0: 0000000000000000 00006003f67fc000 ffffffffffffffff 00000000004109b0
[395954.194266] 7de0: 0000000060000000 0000000000000020 0000000082000007 00000000004109b0
[395954.202179] 7e00: 0000000041b58ab3 ffff20000955d370 ffff2000080813a0 0000000000000124
[395954.210093] 7e20: 0000000000000049 ffff200008f44000 ffff80034db07e40 ffff200008085f60
[395954.218006] 7e40: ffff80034db07e80 ffff20000808b5a0 0000000000000008 ffff80035dde5e80
[395954.225920] 7e60: ffff80035dde5e80 ffff80035dde64f0 ffff80034db07e80 ffff20000808b580
[395954.233833] 7e80: 0000000000000000 ffff200008083618 0000000000000000 00006003f67fc000
[395954.241746] 7ea0: ffffffffffffffff 000000000078d790 0000000060000000 00006003f6813000
[395954.249659] 7ec0: 0000ffffa685f708 0000000000000001 0000000000000001 0000000000000000
[395954.257569] 7ee0: 0000000000000002 0000000000000000
[395954.262530] [<ffff200008083388>] el0_ia+0x18/0x1c
[395954.267433] Mem-Info:
[395954.269806] active_anon:3308476 inactive_anon:100 isolated_anon:0
[395954.269806]  active_file:98 inactive_file:570 isolated_file:0
[395954.269806]  unevictable:0 dirty:0 writeback:0 unstable:0
[395954.269806]  slab_reclaimable:15503 slab_unreclaimable:143557
[395954.269806]  mapped:264 shmem:155 pagetables:10329 bounce:0
[395954.269806]  free:66173 free_pcp:470 free_cma:0
[395954.303371] Node 0 active_anon:13233904kB inactive_anon:400kB active_file:392kB inactive_file:3320kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:1836kB dirty:0kB writeback:0kB shmem:620kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 12728320kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
[395954.331169] Node 0 DMA free:50620kB min:12828kB low:16884kB high:20940kB active_anon:3989600kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:4194304kB managed:4060788kB mlocked:0kB slab_reclaimable:2928kB slab_unreclaimable:10648kB kernel_stack:0kB pagetables:3600kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
[395954.363335] lowmem_reserve[]: 0 9958 9958
[395954.367625] Node 0 Normal free:212516kB min:32224kB low:42420kB high:52616kB active_anon:9244644kB inactive_anon:400kB active_file:548kB inactive_file:3828kB unevictable:0kB writepending:0kB present:12582912kB managed:10197388kB mlocked:0kB slab_reclaimable:59084kB slab_unreclaimable:563912kB kernel_stack:4032kB pagetables:37716kB bounce:0kB free_pcp:1840kB local_pcp:0kB free_cma:0kB
[395954.401710] lowmem_reserve[]: 0 0 0
[395954.405298] Node 0 DMA: 531*4kB (UME) 210*8kB (UME) 114*16kB (UME) 34*32kB (ME) 18*64kB (UME) 34*128kB (UME) 46*256kB (UM) 14*512kB (UM) 7*1024kB (UM) 0*2048kB 3*4096kB (M) = 50620kB
[395954.421698] Node 0 Normal: 1840*4kB (UMEH) 1740*8kB (MEH) 496*16kB (ME) 47*32kB (UME) 25*64kB (MEH) 3*128kB (UME) 2*256kB (UE) 1*512kB (E) 2*1024kB (UE) 61*2048kB (UME) 12*4096kB (M) = 209856kB
[395954.439058] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
[395954.447582] 2104 total pagecache pages
[395954.451421] 0 pages in swap cache
[395954.454817] Swap cache stats: add 0, delete 0, find 0/0
[395954.460130] Free swap  = 0kB
[395954.463090] Total swap = 0kB
[395954.466057] 4194304 pages RAM
[395954.469111] 0 pages HighMem/MovableOnly
[395954.473035] 629760 pages reserved
[395954.476436] 4096 pages cma reserved
[395954.480151] qemu-system-aar invoked oom-killer: gfp_mask=0x0(), nodemask=(null),  order=0, oom_score_adj=0
[395954.489898] qemu-system-aar cpuset=/ mems_allowed=0
[395954.494879] CPU: 5 PID: 2358 Comm: qemu-system-aar Not tainted 4.11.0-rc6-next-20170411-dirty #7044
[395954.504003] Hardware name: AMD Seattle (Rev.B0) Development Board (Overdrive) (DT)
[395954.511651] Call trace:
[395954.514184] [<ffff20000808c358>] dump_backtrace+0x0/0x3a8
[395954.519668] [<ffff20000808c860>] show_stack+0x20/0x30
[395954.524802] [<ffff2000085a86f0>] dump_stack+0xbc/0xec
[395954.529939] [<ffff2000082d66f8>] dump_header+0xd8/0x328
[395954.535248] [<ffff200008215078>] oom_kill_process+0x400/0x6b0
[395954.541078] [<ffff200008215864>] out_of_memory+0x1ec/0x7c0
[395954.546648] [<ffff200008215efc>] pagefault_out_of_memory+0xc4/0xd0
[395954.552911] [<ffff2000080a3a40>] do_page_fault+0x4a8/0x4b0
[395954.558478] [<ffff200008081444>] do_mem_abort+0xa4/0x138
[395954.563872] Exception stack(0xffff80034db07dc0 to 0xffff80034db07ef0)
[395954.570397] 7dc0: 0000000000000000 00006003f67fc000 ffffffffffffffff 00000000004109b0
[395954.578310] 7de0: 0000000060000000 0000000000000020 0000000082000007 00000000004109b0
[395954.586224] 7e00: 0000000041b58ab3 ffff20000955d370 ffff2000080813a0 0000000000000124
[395954.594137] 7e20: 0000000000000049 ffff200008f44000 ffff80034db07e40 ffff200008085f60
[395954.602051] 7e40: ffff80034db07e80 ffff20000808b5a0 0000000000000008 ffff80035dde5e80
[395954.609965] 7e60: ffff80035dde5e80 ffff80035dde64f0 ffff80034db07e80 ffff20000808b580
[395954.617878] 7e80: 0000000000000000 ffff200008083618 0000000000000000 00006003f67fc000
[395954.625791] 7ea0: ffffffffffffffff 000000000078d790 0000000060000000 00006003f6813000
[395954.633704] 7ec0: 0000ffffa685f708 0000000000000001 0000000000000001 0000000000000000
[395954.641614] 7ee0: 0000000000000002 0000000000000000
[395954.646575] [<ffff200008083388>] el0_ia+0x18/0x1c
[395954.651396] Mem-Info:
[395954.653772] active_anon:3308476 inactive_anon:100 isolated_anon:0
[395954.653772]  active_file:98 inactive_file:2390 isolated_file:0
[395954.653772]  unevictable:0 dirty:0 writeback:0 unstable:0
[395954.653772]  slab_reclaimable:15503 slab_unreclaimable:143634
[395954.653772]  mapped:1694 shmem:155 pagetables:10329 bounce:0
[395954.653772]  free:64244 free_pcp:379 free_cma:0
[395954.687511] Node 0 active_anon:13233904kB inactive_anon:400kB active_file:392kB inactive_file:9820kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:7036kB dirty:0kB writeback:0kB shmem:620kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 12728320kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
[395954.715375] Node 0 DMA free:50620kB min:12828kB low:16884kB high:20940kB active_anon:3989600kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:4194304kB managed:4060788kB mlocked:0kB slab_reclaimable:2928kB slab_unreclaimable:10648kB kernel_stack:0kB pagetables:3600kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
[395954.747565] lowmem_reserve[]: 0 9958 9958
[395954.751679] Node 0 Normal free:204900kB min:32224kB low:42420kB high:52616kB active_anon:9244220kB inactive_anon:400kB active_file:548kB inactive_file:10328kB unevictable:0kB writepending:0kB present:12582912kB managed:10197388kB mlocked:0kB slab_reclaimable:59620kB slab_unreclaimable:564176kB kernel_stack:4032kB pagetables:37716kB bounce:0kB free_pcp:1548kB local_pcp:244kB free_cma:0kB
[395954.786024] lowmem_reserve[]: 0 0 0
[395954.789615] Node 0 DMA: 531*4kB (UME) 210*8kB (UME) 114*16kB (UME) 34*32kB (ME) 18*64kB (UME) 34*128kB (UME) 46*256kB (UM) 14*512kB (UM) 7*1024kB (UM) 0*2048kB 3*4096kB (M) = 50620kB
[395954.806097] Node 0 Normal: 600*4kB (UMEH) 1772*8kB (UMEH) 496*16kB (UME) 53*32kB (UME) 25*64kB (UMH) 3*128kB (UME) 1*256kB (U) 1*512kB (U) 1*1024kB (E) 61*2048kB (UME) 12*4096kB (M) = 204064kB
[395954.823477] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
[395954.832055] 3171 total pagecache pages
[395954.835933] 0 pages in swap cache
[395954.839343] Swap cache stats: add 0, delete 0, find 0/0
[395954.844670] Free swap  = 0kB
[395954.847642] Total swap = 0kB
[395954.850614] 4194304 pages RAM
[395954.853671] 0 pages HighMem/MovableOnly
[395954.857603] 629760 pages reserved
[395954.861023] 4096 pages cma reserved
[395954.864611] [ pid ]   uid  tgid total_vm      rss nr_ptes nr_pmds swapents oom_score_adj name
[395954.873281] [ 1447]     0  1447      714       74       5       3        0             0 upstart-udev-br
[395954.882868] [ 1450]     0  1450     2758      187       7       3        0         -1000 systemd-udevd
[395954.892294] [ 1833]     0  1833      632       46       5       3        0             0 upstart-socket-
[395954.901882] [ 1847]     0  1847      708       63       5       3        0             0 rpcbind
[395954.910766] [ 1879]   106  1879      737      114       5       3        0             0 rpc.statd
[395954.919856] [ 1984]     0  1984      636       54       5       4        0             0 upstart-file-br
[395954.929462] [ 2000]   103  2000     1152      120       6       3        0             0 dbus-daemon
[395954.938701] [ 2006]     0  2006      720       49       6       3        0             0 rpc.idmapd
[395954.947858] [ 2008]   101  2008    56308      201      12       3        0             0 rsyslogd
[395954.957164] [ 2014]     0  2014    58414      289      16       3        0             0 ModemManager
[395954.966503] [ 2032]     0  2032     1222       87       6       3        0             0 systemd-logind
[395954.976004] [ 2050]     0  2050    61456      371      18       3        0             0 NetworkManager
[395954.985531] [ 2068]     0  2068      587       39       5       3        0             0 getty
[395954.994255] [ 2071]     0  2071    57242      173      14       3        0             0 polkitd
[395955.003154] [ 2075]     0  2075      587       40       5       3        0             0 getty
[395955.011878] [ 2078]     0  2078      587       39       5       3        0             0 getty
[395955.020595] [ 2079]     0  2079      587       38       5       3        0             0 getty
[395955.029322] [ 2081]     0  2081      587       40       5       3        0             0 getty
[395955.038135] [ 2101]     0  2101     2061      163       8       4        0         -1000 sshd
[395955.046800] [ 2102]     0  2102      793       57       6       3        0             0 cron
[395955.055432] [ 2159]     0  2159      542       38       5       3        0             0 getty
[395955.064149] [ 2161]     0  2161      587       40       5       3        0             0 getty
[395955.072884] [ 2171]     0  2171     1356      575       6       4        0             0 dhclient
[395955.081874] [ 2175] 65534  2175      845       58       5       3        0             0 dnsmasq
[395955.090981] [ 2265]     0  2265     3249      261      10       3        0             0 sshd
[395955.099760] [ 2278]  1000  2278     3249      262       9       3        0             0 sshd
[395955.108420] [ 2279]  1000  2279      920      176       5       3        0             0 bash
[395955.117050] [ 2289]  1000  2289      862       63       5       3        0             0 screen
[395955.125870] [ 2290]  1000  2290     1063      286       5       3        0             0 screen
[395955.134674] [ 2291]  1000  2291      930      186       5       3        0             0 bash
[395955.143321] [ 2301]  1000  2301     1190      864       6       3        0             0 htop
[395955.151951] [ 2302]  1000  2302      940      197       5       3        0             0 bash
[395955.160595] [ 2358]  1000  2358   447461        0      76       5        0             0 qemu-system-aar
[395955.170175] [ 2359]  1000  2359   449502    45509     166       4        0             0 qemu-system-aar
[395955.180310] [ 2360]  1000  2360   447461    43753     160       5        0             0 qemu-system-aar
[395955.190467] [ 2361]  1000  2361   447461    46180     161       4        0             0 qemu-system-aar
[395955.200204] [ 2362]  1000  2362   447461    44522     160       5        0             0 qemu-system-aar
[395955.209834] [ 2363]  1000  2363   447461    44311     161       4        0             0 qemu-system-aar
[395955.219818] [ 4600]  1000  4600    19468    13943      42       5        0             0 syz-manager
[395955.229412] [ 4915]  1000  4915    16364     1278      28       3        0             0 qemu-system-aar
[395955.239707] [ 4917]  1000  4917    16364     1196      27       3        0             0 qemu-system-aar
[395955.249837] [ 4918]  1000  4918    16364     1473      28       3        0             0 qemu-system-aar
[395955.260569] [ 4919]  1000  4919    16364     1692      28       3        0             0 qemu-system-aar
[395955.270871] [ 4920]  1000  4920    16364      942      30       3        0             0 qemu-system-aar
[395955.280762] [ 4922]  1000  4922    14028      751      21       3        0             0 qemu-system-aar
[395955.290372] Out of memory: Kill process 2361 (qemu-system-aar) score 13 or sacrifice child
[395955.298858] Killed process 2361 (qemu-system-aar) total-vm:1789844kB, anon-rss:184576kB, file-rss:144kB, shmem-rss:0kB
[395955.324751] oom_reaper: reaped process 2361 (qemu-system-aar), now anon-rss:0kB, file-rss:20kB, shmem-rss:0kB

Thanks,
Mark.