From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Cyrus-Session-Id: sloti22d1t05-1992793-1525122354-2-12576127572123554482 X-Sieve: CMU Sieve 3.0 X-Spam-known-sender: no X-Spam-score: 0.0 X-Spam-hits: BAYES_00 -1.9, HEADER_FROM_DIFFERENT_DOMAINS 0.25, MAILING_LIST_MULTI -1, RCVD_IN_DNSWL_HI -5, LANGUAGES unknown, BAYES_USED global, SA_VERSION 3.4.0 X-Spam-source: IP='209.132.180.67', Host='vger.kernel.org', Country='US', FromHeader='com', MailFrom='org' X-Spam-charsets: from='UTF-8', cc='UTF-8', plain='UTF-8' X-Resolved-to: greg@kroah.com X-Delivered-to: greg@kroah.com X-Mail-from: stable-owner@vger.kernel.org ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm2; t= 1525122354; b=Hn+8Z1VIPkOjiyxlF7giEDjsWMDUw1TP1EQ1sqzWqh6Sr/GSde 4AkVQ8GAxUzmT8sqzQWc85FmAHobMorePHtkRonlMOYChmAKpL+U1e80U93TZT3P JbYOYGIy6ov5YOjZHTGawo5b4bnWVdQ9JEIJlo9KVZV4kRkSML5uCJdsirZprjCj DWvxOGhxBE+KuVaxX8BGuQ1JR77WOkJZcTNWjn9VxCSZ8G2iOAUO3bCrRBGObuDm 8jK1qcWJ9W8BOHnihaTenqhHpWiJTJAy/nQxEZmmvKycf0f0A6GINk4bsK5L2I5K 96jtXGUosUp1eO0GRmyLUpPjb7vObasp+JTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:in-reply-to:references :content-type:content-transfer-encoding:sender:list-id; s=fm2; t=1525122354; bh=h46RxqpI5+c5mJo9Jt6cch3Esm3jV5x0Xalzd0+s9Iw=; b= IDo70aDw5ZDCJ025S7twK+crMfPX0PTi1gl+9WvP81XqkBNQlefB1L/f1Tld/pqC aGmELBV4LqNnPFd8zIDJZSzy/d0mTcsdmdneww4vg1NalmmYF6WdK9dTp5s4f45i WNY5jkCtLnt4kxlsxyoW5cln0DdPmxT6NUb4wH8bG/EHDPxTbIAGWlRch0d4F+KL T3FicayVn/a016nm8n1zaxzEr6xiA1/Iidj2cEsS1DDdVoH+n1jJTGf/p5uzIji9 bDyfJXN/TMH/sF7fLdvcpUcUXZLXZXdxrN57YboGj0lFk7XUCvliNvf4g8+RVLsF UEsperRTbqtpvXrvQukILw== ARC-Authentication-Results: i=1; mx6.messagingengine.com; arc=none (no signatures found); dkim=pass (2048-bit rsa key sha256) header.d=messagingengine.com header.i=@messagingengine.com header.b=nkPNCZwN x-bits=2048 x-keytype=rsa x-algorithm=sha256 x-selector=fm2; dmarc=none (p=none,has-list-id=yes,d=none) header.from=invisiblethingslab.com; iprev=pass policy.iprev=209.132.180.67 (vger.kernel.org); spf=none smtp.mailfrom=stable-owner@vger.kernel.org smtp.helo=vger.kernel.org; x-aligned-from=fail; x-cm=none score=0; x-ptr=pass x-ptr-helo=vger.kernel.org x-ptr-lookup=vger.kernel.org; x-return-mx=pass smtp.domain=vger.kernel.org smtp.result=pass smtp_org.domain=kernel.org smtp_org.result=pass smtp_is_org_domain=no header.domain=invisiblethingslab.com header.result=pass header_is_org_domain=yes; x-vs=clean score=-95 state=0 Authentication-Results: mx6.messagingengine.com; arc=none (no signatures found); dkim=pass (2048-bit rsa key sha256) header.d=messagingengine.com header.i=@messagingengine.com header.b=nkPNCZwN x-bits=2048 x-keytype=rsa x-algorithm=sha256 x-selector=fm2; dmarc=none (p=none,has-list-id=yes,d=none) header.from=invisiblethingslab.com; iprev=pass policy.iprev=209.132.180.67 (vger.kernel.org); spf=none smtp.mailfrom=stable-owner@vger.kernel.org smtp.helo=vger.kernel.org; x-aligned-from=fail; x-cm=none score=0; x-ptr=pass x-ptr-helo=vger.kernel.org x-ptr-lookup=vger.kernel.org; x-return-mx=pass smtp.domain=vger.kernel.org smtp.result=pass smtp_org.domain=kernel.org smtp_org.result=pass smtp_is_org_domain=no header.domain=invisiblethingslab.com header.result=pass header_is_org_domain=yes; x-vs=clean score=-95 state=0 X-ME-VSCategory: clean X-CM-Envelope: MS4wfOIN8P4ldHF149B+BFaduQ65riEO0r/tfgUA0M5UPQsfUVyICY1rP1bvTL117IVbsHGJIOiBR4jF8Wk1Zxsqsd13kotn+tiSgGOcAUv2GqTiC1Vhg3wm bLJ95gNDItQrZhDB/RTGbvQa/oYYbBHepoy0zGh3ELJv9p22tjEjaYZviL6wxtI3fjtWw1TzmhyqKPNGD9oiblFI7w8u46MT6VKY1OH3K0UE7Q7Xz0Ry0G5J X-CM-Analysis: v=2.3 cv=FKU1Odgs c=1 sm=1 tr=0 a=UK1r566ZdBxH71SXbqIOeA==:117 a=UK1r566ZdBxH71SXbqIOeA==:17 a=IkcTkHD0fZMA:10 a=Kd1tUaAdevIA:10 a=VwQbUJbxAAAA:8 a=vkfgAjWNAAAA:8 a=HO5iXwqbJkv3iYM9twsA:9 a=QEXdDO2ut3YA:10 a=AjGcO6oz07-iQ99wixmX:22 a=s88AYcEWOXMFsoP9cgP2:22 X-ME-CMScore: 0 X-ME-CMCategory: none Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755397AbeD3VFa (ORCPT ); Mon, 30 Apr 2018 17:05:30 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:48497 "EHLO out2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755115AbeD3VDA (ORCPT ); Mon, 30 Apr 2018 17:03:00 -0400 X-ME-Sender: From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= To: xen-devel@lists.xenproject.org Cc: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , stable@vger.kernel.org, Boris Ostrovsky , Juergen Gross , netdev@vger.kernel.org (open list:NETWORKING DRIVERS), linux-kernel@vger.kernel.org (open list) Subject: [PATCH 2/6] xen-netfront: copy response out of shared buffer before accessing it Date: Mon, 30 Apr 2018 23:01:46 +0200 Message-Id: <98a855dceb47dbebd9c87e024084f14a5cb127f7.1525122026.git-series.marmarek@invisiblethingslab.com> X-Mailer: git-send-email 2.13.6 In-Reply-To: References: MIME-Version: 1.0 In-Reply-To: References: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org X-Mailing-List: stable@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-Mailing-List: linux-kernel@vger.kernel.org List-ID: Make local copy of the response, otherwise backend might modify it while frontend is already processing it - leading to time of check / time of use issue. This is complementary to XSA155. Cc: stable@vger.kernel.org Signed-off-by: Marek Marczykowski-Górecki --- drivers/net/xen-netfront.c | 51 +++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 26 deletions(-) diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index 4dd0668..dc99763 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -387,13 +387,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue) rmb(); /* Ensure we see responses up to 'rp'. */ for (cons = queue->tx.rsp_cons; cons != prod; cons++) { - struct xen_netif_tx_response *txrsp; + struct xen_netif_tx_response txrsp; - txrsp = RING_GET_RESPONSE(&queue->tx, cons); - if (txrsp->status == XEN_NETIF_RSP_NULL) + RING_COPY_RESPONSE(&queue->tx, cons, &txrsp); + if (txrsp.status == XEN_NETIF_RSP_NULL) continue; - id = txrsp->id; + id = txrsp.id; skb = queue->tx_skbs[id].skb; if (unlikely(gnttab_query_foreign_access( queue->grant_tx_ref[id]) != 0)) { @@ -741,7 +741,7 @@ static int xennet_get_extras(struct netfront_queue *queue, RING_IDX rp) { - struct xen_netif_extra_info *extra; + struct xen_netif_extra_info extra; struct device *dev = &queue->info->netdev->dev; RING_IDX cons = queue->rx.rsp_cons; int err = 0; @@ -757,24 +757,23 @@ static int xennet_get_extras(struct netfront_queue *queue, break; } - extra = (struct xen_netif_extra_info *) - RING_GET_RESPONSE(&queue->rx, ++cons); + RING_COPY_RESPONSE(&queue->rx, ++cons, &extra); - if (unlikely(!extra->type || - extra->type >= XEN_NETIF_EXTRA_TYPE_MAX)) { + if (unlikely(!extra.type || + extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) { if (net_ratelimit()) dev_warn(dev, "Invalid extra type: %d\n", - extra->type); + extra.type); err = -EINVAL; } else { - memcpy(&extras[extra->type - 1], extra, - sizeof(*extra)); + memcpy(&extras[extra.type - 1], &extra, + sizeof(extra)); } skb = xennet_get_rx_skb(queue, cons); ref = xennet_get_rx_ref(queue, cons); xennet_move_rx_slot(queue, skb, ref); - } while (extra->flags & XEN_NETIF_EXTRA_FLAG_MORE); + } while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE); queue->rx.rsp_cons = cons; return err; @@ -784,28 +783,28 @@ static int xennet_get_responses(struct netfront_queue *queue, struct netfront_rx_info *rinfo, RING_IDX rp, struct sk_buff_head *list) { - struct xen_netif_rx_response *rx = &rinfo->rx; + struct xen_netif_rx_response rx = rinfo->rx; struct xen_netif_extra_info *extras = rinfo->extras; struct device *dev = &queue->info->netdev->dev; RING_IDX cons = queue->rx.rsp_cons; struct sk_buff *skb = xennet_get_rx_skb(queue, cons); grant_ref_t ref = xennet_get_rx_ref(queue, cons); - int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD); + int max = MAX_SKB_FRAGS + (rx.status <= RX_COPY_THRESHOLD); int slots = 1; int err = 0; unsigned long ret; - if (rx->flags & XEN_NETRXF_extra_info) { + if (rx.flags & XEN_NETRXF_extra_info) { err = xennet_get_extras(queue, extras, rp); cons = queue->rx.rsp_cons; } for (;;) { - if (unlikely(rx->status < 0 || - rx->offset + rx->status > XEN_PAGE_SIZE)) { + if (unlikely(rx.status < 0 || + rx.offset + rx.status > XEN_PAGE_SIZE)) { if (net_ratelimit()) dev_warn(dev, "rx->offset: %u, size: %d\n", - rx->offset, rx->status); + rx.offset, rx.status); xennet_move_rx_slot(queue, skb, ref); err = -EINVAL; goto next; @@ -819,7 +818,7 @@ static int xennet_get_responses(struct netfront_queue *queue, if (ref == GRANT_INVALID_REF) { if (net_ratelimit()) dev_warn(dev, "Bad rx response id %d.\n", - rx->id); + rx.id); err = -EINVAL; goto next; } @@ -832,7 +831,7 @@ static int xennet_get_responses(struct netfront_queue *queue, __skb_queue_tail(list, skb); next: - if (!(rx->flags & XEN_NETRXF_more_data)) + if (!(rx.flags & XEN_NETRXF_more_data)) break; if (cons + slots == rp) { @@ -842,7 +841,7 @@ static int xennet_get_responses(struct netfront_queue *queue, break; } - rx = RING_GET_RESPONSE(&queue->rx, cons + slots); + RING_COPY_RESPONSE(&queue->rx, cons + slots, &rx); skb = xennet_get_rx_skb(queue, cons + slots); ref = xennet_get_rx_ref(queue, cons + slots); slots++; @@ -898,9 +897,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, struct sk_buff *nskb; while ((nskb = __skb_dequeue(list))) { - struct xen_netif_rx_response *rx = - RING_GET_RESPONSE(&queue->rx, ++cons); + struct xen_netif_rx_response rx; skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0]; + RING_COPY_RESPONSE(&queue->rx, ++cons, &rx); if (shinfo->nr_frags == MAX_SKB_FRAGS) { unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; @@ -911,7 +910,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS); skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag), - rx->offset, rx->status, PAGE_SIZE); + rx.offset, rx.status, PAGE_SIZE); skb_shinfo(nskb)->nr_frags = 0; kfree_skb(nskb); @@ -1007,7 +1006,7 @@ static int xennet_poll(struct napi_struct *napi, int budget) i = queue->rx.rsp_cons; work_done = 0; while ((i != rp) && (work_done < budget)) { - memcpy(rx, RING_GET_RESPONSE(&queue->rx, i), sizeof(*rx)); + RING_COPY_RESPONSE(&queue->rx, i, rx); memset(extras, 0, sizeof(rinfo.extras)); err = xennet_get_responses(queue, &rinfo, rp, &tmpq); -- git-series 0.9.1 From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Subject: [PATCH 2/6] xen-netfront: copy response out of shared buffer before accessing it Date: Mon, 30 Apr 2018 23:01:46 +0200 Message-ID: <98a855dceb47dbebd9c87e024084f14a5cb127f7.1525122026.git-series.marmarek@invisiblethingslab.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Cc: Juergen Gross , "open list:NETWORKING DRIVERS" , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , stable@vger.kernel.org, open list , Boris Ostrovsky To: xen-devel@lists.xenproject.org Return-path: In-Reply-To: In-Reply-To: References: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" List-Id: netdev.vger.kernel.org TWFrZSBsb2NhbCBjb3B5IG9mIHRoZSByZXNwb25zZSwgb3RoZXJ3aXNlIGJhY2tlbmQgbWlnaHQg bW9kaWZ5IGl0IHdoaWxlCmZyb250ZW5kIGlzIGFscmVhZHkgcHJvY2Vzc2luZyBpdCAtIGxlYWRp bmcgdG8gdGltZSBvZiBjaGVjayAvIHRpbWUgb2YKdXNlIGlzc3VlLgoKVGhpcyBpcyBjb21wbGVt ZW50YXJ5IHRvIFhTQTE1NS4KCkNjOiBzdGFibGVAdmdlci5rZXJuZWwub3JnClNpZ25lZC1vZmYt Ynk6IE1hcmVrIE1hcmN6eWtvd3NraS1Hw7NyZWNraSA8bWFybWFyZWtAaW52aXNpYmxldGhpbmdz bGFiLmNvbT4KLS0tCiBkcml2ZXJzL25ldC94ZW4tbmV0ZnJvbnQuYyB8IDUxICsrKysrKysrKysr KysrKysrKystLS0tLS0tLS0tLS0tLS0tLS0tLQogMSBmaWxlIGNoYW5nZWQsIDI1IGluc2VydGlv bnMoKyksIDI2IGRlbGV0aW9ucygtKQoKZGlmZiAtLWdpdCBhL2RyaXZlcnMvbmV0L3hlbi1uZXRm cm9udC5jIGIvZHJpdmVycy9uZXQveGVuLW5ldGZyb250LmMKaW5kZXggNGRkMDY2OC4uZGM5OTc2 MyAxMDA2NDQKLS0tIGEvZHJpdmVycy9uZXQveGVuLW5ldGZyb250LmMKKysrIGIvZHJpdmVycy9u ZXQveGVuLW5ldGZyb250LmMKQEAgLTM4NywxMyArMzg3LDEzIEBAIHN0YXRpYyB2b2lkIHhlbm5l dF90eF9idWZfZ2Moc3RydWN0IG5ldGZyb250X3F1ZXVlICpxdWV1ZSkKIAkJcm1iKCk7IC8qIEVu c3VyZSB3ZSBzZWUgcmVzcG9uc2VzIHVwIHRvICdycCcuICovCiAKIAkJZm9yIChjb25zID0gcXVl dWUtPnR4LnJzcF9jb25zOyBjb25zICE9IHByb2Q7IGNvbnMrKykgewotCQkJc3RydWN0IHhlbl9u ZXRpZl90eF9yZXNwb25zZSAqdHhyc3A7CisJCQlzdHJ1Y3QgeGVuX25ldGlmX3R4X3Jlc3BvbnNl IHR4cnNwOwogCi0JCQl0eHJzcCA9IFJJTkdfR0VUX1JFU1BPTlNFKCZxdWV1ZS0+dHgsIGNvbnMp OwotCQkJaWYgKHR4cnNwLT5zdGF0dXMgPT0gWEVOX05FVElGX1JTUF9OVUxMKQorCQkJUklOR19D T1BZX1JFU1BPTlNFKCZxdWV1ZS0+dHgsIGNvbnMsICZ0eHJzcCk7CisJCQlpZiAodHhyc3Auc3Rh dHVzID09IFhFTl9ORVRJRl9SU1BfTlVMTCkKIAkJCQljb250aW51ZTsKIAotCQkJaWQgID0gdHhy c3AtPmlkOworCQkJaWQgID0gdHhyc3AuaWQ7CiAJCQlza2IgPSBxdWV1ZS0+dHhfc2tic1tpZF0u c2tiOwogCQkJaWYgKHVubGlrZWx5KGdudHRhYl9xdWVyeV9mb3JlaWduX2FjY2VzcygKIAkJCQlx dWV1ZS0+Z3JhbnRfdHhfcmVmW2lkXSkgIT0gMCkpIHsKQEAgLTc0MSw3ICs3NDEsNyBAQCBzdGF0 aWMgaW50IHhlbm5ldF9nZXRfZXh0cmFzKHN0cnVjdCBuZXRmcm9udF9xdWV1ZSAqcXVldWUsCiAJ CQkgICAgIFJJTkdfSURYIHJwKQogCiB7Ci0Jc3RydWN0IHhlbl9uZXRpZl9leHRyYV9pbmZvICpl eHRyYTsKKwlzdHJ1Y3QgeGVuX25ldGlmX2V4dHJhX2luZm8gZXh0cmE7CiAJc3RydWN0IGRldmlj ZSAqZGV2ID0gJnF1ZXVlLT5pbmZvLT5uZXRkZXYtPmRldjsKIAlSSU5HX0lEWCBjb25zID0gcXVl dWUtPnJ4LnJzcF9jb25zOwogCWludCBlcnIgPSAwOwpAQCAtNzU3LDI0ICs3NTcsMjMgQEAgc3Rh dGljIGludCB4ZW5uZXRfZ2V0X2V4dHJhcyhzdHJ1Y3QgbmV0ZnJvbnRfcXVldWUgKnF1ZXVlLAog CQkJYnJlYWs7CiAJCX0KIAotCQlleHRyYSA9IChzdHJ1Y3QgeGVuX25ldGlmX2V4dHJhX2luZm8g KikKLQkJCVJJTkdfR0VUX1JFU1BPTlNFKCZxdWV1ZS0+cngsICsrY29ucyk7CisJCVJJTkdfQ09Q WV9SRVNQT05TRSgmcXVldWUtPnJ4LCArK2NvbnMsICZleHRyYSk7CiAKLQkJaWYgKHVubGlrZWx5 KCFleHRyYS0+dHlwZSB8fAotCQkJICAgICBleHRyYS0+dHlwZSA+PSBYRU5fTkVUSUZfRVhUUkFf VFlQRV9NQVgpKSB7CisJCWlmICh1bmxpa2VseSghZXh0cmEudHlwZSB8fAorCQkJICAgICBleHRy YS50eXBlID49IFhFTl9ORVRJRl9FWFRSQV9UWVBFX01BWCkpIHsKIAkJCWlmIChuZXRfcmF0ZWxp bWl0KCkpCiAJCQkJZGV2X3dhcm4oZGV2LCAiSW52YWxpZCBleHRyYSB0eXBlOiAlZFxuIiwKLQkJ CQkJZXh0cmEtPnR5cGUpOworCQkJCQlleHRyYS50eXBlKTsKIAkJCWVyciA9IC1FSU5WQUw7CiAJ CX0gZWxzZSB7Ci0JCQltZW1jcHkoJmV4dHJhc1tleHRyYS0+dHlwZSAtIDFdLCBleHRyYSwKLQkJ CSAgICAgICBzaXplb2YoKmV4dHJhKSk7CisJCQltZW1jcHkoJmV4dHJhc1tleHRyYS50eXBlIC0g MV0sICZleHRyYSwKKwkJCSAgICAgICBzaXplb2YoZXh0cmEpKTsKIAkJfQogCiAJCXNrYiA9IHhl bm5ldF9nZXRfcnhfc2tiKHF1ZXVlLCBjb25zKTsKIAkJcmVmID0geGVubmV0X2dldF9yeF9yZWYo cXVldWUsIGNvbnMpOwogCQl4ZW5uZXRfbW92ZV9yeF9zbG90KHF1ZXVlLCBza2IsIHJlZik7Ci0J fSB3aGlsZSAoZXh0cmEtPmZsYWdzICYgWEVOX05FVElGX0VYVFJBX0ZMQUdfTU9SRSk7CisJfSB3 aGlsZSAoZXh0cmEuZmxhZ3MgJiBYRU5fTkVUSUZfRVhUUkFfRkxBR19NT1JFKTsKIAogCXF1ZXVl LT5yeC5yc3BfY29ucyA9IGNvbnM7CiAJcmV0dXJuIGVycjsKQEAgLTc4NCwyOCArNzgzLDI4IEBA IHN0YXRpYyBpbnQgeGVubmV0X2dldF9yZXNwb25zZXMoc3RydWN0IG5ldGZyb250X3F1ZXVlICpx dWV1ZSwKIAkJCQlzdHJ1Y3QgbmV0ZnJvbnRfcnhfaW5mbyAqcmluZm8sIFJJTkdfSURYIHJwLAog CQkJCXN0cnVjdCBza19idWZmX2hlYWQgKmxpc3QpCiB7Ci0Jc3RydWN0IHhlbl9uZXRpZl9yeF9y ZXNwb25zZSAqcnggPSAmcmluZm8tPnJ4OworCXN0cnVjdCB4ZW5fbmV0aWZfcnhfcmVzcG9uc2Ug cnggPSByaW5mby0+cng7CiAJc3RydWN0IHhlbl9uZXRpZl9leHRyYV9pbmZvICpleHRyYXMgPSBy aW5mby0+ZXh0cmFzOwogCXN0cnVjdCBkZXZpY2UgKmRldiA9ICZxdWV1ZS0+aW5mby0+bmV0ZGV2 LT5kZXY7CiAJUklOR19JRFggY29ucyA9IHF1ZXVlLT5yeC5yc3BfY29uczsKIAlzdHJ1Y3Qgc2tf YnVmZiAqc2tiID0geGVubmV0X2dldF9yeF9za2IocXVldWUsIGNvbnMpOwogCWdyYW50X3JlZl90 IHJlZiA9IHhlbm5ldF9nZXRfcnhfcmVmKHF1ZXVlLCBjb25zKTsKLQlpbnQgbWF4ID0gTUFYX1NL Ql9GUkFHUyArIChyeC0+c3RhdHVzIDw9IFJYX0NPUFlfVEhSRVNIT0xEKTsKKwlpbnQgbWF4ID0g TUFYX1NLQl9GUkFHUyArIChyeC5zdGF0dXMgPD0gUlhfQ09QWV9USFJFU0hPTEQpOwogCWludCBz bG90cyA9IDE7CiAJaW50IGVyciA9IDA7CiAJdW5zaWduZWQgbG9uZyByZXQ7CiAKLQlpZiAocngt PmZsYWdzICYgWEVOX05FVFJYRl9leHRyYV9pbmZvKSB7CisJaWYgKHJ4LmZsYWdzICYgWEVOX05F VFJYRl9leHRyYV9pbmZvKSB7CiAJCWVyciA9IHhlbm5ldF9nZXRfZXh0cmFzKHF1ZXVlLCBleHRy YXMsIHJwKTsKIAkJY29ucyA9IHF1ZXVlLT5yeC5yc3BfY29uczsKIAl9CiAKIAlmb3IgKDs7KSB7 Ci0JCWlmICh1bmxpa2VseShyeC0+c3RhdHVzIDwgMCB8fAotCQkJICAgICByeC0+b2Zmc2V0ICsg cngtPnN0YXR1cyA+IFhFTl9QQUdFX1NJWkUpKSB7CisJCWlmICh1bmxpa2VseShyeC5zdGF0dXMg PCAwIHx8CisJCQkgICAgIHJ4Lm9mZnNldCArIHJ4LnN0YXR1cyA+IFhFTl9QQUdFX1NJWkUpKSB7 CiAJCQlpZiAobmV0X3JhdGVsaW1pdCgpKQogCQkJCWRldl93YXJuKGRldiwgInJ4LT5vZmZzZXQ6 ICV1LCBzaXplOiAlZFxuIiwKLQkJCQkJIHJ4LT5vZmZzZXQsIHJ4LT5zdGF0dXMpOworCQkJCQkg cngub2Zmc2V0LCByeC5zdGF0dXMpOwogCQkJeGVubmV0X21vdmVfcnhfc2xvdChxdWV1ZSwgc2ti LCByZWYpOwogCQkJZXJyID0gLUVJTlZBTDsKIAkJCWdvdG8gbmV4dDsKQEAgLTgxOSw3ICs4MTgs NyBAQCBzdGF0aWMgaW50IHhlbm5ldF9nZXRfcmVzcG9uc2VzKHN0cnVjdCBuZXRmcm9udF9xdWV1 ZSAqcXVldWUsCiAJCWlmIChyZWYgPT0gR1JBTlRfSU5WQUxJRF9SRUYpIHsKIAkJCWlmIChuZXRf cmF0ZWxpbWl0KCkpCiAJCQkJZGV2X3dhcm4oZGV2LCAiQmFkIHJ4IHJlc3BvbnNlIGlkICVkLlxu IiwKLQkJCQkJIHJ4LT5pZCk7CisJCQkJCSByeC5pZCk7CiAJCQllcnIgPSAtRUlOVkFMOwogCQkJ Z290byBuZXh0OwogCQl9CkBAIC04MzIsNyArODMxLDcgQEAgc3RhdGljIGludCB4ZW5uZXRfZ2V0 X3Jlc3BvbnNlcyhzdHJ1Y3QgbmV0ZnJvbnRfcXVldWUgKnF1ZXVlLAogCQlfX3NrYl9xdWV1ZV90 YWlsKGxpc3QsIHNrYik7CiAKIG5leHQ6Ci0JCWlmICghKHJ4LT5mbGFncyAmIFhFTl9ORVRSWEZf bW9yZV9kYXRhKSkKKwkJaWYgKCEocnguZmxhZ3MgJiBYRU5fTkVUUlhGX21vcmVfZGF0YSkpCiAJ CQlicmVhazsKIAogCQlpZiAoY29ucyArIHNsb3RzID09IHJwKSB7CkBAIC04NDIsNyArODQxLDcg QEAgc3RhdGljIGludCB4ZW5uZXRfZ2V0X3Jlc3BvbnNlcyhzdHJ1Y3QgbmV0ZnJvbnRfcXVldWUg KnF1ZXVlLAogCQkJYnJlYWs7CiAJCX0KIAotCQlyeCA9IFJJTkdfR0VUX1JFU1BPTlNFKCZxdWV1 ZS0+cngsIGNvbnMgKyBzbG90cyk7CisJCVJJTkdfQ09QWV9SRVNQT05TRSgmcXVldWUtPnJ4LCBj b25zICsgc2xvdHMsICZyeCk7CiAJCXNrYiA9IHhlbm5ldF9nZXRfcnhfc2tiKHF1ZXVlLCBjb25z ICsgc2xvdHMpOwogCQlyZWYgPSB4ZW5uZXRfZ2V0X3J4X3JlZihxdWV1ZSwgY29ucyArIHNsb3Rz KTsKIAkJc2xvdHMrKzsKQEAgLTg5OCw5ICs4OTcsOSBAQCBzdGF0aWMgUklOR19JRFggeGVubmV0 X2ZpbGxfZnJhZ3Moc3RydWN0IG5ldGZyb250X3F1ZXVlICpxdWV1ZSwKIAlzdHJ1Y3Qgc2tfYnVm ZiAqbnNrYjsKIAogCXdoaWxlICgobnNrYiA9IF9fc2tiX2RlcXVldWUobGlzdCkpKSB7Ci0JCXN0 cnVjdCB4ZW5fbmV0aWZfcnhfcmVzcG9uc2UgKnJ4ID0KLQkJCVJJTkdfR0VUX1JFU1BPTlNFKCZx dWV1ZS0+cngsICsrY29ucyk7CisJCXN0cnVjdCB4ZW5fbmV0aWZfcnhfcmVzcG9uc2Ugcng7CiAJ CXNrYl9mcmFnX3QgKm5mcmFnID0gJnNrYl9zaGluZm8obnNrYiktPmZyYWdzWzBdOworCQlSSU5H X0NPUFlfUkVTUE9OU0UoJnF1ZXVlLT5yeCwgKytjb25zLCAmcngpOwogCiAJCWlmIChzaGluZm8t Pm5yX2ZyYWdzID09IE1BWF9TS0JfRlJBR1MpIHsKIAkJCXVuc2lnbmVkIGludCBwdWxsX3RvID0g TkVURlJPTlRfU0tCX0NCKHNrYiktPnB1bGxfdG87CkBAIC05MTEsNyArOTEwLDcgQEAgc3RhdGlj IFJJTkdfSURYIHhlbm5ldF9maWxsX2ZyYWdzKHN0cnVjdCBuZXRmcm9udF9xdWV1ZSAqcXVldWUs CiAJCUJVR19PTihzaGluZm8tPm5yX2ZyYWdzID49IE1BWF9TS0JfRlJBR1MpOwogCiAJCXNrYl9h ZGRfcnhfZnJhZyhza2IsIHNoaW5mby0+bnJfZnJhZ3MsIHNrYl9mcmFnX3BhZ2UobmZyYWcpLAot CQkJCXJ4LT5vZmZzZXQsIHJ4LT5zdGF0dXMsIFBBR0VfU0laRSk7CisJCQkJcngub2Zmc2V0LCBy eC5zdGF0dXMsIFBBR0VfU0laRSk7CiAKIAkJc2tiX3NoaW5mbyhuc2tiKS0+bnJfZnJhZ3MgPSAw OwogCQlrZnJlZV9za2IobnNrYik7CkBAIC0xMDA3LDcgKzEwMDYsNyBAQCBzdGF0aWMgaW50IHhl bm5ldF9wb2xsKHN0cnVjdCBuYXBpX3N0cnVjdCAqbmFwaSwgaW50IGJ1ZGdldCkKIAlpID0gcXVl dWUtPnJ4LnJzcF9jb25zOwogCXdvcmtfZG9uZSA9IDA7CiAJd2hpbGUgKChpICE9IHJwKSAmJiAo d29ya19kb25lIDwgYnVkZ2V0KSkgewotCQltZW1jcHkocngsIFJJTkdfR0VUX1JFU1BPTlNFKCZx dWV1ZS0+cngsIGkpLCBzaXplb2YoKnJ4KSk7CisJCVJJTkdfQ09QWV9SRVNQT05TRSgmcXVldWUt PnJ4LCBpLCByeCk7CiAJCW1lbXNldChleHRyYXMsIDAsIHNpemVvZihyaW5mby5leHRyYXMpKTsK IAogCQllcnIgPSB4ZW5uZXRfZ2V0X3Jlc3BvbnNlcyhxdWV1ZSwgJnJpbmZvLCBycCwgJnRtcHEp OwotLSAKZ2l0LXNlcmllcyAwLjkuMQoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX18KWGVuLWRldmVsIG1haWxpbmcgbGlzdApYZW4tZGV2ZWxAbGlzdHMueGVu cHJvamVjdC5vcmcKaHR0cHM6Ly9saXN0cy54ZW5wcm9qZWN0Lm9yZy9tYWlsbWFuL2xpc3RpbmZv L3hlbi1kZXZlbA==