[PATCH bpf-next v2] bpf: Fix special fields mem leak for non-prealloc maps

[PATCH bpf-next v2] bpf: Fix special fields mem leak for non-prealloc maps

[Mykyta Yatsenko]

From: Mykyta Yatsenko <yatsenko@meta.com>

cancel_and_free() uses xchg(&ptr, NULL) to steal the cb/ctx pointer.
For non-preallocated maps, the element is freed via bpf_mem_cache_free()
making it immediately available for reuse. Between the xchg and the
free, a concurrent BPF program sees NULL, treats it as first use,
allocates a new cb/ctx, and stores it via cmpxchg. The allocation is
then orphaned when the element is freed, causing a memory leak.

Use BPF_PTR_POISON instead of NULL in the xchg so that concurrent
readers can distinguish "being destroyed" from "never initialized"
and refuse to allocate. For preallocated maps, clear the poison
before recycled elements are handed back to BPF programs.

Fixes: 1bfbc267ec91 ("bpf: Enable bpf_timer and bpf_wq in any context")
Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
---
 include/linux/bpf.h   | 30 ++++++++++++++++++++++++++++++
 kernel/bpf/arraymap.c |  4 ++--
 kernel/bpf/hashtab.c  |  5 +++++
 kernel/bpf/helpers.c  | 25 +++++++++++++------------
 4 files changed, 50 insertions(+), 14 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index cd9b96434904..90006a910dd6 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -671,6 +671,36 @@ static inline bool bpf_map_has_internal_structs(struct bpf_map *map)
 
 void bpf_map_free_internal_structs(struct bpf_map *map, void *obj);
 
+/*
+ * Clear special fields (timer/wq/task_work) poisoned by cancel_and_free()
+ * in recycled map elements.
+ *
+ * Uses WRITE_ONCE to match the READ_ONCE/xchg/cmpxchg used by concurrent
+ * readers on the underlying pointer (bpf_async_kern.cb / bpf_task_work_kern.ctx).
+ */
+static inline void bpf_obj_init_special_fields(const struct btf_record *rec, void *obj)
+{
+	void **p;
+
+	if (IS_ERR_OR_NULL(rec))
+		return;
+
+	if (rec->timer_off >= 0) {
+		p = obj + rec->timer_off;
+		WRITE_ONCE(*p, NULL);
+	}
+
+	if (rec->wq_off >= 0) {
+		p = obj + rec->wq_off;
+		WRITE_ONCE(*p, NULL);
+	}
+
+	if (rec->task_work_off >= 0) {
+		p = obj + rec->task_work_off;
+		WRITE_ONCE(*p, NULL);
+	}
+}
+
 int bpf_dynptr_from_file_sleepable(struct file *file, u32 flags,
 				   struct bpf_dynptr *ptr__uninit);
 
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 67e9e811de3a..0ef68e5c4c90 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -386,7 +386,6 @@ static long array_map_update_elem(struct bpf_map *map, void *key, void *value,
 	if (array->map.map_type == BPF_MAP_TYPE_PERCPU_ARRAY) {
 		val = this_cpu_ptr(array->pptrs[index & array->index_mask]);
 		copy_map_value(map, val, value);
-		bpf_obj_free_fields(array->map.record, val);
 	} else {
 		val = array->value +
 			(u64)array->elem_size * (index & array->index_mask);
@@ -394,8 +393,9 @@ static long array_map_update_elem(struct bpf_map *map, void *key, void *value,
 			copy_map_value_locked(map, val, value, false);
 		else
 			copy_map_value(map, val, value);
-		bpf_obj_free_fields(array->map.record, val);
 	}
+	bpf_obj_free_fields(array->map.record, val);
+	bpf_obj_init_special_fields(array->map.record, val);
 	return 0;
 }
 
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 3b9d297a53be..7e93ece61296 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -300,6 +300,8 @@ static struct htab_elem *prealloc_lru_pop(struct bpf_htab *htab, void *key,
 		bpf_map_inc_elem_count(&htab->map);
 		l = container_of(node, struct htab_elem, lru_node);
 		memcpy(l->key, key, htab->map.key_size);
+		bpf_obj_init_special_fields(htab->map.record,
+					    htab_elem_value(l, htab->map.key_size));
 		return l;
 	}
 
@@ -1033,6 +1035,9 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key,
 	}
 
 	memcpy(l_new->key, key, key_size);
+	/* Clear special fields poisoned by cancel_and_free() in recycled elements */
+	bpf_obj_init_special_fields(htab->map.record, htab_elem_value(l_new, key_size));
+
 	if (percpu) {
 		if (prealloc) {
 			pptr = htab_elem_get_ptr(l_new, key_size);
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 7ac32798eb04..4e95bc085578 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1477,7 +1477,7 @@ static int __bpf_async_set_callback(struct bpf_async_kern *async, void *callback
 	struct bpf_async_cb *cb;
 
 	cb = READ_ONCE(async->cb);
-	if (!cb)
+	if (!cb || cb == BPF_PTR_POISON)
 		return -EINVAL;
 
 	return bpf_async_update_prog_callback(cb, prog, callback_fn);
@@ -1511,7 +1511,7 @@ BPF_CALL_3(bpf_timer_start, struct bpf_async_kern *, async, u64, nsecs, u64, fla
 		return -EINVAL;
 
 	t = READ_ONCE(async->timer);
-	if (!t || !READ_ONCE(t->cb.prog))
+	if (!t || (void *)t == BPF_PTR_POISON || !READ_ONCE(t->cb.prog))
 		return -EINVAL;
 
 	if (flags & BPF_F_TIMER_ABS)
@@ -1557,7 +1557,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_async_kern *, async)
 		return -EOPNOTSUPP;
 
 	t = READ_ONCE(async->timer);
-	if (!t)
+	if (!t || (void *)t == BPF_PTR_POISON)
 		return -EINVAL;
 
 	cur_t = this_cpu_read(hrtimer_running);
@@ -1669,11 +1669,8 @@ static void bpf_async_cancel_and_free(struct bpf_async_kern *async)
 {
 	struct bpf_async_cb *cb;
 
-	if (!READ_ONCE(async->cb))
-		return;
-
-	cb = xchg(&async->cb, NULL);
-	if (!cb)
+	cb = xchg(&async->cb, BPF_PTR_POISON);
+	if (!cb || cb == BPF_PTR_POISON)
 		return;
 
 	bpf_async_update_prog_callback(cb, NULL, NULL);
@@ -3183,7 +3180,7 @@ __bpf_kfunc int bpf_wq_start(struct bpf_wq *wq, unsigned int flags)
 		return -EINVAL;
 
 	w = READ_ONCE(async->work);
-	if (!w || !READ_ONCE(w->cb.prog))
+	if (!w || (void *)w == BPF_PTR_POISON || !READ_ONCE(w->cb.prog))
 		return -EINVAL;
 
 	if (!refcount_inc_not_zero(&w->cb.refcnt))
@@ -4267,6 +4264,8 @@ static struct bpf_task_work_ctx *bpf_task_work_fetch_ctx(struct bpf_task_work *t
 	struct bpf_task_work_ctx *ctx, *old_ctx;
 
 	ctx = READ_ONCE(twk->ctx);
+	if (ctx == BPF_PTR_POISON)
+		return ERR_PTR(-EINVAL);
 	if (ctx)
 		return ctx;
 
@@ -4285,6 +4284,8 @@ static struct bpf_task_work_ctx *bpf_task_work_fetch_ctx(struct bpf_task_work *t
 		 * memory and try to reuse already set context.
 		 */
 		bpf_mem_free(&bpf_global_ma, ctx);
+		if (old_ctx == BPF_PTR_POISON)
+			return ERR_PTR(-EINVAL);
 		return old_ctx;
 	}
 
@@ -4476,7 +4477,7 @@ __bpf_kfunc int bpf_timer_cancel_async(struct bpf_timer *timer)
 	int ret;
 
 	cb = READ_ONCE(async->cb);
-	if (!cb)
+	if (!cb || cb == BPF_PTR_POISON)
 		return -EINVAL;
 
 	/*
@@ -4517,8 +4518,8 @@ void bpf_task_work_cancel_and_free(void *val)
 	struct bpf_task_work_ctx *ctx;
 	enum bpf_task_work_state state;
 
-	ctx = xchg(&twk->ctx, NULL);
-	if (!ctx)
+	ctx = xchg(&twk->ctx, BPF_PTR_POISON);
+	if (!ctx || ctx == BPF_PTR_POISON)
 		return;
 
 	state = xchg(&ctx->state, BPF_TW_FREED);
-- 
2.53.0

Re: [PATCH bpf-next v2] bpf: Fix special fields mem leak for non-prealloc maps

[Puranjay Mohan]

Mykyta Yatsenko <mykyta.yatsenko5@gmail.com> writes:

> From: Mykyta Yatsenko <yatsenko@meta.com>
>
> cancel_and_free() uses xchg(&ptr, NULL) to steal the cb/ctx pointer.
> For non-preallocated maps, the element is freed via bpf_mem_cache_free()
> making it immediately available for reuse. Between the xchg and the
> free, a concurrent BPF program sees NULL, treats it as first use,
> allocates a new cb/ctx, and stores it via cmpxchg. The allocation is
> then orphaned when the element is freed, causing a memory leak.
>
> Use BPF_PTR_POISON instead of NULL in the xchg so that concurrent
> readers can distinguish "being destroyed" from "never initialized"
> and refuse to allocate. For preallocated maps, clear the poison
> before recycled elements are handed back to BPF programs.
>
> Fixes: 1bfbc267ec91 ("bpf: Enable bpf_timer and bpf_wq in any context")
> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
> ---
>  include/linux/bpf.h   | 30 ++++++++++++++++++++++++++++++
>  kernel/bpf/arraymap.c |  4 ++--
>  kernel/bpf/hashtab.c  |  5 +++++
>  kernel/bpf/helpers.c  | 25 +++++++++++++------------
>  4 files changed, 50 insertions(+), 14 deletions(-)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index cd9b96434904..90006a910dd6 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -671,6 +671,36 @@ static inline bool bpf_map_has_internal_structs(struct bpf_map *map)
>  
>  void bpf_map_free_internal_structs(struct bpf_map *map, void *obj);
>  
> +/*
> + * Clear special fields (timer/wq/task_work) poisoned by cancel_and_free()
> + * in recycled map elements.
> + *
> + * Uses WRITE_ONCE to match the READ_ONCE/xchg/cmpxchg used by concurrent
> + * readers on the underlying pointer (bpf_async_kern.cb / bpf_task_work_kern.ctx).
> + */
> +static inline void bpf_obj_init_special_fields(const struct btf_record *rec, void *obj)
> +{
> +	void **p;
> +
> +	if (IS_ERR_OR_NULL(rec))
> +		return;
> +
> +	if (rec->timer_off >= 0) {
> +		p = obj + rec->timer_off;
> +		WRITE_ONCE(*p, NULL);
> +	}
> +
> +	if (rec->wq_off >= 0) {
> +		p = obj + rec->wq_off;
> +		WRITE_ONCE(*p, NULL);
> +	}
> +
> +	if (rec->task_work_off >= 0) {
> +		p = obj + rec->task_work_off;
> +		WRITE_ONCE(*p, NULL);
> +	}
> +}
> +
>  int bpf_dynptr_from_file_sleepable(struct file *file, u32 flags,
>  				   struct bpf_dynptr *ptr__uninit);
>  
> diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
> index 67e9e811de3a..0ef68e5c4c90 100644
> --- a/kernel/bpf/arraymap.c
> +++ b/kernel/bpf/arraymap.c
> @@ -386,7 +386,6 @@ static long array_map_update_elem(struct bpf_map *map, void *key, void *value,
>  	if (array->map.map_type == BPF_MAP_TYPE_PERCPU_ARRAY) {
>  		val = this_cpu_ptr(array->pptrs[index & array->index_mask]);
>  		copy_map_value(map, val, value);
> -		bpf_obj_free_fields(array->map.record, val);
>  	} else {
>  		val = array->value +
>  			(u64)array->elem_size * (index & array->index_mask);
> @@ -394,8 +393,9 @@ static long array_map_update_elem(struct bpf_map *map, void *key, void *value,
>  			copy_map_value_locked(map, val, value, false);
>  		else
>  			copy_map_value(map, val, value);
> -		bpf_obj_free_fields(array->map.record, val);
>  	}
> +	bpf_obj_free_fields(array->map.record, val);
> +	bpf_obj_init_special_fields(array->map.record, val);
>  	return 0;
>  }
>  
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 3b9d297a53be..7e93ece61296 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -300,6 +300,8 @@ static struct htab_elem *prealloc_lru_pop(struct bpf_htab *htab, void *key,
>  		bpf_map_inc_elem_count(&htab->map);
>  		l = container_of(node, struct htab_elem, lru_node);
>  		memcpy(l->key, key, htab->map.key_size);
> +		bpf_obj_init_special_fields(htab->map.record,
> +					    htab_elem_value(l, htab->map.key_size));
>  		return l;
>  	}
>  
> @@ -1033,6 +1035,9 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key,
>  	}
>  
>  	memcpy(l_new->key, key, key_size);
> +	/* Clear special fields poisoned by cancel_and_free() in recycled elements */
> +	bpf_obj_init_special_fields(htab->map.record, htab_elem_value(l_new, key_size));
> +
>  	if (percpu) {
>  		if (prealloc) {
>  			pptr = htab_elem_get_ptr(l_new, key_size);
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 7ac32798eb04..4e95bc085578 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -1477,7 +1477,7 @@ static int __bpf_async_set_callback(struct bpf_async_kern *async, void *callback
>  	struct bpf_async_cb *cb;
>  
>  	cb = READ_ONCE(async->cb);
> -	if (!cb)
> +	if (!cb || cb == BPF_PTR_POISON)
>  		return -EINVAL;
>  
>  	return bpf_async_update_prog_callback(cb, prog, callback_fn);
> @@ -1511,7 +1511,7 @@ BPF_CALL_3(bpf_timer_start, struct bpf_async_kern *, async, u64, nsecs, u64, fla
>  		return -EINVAL;
>  
>  	t = READ_ONCE(async->timer);
> -	if (!t || !READ_ONCE(t->cb.prog))
> +	if (!t || (void *)t == BPF_PTR_POISON || !READ_ONCE(t->cb.prog))
>  		return -EINVAL;
>  
>  	if (flags & BPF_F_TIMER_ABS)
> @@ -1557,7 +1557,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_async_kern *, async)
>  		return -EOPNOTSUPP;
>  
>  	t = READ_ONCE(async->timer);
> -	if (!t)
> +	if (!t || (void *)t == BPF_PTR_POISON)
>  		return -EINVAL;
>  
>  	cur_t = this_cpu_read(hrtimer_running);
> @@ -1669,11 +1669,8 @@ static void bpf_async_cancel_and_free(struct bpf_async_kern *async)
>  {
>  	struct bpf_async_cb *cb;
>  
> -	if (!READ_ONCE(async->cb))
> -		return;

This check can be left so that we don't do xchg() if async->cb is NULL

> -	cb = xchg(&async->cb, NULL);
> -	if (!cb)
> +	cb = xchg(&async->cb, BPF_PTR_POISON);
> +	if (!cb || cb == BPF_PTR_POISON)
>  		return;
>  
>  	bpf_async_update_prog_callback(cb, NULL, NULL);
> @@ -3183,7 +3180,7 @@ __bpf_kfunc int bpf_wq_start(struct bpf_wq *wq, unsigned int flags)
>  		return -EINVAL;
>  
>  	w = READ_ONCE(async->work);
> -	if (!w || !READ_ONCE(w->cb.prog))
> +	if (!w || (void *)w == BPF_PTR_POISON || !READ_ONCE(w->cb.prog))
>  		return -EINVAL;
>  
>  	if (!refcount_inc_not_zero(&w->cb.refcnt))
> @@ -4267,6 +4264,8 @@ static struct bpf_task_work_ctx *bpf_task_work_fetch_ctx(struct bpf_task_work *t
>  	struct bpf_task_work_ctx *ctx, *old_ctx;
>  
>  	ctx = READ_ONCE(twk->ctx);
> +	if (ctx == BPF_PTR_POISON)
> +		return ERR_PTR(-EINVAL);
>  	if (ctx)
>  		return ctx;
>  
> @@ -4285,6 +4284,8 @@ static struct bpf_task_work_ctx *bpf_task_work_fetch_ctx(struct bpf_task_work *t
>  		 * memory and try to reuse already set context.
>  		 */
>  		bpf_mem_free(&bpf_global_ma, ctx);
> +		if (old_ctx == BPF_PTR_POISON)
> +			return ERR_PTR(-EINVAL);
>  		return old_ctx;
>  	}
>  
> @@ -4476,7 +4477,7 @@ __bpf_kfunc int bpf_timer_cancel_async(struct bpf_timer *timer)
>  	int ret;
>  
>  	cb = READ_ONCE(async->cb);
> -	if (!cb)
> +	if (!cb || cb == BPF_PTR_POISON)
>  		return -EINVAL;
>  
>  	/*
> @@ -4517,8 +4518,8 @@ void bpf_task_work_cancel_and_free(void *val)
>  	struct bpf_task_work_ctx *ctx;
>  	enum bpf_task_work_state state;
>  
> -	ctx = xchg(&twk->ctx, NULL);
> -	if (!ctx)
> +	ctx = xchg(&twk->ctx, BPF_PTR_POISON);
> +	if (!ctx || ctx == BPF_PTR_POISON)

Should we create a helper macro for the repeated !ptr || (void *)ptr ==
BPF_PTR_POISON pattern

>  		return;
>  
>  	state = xchg(&ctx->state, BPF_TW_FREED);
> -- 
> 2.53.0

Re: [PATCH bpf-next v2] bpf: Fix special fields mem leak for non-prealloc maps

[kernel test robot]

Hi Mykyta,

kernel test robot noticed the following build warnings:

[auto build test WARNING on bpf-next/master]

url:    https://github.com/intel-lab-lkp/linux/commits/Mykyta-Yatsenko/bpf-Fix-special-fields-mem-leak-for-non-prealloc-maps/20260216-211513
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
patch link:    https://lore.kernel.org/r/20260216131341.1285427-1-mykyta.yatsenko5%40gmail.com
patch subject: [PATCH bpf-next v2] bpf: Fix special fields mem leak for non-prealloc maps
config: parisc-randconfig-r112-20260217 (https://download.01.org/0day-ci/archive/20260217/202602170623.VkzXTazv-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 9.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260217/202602170623.VkzXTazv-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602170623.VkzXTazv-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   kernel/bpf/helpers.c:1212:21: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected unsigned long long ( *[usertype] callback_fn )( ... ) @@     got void [noderef] __rcu * @@
   kernel/bpf/helpers.c:1212:21: sparse:     expected unsigned long long ( *[usertype] callback_fn )( ... )
   kernel/bpf/helpers.c:1212:21: sparse:     got void [noderef] __rcu *
   kernel/bpf/helpers.c:2601:18: sparse: sparse: symbol 'bpf_task_release_dtor' was not declared. Should it be static?
   kernel/bpf/helpers.c:2631:18: sparse: sparse: symbol 'bpf_cgroup_release_dtor' was not declared. Should it be static?
   kernel/bpf/helpers.c: note: in included file (through arch/parisc/include/asm/atomic.h, include/linux/atomic.h, arch/parisc/include/asm/bitops.h, ...):
>> arch/parisc/include/asm/cmpxchg.h:32:39: sparse: sparse: cast truncates bits from constant value (eb9f becomes 9f)
>> arch/parisc/include/asm/cmpxchg.h:32:39: sparse: sparse: cast truncates bits from constant value (eb9f becomes 9f)

vim +32 arch/parisc/include/asm/cmpxchg.h

9e5228ce0b9619 Paul Gortmaker    2012-04-01  22  
9e5228ce0b9619 Paul Gortmaker    2012-04-01  23  /* optimizer better get rid of switch since size is a constant */
9e5228ce0b9619 Paul Gortmaker    2012-04-01  24  static inline unsigned long
068550631fbe0b Andrzej Hajda     2023-01-18  25  __arch_xchg(unsigned long x, volatile void *ptr, int size)
9e5228ce0b9619 Paul Gortmaker    2012-04-01  26  {
9e5228ce0b9619 Paul Gortmaker    2012-04-01  27  	switch (size) {
9e5228ce0b9619 Paul Gortmaker    2012-04-01  28  #ifdef CONFIG_64BIT
2a7d4eed5720d1 John David Anglin 2020-10-02  29  	case 8: return __xchg64(x, (volatile unsigned long *) ptr);
9e5228ce0b9619 Paul Gortmaker    2012-04-01  30  #endif
2a7d4eed5720d1 John David Anglin 2020-10-02  31  	case 4: return __xchg32((int) x, (volatile int *) ptr);
2a7d4eed5720d1 John David Anglin 2020-10-02 @32  	case 1: return __xchg8((char) x, (volatile char *) ptr);
9e5228ce0b9619 Paul Gortmaker    2012-04-01  33  	}
9e5228ce0b9619 Paul Gortmaker    2012-04-01  34  	__xchg_called_with_bad_pointer();
9e5228ce0b9619 Paul Gortmaker    2012-04-01  35  	return x;
9e5228ce0b9619 Paul Gortmaker    2012-04-01  36  }
9e5228ce0b9619 Paul Gortmaker    2012-04-01  37  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH bpf-next v2] bpf: Fix special fields mem leak for non-prealloc maps

[Varun R Mallya]

Hey Mykyta! I saw that you haven't really come back to this in a while.
Is it alright if I try to continue with the patch ? Since it's mostly minor changes
that are left, I'll try to get it to pass CI and implement the reviews
Puranjay gave. Is it alright if I submit a v3 ?

Re: [PATCH bpf-next v2] bpf: Fix special fields mem leak for non-prealloc maps

[Kumar Kartikeya Dwivedi]

On Tue, 17 Mar 2026 at 10:30, Varun R Mallya <varunrmallya@gmail.com> wrote:
>
> Hey Mykyta! I saw that you haven't really come back to this in a while.
> Is it alright if I try to continue with the patch ? Since it's mostly minor changes
> that are left, I'll try to get it to pass CI and implement the reviews
> Puranjay gave. Is it alright if I submit a v3 ?
>

It was superseded by
https://lore.kernel.org/bpf/20260227224806.646888-1-memxor@gmail.com.