From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25A6EC433EF for ; Mon, 25 Oct 2021 08:21:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 019E560F46 for ; Mon, 25 Oct 2021 08:21:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231264AbhJYIX5 (ORCPT ); Mon, 25 Oct 2021 04:23:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39852 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229928AbhJYIX4 (ORCPT ); Mon, 25 Oct 2021 04:23:56 -0400 Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 55642C061745 for ; Mon, 25 Oct 2021 01:21:34 -0700 (PDT) Received: by mail-lf1-x12f.google.com with SMTP id y26so7677413lfa.11 for ; Mon, 25 Oct 2021 01:21:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kempniu.pl; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=J1eGsGvSupt9keTxPYnbOs6SIupFozzDdx1fHvMuh2A=; b=Kc2WfddgrbdOM5M6itU0cenw9rjcU6/6XnRDC8Zwv7sQi9ycnqZhBft49kEbo9YykX Ral/IUibv2TT6eBr721BhIi/oUar/vSxay6ecQmMZ2pSC3kw7AkzLjJ0TtBMclhJeAAm zXj0BD6RpSTa6Pn8JlBDLdCtdExWgdcp+j8e4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=J1eGsGvSupt9keTxPYnbOs6SIupFozzDdx1fHvMuh2A=; b=NraYRuxLdx/HRY/IKOlGuZZRBZRYVxkL8YqVmrG/dbjxOj+PzEAE6VpLiUd4yaE2I6 TVnawYZ38f72irrFbELgO0Of6+T7LxAsRYohTe73m801R/8Viv3f2CHpfn38S+HDoqHT lbEpdjP/8WNKNusvTbW9v3rBoMxZP2tQ5/0PpSF0JQluie7BB+TpJzsZg7CohJ1IyjA3 3wVG1NDNowsupzhTQQmoHTijfTp4CE4zjJI0wymCg+kxsMWuywHovkNDhIKB4a3f7OHM XouL6XlAct06nMMWHWS2+/P7x72VUanUt5uTTaNOX5B0DLyc1mc7RvDbOHKOgnXCtSRW eqdw== X-Gm-Message-State: AOAM532Md+S2nq2PwDr1Khj0Q/zHddya0ABF1ipQFbxn7e2+zHzYKOBd p75o6I06wxqJ4CjqFhTDMVKEfaOszW34BQ== X-Google-Smtp-Source: ABdhPJxrsjGQLvgUzp7Jvo+PWFDeMkRjiBjcN4X8rgX4SKtcLuMxjqbB305MCTHD7Lz67nn3YMC7RA== X-Received: by 2002:a05:6512:39d1:: with SMTP id k17mr766967lfu.79.1635150092678; Mon, 25 Oct 2021 01:21:32 -0700 (PDT) Received: from larwa.hq.kempniu.pl ([2001:470:64df:111::e02]) by smtp.gmail.com with ESMTPSA id n13sm239189lfi.127.2021.10.25.01.21.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Oct 2021 01:21:32 -0700 (PDT) From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= To: Miquel Raynal , Richard Weinberger , Vignesh Raghavendra Cc: Boris Brezillon , linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH] mtdchar: prevent unbounded allocation in MEMWRITE ioctl Date: Mon, 25 Oct 2021 10:21:04 +0200 Message-Id: <20211025082104.8017-1-kernel@kempniu.pl> X-Mailer: git-send-email 2.33.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In the mtdchar_write_ioctl() function, memdup_user() is called with its 'len' parameter set to verbatim values provided by user space via a struct mtd_write_req. Both the 'len' and 'ooblen' fields of that structure are 64-bit unsigned integers, which means the MEMWRITE ioctl can trigger unbounded kernel memory allocation requests. Fix by iterating over the buffers provided by user space in a loop, processing at most mtd->erasesize bytes in each iteration. Adopt some checks from mtd_check_oob_ops() to retain backward user space compatibility. Suggested-by: Boris Brezillon Signed-off-by: Michał Kępień --- Fixing this problem was suggested last month, during a discussion about a new MEMREAD ioctl. [1] [2] My primary objective was to not break user space, i.e. to not change externally visible behavior compared to the current code. The main problem I faced was that splitting the input data into chunks makes the MEMWRITE ioctl a _wrapper_ for mtd_write_oob() rather than a direct _interface_ to it and yet from the user space perspective it still needs to behave as if nothing changed. Despite my efforts, the patch does _not_ retain absolute backward compatibility and I do not know whether this is acceptable. Specifically, multi-eraseblock-sized writes (requiring multiple loop iterations to be processed) which succeeded with the original code _may_ now return errors and/or write different contents to the device than the original code, depending on the MTD mode of operation requested and on whether the start offset is page-aligned. The documentation for struct mtd_oob_ops warns about even multi-page write requests, but... Example: MTD device parameters: - mtd->writesize = 2048 - mtd->erasesize = 131072 - 64 bytes of raw OOB space per page struct mtd_write_req req = { .start = 2048, .len = 262144, .ooblen = 64, .usr_data = ..., .usr_oob = ..., .mode = MTD_OPS_RAW, }; (This is a 128-page write with OOB data supplied for just one page.) Current mtdchar_write_ioctl() returns 0 for this request and writes 128 pages of data and 1 page's worth of OOB data (64 bytes) to the MTD device. Patched mtdchar_write_ioctl() may return an error because the original request gets split into two chunks (): <131072, 64> <131072, 0> and the second chunk with zero OOB data length may make the MTD driver unhappy in raw mode (resulting in only the first 64 pages of data and 1 page's worth of OOB data getting written to the MTD device). Is an ioctl like this considered a "degenerate" one and therefore acceptable to break or not? At any rate, the revised code feels brittle to me and I would not be particularly surprised if I missed more cases in which it produces different results than the original code. I keep on wondering whether the benefits of this change are worth the extra code complexity, but fortunately it is not my call to make :) Perhaps I am missing something and my proposal can be simplified? Or maybe the way I approached this is completely wrong? Any thoughts on this are welcome. As the outcome of the discussion around this patch will have a significant influence on the shape of the v2 of the MEMREAD ioctl, I decided to submit this one first as a standalone patch. [1] https://lists.infradead.org/pipermail/linux-mtd/2021-September/088485.html [2] https://lists.infradead.org/pipermail/linux-mtd/2021-September/088544.html drivers/mtd/mtdchar.c | 93 ++++++++++++++++++++++++++++++++----------- 1 file changed, 70 insertions(+), 23 deletions(-) diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index 155e991d9d75..a3afc390e254 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -578,9 +578,10 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, { struct mtd_info *master = mtd_get_master(mtd); struct mtd_write_req req; - struct mtd_oob_ops ops = {}; const void __user *usr_data, *usr_oob; - int ret; + uint8_t *datbuf = NULL, *oobbuf = NULL; + size_t datbuf_len, oobbuf_len; + int ret = 0; if (copy_from_user(&req, argp, sizeof(req))) return -EFAULT; @@ -590,33 +591,79 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, if (!master->_write_oob) return -EOPNOTSUPP; - ops.mode = req.mode; - ops.len = (size_t)req.len; - ops.ooblen = (size_t)req.ooblen; - ops.ooboffs = 0; - - if (usr_data) { - ops.datbuf = memdup_user(usr_data, ops.len); - if (IS_ERR(ops.datbuf)) - return PTR_ERR(ops.datbuf); - } else { - ops.datbuf = NULL; + + if (!usr_data) + req.len = 0; + + if (!usr_oob) + req.ooblen = 0; + + if (req.start + req.len > mtd->size) + return -EINVAL; + + datbuf_len = min_t(size_t, req.len, mtd->erasesize); + if (datbuf_len > 0) { + datbuf = kmalloc(datbuf_len, GFP_KERNEL); + if (!datbuf) + return -ENOMEM; } - if (usr_oob) { - ops.oobbuf = memdup_user(usr_oob, ops.ooblen); - if (IS_ERR(ops.oobbuf)) { - kfree(ops.datbuf); - return PTR_ERR(ops.oobbuf); + oobbuf_len = min_t(size_t, req.ooblen, mtd->erasesize); + if (oobbuf_len > 0) { + oobbuf = kmalloc(oobbuf_len, GFP_KERNEL); + if (!oobbuf) { + kfree(datbuf); + return -ENOMEM; } - } else { - ops.oobbuf = NULL; } - ret = mtd_write_oob(mtd, (loff_t)req.start, &ops); + while (req.len > 0 || (!usr_data && req.ooblen > 0)) { + struct mtd_oob_ops ops = { + .mode = req.mode, + .len = min_t(size_t, req.len, datbuf_len), + .ooblen = min_t(size_t, req.ooblen, oobbuf_len), + .datbuf = req.len ? datbuf : NULL, + .oobbuf = req.ooblen ? oobbuf : NULL, + }; - kfree(ops.datbuf); - kfree(ops.oobbuf); + /* + * For writes which are not OOB-only, adjust the amount of OOB + * data written according to the number of data pages written. + * This is necessary to prevent OOB data from being skipped + * over in data+OOB writes requiring multiple mtd_write_oob() + * calls to be completed. + */ + if (ops.len > 0 && ops.ooblen > 0) { + u32 oob_per_page = mtd_oobavail(mtd, &ops); + uint32_t pages_to_write = mtd_div_by_ws(ops.len, mtd); + + if (mtd_mod_by_ws(req.start + ops.len, mtd)) + pages_to_write++; + + ops.ooblen = min_t(size_t, ops.ooblen, + pages_to_write * oob_per_page); + } + + if (copy_from_user(datbuf, usr_data, ops.len) || + copy_from_user(oobbuf, usr_oob, ops.ooblen)) { + ret = -EFAULT; + break; + } + + ret = mtd_write_oob(mtd, req.start, &ops); + if (ret) + break; + + req.start += ops.retlen; + req.len -= ops.retlen; + usr_data += ops.retlen; + + req.ooblen -= ops.oobretlen; + usr_oob += ops.oobretlen; + } + + kfree(datbuf); + kfree(oobbuf); return ret; } -- 2.33.1 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0C7AC433FE for ; Mon, 25 Oct 2021 08:22:19 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8129F60EE9 for ; Mon, 25 Oct 2021 08:22:19 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 8129F60EE9 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=kempniu.pl Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=WAAETPaUOdnqrJgmcqmz7w+z5fOosGhdqAFy4KGntZw=; b=nV21+GErLS4B6S eyF7LTCL9tTPjaeNsZ/P2Yg3ana7QTpZ2HiR/ihfAdqpMQGGU1FiGBcPYzXqb/SibDXF9PPvKBa7e HC0aP6mSYoESBUVPiCYWKtLRd18uAQyp3NME3X5Bmjn+jsUchubE/f7WGCNRrvaulSosBtdK62LyE vkqU4qyCAocxEPPdDHjNduc+DjVWQk+xrKuXBABGk9y5U2Xd+/N0cMCQlNoxDDTfreWt0aPEfPZhb iyMfB+1YwExyYR7xjWZWbdaZQwpPwIUne5eoUlvMJ3zNg/hrLmUUsgfo+M5XFDeAtFsrDJmcxUjeV D5bFDDwdnbAf4TwHmTdQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mevEh-00FmOJ-Ke; Mon, 25 Oct 2021 08:21:39 +0000 Received: from mail-lf1-x135.google.com ([2a00:1450:4864:20::135]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mevEd-00FmLV-GY for linux-mtd@lists.infradead.org; Mon, 25 Oct 2021 08:21:37 +0000 Received: by mail-lf1-x135.google.com with SMTP id p16so10741387lfa.2 for ; Mon, 25 Oct 2021 01:21:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kempniu.pl; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=J1eGsGvSupt9keTxPYnbOs6SIupFozzDdx1fHvMuh2A=; b=Kc2WfddgrbdOM5M6itU0cenw9rjcU6/6XnRDC8Zwv7sQi9ycnqZhBft49kEbo9YykX Ral/IUibv2TT6eBr721BhIi/oUar/vSxay6ecQmMZ2pSC3kw7AkzLjJ0TtBMclhJeAAm zXj0BD6RpSTa6Pn8JlBDLdCtdExWgdcp+j8e4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=J1eGsGvSupt9keTxPYnbOs6SIupFozzDdx1fHvMuh2A=; b=vJ5ZqbaEimKgbAUs7zVDU2BCsv4mfNewJvxefHCRUg8az5i8BEM+c8/QOBT326FJPM eysvnct3/zPstxn9lFH97jhsXrCBOCF86HpI+67SOqNAv8jyE4OV5NBEGatDj438GWsd aqHSrlOF2nzGc0N6lDdyuutjFFJB05Qv0JcjxemGLcyfg+lLFawrJMoZGkZUsV0cUw4G HQDAABFCrc+qtBdWp8hO0Lu3HNJ3sW1b7r/IZyPIOBP84qNJJJteMSejWrJXACPTZPEN N286kWBja7j9GYd+KBhzCs4aCN/chVRi0PPGKkY37lchAX0Z1vHtWq2e60ry/TDttb4L CteA== X-Gm-Message-State: AOAM530bocbmop7AhQkRVI1EAHG2TTSGzZzqltUMtj5AayiPxYOId+mV 20ixAo+Pk9s1E7zUVSFzzubTSA== X-Google-Smtp-Source: ABdhPJxrsjGQLvgUzp7Jvo+PWFDeMkRjiBjcN4X8rgX4SKtcLuMxjqbB305MCTHD7Lz67nn3YMC7RA== X-Received: by 2002:a05:6512:39d1:: with SMTP id k17mr766967lfu.79.1635150092678; Mon, 25 Oct 2021 01:21:32 -0700 (PDT) Received: from larwa.hq.kempniu.pl ([2001:470:64df:111::e02]) by smtp.gmail.com with ESMTPSA id n13sm239189lfi.127.2021.10.25.01.21.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Oct 2021 01:21:32 -0700 (PDT) From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= To: Miquel Raynal , Richard Weinberger , Vignesh Raghavendra Cc: Boris Brezillon , linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH] mtdchar: prevent unbounded allocation in MEMWRITE ioctl Date: Mon, 25 Oct 2021 10:21:04 +0200 Message-Id: <20211025082104.8017-1-kernel@kempniu.pl> X-Mailer: git-send-email 2.33.1 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211025_012135_685864_57C5F03B X-CRM114-Status: GOOD ( 30.52 ) X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "linux-mtd" Errors-To: linux-mtd-bounces+linux-mtd=archiver.kernel.org@lists.infradead.org SW4gdGhlIG10ZGNoYXJfd3JpdGVfaW9jdGwoKSBmdW5jdGlvbiwgbWVtZHVwX3VzZXIoKSBpcyBj YWxsZWQgd2l0aCBpdHMKJ2xlbicgcGFyYW1ldGVyIHNldCB0byB2ZXJiYXRpbSB2YWx1ZXMgcHJv dmlkZWQgYnkgdXNlciBzcGFjZSB2aWEgYQpzdHJ1Y3QgbXRkX3dyaXRlX3JlcS4gIEJvdGggdGhl ICdsZW4nIGFuZCAnb29ibGVuJyBmaWVsZHMgb2YgdGhhdApzdHJ1Y3R1cmUgYXJlIDY0LWJpdCB1 bnNpZ25lZCBpbnRlZ2Vycywgd2hpY2ggbWVhbnMgdGhlIE1FTVdSSVRFIGlvY3RsCmNhbiB0cmln Z2VyIHVuYm91bmRlZCBrZXJuZWwgbWVtb3J5IGFsbG9jYXRpb24gcmVxdWVzdHMuCgpGaXggYnkg aXRlcmF0aW5nIG92ZXIgdGhlIGJ1ZmZlcnMgcHJvdmlkZWQgYnkgdXNlciBzcGFjZSBpbiBhIGxv b3AsCnByb2Nlc3NpbmcgYXQgbW9zdCBtdGQtPmVyYXNlc2l6ZSBieXRlcyBpbiBlYWNoIGl0ZXJh dGlvbi4gIEFkb3B0IHNvbWUKY2hlY2tzIGZyb20gbXRkX2NoZWNrX29vYl9vcHMoKSB0byByZXRh aW4gYmFja3dhcmQgdXNlciBzcGFjZQpjb21wYXRpYmlsaXR5LgoKU3VnZ2VzdGVkLWJ5OiBCb3Jp cyBCcmV6aWxsb24gPGJvcmlzLmJyZXppbGxvbkBjb2xsYWJvcmEuY29tPgpTaWduZWQtb2ZmLWJ5 OiBNaWNoYcWCIEvEmXBpZcWEIDxrZXJuZWxAa2VtcG5pdS5wbD4KLS0tCkZpeGluZyB0aGlzIHBy b2JsZW0gd2FzIHN1Z2dlc3RlZCBsYXN0IG1vbnRoLCBkdXJpbmcgYSBkaXNjdXNzaW9uIGFib3V0 CmEgbmV3IE1FTVJFQUQgaW9jdGwuIFsxXSBbMl0KCk15IHByaW1hcnkgb2JqZWN0aXZlIHdhcyB0 byBub3QgYnJlYWsgdXNlciBzcGFjZSwgaS5lLiB0byBub3QgY2hhbmdlCmV4dGVybmFsbHkgdmlz aWJsZSBiZWhhdmlvciBjb21wYXJlZCB0byB0aGUgY3VycmVudCBjb2RlLiAgVGhlIG1haW4KcHJv YmxlbSBJIGZhY2VkIHdhcyB0aGF0IHNwbGl0dGluZyB0aGUgaW5wdXQgZGF0YSBpbnRvIGNodW5r cyBtYWtlcyB0aGUKTUVNV1JJVEUgaW9jdGwgYSBfd3JhcHBlcl8gZm9yIG10ZF93cml0ZV9vb2Io KSByYXRoZXIgdGhhbiBhIGRpcmVjdApfaW50ZXJmYWNlXyB0byBpdCBhbmQgeWV0IGZyb20gdGhl IHVzZXIgc3BhY2UgcGVyc3BlY3RpdmUgaXQgc3RpbGwgbmVlZHMKdG8gYmVoYXZlIGFzIGlmIG5v dGhpbmcgY2hhbmdlZC4KCkRlc3BpdGUgbXkgZWZmb3J0cywgdGhlIHBhdGNoIGRvZXMgX25vdF8g cmV0YWluIGFic29sdXRlIGJhY2t3YXJkCmNvbXBhdGliaWxpdHkgYW5kIEkgZG8gbm90IGtub3cg d2hldGhlciB0aGlzIGlzIGFjY2VwdGFibGUuClNwZWNpZmljYWxseSwgbXVsdGktZXJhc2VibG9j ay1zaXplZCB3cml0ZXMgKHJlcXVpcmluZyBtdWx0aXBsZSBsb29wCml0ZXJhdGlvbnMgdG8gYmUg cHJvY2Vzc2VkKSB3aGljaCBzdWNjZWVkZWQgd2l0aCB0aGUgb3JpZ2luYWwgY29kZSBfbWF5Xwpu b3cgcmV0dXJuIGVycm9ycyBhbmQvb3Igd3JpdGUgZGlmZmVyZW50IGNvbnRlbnRzIHRvIHRoZSBk ZXZpY2UgdGhhbiB0aGUKb3JpZ2luYWwgY29kZSwgZGVwZW5kaW5nIG9uIHRoZSBNVEQgbW9kZSBv ZiBvcGVyYXRpb24gcmVxdWVzdGVkIGFuZCBvbgp3aGV0aGVyIHRoZSBzdGFydCBvZmZzZXQgaXMg cGFnZS1hbGlnbmVkLiAgVGhlIGRvY3VtZW50YXRpb24gZm9yIHN0cnVjdAptdGRfb29iX29wcyB3 YXJucyBhYm91dCBldmVuIG11bHRpLXBhZ2Ugd3JpdGUgcmVxdWVzdHMsIGJ1dC4uLgoKRXhhbXBs ZToKCiAgICBNVEQgZGV2aWNlIHBhcmFtZXRlcnM6CgogICAgICAtIG10ZC0+d3JpdGVzaXplID0g MjA0OAogICAgICAtIG10ZC0+ZXJhc2VzaXplID0gMTMxMDcyCiAgICAgIC0gNjQgYnl0ZXMgb2Yg cmF3IE9PQiBzcGFjZSBwZXIgcGFnZQoKICAgIHN0cnVjdCBtdGRfd3JpdGVfcmVxIHJlcSA9IHsK ICAgICAgICAuc3RhcnQgPSAyMDQ4LAogICAgICAgIC5sZW4gPSAyNjIxNDQsCiAgICAgICAgLm9v YmxlbiA9IDY0LAogICAgICAgIC51c3JfZGF0YSA9IC4uLiwKICAgICAgICAudXNyX29vYiA9IC4u LiwKICAgICAgICAubW9kZSA9IE1URF9PUFNfUkFXLAogICAgfTsKCiAgICAoVGhpcyBpcyBhIDEy OC1wYWdlIHdyaXRlIHdpdGggT09CIGRhdGEgc3VwcGxpZWQgZm9yIGp1c3Qgb25lIHBhZ2UuKQoK ICAgIEN1cnJlbnQgbXRkY2hhcl93cml0ZV9pb2N0bCgpIHJldHVybnMgMCBmb3IgdGhpcyByZXF1 ZXN0IGFuZCB3cml0ZXMKICAgIDEyOCBwYWdlcyBvZiBkYXRhIGFuZCAxIHBhZ2UncyB3b3J0aCBv ZiBPT0IgZGF0YSAoNjQgYnl0ZXMpIHRvIHRoZQogICAgTVREIGRldmljZS4KCiAgICBQYXRjaGVk IG10ZGNoYXJfd3JpdGVfaW9jdGwoKSBtYXkgcmV0dXJuIGFuIGVycm9yIGJlY2F1c2UgdGhlCiAg ICBvcmlnaW5hbCByZXF1ZXN0IGdldHMgc3BsaXQgaW50byB0d28gY2h1bmtzICg8ZGF0YV9sZW4s IG9vYl9sZW4+KToKCiAgICAgICAgPDEzMTA3MiwgNjQ+CiAgICAgICAgPDEzMTA3MiwgMD4KCiAg ICBhbmQgdGhlIHNlY29uZCBjaHVuayB3aXRoIHplcm8gT09CIGRhdGEgbGVuZ3RoIG1heSBtYWtl IHRoZSBNVEQKICAgIGRyaXZlciB1bmhhcHB5IGluIHJhdyBtb2RlIChyZXN1bHRpbmcgaW4gb25s eSB0aGUgZmlyc3QgNjQgcGFnZXMgb2YKICAgIGRhdGEgYW5kIDEgcGFnZSdzIHdvcnRoIG9mIE9P QiBkYXRhIGdldHRpbmcgd3JpdHRlbiB0byB0aGUgTVRECiAgICBkZXZpY2UpLgoKICAgIElzIGFu IGlvY3RsIGxpa2UgdGhpcyBjb25zaWRlcmVkIGEgImRlZ2VuZXJhdGUiIG9uZSBhbmQgdGhlcmVm b3JlCiAgICBhY2NlcHRhYmxlIHRvIGJyZWFrIG9yIG5vdD8KCkF0IGFueSByYXRlLCB0aGUgcmV2 aXNlZCBjb2RlIGZlZWxzIGJyaXR0bGUgdG8gbWUgYW5kIEkgd291bGQgbm90IGJlCnBhcnRpY3Vs YXJseSBzdXJwcmlzZWQgaWYgSSBtaXNzZWQgbW9yZSBjYXNlcyBpbiB3aGljaCBpdCBwcm9kdWNl cwpkaWZmZXJlbnQgcmVzdWx0cyB0aGFuIHRoZSBvcmlnaW5hbCBjb2RlLgoKSSBrZWVwIG9uIHdv bmRlcmluZyB3aGV0aGVyIHRoZSBiZW5lZml0cyBvZiB0aGlzIGNoYW5nZSBhcmUgd29ydGggdGhl CmV4dHJhIGNvZGUgY29tcGxleGl0eSwgYnV0IGZvcnR1bmF0ZWx5IGl0IGlzIG5vdCBteSBjYWxs IHRvIG1ha2UgOikKUGVyaGFwcyBJIGFtIG1pc3Npbmcgc29tZXRoaW5nIGFuZCBteSBwcm9wb3Nh bCBjYW4gYmUgc2ltcGxpZmllZD8gIE9yCm1heWJlIHRoZSB3YXkgSSBhcHByb2FjaGVkIHRoaXMg aXMgY29tcGxldGVseSB3cm9uZz8gIEFueSB0aG91Z2h0cyBvbgp0aGlzIGFyZSB3ZWxjb21lLgoK QXMgdGhlIG91dGNvbWUgb2YgdGhlIGRpc2N1c3Npb24gYXJvdW5kIHRoaXMgcGF0Y2ggd2lsbCBo YXZlIGEKc2lnbmlmaWNhbnQgaW5mbHVlbmNlIG9uIHRoZSBzaGFwZSBvZiB0aGUgdjIgb2YgdGhl IE1FTVJFQUQgaW9jdGwsIEkKZGVjaWRlZCB0byBzdWJtaXQgdGhpcyBvbmUgZmlyc3QgYXMgYSBz dGFuZGFsb25lIHBhdGNoLgoKWzFdIGh0dHBzOi8vbGlzdHMuaW5mcmFkZWFkLm9yZy9waXBlcm1h aWwvbGludXgtbXRkLzIwMjEtU2VwdGVtYmVyLzA4ODQ4NS5odG1sClsyXSBodHRwczovL2xpc3Rz LmluZnJhZGVhZC5vcmcvcGlwZXJtYWlsL2xpbnV4LW10ZC8yMDIxLVNlcHRlbWJlci8wODg1NDQu aHRtbAoKIGRyaXZlcnMvbXRkL210ZGNoYXIuYyB8IDkzICsrKysrKysrKysrKysrKysrKysrKysr KysrKysrKysrLS0tLS0tLS0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA3MCBpbnNlcnRpb25zKCspLCAy MyBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9kcml2ZXJzL210ZC9tdGRjaGFyLmMgYi9kcml2 ZXJzL210ZC9tdGRjaGFyLmMKaW5kZXggMTU1ZTk5MWQ5ZDc1Li5hM2FmYzM5MGUyNTQgMTAwNjQ0 Ci0tLSBhL2RyaXZlcnMvbXRkL210ZGNoYXIuYworKysgYi9kcml2ZXJzL210ZC9tdGRjaGFyLmMK QEAgLTU3OCw5ICs1NzgsMTAgQEAgc3RhdGljIGludCBtdGRjaGFyX3dyaXRlX2lvY3RsKHN0cnVj dCBtdGRfaW5mbyAqbXRkLAogewogCXN0cnVjdCBtdGRfaW5mbyAqbWFzdGVyID0gbXRkX2dldF9t YXN0ZXIobXRkKTsKIAlzdHJ1Y3QgbXRkX3dyaXRlX3JlcSByZXE7Ci0Jc3RydWN0IG10ZF9vb2Jf b3BzIG9wcyA9IHt9OwogCWNvbnN0IHZvaWQgX191c2VyICp1c3JfZGF0YSwgKnVzcl9vb2I7Ci0J aW50IHJldDsKKwl1aW50OF90ICpkYXRidWYgPSBOVUxMLCAqb29iYnVmID0gTlVMTDsKKwlzaXpl X3QgZGF0YnVmX2xlbiwgb29iYnVmX2xlbjsKKwlpbnQgcmV0ID0gMDsKIAogCWlmIChjb3B5X2Zy b21fdXNlcigmcmVxLCBhcmdwLCBzaXplb2YocmVxKSkpCiAJCXJldHVybiAtRUZBVUxUOwpAQCAt NTkwLDMzICs1OTEsNzkgQEAgc3RhdGljIGludCBtdGRjaGFyX3dyaXRlX2lvY3RsKHN0cnVjdCBt dGRfaW5mbyAqbXRkLAogCiAJaWYgKCFtYXN0ZXItPl93cml0ZV9vb2IpCiAJCXJldHVybiAtRU9Q Tk9UU1VQUDsKLQlvcHMubW9kZSA9IHJlcS5tb2RlOwotCW9wcy5sZW4gPSAoc2l6ZV90KXJlcS5s ZW47Ci0Jb3BzLm9vYmxlbiA9IChzaXplX3QpcmVxLm9vYmxlbjsKLQlvcHMub29ib2ZmcyA9IDA7 Ci0KLQlpZiAodXNyX2RhdGEpIHsKLQkJb3BzLmRhdGJ1ZiA9IG1lbWR1cF91c2VyKHVzcl9kYXRh LCBvcHMubGVuKTsKLQkJaWYgKElTX0VSUihvcHMuZGF0YnVmKSkKLQkJCXJldHVybiBQVFJfRVJS KG9wcy5kYXRidWYpOwotCX0gZWxzZSB7Ci0JCW9wcy5kYXRidWYgPSBOVUxMOworCisJaWYgKCF1 c3JfZGF0YSkKKwkJcmVxLmxlbiA9IDA7CisKKwlpZiAoIXVzcl9vb2IpCisJCXJlcS5vb2JsZW4g PSAwOworCisJaWYgKHJlcS5zdGFydCArIHJlcS5sZW4gPiBtdGQtPnNpemUpCisJCXJldHVybiAt RUlOVkFMOworCisJZGF0YnVmX2xlbiA9IG1pbl90KHNpemVfdCwgcmVxLmxlbiwgbXRkLT5lcmFz ZXNpemUpOworCWlmIChkYXRidWZfbGVuID4gMCkgeworCQlkYXRidWYgPSBrbWFsbG9jKGRhdGJ1 Zl9sZW4sIEdGUF9LRVJORUwpOworCQlpZiAoIWRhdGJ1ZikKKwkJCXJldHVybiAtRU5PTUVNOwog CX0KIAotCWlmICh1c3Jfb29iKSB7Ci0JCW9wcy5vb2JidWYgPSBtZW1kdXBfdXNlcih1c3Jfb29i LCBvcHMub29ibGVuKTsKLQkJaWYgKElTX0VSUihvcHMub29iYnVmKSkgewotCQkJa2ZyZWUob3Bz LmRhdGJ1Zik7Ci0JCQlyZXR1cm4gUFRSX0VSUihvcHMub29iYnVmKTsKKwlvb2JidWZfbGVuID0g bWluX3Qoc2l6ZV90LCByZXEub29ibGVuLCBtdGQtPmVyYXNlc2l6ZSk7CisJaWYgKG9vYmJ1Zl9s ZW4gPiAwKSB7CisJCW9vYmJ1ZiA9IGttYWxsb2Mob29iYnVmX2xlbiwgR0ZQX0tFUk5FTCk7CisJ CWlmICghb29iYnVmKSB7CisJCQlrZnJlZShkYXRidWYpOworCQkJcmV0dXJuIC1FTk9NRU07CiAJ CX0KLQl9IGVsc2UgewotCQlvcHMub29iYnVmID0gTlVMTDsKIAl9CiAKLQlyZXQgPSBtdGRfd3Jp dGVfb29iKG10ZCwgKGxvZmZfdClyZXEuc3RhcnQsICZvcHMpOworCXdoaWxlIChyZXEubGVuID4g MCB8fCAoIXVzcl9kYXRhICYmIHJlcS5vb2JsZW4gPiAwKSkgeworCQlzdHJ1Y3QgbXRkX29vYl9v cHMgb3BzID0geworCQkJLm1vZGUgPSByZXEubW9kZSwKKwkJCS5sZW4gPSBtaW5fdChzaXplX3Qs IHJlcS5sZW4sIGRhdGJ1Zl9sZW4pLAorCQkJLm9vYmxlbiA9IG1pbl90KHNpemVfdCwgcmVxLm9v Ymxlbiwgb29iYnVmX2xlbiksCisJCQkuZGF0YnVmID0gcmVxLmxlbiA/IGRhdGJ1ZiA6IE5VTEws CisJCQkub29iYnVmID0gcmVxLm9vYmxlbiA/IG9vYmJ1ZiA6IE5VTEwsCisJCX07CiAKLQlrZnJl ZShvcHMuZGF0YnVmKTsKLQlrZnJlZShvcHMub29iYnVmKTsKKwkJLyoKKwkJICogRm9yIHdyaXRl cyB3aGljaCBhcmUgbm90IE9PQi1vbmx5LCBhZGp1c3QgdGhlIGFtb3VudCBvZiBPT0IKKwkJICog ZGF0YSB3cml0dGVuIGFjY29yZGluZyB0byB0aGUgbnVtYmVyIG9mIGRhdGEgcGFnZXMgd3JpdHRl bi4KKwkJICogVGhpcyBpcyBuZWNlc3NhcnkgdG8gcHJldmVudCBPT0IgZGF0YSBmcm9tIGJlaW5n IHNraXBwZWQKKwkJICogb3ZlciBpbiBkYXRhK09PQiB3cml0ZXMgcmVxdWlyaW5nIG11bHRpcGxl IG10ZF93cml0ZV9vb2IoKQorCQkgKiBjYWxscyB0byBiZSBjb21wbGV0ZWQuCisJCSAqLworCQlp ZiAob3BzLmxlbiA+IDAgJiYgb3BzLm9vYmxlbiA+IDApIHsKKwkJCXUzMiBvb2JfcGVyX3BhZ2Ug PSBtdGRfb29iYXZhaWwobXRkLCAmb3BzKTsKKwkJCXVpbnQzMl90IHBhZ2VzX3RvX3dyaXRlID0g bXRkX2Rpdl9ieV93cyhvcHMubGVuLCBtdGQpOworCisJCQlpZiAobXRkX21vZF9ieV93cyhyZXEu c3RhcnQgKyBvcHMubGVuLCBtdGQpKQorCQkJCXBhZ2VzX3RvX3dyaXRlKys7CisKKwkJCW9wcy5v b2JsZW4gPSBtaW5fdChzaXplX3QsIG9wcy5vb2JsZW4sCisJCQkJCSAgIHBhZ2VzX3RvX3dyaXRl ICogb29iX3Blcl9wYWdlKTsKKwkJfQorCisJCWlmIChjb3B5X2Zyb21fdXNlcihkYXRidWYsIHVz cl9kYXRhLCBvcHMubGVuKSB8fAorCQkgICAgY29weV9mcm9tX3VzZXIob29iYnVmLCB1c3Jfb29i LCBvcHMub29ibGVuKSkgeworCQkJcmV0ID0gLUVGQVVMVDsKKwkJCWJyZWFrOworCQl9CisKKwkJ cmV0ID0gbXRkX3dyaXRlX29vYihtdGQsIHJlcS5zdGFydCwgJm9wcyk7CisJCWlmIChyZXQpCisJ CQlicmVhazsKKworCQlyZXEuc3RhcnQgKz0gb3BzLnJldGxlbjsKKwkJcmVxLmxlbiAtPSBvcHMu cmV0bGVuOworCQl1c3JfZGF0YSArPSBvcHMucmV0bGVuOworCisJCXJlcS5vb2JsZW4gLT0gb3Bz Lm9vYnJldGxlbjsKKwkJdXNyX29vYiArPSBvcHMub29icmV0bGVuOworCX0KKworCWtmcmVlKGRh dGJ1Zik7CisJa2ZyZWUob29iYnVmKTsKIAogCXJldHVybiByZXQ7CiB9Ci0tIAoyLjMzLjEKCgpf X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KTGlu dXggTVREIGRpc2N1c3Npb24gbWFpbGluZyBsaXN0Cmh0dHA6Ly9saXN0cy5pbmZyYWRlYWQub3Jn L21haWxtYW4vbGlzdGluZm8vbGludXgtbXRkLwo=