From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pandora.armlinux.org.uk (pandora.armlinux.org.uk [78.32.30.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C9CC9171E47; Fri, 5 Apr 2024 18:19:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=78.32.30.218 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712341163; cv=none; b=SiityV3gQX6hh3X1GR/PFkUXgNk/uG5RQuPtc26T3epjPBQYI/b2Er+rJ2Ko4F672avpZvsoxkdgy8vflCRefJsB3HToQHWP7mtOPgQWHg4fwunhmzPMYSoxqvxyT6aWZ5gWYyFVcf2SlwoOGMjTOkGMuV2CEyQQTeCl/IacYxo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712341163; c=relaxed/simple; bh=QCgEPH4wUkS+9dfZeNb/0z4fye0/PiFdlQxjbFRrVxU=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=kn8TJ15EeDfztgvmZwVjzfSODonZMViEY+3HZ8C4PgPvDBdvh7yx/66H/FX8zG/o+eiTkyp7HOJmKOo5XVFk8Fh4tI3gtFMoJ+cIrQv57hpr2M4Jep2uKl9hCiDfZivmNjMLRdQPtWz6xMXnHfNMPUndHbD1P1ct3T69Rs+d6gU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk; spf=none smtp.mailfrom=armlinux.org.uk; dkim=pass (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b=i0B2OSKK; arc=none smtp.client-ip=78.32.30.218 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=armlinux.org.uk Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b="i0B2OSKK" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=armlinux.org.uk; s=pandora-2019; h=Sender:In-Reply-To: Content-Transfer-Encoding:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=78zodIlf2id93sGgo87RUv6tjv4oQ4pNi83y08mn66s=; b=i0B2OSKKQ+YnkGLQ7fe+OSdfRU XcZvIyYdwQj4pbTuMMQ9CO5AY0fZl5Gnq93sDigw0Qyg59kyL+y6ayxo2+y5rYz8E4tsOAC44QQGI CQUAKeaQXCpN9nbUy6q12VP79A4e7A2qH5gjT93NxGYK91z5ONa2Wxs0aDS4EXfHzhRXP16hLxF/H 7Gu2gYvmkBp/77WCASD9rLbVyK79lh3Dtq6dMdDKDxIjT0VtUl8OhyqBpyaShGjpLBNAJ8OM42gMX B+D4JXbo0yqGGSs9IeL+3XL/qAxsow0Djc8GntmOzBj3Ndv0QBOjo645RvO3oQg197pongk5ktcjC Gj1Kq83Q==; Received: from shell.armlinux.org.uk ([fd8f:7570:feb6:1:5054:ff:fe00:4ec]:46188) by pandora.armlinux.org.uk with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1rso9g-0002jG-0U; Fri, 05 Apr 2024 19:19:12 +0100 Received: from linux by shell.armlinux.org.uk with local (Exim 4.94.2) (envelope-from ) id 1rso9e-0001a9-79; Fri, 05 Apr 2024 19:19:10 +0100 Date: Fri, 5 Apr 2024 19:19:10 +0100 From: "Russell King (Oracle)" To: Andrii Nakryiko Cc: Alexei Starovoitov , Puranjay Mohan , Mark Rutland , Andrew Morton , linux-arm-kernel , syzbot , LKML , linux-mm , syzkaller-bugs , bpf Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2) Message-ID: References: <000000000000e9a8d80615163f2a@google.com> <20240403184149.0847a9d614f11b249529fd02@linux-foundation.org> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Sender: Russell King (Oracle) On Fri, Apr 05, 2024 at 10:50:30AM -0700, Andrii Nakryiko wrote: > On Fri, Apr 5, 2024 at 9:30 AM Alexei Starovoitov > wrote: > > > > On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle) > > wrote: > > > > > > On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote: > > > > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote: > > > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton wrote: > > > > > > > > > > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot wrote: > > > > > > > > > > > > > Hello, > > > > > > > > > > > > Thanks. Cc: bpf@vger.kernel.org > > > > > > > > > > I suspect the issue is not on bpf side. > > > > > Looks like the bug is somewhere in arm32 bits. > > > > > copy_from_kernel_nofault() is called from lots of places. > > > > > bpf is just one user that is easy for syzbot to fuzz. > > > > > Interestingly arm defines copy_from_kernel_nofault_allowed() > > > > > that should have filtered out user addresses. > > > > > In this case ffffffe9 is probably a kernel address? > > > > > > > > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL). > > > > > > > > 0xffffffe9 is -0x16, which is -22, which is -EINVAL. > > > > > > > > > But the kernel is doing a write? > > > > > Which makes no sense, since copy_from_kernel_nofault is probe reading. > > > > > > > > It makes perfect sense; the read from 'src' happened, then the kernel tries to > > > > write the result to 'dst', and that aligns with the disassembly in the report > > > > below, which I beleive is: > > > > > > > > 8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', fault fixup is elsewhere > > > > c: e3530000 cmp r3, #0 > > > > * 10: e5852000 str r2, [r5] <-- Write to 'dst' > > > > > > > > As above, it looks like 'dst' is ERR_PTR(-EINVAL). > > > > > > > > Are you certain that BPF is passing a sane value for 'dst'? Where does that > > > > come from in the first place? > > > > > > It looks to me like it gets passed in from the BPF program, and the > > > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that > > > means for validation purposes, I've no idea, I'm not a BPF hacker. > > > > > > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed > > > an arbitary destination address, that would be a huge security hole. > > > > If that's the case that's indeed a giant security hole, > > but I doubt it. We would be crashing other archs as well. > > I cannot really tell whether arm32 JIT is on. > > If it is, it's likely a bug there. > > Puranjay, > > could you please take a look. > > > > I dumped the BPF program that repro.c is loading, it works on x86-64 > and there is nothing special there. We are probe-reading 5 bytes from > somewhere into the stack. Everything is unaligned here, but stays > within a well-defined memory slot. > > Note the r3 = (s8)r1, that's a new-ish thing, maybe bug is somewhere > there (but then it would be JIT, not verifier itself) > > 0: (7a) *(u64 *)(r10 -8) = 896542069 > 1: (bf) r1 = r10 > 2: (07) r1 += -7 > 3: (b7) r2 = 5 > 4: (bf) r3 = (s8)r1 > 5: (85) call bpf_probe_read_kernel#-72390 Before jumping to conclusions, let's try to unravel what's going on here. We're calling bpf_probe_read_kernel(), and the arguments to this are: void *dst ; r1 u32 size ; r2 const void *unsafe_ptr ; r3 The problem that has been reported is that the _store_ in copy_from_kernel_nofault(). Thus it's the destination pointer that's the proble, and thus that is the value that ends up in r1. What we can also see in the dump is that the address being read from is the same as the address being written, and these are both 0xffffffe9 or -22. This would mean that both r3 and r1 contain the same value. Unwinding the code further, r1 comes from r10 - 7. So r10 probably was -15. Neither of these are valid stack addresses on 32-bit ARM. Now, to repeat the same question. Is the BPF JIT on for this test? This is a crucial piece of information, because it tells us whether we need to look at the JIT or whether there's a problem with the BPF interpreter. Please answer this question. The next question to BPF people is... what is r10? Is that supposed to be the read-only frame pointer? If so, why is it called r10 and not something more readable? I'm guessing that the definition is BPF_REG_FP, but I'm grasping at straws here (BPF people, fix your debug so people who don't know BPF inside out can understand it!) If the BPF JIT is being used, I think the next thing which needs to happen is that the BPF JIT debug needs to be enabled. If /proc/sys/net/core/bpf_jit_enable contains a value greater than 1, then the ARM assembly will be hexdumped. One of the annoying things is going to be piecing the hexdump together, converting it into a form that can then be turned into a binary file, to then be disassembled by objdump. -- RMK's Patch system: https://www.armlinux.org.uk/developer/patches/ FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last! From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 89607C67861 for ; Fri, 5 Apr 2024 18:19:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=4ltrzVg0zURTnkghs6GFy65Be65B0eaItBRFvhUJtac=; b=fy0Aj4KUs1sTO2 i9kmd4TVsl9/GaMS+GUHE9VBaaSTmDJonm++1aEaGwgLSzPeI88QGM5d0Lp7MZfVX/rbnJxoXowIT TkqWcjETkwx3hyOtMeOdOyBsKlfLLaUSruKttQDAlj2ukQRodpqkG1Bu1m4yjd97Gbu0wtgB/0VHE 5Mlj9A1aZtS4AC+3N/kZcis3f9+BP6dDDzqIXeBhj8SAu7C+RrfiBUo0nVbIQgNkCy73EcSVKOTz+ 2rYs8Zq0DwfMgTkJE8lDkDwRH0mMY6oyusObFhOBxk9NDspc2y1y9bmpTXFbfFC2+25iaAmRjhmT3 OCdOlhHdUqf4zJp9gByg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1rso9s-00000008QKV-0jeT; Fri, 05 Apr 2024 18:19:24 +0000 Received: from pandora.armlinux.org.uk ([2001:4d48:ad52:32c8:5054:ff:fe00:142]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1rso9o-00000008QIz-2gy9 for linux-arm-kernel@lists.infradead.org; Fri, 05 Apr 2024 18:19:22 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=armlinux.org.uk; s=pandora-2019; h=Sender:In-Reply-To: Content-Transfer-Encoding:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=78zodIlf2id93sGgo87RUv6tjv4oQ4pNi83y08mn66s=; b=i0B2OSKKQ+YnkGLQ7fe+OSdfRU XcZvIyYdwQj4pbTuMMQ9CO5AY0fZl5Gnq93sDigw0Qyg59kyL+y6ayxo2+y5rYz8E4tsOAC44QQGI CQUAKeaQXCpN9nbUy6q12VP79A4e7A2qH5gjT93NxGYK91z5ONa2Wxs0aDS4EXfHzhRXP16hLxF/H 7Gu2gYvmkBp/77WCASD9rLbVyK79lh3Dtq6dMdDKDxIjT0VtUl8OhyqBpyaShGjpLBNAJ8OM42gMX B+D4JXbo0yqGGSs9IeL+3XL/qAxsow0Djc8GntmOzBj3Ndv0QBOjo645RvO3oQg197pongk5ktcjC Gj1Kq83Q==; Received: from shell.armlinux.org.uk ([fd8f:7570:feb6:1:5054:ff:fe00:4ec]:46188) by pandora.armlinux.org.uk with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1rso9g-0002jG-0U; Fri, 05 Apr 2024 19:19:12 +0100 Received: from linux by shell.armlinux.org.uk with local (Exim 4.94.2) (envelope-from ) id 1rso9e-0001a9-79; Fri, 05 Apr 2024 19:19:10 +0100 Date: Fri, 5 Apr 2024 19:19:10 +0100 From: "Russell King (Oracle)" To: Andrii Nakryiko Cc: Alexei Starovoitov , Puranjay Mohan , Mark Rutland , Andrew Morton , linux-arm-kernel , syzbot , LKML , linux-mm , syzkaller-bugs , bpf Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2) Message-ID: References: <000000000000e9a8d80615163f2a@google.com> <20240403184149.0847a9d614f11b249529fd02@linux-foundation.org> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240405_111920_732187_5D1925D2 X-CRM114-Status: GOOD ( 44.08 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org T24gRnJpLCBBcHIgMDUsIDIwMjQgYXQgMTA6NTA6MzBBTSAtMDcwMCwgQW5kcmlpIE5ha3J5aWtv IHdyb3RlOgo+IE9uIEZyaSwgQXByIDUsIDIwMjQgYXQgOTozMOKAr0FNIEFsZXhlaSBTdGFyb3Zv aXRvdgo+IDxhbGV4ZWkuc3Rhcm92b2l0b3ZAZ21haWwuY29tPiB3cm90ZToKPiA+Cj4gPiBPbiBG cmksIEFwciA1LCAyMDI0IGF0IDQ6MzbigK9BTSBSdXNzZWxsIEtpbmcgKE9yYWNsZSkKPiA+IDxs aW51eEBhcm1saW51eC5vcmcudWs+IHdyb3RlOgo+ID4gPgo+ID4gPiBPbiBGcmksIEFwciAwNSwg MjAyNCBhdCAxMjowMjozNlBNICswMTAwLCBNYXJrIFJ1dGxhbmQgd3JvdGU6Cj4gPiA+ID4gT24g VGh1LCBBcHIgMDQsIDIwMjQgYXQgMDM6NTc6MDRQTSAtMDcwMCwgQWxleGVpIFN0YXJvdm9pdG92 IHdyb3RlOgo+ID4gPiA+ID4gT24gV2VkLCBBcHIgMywgMjAyNCBhdCA2OjU24oCvUE0gQW5kcmV3 IE1vcnRvbiA8YWtwbUBsaW51eC1mb3VuZGF0aW9ub3JnPiB3cm90ZToKPiA+ID4gPiA+ID4KPiA+ ID4gPiA+ID4gT24gTW9uLCAwMSBBcHIgMjAyNCAyMjoxOToyNSAtMDcwMCBzeXpib3QgPHN5emJv dCsxODY1MjI2NzBlNjcyMjY5MmQ4NkBzeXprYWxsZXIuYXBwc3BvdG1haWwuY29tPiB3cm90ZToK PiA+ID4gPiA+ID4KPiA+ID4gPiA+ID4gPiBIZWxsbywKPiA+ID4gPiA+ID4KPiA+ID4gPiA+ID4g VGhhbmtzLiAgQ2M6IGJwZkB2Z2VyLmtlcm5lbC5vcmcKPiA+ID4gPiA+Cj4gPiA+ID4gPiBJIHN1 c3BlY3QgdGhlIGlzc3VlIGlzIG5vdCBvbiBicGYgc2lkZS4KPiA+ID4gPiA+IExvb2tzIGxpa2Ug dGhlIGJ1ZyBpcyBzb21ld2hlcmUgaW4gYXJtMzIgYml0cy4KPiA+ID4gPiA+IGNvcHlfZnJvbV9r ZXJuZWxfbm9mYXVsdCgpIGlzIGNhbGxlZCBmcm9tIGxvdHMgb2YgcGxhY2VzLgo+ID4gPiA+ID4g YnBmIGlzIGp1c3Qgb25lIHVzZXIgdGhhdCBpcyBlYXN5IGZvciBzeXpib3QgdG8gZnV6ei4KPiA+ ID4gPiA+IEludGVyZXN0aW5nbHkgYXJtIGRlZmluZXMgY29weV9mcm9tX2tlcm5lbF9ub2ZhdWx0 X2FsbG93ZWQoKQo+ID4gPiA+ID4gdGhhdCBzaG91bGQgaGF2ZSBmaWx0ZXJlZCBvdXQgdXNlciBh ZGRyZXNzZXMuCj4gPiA+ID4gPiBJbiB0aGlzIGNhc2UgZmZmZmZmZTkgaXMgcHJvYmFibHkgYSBr ZXJuZWwgYWRkcmVzcz8KPiA+ID4gPgo+ID4gPiA+IEl0J3MgYXQgdGhlIGVuZCBvZiB0aGUga2Vy bmVsIHJhbmdlLCBhbmQgaXQncyBFUlJfUFRSKC1FSU5WQUwpLgo+ID4gPiA+Cj4gPiA+ID4gMHhm ZmZmZmZlOSBpcyAtMHgxNiwgd2hpY2ggaXMgLTIyLCB3aGljaCBpcyAtRUlOVkFMLgo+ID4gPiA+ Cj4gPiA+ID4gPiBCdXQgdGhlIGtlcm5lbCBpcyBkb2luZyBhIHdyaXRlPwo+ID4gPiA+ID4gV2hp Y2ggbWFrZXMgbm8gc2Vuc2UsIHNpbmNlIGNvcHlfZnJvbV9rZXJuZWxfbm9mYXVsdCBpcyBwcm9i ZSByZWFkaW5nLgo+ID4gPiA+Cj4gPiA+ID4gSXQgbWFrZXMgcGVyZmVjdCBzZW5zZTsgdGhlIHJl YWQgZnJvbSAnc3JjJyBoYXBwZW5lZCwgdGhlbiB0aGUga2VybmVsIHRyaWVzIHRvCj4gPiA+ID4g d3JpdGUgdGhlIHJlc3VsdCB0byAnZHN0JywgYW5kIHRoYXQgYWxpZ25zIHdpdGggdGhlIGRpc2Fz c2VtYmx5IGluIHRoZSByZXBvcnQKPiA+ID4gPiBiZWxvdywgd2hpY2ggSSBiZWxlaXZlIGlzOgo+ ID4gPiA+Cj4gPiA+ID4gICAgICA4OiBlNDk0MjAwMCAgICAgICAgbGRyICAgICByMiwgW3I0XSwg IzAgIDwtLSBSZWFkIG9mICdzcmMnLCBmYXVsdCBmaXh1cCBpcyBlbHNld2hlcmUKPiA+ID4gPiAg ICAgIGM6IGUzNTMwMDAwICAgICAgICBjbXAgICAgIHIzLCAjMAo+ID4gPiA+ICAgKiAxMDogZTU4 NTIwMDAgICAgICAgIHN0ciAgICAgcjIsIFtyNV0gICAgICA8LS0gV3JpdGUgdG8gJ2RzdCcKPiA+ ID4gPgo+ID4gPiA+IEFzIGFib3ZlLCBpdCBsb29rcyBsaWtlICdkc3QnIGlzIEVSUl9QVFIoLUVJ TlZBTCkuCj4gPiA+ID4KPiA+ID4gPiBBcmUgeW91IGNlcnRhaW4gdGhhdCBCUEYgaXMgcGFzc2lu ZyBhIHNhbmUgdmFsdWUgZm9yICdkc3QnPyBXaGVyZSBkb2VzIHRoYXQKPiA+ID4gPiBjb21lIGZy b20gaW4gdGhlIGZpcnN0IHBsYWNlPwo+ID4gPgo+ID4gPiBJdCBsb29rcyB0byBtZSBsaWtlIGl0 IGdldHMgcGFzc2VkIGluIGZyb20gdGhlIEJQRiBwcm9ncmFtLCBhbmQgdGhlCj4gPiA+ICJ0eXBl IiBmb3IgdGhlIGFyZ3VtZW50IGlzIHNldCB0byBBUkdfUFRSX1RPX1VOSU5JVF9NRU0uIFdoYXQg dGhhdAo+ID4gPiBtZWFucyBmb3IgdmFsaWRhdGlvbiBwdXJwb3NlcywgSSd2ZSBubyBpZGVhLCBJ J20gbm90IGEgQlBGIGhhY2tlci4KPiA+ID4KPiA+ID4gT2J2aW91c2x5LCBpZiBCUEYgaXMgYWxs b3dpbmcgY29weV9mcm9tX2tlcm5lbF9ub2ZhdWx0KCkgdG8gYmUgcGFzc2VkCj4gPiA+IGFuIGFy Yml0YXJ5IGRlc3RpbmF0aW9uIGFkZHJlc3MsIHRoYXQgd291bGQgYmUgYSBodWdlIHNlY3VyaXR5 IGhvbGUuCj4gPgo+ID4gSWYgdGhhdCdzIHRoZSBjYXNlIHRoYXQncyBpbmRlZWQgYSBnaWFudCBz ZWN1cml0eSBob2xlLAo+ID4gYnV0IEkgZG91YnQgaXQuIFdlIHdvdWxkIGJlIGNyYXNoaW5nIG90 aGVyIGFyY2hzIGFzIHdlbGwuCj4gPiBJIGNhbm5vdCByZWFsbHkgdGVsbCB3aGV0aGVyIGFybTMy IEpJVCBpcyBvbi4KPiA+IElmIGl0IGlzLCBpdCdzIGxpa2VseSBhIGJ1ZyB0aGVyZS4KPiA+IFB1 cmFuamF5LAo+ID4gY291bGQgeW91IHBsZWFzZSB0YWtlIGEgbG9vay4KPiA+Cj4gCj4gSSBkdW1w ZWQgdGhlIEJQRiBwcm9ncmFtIHRoYXQgcmVwcm8uYyBpcyBsb2FkaW5nLCBpdCB3b3JrcyBvbiB4 ODYtNjQKPiBhbmQgdGhlcmUgaXMgbm90aGluZyBzcGVjaWFsIHRoZXJlLiBXZSBhcmUgcHJvYmUt cmVhZGluZyA1IGJ5dGVzIGZyb20KPiBzb21ld2hlcmUgaW50byB0aGUgc3RhY2suIEV2ZXJ5dGhp bmcgaXMgdW5hbGlnbmVkIGhlcmUsIGJ1dCBzdGF5cwo+IHdpdGhpbiBhIHdlbGwtZGVmaW5lZCBt ZW1vcnkgc2xvdC4KPiAKPiBOb3RlIHRoZSByMyA9IChzOClyMSwgdGhhdCdzIGEgbmV3LWlzaCB0 aGluZywgbWF5YmUgYnVnIGlzIHNvbWV3aGVyZQo+IHRoZXJlIChidXQgdGhlbiBpdCB3b3VsZCBi ZSBKSVQsIG5vdCB2ZXJpZmllciBpdHNlbGYpCj4gCj4gICAgMDogKDdhKSAqKHU2NCAqKShyMTAg LTgpID0gODk2NTQyMDY5Cj4gICAgMTogKGJmKSByMSA9IHIxMAo+ICAgIDI6ICgwNykgcjEgKz0g LTcKPiAgICAzOiAoYjcpIHIyID0gNQo+ICAgIDQ6IChiZikgcjMgPSAoczgpcjEKPiAgICA1OiAo ODUpIGNhbGwgYnBmX3Byb2JlX3JlYWRfa2VybmVsIy03MjM5MAoKQmVmb3JlIGp1bXBpbmcgdG8g Y29uY2x1c2lvbnMsIGxldCdzIHRyeSB0byB1bnJhdmVsIHdoYXQncyBnb2luZyBvbgpoZXJlLgoK V2UncmUgY2FsbGluZyBicGZfcHJvYmVfcmVhZF9rZXJuZWwoKSwgYW5kIHRoZSBhcmd1bWVudHMg dG8gdGhpcyBhcmU6CgoJdm9pZCAqZHN0CQk7IHIxCgl1MzIgc2l6ZQkJOyByMgoJY29uc3Qgdm9p ZCAqdW5zYWZlX3B0cgk7IHIzCgpUaGUgcHJvYmxlbSB0aGF0IGhhcyBiZWVuIHJlcG9ydGVkIGlz IHRoYXQgdGhlIF9zdG9yZV8gaW4KY29weV9mcm9tX2tlcm5lbF9ub2ZhdWx0KCkuIFRodXMgaXQn cyB0aGUgZGVzdGluYXRpb24gcG9pbnRlciB0aGF0J3MKdGhlIHByb2JsZSwgYW5kIHRodXMgdGhh dCBpcyB0aGUgdmFsdWUgdGhhdCBlbmRzIHVwIGluIHIxLgoKV2hhdCB3ZSBjYW4gYWxzbyBzZWUg aW4gdGhlIGR1bXAgaXMgdGhhdCB0aGUgYWRkcmVzcyBiZWluZyByZWFkIGZyb20KaXMgdGhlIHNh bWUgYXMgdGhlIGFkZHJlc3MgYmVpbmcgd3JpdHRlbiwgYW5kIHRoZXNlIGFyZSBib3RoCjB4ZmZm ZmZmZTkgb3IgLTIyLiBUaGlzIHdvdWxkIG1lYW4gdGhhdCBib3RoIHIzIGFuZCByMSBjb250YWlu IHRoZQpzYW1lIHZhbHVlLgoKVW53aW5kaW5nIHRoZSBjb2RlIGZ1cnRoZXIsIHIxIGNvbWVzIGZy b20gcjEwIC0gNy4gU28gcjEwIHByb2JhYmx5CndhcyAtMTUuCgpOZWl0aGVyIG9mIHRoZXNlIGFy ZSB2YWxpZCBzdGFjayBhZGRyZXNzZXMgb24gMzItYml0IEFSTS4KCk5vdywgdG8gcmVwZWF0IHRo ZSBzYW1lIHF1ZXN0aW9uLiBJcyB0aGUgQlBGIEpJVCBvbiBmb3IgdGhpcyB0ZXN0PwpUaGlzIGlz IGEgY3J1Y2lhbCBwaWVjZSBvZiBpbmZvcm1hdGlvbiwgYmVjYXVzZSBpdCB0ZWxscyB1cyB3aGV0 aGVyCndlIG5lZWQgdG8gbG9vayBhdCB0aGUgSklUIG9yIHdoZXRoZXIgdGhlcmUncyBhIHByb2Js ZW0gd2l0aCB0aGUKQlBGIGludGVycHJldGVyLiBQbGVhc2UgYW5zd2VyIHRoaXMgcXVlc3Rpb24u CgpUaGUgbmV4dCBxdWVzdGlvbiB0byBCUEYgcGVvcGxlIGlzLi4uIHdoYXQgaXMgcjEwPyBJcyB0 aGF0IHN1cHBvc2VkCnRvIGJlIHRoZSByZWFkLW9ubHkgZnJhbWUgcG9pbnRlcj8gSWYgc28sIHdo eSBpcyBpdCBjYWxsZWQgcjEwIGFuZApub3Qgc29tZXRoaW5nIG1vcmUgcmVhZGFibGU/IEknbSBn dWVzc2luZyB0aGF0IHRoZSBkZWZpbml0aW9uIGlzCkJQRl9SRUdfRlAsIGJ1dCBJJ20gZ3Jhc3Bp bmcgYXQgc3RyYXdzIGhlcmUgKEJQRiBwZW9wbGUsIGZpeCB5b3VyCmRlYnVnIHNvIHBlb3BsZSB3 aG8gZG9uJ3Qga25vdyBCUEYgaW5zaWRlIG91dCBjYW4gdW5kZXJzdGFuZCBpdCEpCgpJZiB0aGUg QlBGIEpJVCBpcyBiZWluZyB1c2VkLCBJIHRoaW5rIHRoZSBuZXh0IHRoaW5nIHdoaWNoIG5lZWRz IHRvCmhhcHBlbiBpcyB0aGF0IHRoZSBCUEYgSklUIGRlYnVnIG5lZWRzIHRvIGJlIGVuYWJsZWQu IElmCi9wcm9jL3N5cy9uZXQvY29yZS9icGZfaml0X2VuYWJsZSBjb250YWlucyBhIHZhbHVlIGdy ZWF0ZXIgdGhhbiAxLAp0aGVuIHRoZSBBUk0gYXNzZW1ibHkgd2lsbCBiZSBoZXhkdW1wZWQuIE9u ZSBvZiB0aGUgYW5ub3lpbmcgdGhpbmdzCmlzIGdvaW5nIHRvIGJlIHBpZWNpbmcgdGhlIGhleGR1 bXAgdG9nZXRoZXIsIGNvbnZlcnRpbmcgaXQgaW50byBhCmZvcm0gdGhhdCBjYW4gdGhlbiBiZSB0 dXJuZWQgaW50byBhIGJpbmFyeSBmaWxlLCB0byB0aGVuIGJlCmRpc2Fzc2VtYmxlZCBieSBvYmpk dW1wLgoKLS0gClJNSydzIFBhdGNoIHN5c3RlbTogaHR0cHM6Ly93d3cuYXJtbGludXgub3JnLnVr L2RldmVsb3Blci9wYXRjaGVzLwpGVFRQIGlzIGhlcmUhIDgwTWJwcyBkb3duIDEwTWJwcyB1cC4g RGVjZW50IGNvbm5lY3Rpdml0eSBhdCBsYXN0IQoKX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX18KbGludXgtYXJtLWtlcm5lbCBtYWlsaW5nIGxpc3QKbGludXgt YXJtLWtlcm5lbEBsaXN0cy5pbmZyYWRlYWQub3JnCmh0dHA6Ly9saXN0cy5pbmZyYWRlYWQub3Jn L21haWxtYW4vbGlzdGluZm8vbGludXgtYXJtLWtlcm5lbAo=