From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6906EC433DB for ; Tue, 5 Jan 2021 06:49:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1A80322482 for ; Tue, 5 Jan 2021 06:49:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726558AbhAEGtB (ORCPT ); Tue, 5 Jan 2021 01:49:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41596 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725966AbhAEGtA (ORCPT ); Tue, 5 Jan 2021 01:49:00 -0500 Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 33F58C061796 for ; Mon, 4 Jan 2021 22:48:20 -0800 (PST) Received: by mail-lf1-x134.google.com with SMTP id a12so70216118lfl.6 for ; Mon, 04 Jan 2021 22:48:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=OpxZsk9jJXP2U2C3iXiY0AGX43J+hhnzXoyfUqqDyT8=; b=HV5OYzJgzdKgjV9ln/TJArILsakLGNM5bDtgfkhefjmw5Rjatol/WFLS8x5J9vBayF NNbDlXIhYKxeTK84AQs6308kIYuhgja4K2FcvnPEMnE6qP1yFaPaExh7FApoQ8dH2ygl sAhG0WYQfKUUVgjCWKTlwEl68DmiJlL7vOaf4CZo55hQoLXojOnMwdenbRd+dHhjEVE9 FxW5PXJoF10b3h1rYCPSxF8mje4wd8ClYJx31klEpPZpHKWmFNCp9rSFVjLdtGhOoQs7 BVFqEOjq/CEobKvNG6SnrwpShUKMGI3gAxo9/Gx7s0lzsz7uCT+EUAak2F4ixcgJO5lw 93QQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=OpxZsk9jJXP2U2C3iXiY0AGX43J+hhnzXoyfUqqDyT8=; b=fkdUhzJbffG3DnF6l+uZIJbGYpKDydGpXVzNBuYrMkVRMJFPIaboEwNMG57oBigXdh HjPDVO04bYf/gdKMq6nhWosjZEUpGtCvWAFuiXhH87SNxv/3E+SK0PAqYaURybkB1DbQ TFZrH7GNUEc/eDdgkIYSrLZzWMEjlFPGAFb2Q7m44SkuKoHihEfFdwN/44dt1mM1maOY 4uqUpGAtrmZ7I91U7qyln0jyC5m+v6sTTXjrlYKvvaIzPJ1yw/TzvH8/MqH23TRFNgyj J+AK8ko8mHks6tAHFGQIwjQAzP4cqQj5kUHwg+6asgqcfknTMPzw+Tfp1DwWe4/VIL4J PcXA== X-Gm-Message-State: AOAM532CZPPjwApcHdigW8QGeDnCICdvfmqhjbFnDL/3VqWO6DGU2Yxo h5fuX92t4fTxz1rm9BTwgt/nu9ytZYpSpdgOzkHJdw== X-Google-Smtp-Source: ABdhPJww36k15/BzfzFNtkEkRVVb1J7oNB6wbeGsjMWSPdmmxrY7TpN0ZzAMFQcC6cOlpcf5nxALWSLSOVFaPwQ1AgI= X-Received: by 2002:a2e:9dc1:: with SMTP id x1mr35175313ljj.32.1609829298531; Mon, 04 Jan 2021 22:48:18 -0800 (PST) MIME-Version: 1.0 References: <1609760177-6083-1-git-send-email-charante@codeaurora.org> <0dcbf9c5-3c28-0f57-0069-3fe5dc3aa7f6@gmail.com> In-Reply-To: <0dcbf9c5-3c28-0f57-0069-3fe5dc3aa7f6@gmail.com> From: Sumit Semwal Date: Tue, 5 Jan 2021 12:18:07 +0530 Message-ID: Subject: Re: [Linaro-mm-sig] [PATCH] dmabuf: fix use-after-free of dmabuf's file->f_inode To: Christian Koenig Cc: Charan Teja Reddy , Arnd Bergmann , "open list:DMA BUFFER SHARING FRAMEWORK" , DRI mailing list , Linaro MM SIG , LKML Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Charan, On Mon, 4 Jan 2021 at 17:22, Christian K=C3=B6nig wrote: > > Am 04.01.21 um 12:36 schrieb Charan Teja Reddy: > > It is observed 'use-after-free' on the dmabuf's file->f_inode with the > > race between closing the dmabuf file and reading the dmabuf's debug > > info. > > > > Consider the below scenario where P1 is closing the dma_buf file > > and P2 is reading the dma_buf's debug info in the system: > > > > P1 P2 > > dma_buf_debug_show() > > dma_buf_put() > > __fput() > > file->f_op->release() > > dput() > > .... > > dentry_unlink_inode() > > iput(dentry->d_inode) > > (where the inode is freed) > > mutex_lock(&db_list.lock) > > read 'dma_buf->file->f_inode' > > (the same inode is freed by P1) > > mutex_unlock(&db_list.lock) > > dentry->d_op->d_release()--> > > dma_buf_release() > > ..... > > mutex_lock(&db_list.lock) > > removes the dmabuf from the list > > mutex_unlock(&db_list.lock) > > > > In the above scenario, when dma_buf_put() is called on a dma_buf, it > > first frees the dma_buf's file->f_inode(=3Ddentry->d_inode) and then > > removes this dma_buf from the system db_list. In between P2 traversing > > the db_list tries to access this dma_buf's file->f_inode that was freed > > by P1 which is a use-after-free case. > > > > Since, __fput() calls f_op->release first and then later calls the > > d_op->d_release, move the dma_buf's db_list removal from d_release() to > > f_op->release(). This ensures that dma_buf's file->f_inode is not > > accessed after it is released. > > > > Fixes: 4ab59c3c638c ("dma-buf: Move dma_buf_release() from fops to dent= ry_ops") > > Signed-off-by: Charan Teja Reddy > > Not an expert on the debugfs stuff in DMA-buf, but the explanation > sounds perfectly correct to me. > > Acked-by: Christian K=C3=B6nig Thanks for your fix; I will queue it up in the fixes branch. Can you please also send it to be queued to 5.4+ stable branches? > > > --- > > drivers/dma-buf/dma-buf.c | 21 +++++++++++++++++---- > > 1 file changed, 17 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c > > index 0eb80c1..a14dcbb 100644 > > --- a/drivers/dma-buf/dma-buf.c > > +++ b/drivers/dma-buf/dma-buf.c > > @@ -76,10 +76,6 @@ static void dma_buf_release(struct dentry *dentry) > > > > dmabuf->ops->release(dmabuf); > > > > - mutex_lock(&db_list.lock); > > - list_del(&dmabuf->list_node); > > - mutex_unlock(&db_list.lock); > > - > > if (dmabuf->resv =3D=3D (struct dma_resv *)&dmabuf[1]) > > dma_resv_fini(dmabuf->resv); > > > > @@ -88,6 +84,22 @@ static void dma_buf_release(struct dentry *dentry) > > kfree(dmabuf); > > } > > > > +static int dma_buf_file_release(struct inode *inode, struct file *file= ) > > +{ > > + struct dma_buf *dmabuf; > > + > > + if (!is_dma_buf_file(file)) > > + return -EINVAL; > > + > > + dmabuf =3D file->private_data; > > + > > + mutex_lock(&db_list.lock); > > + list_del(&dmabuf->list_node); > > + mutex_unlock(&db_list.lock); > > + > > + return 0; > > +} > > + > > static const struct dentry_operations dma_buf_dentry_ops =3D { > > .d_dname =3D dmabuffs_dname, > > .d_release =3D dma_buf_release, > > @@ -413,6 +425,7 @@ static void dma_buf_show_fdinfo(struct seq_file *m,= struct file *file) > > } > > > > static const struct file_operations dma_buf_fops =3D { > > + .release =3D dma_buf_file_release, > > .mmap =3D dma_buf_mmap_internal, > > .llseek =3D dma_buf_llseek, > > .poll =3D dma_buf_poll, > Best, Sumit. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3EE1FC433E0 for ; Tue, 5 Jan 2021 06:48:22 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id BAB3622482 for ; Tue, 5 Jan 2021 06:48:21 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BAB3622482 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=dri-devel-bounces@lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id A6CB189948; Tue, 5 Jan 2021 06:48:20 +0000 (UTC) Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) by gabe.freedesktop.org (Postfix) with ESMTPS id 3345189948 for ; Tue, 5 Jan 2021 06:48:20 +0000 (UTC) Received: by mail-lf1-x133.google.com with SMTP id o13so70227714lfr.3 for ; Mon, 04 Jan 2021 22:48:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=OpxZsk9jJXP2U2C3iXiY0AGX43J+hhnzXoyfUqqDyT8=; b=HV5OYzJgzdKgjV9ln/TJArILsakLGNM5bDtgfkhefjmw5Rjatol/WFLS8x5J9vBayF NNbDlXIhYKxeTK84AQs6308kIYuhgja4K2FcvnPEMnE6qP1yFaPaExh7FApoQ8dH2ygl sAhG0WYQfKUUVgjCWKTlwEl68DmiJlL7vOaf4CZo55hQoLXojOnMwdenbRd+dHhjEVE9 FxW5PXJoF10b3h1rYCPSxF8mje4wd8ClYJx31klEpPZpHKWmFNCp9rSFVjLdtGhOoQs7 BVFqEOjq/CEobKvNG6SnrwpShUKMGI3gAxo9/Gx7s0lzsz7uCT+EUAak2F4ixcgJO5lw 93QQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=OpxZsk9jJXP2U2C3iXiY0AGX43J+hhnzXoyfUqqDyT8=; b=Bn05+lZ27UV8jAdiu8sxILsdEmv4UX63O9xrbxYbPs5eg1a1RcVTDFmDPASoOUbtzM ka83ZjEVkiJbVjAPNBcPZ/CYx2Jev/6FslLjn5ynUQWo2LskLRQcS/ygXH1uIbdWAl2i rKMfO35umRnjX5OqIYUq0Sa8NzRK6lWgPccoAPIplgi+AWwmjFvs+TMG8665tTExYeMy 1Rbxqh6uJeHW6TQxmyXjj1DxO9rU3jYf+gkZ+biOJT1Slzr4x0oBYp4AsLNngUyCVkse jZ+V1hCFXXCOy0UAq430BWYcyGXXjnsuEIsPtT+YCAEkoT3fxw7PsZ5+DE2l0mXjzkSO 6dNA== X-Gm-Message-State: AOAM530arrSD3C3aGj2gQQG1JIpZJsxlbg4DiO2GgoeVmTTU0Fi6qbdW UF99HiPjn05J3wsC2Yk+bqkmkF8B4UdxZvF2ANuCiw== X-Google-Smtp-Source: ABdhPJww36k15/BzfzFNtkEkRVVb1J7oNB6wbeGsjMWSPdmmxrY7TpN0ZzAMFQcC6cOlpcf5nxALWSLSOVFaPwQ1AgI= X-Received: by 2002:a2e:9dc1:: with SMTP id x1mr35175313ljj.32.1609829298531; Mon, 04 Jan 2021 22:48:18 -0800 (PST) MIME-Version: 1.0 References: <1609760177-6083-1-git-send-email-charante@codeaurora.org> <0dcbf9c5-3c28-0f57-0069-3fe5dc3aa7f6@gmail.com> In-Reply-To: <0dcbf9c5-3c28-0f57-0069-3fe5dc3aa7f6@gmail.com> From: Sumit Semwal Date: Tue, 5 Jan 2021 12:18:07 +0530 Message-ID: Subject: Re: [Linaro-mm-sig] [PATCH] dmabuf: fix use-after-free of dmabuf's file->f_inode To: Christian Koenig X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Arnd Bergmann , LKML , DRI mailing list , Linaro MM SIG , Charan Teja Reddy , "open list:DMA BUFFER SHARING FRAMEWORK" Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" SGkgQ2hhcmFuLAoKT24gTW9uLCA0IEphbiAyMDIxIGF0IDE3OjIyLCBDaHJpc3RpYW4gS8O2bmln Cjxja29lbmlnLmxlaWNodHp1bWVya2VuQGdtYWlsLmNvbT4gd3JvdGU6Cj4KPiBBbSAwNC4wMS4y MSB1bSAxMjozNiBzY2hyaWViIENoYXJhbiBUZWphIFJlZGR5Ogo+ID4gSXQgaXMgb2JzZXJ2ZWQg J3VzZS1hZnRlci1mcmVlJyBvbiB0aGUgZG1hYnVmJ3MgZmlsZS0+Zl9pbm9kZSB3aXRoIHRoZQo+ ID4gcmFjZSBiZXR3ZWVuIGNsb3NpbmcgdGhlIGRtYWJ1ZiBmaWxlIGFuZCByZWFkaW5nIHRoZSBk bWFidWYncyBkZWJ1Zwo+ID4gaW5mby4KPiA+Cj4gPiBDb25zaWRlciB0aGUgYmVsb3cgc2NlbmFy aW8gd2hlcmUgUDEgaXMgY2xvc2luZyB0aGUgZG1hX2J1ZiBmaWxlCj4gPiBhbmQgUDIgaXMgcmVh ZGluZyB0aGUgZG1hX2J1ZidzIGRlYnVnIGluZm8gaW4gdGhlIHN5c3RlbToKPiA+Cj4gPiBQMSAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUDIKPiA+ICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZG1hX2J1Zl9kZWJ1Z19zaG93KCkKPiA+IGRt YV9idWZfcHV0KCkKPiA+ICAgIF9fZnB1dCgpCj4gPiAgICAgIGZpbGUtPmZfb3AtPnJlbGVhc2Uo KQo+ID4gICAgICBkcHV0KCkKPiA+ICAgICAgLi4uLgo+ID4gICAgICAgIGRlbnRyeV91bmxpbmtf aW5vZGUoKQo+ID4gICAgICAgICAgaXB1dChkZW50cnktPmRfaW5vZGUpCj4gPiAgICAgICAgICAo d2hlcmUgdGhlIGlub2RlIGlzIGZyZWVkKQo+ID4gICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICBtdXRleF9sb2NrKCZkYl9saXN0LmxvY2spCj4gPiAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIHJlYWQgJ2RtYV9idWYtPmZpbGUtPmZfaW5vZGUnCj4gPiAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICh0aGUgc2FtZSBpbm9kZSBpcyBm cmVlZCBieSBQMSkKPiA+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbXV0 ZXhfdW5sb2NrKCZkYl9saXN0LmxvY2spCj4gPiAgICAgICAgZGVudHJ5LT5kX29wLT5kX3JlbGVh c2UoKS0tPgo+ID4gICAgICAgICAgZG1hX2J1Zl9yZWxlYXNlKCkKPiA+ICAgICAgICAgICAgLi4u Li4KPiA+ICAgICAgICAgICAgbXV0ZXhfbG9jaygmZGJfbGlzdC5sb2NrKQo+ID4gICAgICAgICAg ICByZW1vdmVzIHRoZSBkbWFidWYgZnJvbSB0aGUgbGlzdAo+ID4gICAgICAgICAgICBtdXRleF91 bmxvY2soJmRiX2xpc3QubG9jaykKPiA+Cj4gPiBJbiB0aGUgYWJvdmUgc2NlbmFyaW8sIHdoZW4g ZG1hX2J1Zl9wdXQoKSBpcyBjYWxsZWQgb24gYSBkbWFfYnVmLCBpdAo+ID4gZmlyc3QgZnJlZXMg dGhlIGRtYV9idWYncyBmaWxlLT5mX2lub2RlKD1kZW50cnktPmRfaW5vZGUpIGFuZCB0aGVuCj4g PiByZW1vdmVzIHRoaXMgZG1hX2J1ZiBmcm9tIHRoZSBzeXN0ZW0gZGJfbGlzdC4gSW4gYmV0d2Vl biBQMiB0cmF2ZXJzaW5nCj4gPiB0aGUgZGJfbGlzdCB0cmllcyB0byBhY2Nlc3MgdGhpcyBkbWFf YnVmJ3MgZmlsZS0+Zl9pbm9kZSB0aGF0IHdhcyBmcmVlZAo+ID4gYnkgUDEgd2hpY2ggaXMgYSB1 c2UtYWZ0ZXItZnJlZSBjYXNlLgo+ID4KPiA+IFNpbmNlLCBfX2ZwdXQoKSBjYWxscyBmX29wLT5y ZWxlYXNlIGZpcnN0IGFuZCB0aGVuIGxhdGVyIGNhbGxzIHRoZQo+ID4gZF9vcC0+ZF9yZWxlYXNl LCBtb3ZlIHRoZSBkbWFfYnVmJ3MgZGJfbGlzdCByZW1vdmFsIGZyb20gZF9yZWxlYXNlKCkgdG8K PiA+IGZfb3AtPnJlbGVhc2UoKS4gVGhpcyBlbnN1cmVzIHRoYXQgZG1hX2J1ZidzIGZpbGUtPmZf aW5vZGUgaXMgbm90Cj4gPiBhY2Nlc3NlZCBhZnRlciBpdCBpcyByZWxlYXNlZC4KPiA+Cj4gPiBG aXhlczogNGFiNTljM2M2MzhjICgiZG1hLWJ1ZjogTW92ZSBkbWFfYnVmX3JlbGVhc2UoKSBmcm9t IGZvcHMgdG8gZGVudHJ5X29wcyIpCj4gPiBTaWduZWQtb2ZmLWJ5OiBDaGFyYW4gVGVqYSBSZWRk eSA8Y2hhcmFudGVAY29kZWF1cm9yYS5vcmc+Cj4KPiBOb3QgYW4gZXhwZXJ0IG9uIHRoZSBkZWJ1 Z2ZzIHN0dWZmIGluIERNQS1idWYsIGJ1dCB0aGUgZXhwbGFuYXRpb24KPiBzb3VuZHMgcGVyZmVj dGx5IGNvcnJlY3QgdG8gbWUuCj4KPiBBY2tlZC1ieTogQ2hyaXN0aWFuIEvDtm5pZyA8Y2hyaXN0 aWFuLmtvZW5pZ0BhbWQuY29tPgoKVGhhbmtzIGZvciB5b3VyIGZpeDsgSSB3aWxsIHF1ZXVlIGl0 IHVwIGluIHRoZSBmaXhlcyBicmFuY2guIENhbiB5b3UKcGxlYXNlIGFsc28gc2VuZCBpdCB0byBi ZSBxdWV1ZWQgdG8gNS40KyBzdGFibGUgYnJhbmNoZXM/Cgo+Cj4gPiAtLS0KPiA+ICAgZHJpdmVy cy9kbWEtYnVmL2RtYS1idWYuYyB8IDIxICsrKysrKysrKysrKysrKysrLS0tLQo+ID4gICAxIGZp bGUgY2hhbmdlZCwgMTcgaW5zZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKPiA+Cj4gPiBkaWZm IC0tZ2l0IGEvZHJpdmVycy9kbWEtYnVmL2RtYS1idWYuYyBiL2RyaXZlcnMvZG1hLWJ1Zi9kbWEt YnVmLmMKPiA+IGluZGV4IDBlYjgwYzEuLmExNGRjYmIgMTAwNjQ0Cj4gPiAtLS0gYS9kcml2ZXJz L2RtYS1idWYvZG1hLWJ1Zi5jCj4gPiArKysgYi9kcml2ZXJzL2RtYS1idWYvZG1hLWJ1Zi5jCj4g PiBAQCAtNzYsMTAgKzc2LDYgQEAgc3RhdGljIHZvaWQgZG1hX2J1Zl9yZWxlYXNlKHN0cnVjdCBk ZW50cnkgKmRlbnRyeSkKPiA+Cj4gPiAgICAgICBkbWFidWYtPm9wcy0+cmVsZWFzZShkbWFidWYp Owo+ID4KPiA+IC0gICAgIG11dGV4X2xvY2soJmRiX2xpc3QubG9jayk7Cj4gPiAtICAgICBsaXN0 X2RlbCgmZG1hYnVmLT5saXN0X25vZGUpOwo+ID4gLSAgICAgbXV0ZXhfdW5sb2NrKCZkYl9saXN0 LmxvY2spOwo+ID4gLQo+ID4gICAgICAgaWYgKGRtYWJ1Zi0+cmVzdiA9PSAoc3RydWN0IGRtYV9y ZXN2ICopJmRtYWJ1ZlsxXSkKPiA+ICAgICAgICAgICAgICAgZG1hX3Jlc3ZfZmluaShkbWFidWYt PnJlc3YpOwo+ID4KPiA+IEBAIC04OCw2ICs4NCwyMiBAQCBzdGF0aWMgdm9pZCBkbWFfYnVmX3Jl bGVhc2Uoc3RydWN0IGRlbnRyeSAqZGVudHJ5KQo+ID4gICAgICAga2ZyZWUoZG1hYnVmKTsKPiA+ ICAgfQo+ID4KPiA+ICtzdGF0aWMgaW50IGRtYV9idWZfZmlsZV9yZWxlYXNlKHN0cnVjdCBpbm9k ZSAqaW5vZGUsIHN0cnVjdCBmaWxlICpmaWxlKQo+ID4gK3sKPiA+ICsgICAgIHN0cnVjdCBkbWFf YnVmICpkbWFidWY7Cj4gPiArCj4gPiArICAgICBpZiAoIWlzX2RtYV9idWZfZmlsZShmaWxlKSkK PiA+ICsgICAgICAgICAgICAgcmV0dXJuIC1FSU5WQUw7Cj4gPiArCj4gPiArICAgICBkbWFidWYg PSBmaWxlLT5wcml2YXRlX2RhdGE7Cj4gPiArCj4gPiArICAgICBtdXRleF9sb2NrKCZkYl9saXN0 LmxvY2spOwo+ID4gKyAgICAgbGlzdF9kZWwoJmRtYWJ1Zi0+bGlzdF9ub2RlKTsKPiA+ICsgICAg IG11dGV4X3VubG9jaygmZGJfbGlzdC5sb2NrKTsKPiA+ICsKPiA+ICsgICAgIHJldHVybiAwOwo+ ID4gK30KPiA+ICsKPiA+ICAgc3RhdGljIGNvbnN0IHN0cnVjdCBkZW50cnlfb3BlcmF0aW9ucyBk bWFfYnVmX2RlbnRyeV9vcHMgPSB7Cj4gPiAgICAgICAuZF9kbmFtZSA9IGRtYWJ1ZmZzX2RuYW1l LAo+ID4gICAgICAgLmRfcmVsZWFzZSA9IGRtYV9idWZfcmVsZWFzZSwKPiA+IEBAIC00MTMsNiAr NDI1LDcgQEAgc3RhdGljIHZvaWQgZG1hX2J1Zl9zaG93X2ZkaW5mbyhzdHJ1Y3Qgc2VxX2ZpbGUg Km0sIHN0cnVjdCBmaWxlICpmaWxlKQo+ID4gICB9Cj4gPgo+ID4gICBzdGF0aWMgY29uc3Qgc3Ry dWN0IGZpbGVfb3BlcmF0aW9ucyBkbWFfYnVmX2ZvcHMgPSB7Cj4gPiArICAgICAucmVsZWFzZSAg ICAgICAgPSBkbWFfYnVmX2ZpbGVfcmVsZWFzZSwKPiA+ICAgICAgIC5tbWFwICAgICAgICAgICA9 IGRtYV9idWZfbW1hcF9pbnRlcm5hbCwKPiA+ICAgICAgIC5sbHNlZWsgICAgICAgICA9IGRtYV9i dWZfbGxzZWVrLAo+ID4gICAgICAgLnBvbGwgICAgICAgICAgID0gZG1hX2J1Zl9wb2xsLAo+CgpC ZXN0LApTdW1pdC4KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X18KZHJpLWRldmVsIG1haWxpbmcgbGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3Jn Cmh0dHBzOi8vbGlzdHMuZnJlZWRlc2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8vZHJpLWRldmVs Cg==