From: Puranjay Mohan
To: syzbot
Cc: Andrii Nakryiko, Alexei Starovoitov, Mark Rutland, Andrew Morton, linux-arm-kernel, "Russell King (Oracle)", LKML, linux-mm, syzkaller-bugs, bpf
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2)
References: <000000000000e9a8d80615163f2a@google.com> <20240403184149.0847a9d614f11b249529fd02@linux-foundation.org>
Date: Tue, 09 Apr 2024 10:03:01 +0000
X-Mailing-List: bpf@vger.kernel.org

"Russell King (Oracle)" writes:

> On Tue, Apr 09, 2024 at 07:45:54AM +0000, Puranjay Mohan wrote:
>> "Russell King (Oracle)" writes:
>>
>> > On Fri, Apr 05, 2024 at 10:50:30AM -0700, Andrii Nakryiko wrote:
>> >> On Fri, Apr 5, 2024 at 9:30 AM Alexei Starovoitov
>> >> wrote:
>> >> >
>> >> > On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle)
>> >> > wrote:
>> >> > >
>> >> > > On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
>> >> > > > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
>> >> > > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton wrote:
>> >> > > > > >
>> >> > > > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot wrote:
>> >> > > > > >
>> >> > > > > > > Hello,
>> >> > > > > >
>> >> > > > > > Thanks. Cc: bpf@vger.kernel.org
>> >> > > > >
>> >> > > > > I suspect the issue is not on bpf side.
>> >> > > > > Looks like the bug is somewhere in arm32 bits.
>> >> > > > > copy_from_kernel_nofault() is called from lots of places.
>> >> > > > > bpf is just one user that is easy for syzbot to fuzz.
>> >> > > > > Interestingly arm defines copy_from_kernel_nofault_allowed()
>> >> > > > > that should have filtered out user addresses.
>> >> > > > > In this case ffffffe9 is probably a kernel address?
>> >> > > >
>> >> > > > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
>> >> > > >
>> >> > > > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
>> >> > > >
>> >> > > > > But the kernel is doing a write?
>> >> > > > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
>> >> > > >
>> >> > > > It makes perfect sense; the read from 'src' happened, then the kernel tries to
>> >> > > > write the result to 'dst', and that aligns with the disassembly in the report
>> >> > > > below, which I believe is:
>> >> > > >
>> >> > > >      8: e4942000        ldr     r2, [r4], #0  <-- Read of 'src', fault fixup is elsewhere
>> >> > > >      c: e3530000        cmp     r3, #0
>> >> > > >   * 10: e5852000        str     r2, [r5]      <-- Write to 'dst'
>> >> > > >
>> >> > > > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
>> >> > > >
>> >> > > > Are you certain that BPF is passing a sane value for 'dst'? Where does that
>> >> > > > come from in the first place?
>> >> > >
>> >> > > It looks to me like it gets passed in from the BPF program, and the
>> >> > > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
>> >> > > means for validation purposes, I've no idea, I'm not a BPF hacker.
>> >> > >
>> >> > > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
>> >> > > an arbitrary destination address, that would be a huge security hole.
>> >> >
>> >> > If that's the case that's indeed a giant security hole,
>> >> > but I doubt it. We would be crashing other archs as well.
>> >> > I cannot really tell whether arm32 JIT is on.
>> >> > If it is, it's likely a bug there.
>> >> > Puranjay,
>> >> > could you please take a look.
>> >> >
>> >>
>> >> I dumped the BPF program that repro.c is loading, it works on x86-64
>> >> and there is nothing special there. We are probe-reading 5 bytes from
>> >> somewhere into the stack. Everything is unaligned here, but stays
>> >> within a well-defined memory slot.
>> >>
>> >> Note the r3 = (s8)r1, that's a new-ish thing, maybe bug is somewhere
>> >> there (but then it would be JIT, not verifier itself)
>> >>
>> >>    0: (7a) *(u64 *)(r10 -8) = 896542069
>> >>    1: (bf) r1 = r10
>> >>    2: (07) r1 += -7
>> >>    3: (b7) r2 = 5
>> >>    4: (bf) r3 = (s8)r1
>> >>    5: (85) call bpf_probe_read_kernel#-72390
>> >
>>
>> I have started looking into this, the issue only reproduces when the JIT
>> is enabled. With the interpreter, it works fine.
>>
>> I used GDB to dump the JITed BPF program:
>>
>>    0xbf00012c:  push    {r4, r5, r6, r7, r8, r9, r11, lr}
>>    0xbf000130:  mov     r11, sp
>>    0xbf000134:  mov     r3, #0
>>    0xbf000138:  sub     r2, sp, #80     @ 0x50
>>    0xbf00013c:  sub     sp, sp, #88     @ 0x58
>>    0xbf000140:  strd    r2, [r11, #-64] @ 0xffffffc0
>>    0xbf000144:  mov     r2, #0
>>    0xbf000148:  strd    r2, [r11, #-72] @ 0xffffffb8
>>    0xbf00014c:  mov     r2, r0
>>    0xbf000150:  movw    r8, #9589       @ 0x2575
>>    0xbf000154:  movt    r8, #13680      @ 0x3570
>>    0xbf000158:  mov     r9, #0
>>    0xbf00015c:  ldr     r6, [r11, #-64] @ 0xffffffc0
>>    0xbf000160:  str     r8, [r6, #-8]
>>    0xbf000164:  str     r9, [r6, #-4]
>>    0xbf000168:  ldrd    r2, [r11, #-64] @ 0xffffffc0
>>    0xbf00016c:  movw    r8, #65529      @ 0xfff9
>>    0xbf000170:  movt    r8, #65535      @ 0xffff
>>    0xbf000174:  movw    r9, #65535      @ 0xffff
>>    0xbf000178:  movt    r9, #65535      @ 0xffff
>>    0xbf00017c:  adds    r2, r2, r8
>>    0xbf000180:  adc     r3, r3, r9
>>    0xbf000184:  mov     r6, #5
>>    0xbf000188:  mov     r7, #0
>>    0xbf00018c:  strd    r6, [r11, #-8]
>>    0xbf000190:  ldrd    r6, [r11, #-16]
>
> Up to this point, it looks correct. r2/r3 contain the stack pointer
> which corresponds to the instruction at "2:"
>
>>    0xbf000194:  lsl     r2, r2, #24
>>    0xbf000198:  asr     r2, r2, #24
>>    0xbf00019c:  str     r2, [r11, #-16]
>
> This then narrows the 64-bit pointer down to just 8!!! bits, but this
> is what the instruction at "4:" is asking for. However, it looks like
> it's happening to BPF's "r1" rather than "r3" and this is probably
> where the problem lies.
>
> I haven't got time to analyse this further this morning - I'm only
> around sporadically today. I'll try to look deeper at this later on.
>
> --
> RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
> FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

I found the problem. The implementation of Sign extended move is broken,
it clobbers the source register. I have sent a patch to fix it and also
fixed another issue that I saw:
https://lore.kernel.org/bpf/20240409095038.26356-1-puranjay@kernel.org/

I have manually tested with the reproducer but let's try to rerun the
reproducer through syzbot:

#syz test: https://github.com/puranjaymohan/linux.git arm32_movsx_fix
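Added example, not part of the thread and not the kernel's arm32 JIT code: a simplified C model of the quoted BPF program that compares a sign-extending move which extends in the source's register (the defect described above) with one that leaves the source intact. The names `reg64`, `movsx8_clobbering`, `movsx8_preserving` and `run_program` are hypothetical, and the frame pointer value is constructed so that the low byte of `r10 - 7` is 0xe9, giving the ffffffe9 value discussed in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* One 64-bit BPF register held as two 32-bit halves, as a 32-bit JIT must do. */
struct reg64 { uint32_t lo, hi; };

/* Arguments the helper call would receive in BPF r1, r2, r3 (low words). */
struct helper_args { uint32_t dst, size, src; };

typedef void (*movsx8_fn)(struct reg64 *dst, struct reg64 *src);

/* Sign-extend the low 8 bits to 32 bits: the effect of "lsl #24; asr #24". */
static uint32_t sext8(uint32_t v)
{
    return (v & 0x80u) ? (v | 0xffffff00u) : (v & 0xffu);
}

/* Model of the defect: the extension is done in the register that holds
 * the source, so the source operand is overwritten as a side effect. */
static void movsx8_clobbering(struct reg64 *dst, struct reg64 *src)
{
    src->lo = sext8(src->lo);            /* source pointer is destroyed here */
    dst->lo = src->lo;
    dst->hi = (dst->lo & 0x80000000u) ? 0xffffffffu : 0u;
}

/* Intended semantics of "r3 = (s8)r1": only the destination changes. */
static void movsx8_preserving(struct reg64 *dst, struct reg64 *src)
{
    uint32_t tmp = sext8(src->lo);       /* work on a scratch copy */
    dst->lo = tmp;
    dst->hi = (tmp & 0x80000000u) ? 0xffffffffu : 0u;
}

/* Runs instructions 1-4 of the quoted program and returns what would be
 * passed to bpf_probe_read_kernel() at instruction 5. Instruction 0 (the
 * stack store) does not affect the registers and is omitted. */
static struct helper_args run_program(movsx8_fn movsx8, uint32_t frame_ptr)
{
    struct reg64 r1, r2, r3, r10 = { frame_ptr, 0 };

    r1 = r10;                                          /* 1: r1 = r10    */
    uint64_t sum = (((uint64_t)r1.hi << 32) | r1.lo)
                   + (uint64_t)(int64_t)-7;            /* 2: r1 += -7    */
    r1.lo = (uint32_t)sum;
    r1.hi = (uint32_t)(sum >> 32);
    r2.lo = 5; r2.hi = 0;                              /* 3: r2 = 5      */
    movsx8(&r3, &r1);                                  /* 4: r3 = (s8)r1 */

    return (struct helper_args){ r1.lo, r2.lo, r3.lo };
}

int main(void)
{
    const uint32_t fp = 0xdfa5bff0u;   /* constructed frame pointer value */
    struct helper_args bad  = run_program(movsx8_clobbering, fp);
    struct helper_args good = run_program(movsx8_preserving, fp);

    printf("clobbering: dst=0x%08x size=%u src=0x%08x\n",
           (unsigned)bad.dst, (unsigned)bad.size, (unsigned)bad.src);
    printf("preserving: dst=0x%08x size=%u src=0x%08x\n",
           (unsigned)good.dst, (unsigned)good.size, (unsigned)good.src);
    return 0;
}
```

With the clobbering variant the destination handed to the helper is no longer the stack slot the verifier checked, which is why the fault only appears with the JIT enabled and not with the interpreter.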