From: "Leonardo Reiter"
To: QEMU Developers Mailing List
Reply-To: qemu-devel@nongnu.org
Date: Sat, 16 Feb 2008 10:06:02 -0500
Subject: [Qemu-devel] [PATCH] KQEMU error checking
Message-ID: <779506c70802160706x2734f0edy5e280ef9888a584b@mail.gmail.com>
List-Id: qemu-devel.nongnu.org

Hello,

in recent days I've been able to consistently panic an OpenSolaris kernel (build 79b, 64-bit on a dual-core Opteron with 4GB of RAM) by using KQEMU and running qemu with a -m (memory) parameter greater than about 1750. The panic would be due to a NULL pointer dereference and happen mainly in kqemu_init(). On Linux this does not seem to be a problem for some reason.

Anyway, while nowhere near understanding the root cause yet, I did sweep the code and came up with a patch to check for errors of certain internal functions, particularly errors that could eventually lead to NULL pointer dereferences, etc. So now either the kernel call will fail (and userspace will deal with it accordingly), or the monitor will just crash the running qemu process rather than panic the kernel if one of these error situations happens.

What I discovered is that almost all, if not all, of these error situations come from the return value of the function get_vaddr() in common/common.c not being checked by its callers. get_vaddr() can return -1 if there is no virtual address available, but its callers were often assuming the return value was valid. In particular, common/mon_get_ptep_l3() would ignore it and quickly lead to a kernel panic. I did not try the non-PAE version but I addressed it anyway with my patch.

I was able to identify 2 distinct situations that would lead to a kernel panic, driven by the -m parameter from userspace.

The first, if -m 1750, was likely due to mon_user_map() in common/kernel.c ignoring the return from get_vaddr(). I am not 100% sure about that as it was very difficult to debug this with the Solaris kernel debugger, but that's what I believe right now.

The second and more traceable problem came when using a value greater than or equal to about 1800 for -m. That would crash consistently in kqemu_init() in common/kernel.c around line 564, where the monitor PTE pages are cloned in each address space. The result was that mon_get_ptep_l3() was ignoring a -1 return value from get_vaddr(), and in turn kqemu_init() was also ignoring a potential NULL return value from mon_get_ptep_l3(), leading to a dereference of a NULL pointer.

My patch below may have detected one condition that is not really an error, in phys_page_find() of common/monitor.c. The return of get_vaddr() there is not actually dereferenced, so I'm not sure that when it gets passed into set_vaddr_page_index() it's okay for it to be -1. Still, this situation does happen (the monitor panic) if you run qemu with -m 1500 or so (I didn't compute the exact values that trigger it, sorry) and the guest (i.e. Windows 2000) runs for a while. Note that the errors do not seem to be related to using -m values that are powers of 10 instead of powers of 2; I tried both.

While it's important that a userspace process never panic a kernel, I'm sure some of the error checking below is not accurate or may mask another problem that should be fixed rather than detected. If someone who understands the KQEMU code better than me can take a look, I would appreciate it.

Note that I have both inlined and attached the patch for easy handling. The patch is against the latest KQEMU, and applies cleanly to either the one on www.qemu.org or the one from the OpenSolaris project. Special thanks to Juergen Keil for helping me with the Solaris kernel debugger (off list).
Best regards,
Leo Reiter

diff -Naur kqemu_1.0.3pre11-20070520/common/common.c kqemu_1.0.3pre11-20070520.new/common/common.c --- kqemu_1.0.3pre11-20070520/common/common.c 2007-05-20 07:35:07.000000000 -0400 +++ kqemu_1.0.3pre11-20070520.new/common/common.c 2008-02-15 16:29:21.000000000 -0500 @@ -252,6 +252,8 @@ pdp_page_index = pml4e >> PAGE_SHIFT; } pdp_page = page_index_to_addr(s, pdp_page_index); + if (!pdp_page) + return NULL; pdpe_index = (vaddr >> 30) & 0x1ff; pdpe = pdp_page[pdpe_index]; @@ -267,6 +269,8 @@ pde_page_index = pdpe >> PAGE_SHIFT; } pde_page = page_index_to_addr(s, pde_page_index); + if (!pde_page) + return NULL; pde_index = (vaddr >> 21) & 0x1ff; if (alloc == 2) @@ -284,6 +288,8 @@ pte_page_index = pde >> PAGE_SHIFT; } pte_page = page_index_to_addr(s, pte_page_index); + if (!pte_page) + return NULL; /* XXX - ?? we don't dereference pte_page here */ pte_index = (vaddr >> 12) & 0x1ff; #ifndef IN_MONITOR @@ -331,6 +337,8 @@ pde_page_index = pdpe >> PAGE_SHIFT; } pde_page = page_index_to_addr(s, pde_page_index); + if (!pde_page) + return NULL; pde_index = (vaddr >> 21) & 0x1ff; if (alloc == 2) @@ -348,6 +356,8 @@ pte_page_index = pde >> PAGE_SHIFT; } pte_page = page_index_to_addr(s, pte_page_index); + if (!pte_page) + return NULL; /* XXX - ?? we don't dereference pte_page here */ pte_index = (vaddr >> 12) & 0x1ff; #ifndef IN_MONITOR @@ -387,6 +397,9 @@ pte_page_index = pde >> PAGE_SHIFT; } pte_page = page_index_to_addr(s, pte_page_index); + if (!pte_page) + return NULL; /* XXX - ?? we don't dereference pte_page here */ + pte_index = (vaddr >> PAGE_SHIFT) & PTE_MASK; #ifndef IN_MONITOR if (pvptep) { diff -Naur kqemu_1.0.3pre11-20070520/common/kernel.c kqemu_1.0.3pre11-20070520.new/common/kernel.c --- kqemu_1.0.3pre11-20070520/common/kernel.c 2007-05-20 07:35:07.000000000 -0400 +++ kqemu_1.0.3pre11-20070520.new/common/kernel.c 2008-02-15 18:39:03.000000000 -0500
@@ -156,6 +156,13 @@ return NULL; } vaddr = get_vaddr(s); + if (vaddr == (unsigned long) -1) { +#ifdef DEBUG + kqemu_log("mon_alloc_page: vaddr=-1\n"); +#endif + kqemu_free_page(host_page); + return NULL; + } set_vaddr_page_index(s, vaddr, page_index, host_page, 0); /* avoid recursion during init */ if (!s->in_page_init) @@ -209,6 +216,13 @@ if (!host_page) return NULL; vaddr = get_vaddr(s); + if (vaddr == (unsigned long) -1) { +#ifdef DEBUG + kqemu_log("mon_user_map: vaddr=-1\n"); +#endif + kqemu_unlock_user_page(host_page); + return NULL; + } set_vaddr_page_index(s, vaddr, page_index, host_page, 1); mon_set_pte(s, vaddr, page_index, PG_PRESENT_MASK | PG_GLOBAL(s) | pte_flags); @@ -561,6 +575,13 @@ vaddr = s->monitor_vaddr + j; pdep = mon_get_ptep_l3(s, 0, vaddr, 2, NULL); pdep1 = mon_get_ptep_l3(s, i, vaddr, 2, NULL); + if (!pdep || !pdep1) { + kqemu_log("kqemu_init(): mon_get_ptep_l3(i=0," + "vaddr=%08lx)=%p\n", vaddr, pdep); + kqemu_log("kqemu_init(): mon_get_ptep_l3(i=%d," + "vaddr=%08lx)=%p\n", i, vaddr, pdep); + goto fail; + } *pdep1 = *pdep; } } else { @@ -569,6 +590,13 @@ vaddr = s->monitor_vaddr + j; pdep = mon_get_ptep_l2(s, 0, vaddr, 2, NULL); pdep1 = mon_get_ptep_l2(s, i, vaddr, 2, NULL); + if (!pdep || !pdep1) { + kqemu_log("kqemu_init(): mon_get_ptep_l2(i=0," + "vaddr=%08lx)=%p\n", vaddr, pdep); + kqemu_log("kqemu_init(): mon_get_ptep_l2(i=%d," + "vaddr=%08lx)=%p\n", i, vaddr, pdep); + goto fail; + } *pdep1 = *pdep; } } diff -Naur kqemu_1.0.3pre11-20070520/common/monitor.c kqemu_1.0.3pre11-20070520.new/common/monitor.c --- kqemu_1.0.3pre11-20070520/common/monitor.c 2007-05-20 07:35:07.000000000 -0400 +++ kqemu_1.0.3pre11-20070520.new/common/monitor.c 2008-02-15 17:30:19.000000000 -0500 
@@ -280,7 +280,8 @@ return NULL; } vaddr = get_vaddr(s); - /* XXX: check error */ + if (vaddr == (unsigned long) -1) + return NULL; set_vaddr_page_index(s, vaddr, page_index, host_page, 0); mon_set_pte(s, 0, vaddr, page_index, PG_PRESENT_MASK | PG_GLOBAL(s) | PG_RW_MASK); @@ -296,10 +297,14 @@ if (USE_PAE(s)) { uint64_t *ptep; ptep = mon_get_ptep_l3(s, as_index, vaddr, 1); + if (!ptep) + monitor_panic(s, "mon_get_ptel_l3() failed\n"); *ptep = ((uint64_t)page_index << PAGE_SHIFT) | pte_flags; } else { uint32_t *ptep; ptep = mon_get_ptep_l2(s, as_index, vaddr, 1); + if (!ptep) + monitor_panic(s, "mon_get_ptep_l2() failed\n"); *ptep = (page_index << PAGE_SHIFT) | pte_flags; } asm volatile("invlpg %0" : : "m" (*(uint8_t *)vaddr)); @@ -328,6 +333,8 @@ if (!host_page) monitor_panic(s, "could not lock user page %p", (void *)l2_uaddr); ptr = (void *)get_vaddr(s); + if (ptr == (void *) -1) + monitor_panic(s, "phys_page_find(): vaddr=-1\n"); set_vaddr_page_index(s, (unsigned long)ptr, paddr, host_page, 1); s->phys_to_ram_map_pages[l1_index] = ptr; mon_set_pte(s, 0, (unsigned long)ptr, paddr, 
@@ -574,12 +581,16 @@ GET_AS(vaddr), addr, 0); else ptep = mon_get_ptep_l2(s, GET_AS(vaddr), addr, 0); + if (!ptep) + monitor_panic(s, "ram_set_read_only(); ptep=NULL\n"); *ptep &= ~PG_RW_MASK; asm volatile("invlpg %0" : : "m" (*(uint8_t *)addr)); } if (IS_LAST_VADDR(vaddr)) break; nptep = get_ram_page_next_mapping(s, GET_AS(vaddr), addr); + if (!nptep) + monitor_panic(s, "ram_set_read_only(); nptep=NULL\n"); vaddr = *nptep; } }
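Review bot: the three pte_page checks in common.c (hunks @@ -284, @@ -348 and @@ -387) each carry `/* XXX - ?? we don't dereference pte_page here */`, which leaves a reader unsure whether the check is wanted; resolve it before merging rather than shipping the doubt. The kernel.c hunks show that callers dereference whatever these walkers return (`*pdep1 = *pdep;` in kqemu_init()), so returning NULL early when the page base is NULL is the safe choice and the comment can simply go. Separately, all six new checks in common.c assume page_index_to_addr() reports failure as NULL, while the cover letter traces the fault to get_vaddr() returning -1; it is worth confirming that page_index_to_addr() really yields NULL for a page whose mapping failed, otherwise these checks never fire and the mon_get_ptep_* callers are still the only line of defence.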
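Review bot: in the two kqemu_init() hunks of kernel.c (@@ -561 and @@ -569) the second log line prints the wrong pointer: `kqemu_log("kqemu_init(): mon_get_ptep_l3(i=%d," "vaddr=%08lx)=%p\n", i, vaddr, pdep);` passes `pdep` where it should pass `pdep1`, so both lines report the address-space-0 lookup and the log cannot show which of the two calls returned NULL; the l2 hunk has the same slip. Also confirm that kqemu_init() has a `fail:` label that tears down what has been set up so far, since the `goto fail` introduced inside this inner loop is the first use visible in these hunks.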
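Review bot: the monitor.c @@ -280 hunk replaces `/* XXX: check error */` with `if (vaddr == (unsigned long) -1) return NULL;` but, unlike the matching mon_alloc_page() hunk in kernel.c (@@ -156) that calls kqemu_free_page(host_page) first, it returns without releasing host_page. The context lines show the page was already obtained (the `return NULL; }` just above is its allocation-failure branch) and that host_page is only consumed afterwards by set_vaddr_page_index(), so the new early return leaks it on every exhausted-window failure; release the page on that path the way the kernel.c hunk does.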
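Review bot: typo in the new panic message of the PAE branch in monitor.c @@ -296: `monitor_panic(s, "mon_get_ptel_l3() failed\n");` names a function that does not exist; it should read `mon_get_ptep_l3() failed`, matching the non-PAE branch's `mon_get_ptep_l2() failed`. The panic string is the only diagnostic left when the monitor kills the qemu process, so it should name the real function.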
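Review bot: the -1 check added to phys_page_find() (monitor.c @@ -328) is justified despite the cover letter's doubt: the context lines show the value being handed to set_vaddr_page_index(), stored in `s->phys_to_ram_map_pages[l1_index]` and passed to mon_set_pte(), so a -1 there would be installed as a mapping and used on a later lookup rather than merely ignored. For consistency with the other hunks, compare the raw get_vaddr() result against `(unsigned long) -1` before casting it to `void *` instead of comparing the pointer against `(void *) -1`.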
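Review bot: in ram_set_read_only() (monitor.c @@ -574) the page-table lookups run with the alloc argument set to 0 (`mon_get_ptep_l2(s, GET_AS(vaddr), addr, 0)` in the context), so a NULL ptep can mean "no page table covers this address" rather than an allocation failure; check whether the mapping chain walked here can legitimately contain an address without a PTE before turning that case into a monitor_panic(), otherwise a benign condition becomes a guest crash. Minor: the two new messages use `ram_set_read_only();` where the other new messages use the `function():` form.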
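The cover letter and the patch turn on one pattern: a lookup that reports failure with a sentinel (`(unsigned long) -1` from get_vaddr(), NULL from the page-table walkers) must be tested before its result is stored or dereferenced, and a resource obtained before the failing call must be released on the error path. The following is an added example written for this page, not KQEMU code and not part of the patch: it models a tiny monitor window with a `get_vaddr()` that returns -1 when exhausted, and contrasts the shape of the monitor.c @@ -280 hunk (sentinel checked, host page not released) with the shape of the kernel.c mon_alloc_page() hunk (page freed before returning). All names, the window base, the page size and the window size are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not KQEMU code. get_vaddr, kqemu_alloc_page and
 * kqemu_free_page mirror the names in the cover letter; the window base,
 * page size and window size are invented for the demonstration. */
#define MON_WINDOW_BASE 0xffff800000000000UL
#define MON_PAGE_SIZE   4096UL
#define MON_N_VADDRS    4               /* deliberately tiny window */

struct mon_state {
    int   vaddr_used;                   /* window slots handed out so far */
    int   pages_outstanding;            /* host pages allocated, not yet freed */
    void *mapped[MON_N_VADDRS];         /* pages that reached the mapping step */
};

/* Stand-in for get_vaddr(): (unsigned long)-1 signals an exhausted window. */
static unsigned long get_vaddr(struct mon_state *s)
{
    if (s->vaddr_used >= MON_N_VADDRS)
        return (unsigned long)-1;
    return MON_WINDOW_BASE + (unsigned long)s->vaddr_used++ * MON_PAGE_SIZE;
}

static void *kqemu_alloc_page(struct mon_state *s)
{
    void *p = calloc(1, MON_PAGE_SIZE);
    if (p)
        s->pages_outstanding++;
    return p;
}

static void kqemu_free_page(struct mon_state *s, void *p)
{
    free(p);
    s->pages_outstanding--;
}

/* Records the page under its window slot; this is where the real code calls
 * set_vaddr_page_index() and mon_set_pte(). Only valid vaddrs reach here. */
static void map_page(struct mon_state *s, unsigned long vaddr, void *host_page)
{
    size_t slot = (size_t)((vaddr - MON_WINDOW_BASE) / MON_PAGE_SIZE);
    s->mapped[slot] = host_page;
}

/* Shape of the monitor.c @@ -280 hunk: the sentinel is tested, but the host
 * page obtained just before is not released on the failure path. */
static int alloc_page_leaky(struct mon_state *s)
{
    void *host_page = kqemu_alloc_page(s);
    if (!host_page)
        return -1;
    unsigned long vaddr = get_vaddr(s);
    if (vaddr == (unsigned long)-1)
        return -1;                       /* host_page leaked here */
    map_page(s, vaddr, host_page);
    return 0;
}

/* Shape of the kernel.c mon_alloc_page() hunk: same test, page freed first. */
static int alloc_page_clean(struct mon_state *s)
{
    void *host_page = kqemu_alloc_page(s);
    if (!host_page)
        return -1;
    unsigned long vaddr = get_vaddr(s);
    if (vaddr == (unsigned long)-1) {
        kqemu_free_page(s, host_page);
        return -1;
    }
    map_page(s, vaddr, host_page);
    return 0;
}

/* Drives one variant past the end of the window, then frees every page that
 * was actually mapped and reports how many host pages are still outstanding,
 * i.e. how many were lost on the failure path. */
static int leaked_pages(int (*alloc_fn)(struct mon_state *), int attempts)
{
    struct mon_state s = {0};
    for (int i = 0; i < attempts; i++)
        (void)alloc_fn(&s);
    for (int i = 0; i < s.vaddr_used; i++)
        kqemu_free_page(&s, s.mapped[i]);
    return s.pages_outstanding;
}

int main(void)
{
    printf("leaky variant: %d host pages leaked\n",
           leaked_pages(alloc_page_leaky, MON_N_VADDRS + 2));
    printf("clean variant: %d host pages leaked\n",
           leaked_pages(alloc_page_clean, MON_N_VADDRS + 2));
    return 0;
}
```

Running the window two allocations past its end leaves two pages outstanding in the leaky variant and none in the clean one; in the real driver the leaked object is a kernel page, so the difference is the gap between "qemu fails to start" and a host that slowly runs out of memory under repeated failing launches.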