From 9b080edfbde3c26f4780b5bae8a401b38ca0d852 Mon Sep 17 00:00:00 2001 From: Jeongik Cha Date: Mon, 4 Jul 2022 17:43:54 +0900 Subject: [PATCH 01/31] UPSTREAM: wifi: mac80211_hwsim: fix race condition in pending packet commit 4ee186fa7e40ae06ebbfbad77e249e3746e14114 upstream. A pending packet uses a cookie as an unique key, but it can be duplicated because it didn't use atomic operators. And also, a pending packet can be null in hwsim_tx_info_frame_received_nl due to race condition with mac80211_hwsim_stop. For this, * Use an atomic type and operator for a cookie * Add a lock around the loop for pending packets Signed-off-by: Jeongik Cha Link: https://lore.kernel.org/r/20220704084354.3556326-1-jeongik@google.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman (cherry picked from commit eb8fc4277b628ac81db806c130a500dd48a9e524) Signed-off-by: Carlos Llamas Bug: 236994625 Change-Id: Ic6613c8869a51b5de303e40406f023af689b9d64 --- drivers/net/wireless/mac80211_hwsim.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index e963ebb1156a..10a3fdb23a1f 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -597,7 +597,7 @@ struct mac80211_hwsim_data { bool ps_poll_pending; struct dentry *debugfs; - uintptr_t pending_cookie; + atomic64_t pending_cookie; struct sk_buff_head pending; /* packets pending */ /* * Only radios in the same group can communicate together (the @@ -1204,7 +1204,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw, int i; struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES]; struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES]; - uintptr_t cookie; + u64 cookie; if (data->ps != PS_DISABLED) hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); @@ -1273,8 +1273,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw, goto nla_put_failure; /* We create a cookie to identify this skb */ - data->pending_cookie++; - cookie = data->pending_cookie; + cookie = (u64)atomic64_inc_return(&data->pending_cookie); info->rate_driver_data[0] = (void *)cookie; if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD)) goto nla_put_failure; @@ -3514,6 +3513,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, const u8 *src; unsigned int hwsim_flags; int i; + unsigned long flags; bool found = false; if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] || @@ -3541,18 +3541,20 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, } /* look for the skb matching the cookie passed back from user */ + spin_lock_irqsave(&data2->pending.lock, flags); skb_queue_walk_safe(&data2->pending, skb, tmp) { u64 skb_cookie; txi = IEEE80211_SKB_CB(skb); - skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0]; + skb_cookie = (u64)txi->rate_driver_data[0]; if (skb_cookie == ret_skb_cookie) { - skb_unlink(skb, &data2->pending); + __skb_unlink(skb, &data2->pending); found = true; break; } } + spin_unlock_irqrestore(&data2->pending.lock, flags); /* not found */ if (!found) From 08cb67eb33769f0bcda5457b54b5e9e1c0845c3a Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Mon, 11 Jul 2022 13:14:24 +0200 Subject: [PATCH 02/31] UPSTREAM: wifi: mac80211_hwsim: add back erroneously removed cast commit 58b6259d820d63c2adf1c7541b54cce5a2ae6073 upstream. The robots report that we're now casting to a differently sized integer, which is correct, and the previous patch had erroneously removed it. Reported-by: kernel test robot Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet") Signed-off-by: Johannes Berg Cc: Jeongik Cha Signed-off-by: Greg Kroah-Hartman (cherry picked from commit d400222f49599423862010f0c7f6fee142be72d7) Signed-off-by: Carlos Llamas Bug: 236994625 Change-Id: I4b5cfa77c47d4d03b46600f0b543e27340c228c0 --- drivers/net/wireless/mac80211_hwsim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 10a3fdb23a1f..88f47d528bd6 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -3546,7 +3546,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, u64 skb_cookie; txi = IEEE80211_SKB_CB(skb); - skb_cookie = (u64)txi->rate_driver_data[0]; + skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0]; if (skb_cookie == ret_skb_cookie) { __skb_unlink(skb, &data2->pending); From f18e68a2344c04d9efe4c42faa08ad0edb38f693 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 13 Jul 2022 21:16:45 +0200 Subject: [PATCH 03/31] UPSTREAM: wifi: mac80211_hwsim: use 32-bit skb cookie commit cc5250cdb43d444061412df7fae72d2b4acbdf97 upstream. We won't really have enough skbs to need a 64-bit cookie, and on 32-bit platforms storing the 64-bit cookie into the void *rate_driver_data doesn't work anyway. Switch back to using just a 32-bit cookie and uintptr_t for the type to avoid compiler warnings about all this. Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet") Signed-off-by: Johannes Berg Cc: Jeongik Cha Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 6dece5ad6e1e7d8c2bacfae606dc6f18a18c51e0) Signed-off-by: Carlos Llamas Bug: 236994625 Change-Id: I81b075297ec2248f706aebc914cd5e2783665bbc --- drivers/net/wireless/mac80211_hwsim.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 88f47d528bd6..2d1f7fb18381 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -597,7 +597,7 @@ struct mac80211_hwsim_data { bool ps_poll_pending; struct dentry *debugfs; - atomic64_t pending_cookie; + atomic_t pending_cookie; struct sk_buff_head pending; /* packets pending */ /* * Only radios in the same group can communicate together (the @@ -1204,7 +1204,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw, int i; struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES]; struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES]; - u64 cookie; + uintptr_t cookie; if (data->ps != PS_DISABLED) hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); @@ -1273,7 +1273,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw, goto nla_put_failure; /* We create a cookie to identify this skb */ - cookie = (u64)atomic64_inc_return(&data->pending_cookie); + cookie = atomic_inc_return(&data->pending_cookie); info->rate_driver_data[0] = (void *)cookie; if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD)) goto nla_put_failure; @@ -3543,10 +3543,10 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, /* look for the skb matching the cookie passed back from user */ spin_lock_irqsave(&data2->pending.lock, flags); skb_queue_walk_safe(&data2->pending, skb, tmp) { - u64 skb_cookie; + uintptr_t skb_cookie; txi = IEEE80211_SKB_CB(skb); - skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0]; + skb_cookie = (uintptr_t)txi->rate_driver_data[0]; if (skb_cookie == ret_skb_cookie) { __skb_unlink(skb, &data2->pending); From 24220df8028a5ae16b20aa5dc175186b14252ccb Mon Sep 17 00:00:00 2001 From: Chao Yu Date: Wed, 28 Sep 2022 23:38:53 +0800 Subject: [PATCH 04/31] FROMGIT: f2fs: support recording stop_checkpoint reason into super_block This patch supports to record stop_checkpoint error into f2fs_super_block.s_stop_reason[]. Bug: 247456379 Bug: 246094874 (cherry picked from commit 93523dddd98b9838896277fa9cad238a72214f02 https: //git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git dev) Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Change-Id: I3e5fb355a7a7413b1e4bb4937791491ca73e6853 --- fs/f2fs/checkpoint.c | 10 +++++++--- fs/f2fs/data.c | 6 ++++-- fs/f2fs/f2fs.h | 4 +++- fs/f2fs/file.c | 11 ++++++----- fs/f2fs/gc.c | 6 ++++-- fs/f2fs/inode.c | 3 ++- fs/f2fs/segment.c | 7 +++++-- fs/f2fs/super.c | 20 ++++++++++++++++++++ include/linux/f2fs_fs.h | 17 ++++++++++++++++- 9 files changed, 67 insertions(+), 17 deletions(-) diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c index 6054f13e5c89..de2c454d6940 100644 --- a/fs/f2fs/checkpoint.c +++ b/fs/f2fs/checkpoint.c @@ -25,12 +25,16 @@ static struct kmem_cache *ino_entry_slab; struct kmem_cache *f2fs_inode_entry_slab; -void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io) +void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io, + unsigned char reason) { f2fs_build_fault_attr(sbi, 0, 0); set_ckpt_flags(sbi, CP_ERROR_FLAG); - if (!end_io) + if (!end_io) { f2fs_flush_merged_writes(sbi); + + f2fs_handle_stop(sbi, reason); + } } /* @@ -120,7 +124,7 @@ retry: if (PTR_ERR(page) == -EIO && ++count <= DEFAULT_RETRY_IO_COUNT) goto retry; - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_META_PAGE); } return page; } diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c index 3bac45d7a94c..867b2b72ec67 100644 --- a/fs/f2fs/data.c +++ b/fs/f2fs/data.c @@ -311,7 +311,8 @@ static void f2fs_write_end_io(struct bio *bio) mempool_free(page, sbi->write_io_dummy); if (unlikely(bio->bi_status)) - f2fs_stop_checkpoint(sbi, true); + f2fs_stop_checkpoint(sbi, true, + STOP_CP_REASON_WRITE_FAIL); continue; } @@ -327,7 +328,8 @@ static void f2fs_write_end_io(struct bio *bio) if (unlikely(bio->bi_status)) { mapping_set_error(page->mapping, -EIO); if (type == F2FS_WB_CP_DATA) - f2fs_stop_checkpoint(sbi, true); + f2fs_stop_checkpoint(sbi, true, + STOP_CP_REASON_WRITE_FAIL); } f2fs_bug_on(sbi, page->mapping == NODE_MAPPING(sbi) && diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 56b67a0d18d5..19d7d1f4c4fa 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -3482,6 +3482,7 @@ int f2fs_enable_quota_files(struct f2fs_sb_info *sbi, bool rdonly); int f2fs_quota_sync(struct super_block *sb, int type); loff_t max_file_blocks(struct inode *inode); void f2fs_quota_off_umount(struct super_block *sb); +void f2fs_handle_stop(struct f2fs_sb_info *sbi, unsigned char reason); int f2fs_commit_super(struct f2fs_sb_info *sbi, bool recover); int f2fs_sync_fs(struct super_block *sb, int sync); int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi); @@ -3631,7 +3632,8 @@ unsigned int f2fs_usable_blks_in_seg(struct f2fs_sb_info *sbi, /* * checkpoint.c */ -void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io); +void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io, + unsigned char reason); void f2fs_flush_ckpt_thread(struct f2fs_sb_info *sbi); struct page *f2fs_grab_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); struct page *f2fs_get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index 478b65efbf31..aa67c0c7caf2 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -2256,7 +2256,8 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) if (ret) { if (ret == -EROFS) { ret = 0; - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, + STOP_CP_REASON_SHUTDOWN); set_sbi_flag(sbi, SBI_IS_SHUTDOWN); trace_f2fs_shutdown(sbi, in, ret); } @@ -2269,7 +2270,7 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) ret = freeze_bdev(sb->s_bdev); if (ret) goto out; - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_SHUTDOWN); set_sbi_flag(sbi, SBI_IS_SHUTDOWN); thaw_bdev(sb->s_bdev); break; @@ -2278,16 +2279,16 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) ret = f2fs_sync_fs(sb, 1); if (ret) goto out; - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_SHUTDOWN); set_sbi_flag(sbi, SBI_IS_SHUTDOWN); break; case F2FS_GOING_DOWN_NOSYNC: - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_SHUTDOWN); set_sbi_flag(sbi, SBI_IS_SHUTDOWN); break; case F2FS_GOING_DOWN_METAFLUSH: f2fs_sync_meta_pages(sbi, META, LONG_MAX, FS_META_IO); - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_SHUTDOWN); set_sbi_flag(sbi, SBI_IS_SHUTDOWN); break; case F2FS_GOING_DOWN_NEED_FSCK: diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 78e847010d2e..3bc3af6421ab 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -68,7 +68,8 @@ static int gc_thread_func(void *data) if (time_to_inject(sbi, FAULT_CHECKPOINT)) { f2fs_show_injection_info(sbi, FAULT_CHECKPOINT); - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, + STOP_CP_REASON_FAULT_INJECT); } if (!sb_start_write_trylock(sbi->sb)) { @@ -1633,7 +1634,8 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi, f2fs_err(sbi, "Inconsistent segment (%u) type [%d, %d] in SSA and SIT", segno, type, GET_SUM_TYPE((&sum->footer))); set_sbi_flag(sbi, SBI_NEED_FSCK); - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, + STOP_CP_REASON_CORRUPTED_SUMMARY); goto skip; } diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index d25853c98d4a..29bf3e215f52 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -685,7 +685,8 @@ retry: cond_resched(); goto retry; } else if (err != -ENOENT) { - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, + STOP_CP_REASON_UPDATE_INODE); } return; } diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c index 2d29eb15a550..2ff9c9903e35 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c @@ -499,7 +499,7 @@ void f2fs_balance_fs(struct f2fs_sb_info *sbi, bool need) { if (time_to_inject(sbi, FAULT_CHECKPOINT)) { f2fs_show_injection_info(sbi, FAULT_CHECKPOINT); - f2fs_stop_checkpoint(sbi, false); + f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_FAULT_INJECT); } /* balance_fs_bg is able to be pending */ @@ -782,8 +782,11 @@ int f2fs_flush_device_cache(struct f2fs_sb_info *sbi) if (!f2fs_test_bit(i, (char *)&sbi->dirty_device)) continue; ret = __submit_flush_wait(sbi, FDEV(i).bdev); - if (ret) + if (ret) { + f2fs_stop_checkpoint(sbi, false, + STOP_CP_REASON_FLUSH_FAIL); break; + } spin_lock(&sbi->dev_lock); f2fs_clear_bit(i, (char *)&sbi->dirty_device); diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index cb049996e53b..89d90d366754 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -3642,6 +3642,26 @@ int f2fs_commit_super(struct f2fs_sb_info *sbi, bool recover) return err; } +void f2fs_handle_stop(struct f2fs_sb_info *sbi, unsigned char reason) +{ + struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); + int err; + + f2fs_bug_on(sbi, reason >= MAX_STOP_REASON); + + f2fs_down_write(&sbi->sb_lock); + + if (raw_super->s_stop_reason[reason] < ((1 << BITS_PER_BYTE) - 1)) + raw_super->s_stop_reason[reason]++; + + err = f2fs_commit_super(sbi, false); + if (err) + f2fs_err(sbi, "f2fs_commit_super fails to record reason:%u err:%d", + reason, err); + + f2fs_up_write(&sbi->sb_lock); +} + static int f2fs_scan_devices(struct f2fs_sb_info *sbi) { struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h index d445150c5350..5dd1e52b8997 100644 --- a/include/linux/f2fs_fs.h +++ b/include/linux/f2fs_fs.h @@ -73,6 +73,20 @@ struct f2fs_device { __le32 total_segments; } __packed; +/* reason of stop_checkpoint */ +enum stop_cp_reason { + STOP_CP_REASON_SHUTDOWN, + STOP_CP_REASON_FAULT_INJECT, + STOP_CP_REASON_META_PAGE, + STOP_CP_REASON_WRITE_FAIL, + STOP_CP_REASON_CORRUPTED_SUMMARY, + STOP_CP_REASON_UPDATE_INODE, + STOP_CP_REASON_FLUSH_FAIL, + STOP_CP_REASON_MAX, +}; + +#define MAX_STOP_REASON 32 + struct f2fs_super_block { __le32 magic; /* Magic Number */ __le16 major_ver; /* Major Version */ @@ -116,7 +130,8 @@ struct f2fs_super_block { __u8 hot_ext_count; /* # of hot file extension */ __le16 s_encoding; /* Filename charset encoding */ __le16 s_encoding_flags; /* Filename charset encoding flags */ - __u8 reserved[306]; /* valid reserved region */ + __u8 s_stop_reason[MAX_STOP_REASON]; /* stop checkpoint reason */ + __u8 reserved[274]; /* valid reserved region */ __le32 crc; /* checksum of superblock */ } __packed; From b046e2dca512d1b5c5121e8f55bdf4f0ae660e93 Mon Sep 17 00:00:00 2001 From: Todd Kjos Date: Thu, 6 Oct 2022 18:00:02 +0000 Subject: [PATCH 05/31] ANDROID: Fix kenelci build-break for !CONFIG_PERF_EVENTS Kernelci builds were broken if !CONFIG_PERF_EVENTS since 830f0202d737 ("ANDROID: cpu/hotplug: avoid breaking Android ABI by fusing cpuhp steps") causes perf_event_init_cpu(cpu) to be reduced to "NULL(cpu)": kernel/cpu.c:1868:21: error: called object type 'void *' is not a function or function pointer Fixes: 830f0202d737 ("ANDROID: cpu/hotplug: avoid breaking Android ABI by fusing cpuhp steps") Signed-off-by: Todd Kjos Change-Id: Ifc7351f74470c87018770395af4b4f6096f0d73f --- kernel/cpu.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/cpu.c b/kernel/cpu.c index 90d09bafecf6..fc15c01d61b8 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -1865,7 +1865,9 @@ int __boot_cpu_id; /* Horrific hacks because we can't add more to cpuhp_hp_states. */ static int random_and_perf_prepare_fusion(unsigned int cpu) { +#ifdef CONFIG_PERF_EVENTS perf_event_init_cpu(cpu); +#endif random_prepare_cpu(cpu); return 0; } From 95f23ced41762d64b6afb579d54e5f98d5bf5c4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stephan=20M=C3=BCller?= Date: Mon, 20 Dec 2021 07:21:53 +0100 Subject: [PATCH 06/31] UPSTREAM: crypto: jitter - add oversampling of noise source The output n bits can receive more than n bits of min entropy, of course, but the fixed output of the conditioning function can only asymptotically approach the output size bits of min entropy, not attain that bound. Random maps will tend to have output collisions, which reduces the creditable output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound). The value "64" is justified in Appendix A.4 of the current 90C draft, and aligns with NIST's in "epsilon" definition in this document, which is that a string can be considered "full entropy" if you can bound the min entropy in each bit of output to at least 1-epsilon, where epsilon is required to be <= 2^(-32). Note, this patch causes the Jitter RNG to cut its performance in half in FIPS mode because the conditioning function of the LFSR produces 64 bits of entropy in one block. The oversampling requires that additionally 64 bits of entropy are sampled from the noise source. If the conditioner is changed, such as using SHA-256, the impact of the oversampling is only one fourth, because for the 256 bit block of the conditioner, only 64 additional bits from the noise source must be sampled. This patch is derived from the user space jitterentropy-library. Signed-off-by: Stephan Mueller Reviewed-by: Simo Sorce Signed-off-by: Herbert Xu Bug: 188620248 (cherry picked from commit 908dffaf88a248e542bdae3ca174f27b8f4ccf37) Change-Id: I7ae1fe58c1b5ea5f206a8f3675f0c20e255a97ec Signed-off-by: Eric Biggers --- crypto/jitterentropy.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c index 37c4c308339e..423c55d0e165 100644 --- a/crypto/jitterentropy.c +++ b/crypto/jitterentropy.c @@ -117,6 +117,22 @@ struct rand_data { #define JENT_EHEALTH 9 /* Health test failed during initialization */ #define JENT_ERCT 10 /* RCT failed during initialization */ +/* + * The output n bits can receive more than n bits of min entropy, of course, + * but the fixed output of the conditioning function can only asymptotically + * approach the output size bits of min entropy, not attain that bound. Random + * maps will tend to have output collisions, which reduces the creditable + * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound). + * + * The value "64" is justified in Appendix A.4 of the current 90C draft, + * and aligns with NIST's in "epsilon" definition in this document, which is + * that a string can be considered "full entropy" if you can bound the min + * entropy in each bit of output to at least 1-epsilon, where epsilon is + * required to be <= 2^(-32). + */ +#define JENT_ENTROPY_SAFETY_FACTOR 64 + +#include #include "jitterentropy.h" /*************************************************************************** @@ -546,7 +562,10 @@ static int jent_measure_jitter(struct rand_data *ec) */ static void jent_gen_entropy(struct rand_data *ec) { - unsigned int k = 0; + unsigned int k = 0, safety_factor = 0; + + if (fips_enabled) + safety_factor = JENT_ENTROPY_SAFETY_FACTOR; /* priming of the ->prev_time value */ jent_measure_jitter(ec); @@ -560,7 +579,7 @@ static void jent_gen_entropy(struct rand_data *ec) * We multiply the loop value with ->osr to obtain the * oversampling rate requested by the caller */ - if (++k >= (DATA_SIZE_BITS * ec->osr)) + if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr)) break; } } From 9613bc53b51dd60b85b84b7c75cdfb7d11f2222e Mon Sep 17 00:00:00 2001 From: Todd Kjos Date: Mon, 10 Oct 2022 10:21:23 -0700 Subject: [PATCH 07/31] Revert "firmware_loader: use kernel credentials when reading firmware" This reverts commit 5a73581116362340087fad4df7e4530c4a819821. Introduces incompatible behavior in android12-5.10 which broke partner devices. Discussion this topic is in b/222166126. The new behavior should be fine for android13 and later kernels. The patch was merged into android12-5.10 with the latest LTS update. Bug: 247895237 Bug: 248989172 Signed-off-by: Todd Kjos Change-Id: Id8b617b5c91fc080c3b3cbe7ba55cd231bef5cfd --- drivers/base/firmware_loader/main.c | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c index a4dd500bc141..1372f40d0371 100644 --- a/drivers/base/firmware_loader/main.c +++ b/drivers/base/firmware_loader/main.c @@ -793,8 +793,6 @@ _request_firmware(const struct firmware **firmware_p, const char *name, size_t offset, u32 opt_flags) { struct firmware *fw = NULL; - struct cred *kern_cred = NULL; - const struct cred *old_cred; bool nondirect = false; int ret; @@ -811,18 +809,6 @@ _request_firmware(const struct firmware **firmware_p, const char *name, if (ret <= 0) /* error or already assigned */ goto out; - /* - * We are about to try to access the firmware file. Because we may have been - * called by a driver when serving an unrelated request from userland, we use - * the kernel credentials to read the file. - */ - kern_cred = prepare_kernel_cred(NULL); - if (!kern_cred) { - ret = -ENOMEM; - goto out; - } - old_cred = override_creds(kern_cred); - ret = fw_get_filesystem_firmware(device, fw->priv, "", NULL); /* Only full reads can support decompression, platform, and sysfs. */ @@ -848,9 +834,6 @@ _request_firmware(const struct firmware **firmware_p, const char *name, } else ret = assign_fw(fw, device); - revert_creds(old_cred); - put_cred(kern_cred); - out: if (ret < 0) { fw_abort_batch_reqs(fw); From c35cda5280bad7bfc021382ddb9f30f0ab38ff54 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Thu, 19 May 2022 14:08:54 -0700 Subject: [PATCH 08/31] BACKPORT: mm: don't be stuck to rmap lock on reclaim path The rmap locks(i_mmap_rwsem and anon_vma->root->rwsem) could be contended under memory pressure if processes keep working on their vmas(e.g., fork, mmap, munmap). It makes reclaim path stuck. In our real workload traces, we see kswapd is waiting the lock for 300ms+(worst case, a sec) and it makes other processes entering direct reclaim, which were also stuck on the lock. This patch makes lru aging path try_lock mode like shink_page_list so the reclaim context will keep working with next lru pages without being stuck. if it found the rmap lock contended, it rotates the page back to head of lru in both active/inactive lrus to make them consistent behavior, which is basic starting point rather than adding more heristic. Since this patch introduces a new "contended" field as out-param along with try_lock in-param in rmap_walk_control, it's not immutable any longer if the try_lock is set so remove const keywords on rmap related functions. Since rmap walking is already expensive operation, I doubt the const would help sizable benefit( And we didn't have it until 5.17). In a heavy app workload in Android, trace shows following statistics. It almost removes rmap lock contention from reclaim path. Martin Liu reported: Before: max_dur(ms) min_dur(ms) max-min(dur)ms avg_dur(ms) sum_dur(ms) count blocked_function 1632 0 1631 151.542173 31672 209 page_lock_anon_vma_read 601 0 601 145.544681 28817 198 rmap_walk_file After: max_dur(ms) min_dur(ms) max-min(dur)ms avg_dur(ms) sum_dur(ms) count blocked_function NaN NaN NaN NaN NaN 0.0 NaN 0 0 0 0.127645 1 12 rmap_walk_file [minchan@kernel.org: add comment, per Matthew] Link: https://lkml.kernel.org/r/YnNqeB5tUf6LZ57b@google.com Link: https://lkml.kernel.org/r/20220510215423.164547-1-minchan@kernel.org Signed-off-by: Minchan Kim Acked-by: Johannes Weiner Cc: Suren Baghdasaryan Cc: Michal Hocko Cc: John Dias Cc: Tim Murray Cc: Matthew Wilcox Cc: Vladimir Davydov Cc: Martin Liu Cc: Minchan Kim Cc: Matthew Wilcox Signed-off-by: Andrew Morton Conflicts: folio->page (cherry picked from commit 6d4675e601357834dadd2ba1d803f6484596015c) Bug: 239681156 Bug: 252333201 Signed-off-by: Minchan Kim Change-Id: I0c63e0291120c8a1b5f2d83b8a7b210cb56c27a2 Signed-off-by: chenxin --- include/linux/fs.h | 5 +++++ include/linux/rmap.h | 24 ++++++++++++++++++------ mm/huge_memory.c | 2 +- mm/ksm.c | 8 +++++++- mm/memory-failure.c | 2 +- mm/page_idle.c | 6 +++--- mm/rmap.c | 43 +++++++++++++++++++++++++++++++++++++------ mm/vmscan.c | 7 ++++++- 8 files changed, 78 insertions(+), 19 deletions(-) diff --git a/include/linux/fs.h b/include/linux/fs.h index 4019e6fa3b95..8cf258fc9162 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -515,6 +515,11 @@ static inline void i_mmap_unlock_write(struct address_space *mapping) up_write(&mapping->i_mmap_rwsem); } +static inline int i_mmap_trylock_read(struct address_space *mapping) +{ + return down_read_trylock(&mapping->i_mmap_rwsem); +} + static inline void i_mmap_lock_read(struct address_space *mapping) { down_read(&mapping->i_mmap_rwsem); diff --git a/include/linux/rmap.h b/include/linux/rmap.h index 7dee138fbf0f..0a4d49ca8ccf 100644 --- a/include/linux/rmap.h +++ b/include/linux/rmap.h @@ -134,6 +134,11 @@ static inline void anon_vma_lock_read(struct anon_vma *anon_vma) down_read(&anon_vma->root->rwsem); } +static inline int anon_vma_trylock_read(struct anon_vma *anon_vma) +{ + return down_read_trylock(&anon_vma->root->rwsem); +} + static inline void anon_vma_unlock_read(struct anon_vma *anon_vma) { up_read(&anon_vma->root->rwsem); @@ -261,17 +266,14 @@ void try_to_munlock(struct page *); void remove_migration_ptes(struct page *old, struct page *new, bool locked); -/* - * Called by memory-failure.c to kill processes. - */ -struct anon_vma *page_lock_anon_vma_read(struct page *page); -void page_unlock_anon_vma_read(struct anon_vma *anon_vma); int page_mapped_in_vma(struct page *page, struct vm_area_struct *vma); /* * rmap_walk_control: To control rmap traversing for specific needs * * arg: passed to rmap_one() and invalid_vma() + * try_lock: bail out if the rmap lock is contended + * contended: indicate the rmap traversal bailed out due to lock contention * rmap_one: executed on each vma where page is mapped * done: for checking traversing termination condition * anon_lock: for getting anon_lock by optimized way rather than default @@ -279,6 +281,8 @@ int page_mapped_in_vma(struct page *page, struct vm_area_struct *vma); */ struct rmap_walk_control { void *arg; + bool try_lock; + bool contended; /* * Return false if page table scanning in rmap_walk should be stopped. * Otherwise, return true. @@ -286,13 +290,21 @@ struct rmap_walk_control { bool (*rmap_one)(struct page *page, struct vm_area_struct *vma, unsigned long addr, void *arg); int (*done)(struct page *page); - struct anon_vma *(*anon_lock)(struct page *page); + struct anon_vma *(*anon_lock)(struct page *page, + struct rmap_walk_control *rwc); bool (*invalid_vma)(struct vm_area_struct *vma, void *arg); }; void rmap_walk(struct page *page, struct rmap_walk_control *rwc); void rmap_walk_locked(struct page *page, struct rmap_walk_control *rwc); +/* + * Called by memory-failure.c to kill processes. + */ +struct anon_vma *page_lock_anon_vma_read(struct page *page, + struct rmap_walk_control *rwc); +void page_unlock_anon_vma_read(struct anon_vma *anon_vma); + #else /* !CONFIG_MMU */ #define anon_vma_init() do {} while (0) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index c24716571a93..d10c9c3118a8 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1481,7 +1481,7 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t pmd) */ get_page(page); spin_unlock(vmf->ptl); - anon_vma = page_lock_anon_vma_read(page); + anon_vma = page_lock_anon_vma_read(page, NULL); /* Confirm the PMD did not change while page_table_lock was released */ spin_lock(vmf->ptl); diff --git a/mm/ksm.c b/mm/ksm.c index e2464c04ede2..2695ddbeb47e 100644 --- a/mm/ksm.c +++ b/mm/ksm.c @@ -2626,7 +2626,13 @@ again: struct vm_area_struct *vma; cond_resched(); - anon_vma_lock_read(anon_vma); + if (!anon_vma_trylock_read(anon_vma)) { + if (rwc->try_lock) { + rwc->contended = true; + return; + } + anon_vma_lock_read(anon_vma); + } anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root, 0, ULONG_MAX) { unsigned long addr; diff --git a/mm/memory-failure.c b/mm/memory-failure.c index aef267c6a724..4bd73d6dc18a 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -477,7 +477,7 @@ static void collect_procs_anon(struct page *page, struct list_head *to_kill, struct anon_vma *av; pgoff_t pgoff; - av = page_lock_anon_vma_read(page); + av = page_lock_anon_vma_read(page, NULL); if (av == NULL) /* Not actually mapped anymore */ return; diff --git a/mm/page_idle.c b/mm/page_idle.c index 144fb4ed961d..b5613232e881 100644 --- a/mm/page_idle.c +++ b/mm/page_idle.c @@ -92,10 +92,10 @@ static bool page_idle_clear_pte_refs_one(struct page *page, static void page_idle_clear_pte_refs(struct page *page) { /* - * Since rwc.arg is unused, rwc is effectively immutable, so we - * can make it static const to save some cycles and stack. + * Since rwc.try_lock is unused, rwc is effectively immutable, so we + * can make it static to save some cycles and stack. */ - static const struct rmap_walk_control rwc = { + static struct rmap_walk_control rwc = { .rmap_one = page_idle_clear_pte_refs_one, .anon_lock = page_lock_anon_vma_read, }; diff --git a/mm/rmap.c b/mm/rmap.c index d48141f90360..033b04704b59 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -518,9 +518,11 @@ out: * * Its a little more complex as it tries to keep the fast path to a single * atomic op -- the trylock. If we fail the trylock, we fall back to getting a - * reference like with page_get_anon_vma() and then block on the mutex. + * reference like with page_get_anon_vma() and then block on the mutex + * on !rwc->try_lock case. */ -struct anon_vma *page_lock_anon_vma_read(struct page *page) +struct anon_vma *page_lock_anon_vma_read(struct page *page, + struct rmap_walk_control *rwc) { struct anon_vma *anon_vma = NULL; struct anon_vma *root_anon_vma; @@ -553,6 +555,13 @@ struct anon_vma *page_lock_anon_vma_read(struct page *page) anon_vma = NULL; goto out; } + + if (rwc && rwc->try_lock) { + anon_vma = NULL; + rwc->contended = true; + goto out; + } + /* trylock failed, we got to sleep */ if (!atomic_inc_not_zero(&anon_vma->refcount)) { anon_vma = NULL; @@ -850,8 +859,10 @@ static bool invalid_page_referenced_vma(struct vm_area_struct *vma, void *arg) * @memcg: target memory cgroup * @vm_flags: collect encountered vma->vm_flags who actually referenced the page * - * Quick test_and_clear_referenced for all mappings to a page, - * returns the number of ptes which referenced the page. + * Quick test_and_clear_referenced for all mappings of a page, + * + * Return: The number of mappings which referenced the page. Return -1 if + * the function bailed out due to rmap lock contention. */ int page_referenced(struct page *page, int is_locked, @@ -867,6 +878,7 @@ int page_referenced(struct page *page, .rmap_one = page_referenced_one, .arg = (void *)&pra, .anon_lock = page_lock_anon_vma_read, + .try_lock = true, }; *vm_flags = 0; @@ -897,7 +909,7 @@ int page_referenced(struct page *page, if (we_locked) unlock_page(page); - return pra.referenced; + return rwc.contended ? -1 : pra.referenced; } static bool page_mkclean_one(struct page *page, struct vm_area_struct *vma, @@ -1898,7 +1910,7 @@ static struct anon_vma *rmap_walk_anon_lock(struct page *page, struct anon_vma *anon_vma; if (rwc->anon_lock) - return rwc->anon_lock(page); + return rwc->anon_lock(page, rwc); /* * Note: remove_migration_ptes() cannot use page_lock_anon_vma_read() @@ -1910,7 +1922,17 @@ static struct anon_vma *rmap_walk_anon_lock(struct page *page, if (!anon_vma) return NULL; + if (anon_vma_trylock_read(anon_vma)) + goto out; + + if (rwc->try_lock) { + anon_vma = NULL; + rwc->contended = true; + goto out; + } + anon_vma_lock_read(anon_vma); +out: return anon_vma; } @@ -2009,9 +2031,18 @@ static void rmap_walk_file(struct page *page, struct rmap_walk_control *rwc, if (!got_lock) return; } else { + if (i_mmap_trylock_read(mapping)) + goto lookup; + + if (rwc->try_lock) { + rwc->contended = true; + return; + } + i_mmap_lock_read(mapping); } } +lookup: vma_interval_tree_foreach(vma, &mapping->i_mmap, pgoff_start, pgoff_end) { unsigned long address = vma_address(page, vma); diff --git a/mm/vmscan.c b/mm/vmscan.c index 701595410992..ea87d599199e 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -1045,6 +1045,10 @@ static enum page_references page_check_references(struct page *page, if (vm_flags & VM_LOCKED) return PAGEREF_RECLAIM; + /* rmap lock contention: rotate */ + if (referenced_ptes == -1) + return PAGEREF_KEEP; + if (referenced_ptes) { /* * All mapped pages start out with page table @@ -2119,8 +2123,9 @@ static void shrink_active_list(unsigned long nr_to_scan, if (bypass) goto skip_page_referenced; trace_android_vh_page_trylock_set(page); + /* Referenced or rmap lock contention: rotate */ if (page_referenced(page, 0, sc->target_mem_cgroup, - &vm_flags)) { + &vm_flags) != 0) { /* * Identify referenced, file-backed active pages and * give them one more trip around the active list. So From 3b39e91301386b04e12060b5c57d1fc1810d40c9 Mon Sep 17 00:00:00 2001 From: Lee Jones Date: Fri, 8 Jul 2022 08:40:09 +0100 Subject: [PATCH 09/31] BACKPORT: HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report commit cd11d1a6114bd4bc6450ae59f6e110ec47362126 upstream. It is possible for a malicious device to forgo submitting a Feature Report. The HID Steam driver presently makes no prevision for this and de-references the 'struct hid_report' pointer obtained from the HID devices without first checking its validity. Let's change that. Bug: 223455965 Cc: Jiri Kosina Cc: Benjamin Tissoires Cc: linux-input@vger.kernel.org Fixes: c164d6abf3841 ("HID: add driver for Valve Steam Controller") Signed-off-by: Lee Jones Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: Ica12507b87309a7c46b4cab6fcfe4499cd96f45d --- drivers/hid/hid-steam.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c index a3b151b29bd7..fc616db4231b 100644 --- a/drivers/hid/hid-steam.c +++ b/drivers/hid/hid-steam.c @@ -134,6 +134,11 @@ static int steam_recv_report(struct steam_device *steam, int ret; r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0]; + if (!r) { + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n"); + return -EINVAL; + } + if (hid_report_len(r) < 64) return -EINVAL; @@ -165,6 +170,11 @@ static int steam_send_report(struct steam_device *steam, int ret; r = steam->hdev->report_enum[HID_FEATURE_REPORT].report_id_hash[0]; + if (!r) { + hid_err(steam->hdev, "No HID_FEATURE_REPORT submitted - nothing to read\n"); + return -EINVAL; + } + if (hid_report_len(r) < 64) return -EINVAL; From a3835ce695a4a7751e2f4a0128a4c30cb15463d0 Mon Sep 17 00:00:00 2001 From: Johannes Weiner Date: Mon, 3 May 2021 13:49:17 -0400 Subject: [PATCH 10/31] UPSTREAM: psi: Fix psi state corruption when schedule() races with cgroup move 4117cebf1a9f ("psi: Optimize task switch inside shared cgroups") introduced a race condition that corrupts internal psi state. This manifests as kernel warnings, sometimes followed by bogusly high IO pressure: psi: task underflow! cpu=1 t=2 tasks=[0 0 0 0] clear=c set=0 (schedule() decreasing RUNNING and ONCPU, both of which are 0) psi: incosistent task state! task=2412744:systemd cpu=17 psi_flags=e clear=3 set=0 (cgroup_move_task() clearing MEMSTALL and IOWAIT, but task is MEMSTALL | RUNNING | ONCPU) What the offending commit does is batch the two psi callbacks in schedule() to reduce the number of cgroup tree updates. When prev is deactivated and removed from the runqueue, nothing is done in psi at first; when the task switch completes, TSK_RUNNING and TSK_IOWAIT are updated along with TSK_ONCPU. However, the deactivation and the task switch inside schedule() aren't atomic: pick_next_task() may drop the rq lock for load balancing. When this happens, cgroup_move_task() can run after the task has been physically dequeued, but the psi updates are still pending. Since it looks at the task's scheduler state, it doesn't move everything to the new cgroup that the task switch that follows is about to clear from it. cgroup_move_task() will leak the TSK_RUNNING count in the old cgroup, and psi_sched_switch() will underflow it in the new cgroup. A similar thing can happen for iowait. TSK_IOWAIT is usually set when a p->in_iowait task is dequeued, but again this update is deferred to the switch. cgroup_move_task() can see an unqueued p->in_iowait task and move a non-existent TSK_IOWAIT. This results in the inconsistent task state warning, as well as a counter underflow that will result in permanent IO ghost pressure being reported. Fix this bug by making cgroup_move_task() use task->psi_flags instead of looking at the potentially mismatching scheduler state. [ We used the scheduler state historically in order to not rely on task->psi_flags for anything but debugging. But that ship has sailed anyway, and this is simpler and more robust. We previously already batched TSK_ONCPU clearing with the TSK_RUNNING update inside the deactivation call from schedule(). But that ordering was safe and didn't result in TSK_ONCPU corruption: unlike most places in the scheduler, cgroup_move_task() only checked task_current() and handled TSK_ONCPU if the task was still queued. ] bug: b/253347377 Fixes: 4117cebf1a9f ("psi: Optimize task switch inside shared cgroups") Signed-off-by: Johannes Weiner Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210503174917.38579-1-hannes@cmpxchg.org (cherry picked from commit d583d360a620e6229422b3455d0be082b8255f5e) Change-Id: Id0a292058d4bffb716d8e1496f72139e8d435410 --- kernel/sched/psi.c | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c index f46ac0f39777..e14917cd2a1d 100644 --- a/kernel/sched/psi.c +++ b/kernel/sched/psi.c @@ -1020,7 +1020,7 @@ void psi_cgroup_free(struct cgroup *cgroup) */ void cgroup_move_task(struct task_struct *task, struct css_set *to) { - unsigned int task_flags = 0; + unsigned int task_flags; struct rq_flags rf; struct rq *rq; @@ -1035,15 +1035,31 @@ void cgroup_move_task(struct task_struct *task, struct css_set *to) rq = task_rq_lock(task, &rf); - if (task_on_rq_queued(task)) { - task_flags = TSK_RUNNING; - if (task_current(rq, task)) - task_flags |= TSK_ONCPU; - } else if (task->in_iowait) - task_flags = TSK_IOWAIT; - - if (task->in_memstall) - task_flags |= TSK_MEMSTALL; + /* + * We may race with schedule() dropping the rq lock between + * deactivating prev and switching to next. Because the psi + * updates from the deactivation are deferred to the switch + * callback to save cgroup tree updates, the task's scheduling + * state here is not coherent with its psi state: + * + * schedule() cgroup_move_task() + * rq_lock() + * deactivate_task() + * p->on_rq = 0 + * psi_dequeue() // defers TSK_RUNNING & TSK_IOWAIT updates + * pick_next_task() + * rq_unlock() + * rq_lock() + * psi_task_change() // old cgroup + * task->cgroups = to + * psi_task_change() // new cgroup + * rq_unlock() + * rq_lock() + * psi_sched_switch() // does deferred updates in new cgroup + * + * Don't rely on the scheduling state. Use psi_flags instead. + */ + task_flags = task->psi_flags; if (task_flags) psi_task_change(task, task_flags, 0); From f9a66cbe70914bcf03184e9aa787ef1d6cd3d8fd Mon Sep 17 00:00:00 2001 From: Seiya Wang Date: Thu, 13 Oct 2022 16:51:03 +0800 Subject: [PATCH 11/31] ANDROID: GKI: Update symbol list for mtk AIoT projects 2 Added functions: [A] 'function int usb_unlink_urb(struct urb*)' [A] 'function int usb_clear_halt(struct usb_device*, int)' Bug: 253387971 Signed-off-by: Seiya Wang Change-Id: If9b4d6fc9e272b07c62a8c2492e695fac957fac4 --- android/abi_gki_aarch64.xml | 917 ++++++++++++++++++------------------ android/abi_gki_aarch64_mtk | 2 + 2 files changed, 466 insertions(+), 453 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 203534259b30..f4d56bb1813c 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -5661,6 +5661,7 @@ + @@ -5788,6 +5789,7 @@ + @@ -16288,18 +16290,18 @@ - + - + - + - + - + @@ -20099,75 +20101,75 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -21385,7 +21387,7 @@ - + @@ -22108,7 +22110,7 @@ - + @@ -25066,66 +25068,66 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -30726,12 +30728,12 @@ - + - + - + @@ -44253,81 +44255,81 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -46366,21 +46368,21 @@ - + - + - + - + - + - + @@ -48023,12 +48025,12 @@ - + - + - + @@ -49631,24 +49633,24 @@ - + - + - + - + - + - + - + @@ -51386,24 +51388,24 @@ - + - + - + - + - + - + - + @@ -56801,114 +56803,114 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -60930,96 +60932,96 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -63367,12 +63369,12 @@ - + - + - + @@ -67668,36 +67670,36 @@ - + - + - + - + - + - + - + - + - + - + - + @@ -80047,24 +80049,24 @@ - + - + - + - + - + - + - + @@ -80753,81 +80755,81 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -83941,213 +83943,213 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -84788,7 +84790,7 @@ - + @@ -92179,12 +92181,12 @@ - + - + - + @@ -94503,21 +94505,21 @@ - + - + - + - + - + - + @@ -95991,12 +95993,12 @@ - + - + - + @@ -98321,27 +98323,27 @@ - + - + - + - + - + - + - + - + @@ -108367,15 +108369,15 @@ - + - + - + - + @@ -113404,18 +113406,18 @@ - + - + - + - + - + @@ -113473,15 +113475,15 @@ - + - + - + - + @@ -114442,174 +114444,174 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -115119,15 +115121,15 @@ - + - + - + - + @@ -115826,49 +115828,49 @@ - - - - + + + + - - - + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - + + + + - - - - + + + + @@ -116716,7 +116718,7 @@ - + @@ -123122,8 +123124,8 @@ - - + + @@ -129996,10 +129998,10 @@ - - - - + + + + @@ -136879,8 +136881,8 @@ - - + + @@ -139330,8 +139332,8 @@ - - + + @@ -139931,8 +139933,8 @@ - - + + @@ -139998,34 +140000,34 @@ - - - - + + + + - - - - + + + + - - - - - - + + + + + + - - - - - - - - + + + + + + + + @@ -144777,11 +144779,11 @@ - - - - - + + + + + @@ -145994,6 +145996,11 @@ + + + + + @@ -146601,6 +146608,10 @@ + + + + diff --git a/android/abi_gki_aarch64_mtk b/android/abi_gki_aarch64_mtk index ee8da67b460e..1a3cc8ff7d30 100644 --- a/android/abi_gki_aarch64_mtk +++ b/android/abi_gki_aarch64_mtk @@ -3216,6 +3216,7 @@ update_devfreq usb_add_phy_dev usb_assign_descriptors + usb_clear_halt usb_copy_descriptors usb_ep_alloc_request usb_ep_autoconfig @@ -3239,6 +3240,7 @@ usb_phy_set_charger_current usb_remove_phy usb_role_switch_set_role + usb_unlink_urb v4l2_async_notifier_add_subdev v4l2_async_notifier_cleanup v4l2_async_subdev_notifier_register From d71115b1bf5aae9f6e4599a322b2373162131d17 Mon Sep 17 00:00:00 2001 From: Charan Teja Reddy Date: Tue, 10 May 2022 01:19:57 +0530 Subject: [PATCH 12/31] UPSTREAM: dma-buf: call dma_buf_stats_setup after dmabuf is in valid list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When dma_buf_stats_setup() fails, it closes the dmabuf file which results into the calling of dma_buf_file_release() where it does list_del(&dmabuf->list_node) with out first adding it to the proper list. This is resulting into panic in the below path: __list_del_entry_valid+0x38/0xac dma_buf_file_release+0x74/0x158 __fput+0xf4/0x428 ____fput+0x14/0x24 task_work_run+0x178/0x24c do_notify_resume+0x194/0x264 work_pending+0xc/0x5f0 Fix it by moving the dma_buf_stats_setup() after dmabuf is added to the list. Fixes: bdb8d06dfefd ("dmabuf: Add the capability to expose DMA-BUF stats in sysfs") Signed-off-by: Charan Teja Reddy Tested-by: T.J. Mercier Acked-by: T.J. Mercier Cc: # 5.15.x+ Reviewed-by: Christian König Signed-off-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/1652125797-2043-1-git-send-email-quic_charante@quicinc.com (cherry picked from commit ef3a6b70507a2add2cd2e01f5eb9b54d561bacb9 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git) Bug: 231929173 Change-Id: Iaefbae326175483444eaf5dbd3fdf8eb8fcca2aa --- drivers/dma-buf/dma-buf.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index ea35dfb22d9e..7eb85eff194d 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -621,10 +621,6 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) file->f_mode |= FMODE_LSEEK; dmabuf->file = file; - ret = dma_buf_stats_setup(dmabuf); - if (ret) - goto err_sysfs; - mutex_init(&dmabuf->lock); INIT_LIST_HEAD(&dmabuf->attachments); @@ -632,6 +628,10 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) list_add(&dmabuf->list_node, &db_list.head); mutex_unlock(&db_list.lock); + ret = dma_buf_stats_setup(dmabuf); + if (ret) + goto err_sysfs; + return dmabuf; err_sysfs: From beaaa7bff89d9b4ee7f714f8464404aa691702d1 Mon Sep 17 00:00:00 2001 From: Charan Teja Kalla Date: Fri, 13 May 2022 16:58:16 +0530 Subject: [PATCH 13/31] UPSTREAM: dma-buf: ensure unique directory name for dmabuf stats MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dmabuf file uses get_next_ino()(through dma_buf_getfile() -> alloc_anon_inode()) to get an inode number and uses the same as a directory name under /sys/kernel/dmabuf/buffers/. This directory is used to collect the dmabuf stats and it is created through dma_buf_stats_setup(). At current, failure to create this directory entry can make the dma_buf_export() to fail. Now, as the get_next_ino() can definitely give a repetitive inode no causing the directory entry creation to fail with -EEXIST. This is a problem on the systems where dmabuf stats functionality is enabled on the production builds can make the dma_buf_export(), though the dmabuf memory is allocated successfully, to fail just because it couldn't create stats entry. This issue we are able to see on the snapdragon system within 13 days where there already exists a directory with inode no "122602" so dma_buf_stats_setup() failed with -EEXIST as it is trying to create the same directory entry. To make the dentry name as unique, use the dmabuf fs specific inode which is based on the simple atomic variable increment. There is tmpfs subsystem too which relies on its own inode generation rather than relying on the get_next_ino() for the same reason of avoiding the duplicate inodes[1]. [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=e809d5f0b5c912fe981dce738f3283b2010665f0 Signed-off-by: Charan Teja Kalla Cc: # 5.15.x+ Reviewed-by: Greg Kroah-Hartman Reviewed-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/1652441296-1986-1-git-send-email-quic_charante@quicinc.com (cherry picked from commit 370704e707a5f2d3c9a1d4ed8bd8cd67507d7bb5 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git) Signed-off-by: Christian König Bug: 232887194 Change-Id: If244529c4c54086fe9eb5a4e76f6e8a07eaaa6ab Signed-off-by: Charan Teja Kalla --- drivers/dma-buf/dma-buf.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 7eb85eff194d..da4f934f9a44 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -486,6 +486,7 @@ EXPORT_SYMBOL_GPL(is_dma_buf_file); static struct file *dma_buf_getfile(struct dma_buf *dmabuf, int flags) { + static atomic64_t dmabuf_inode = ATOMIC64_INIT(0); struct file *file; struct inode *inode = alloc_anon_inode(dma_buf_mnt->mnt_sb); @@ -495,6 +496,13 @@ static struct file *dma_buf_getfile(struct dma_buf *dmabuf, int flags) inode->i_size = dmabuf->size; inode_set_bytes(inode, dmabuf->size); + /* + * The ->i_ino acquired from get_next_ino() is not unique thus + * not suitable for using it as dentry name by dmabuf stats. + * Override ->i_ino with the unique and dmabuffs specific + * value. + */ + inode->i_ino = atomic64_add_return(1, &dmabuf_inode); file = alloc_file_pseudo(inode, dma_buf_mnt, "dmabuf", flags, &dma_buf_fops); if (IS_ERR(file)) From 439fc06787e701d4ffbb1393667e4b8371238e5f Mon Sep 17 00:00:00 2001 From: Wei Liu Date: Tue, 18 Oct 2022 10:54:02 +0800 Subject: [PATCH 14/31] ANDROID: GKI: Update symbols to symbol list Update symbols to symbol list externed by oppo network group. Leaf changes summary: 4 artifacts changed Changed leaf types summary: 0 leaf type changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 4 Added functions Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable 4 Added functions: [A] 'function void __rtnl_link_unregister(rtnl_link_ops*)' [A] 'function net_device* dev_get_by_index_rcu(net*, int)' [A] 'function int nf_register_net_hook(net*, const nf_hook_ops*)' [A] 'function void nf_unregister_net_hook(net*, const nf_hook_ops*)' Bug: 193384408 Signed-off-by: Wei Liu Change-Id: Ic2f3305c50f66abdd941941924a4207e751ef8a8 --- android/abi_gki_aarch64.xml | 23 +++++++++++++++++++++++ android/abi_gki_aarch64_oplus | 4 ++++ 2 files changed, 27 insertions(+) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index f4d56bb1813c..2ae53a805857 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -254,6 +254,7 @@ + @@ -1475,6 +1476,7 @@ + @@ -3680,7 +3682,9 @@ + + @@ -116982,6 +116986,10 @@ + + + + @@ -124384,6 +124392,11 @@ + + + + + @@ -135800,12 +135813,22 @@ + + + + + + + + + + diff --git a/android/abi_gki_aarch64_oplus b/android/abi_gki_aarch64_oplus index 384bdbfa612b..4479f29e3b31 100644 --- a/android/abi_gki_aarch64_oplus +++ b/android/abi_gki_aarch64_oplus @@ -408,6 +408,7 @@ dev_fwnode __dev_get_by_index dev_get_by_index + dev_get_by_index_rcu dev_get_by_name dev_get_regmap dev_get_stats @@ -1658,7 +1659,9 @@ net_ratelimit nf_ct_attach nf_ct_delete + nf_register_net_hook nf_register_net_hooks + nf_unregister_net_hook nf_unregister_net_hooks nla_find nla_memcpy @@ -2286,6 +2289,7 @@ rtc_update_irq rtc_valid_tm rtnl_is_locked + __rtnl_link_unregister rtnl_lock rtnl_unlock runqueues From 8512c353a2fab85ef5b4fedff58eafe8e5f24b84 Mon Sep 17 00:00:00 2001 From: Woogeun Lee Date: Wed, 19 Oct 2022 15:46:14 +0900 Subject: [PATCH 15/31] ANDROID: ABI: update allowed list for galaxy Leaf changes summary: 11 artifacts changed Changed leaf types summary: 0 leaf type changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 11 Added functions Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable 11 Added functions: [A] 'function phy_device* fixed_phy_register(unsigned int, fixed_phy_status*, device_node*)' [A] 'function void fixed_phy_unregister(phy_device*)' [A] 'function irq_domain* irq_domain_add_simple(device_node*, unsigned int, unsigned int, const irq_domain_ops*, void*)' [A] 'function int phy_ethtool_set_wol(phy_device*, ethtool_wolinfo*)' [A] 'function int phy_register_fixup_for_uid(u32, u32, int (phy_device*)*)' [A] 'function int phy_save_page(phy_device*)' [A] 'function int phy_unregister_fixup_for_uid(u32, u32)' [A] 'function void tty_encode_baud_rate(tty_struct*, speed_t, speed_t)' [A] 'function int usb_autopm_get_interface_async(usb_interface*)' [A] 'function void usb_autopm_put_interface_async(usb_interface*)' [A] 'function int usb_interrupt_msg(usb_device*, unsigned int, void*, int, int*, int)' Bug: 254377752 Signed-off-by: Woogeun Lee Change-Id: I2b45044f68268e77b60d13e06201354311b3fad5 --- android/abi_gki_aarch64.xml | 212 +++++++++++++++++++++++---------- android/abi_gki_aarch64_galaxy | 11 ++ 2 files changed, 162 insertions(+), 61 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 2ae53a805857..86c46679066a 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -2542,6 +2542,8 @@ + + @@ -3158,6 +3160,7 @@ + @@ -4072,6 +4075,7 @@ + @@ -4097,12 +4101,14 @@ + + @@ -4112,6 +4118,7 @@ + @@ -5469,6 +5476,7 @@ + @@ -5660,8 +5668,10 @@ + + @@ -5750,6 +5760,7 @@ + @@ -24604,6 +24615,23 @@ + + + + + + + + + + + + + + + + + @@ -81107,6 +81135,7 @@ + @@ -126127,105 +126156,105 @@ - - - + + + - - - + + + - - - - - + + + + + - - - + + + - - - - - + + + + + - - - + + + - - - - - + + + + + - - + + - - - + + + - - + + - - - + + + - - - + + + - - - - + + + + - - + + - - + + - - + + - - - - + + + + - - + + - - + + - - - + + + @@ -130017,6 +130046,16 @@ + + + + + + + + + + @@ -133180,6 +133219,14 @@ + + + + + + + + @@ -137861,6 +137908,11 @@ + + + + + @@ -137993,6 +138045,12 @@ + + + + + + @@ -138020,6 +138078,10 @@ + + + + @@ -138063,6 +138125,11 @@ + + + + + @@ -145073,6 +145140,12 @@ + + + + + + @@ -145991,6 +146064,10 @@ + + + + @@ -145999,6 +146076,10 @@ + + + + @@ -146432,6 +146513,15 @@ + + + + + + + + + diff --git a/android/abi_gki_aarch64_galaxy b/android/abi_gki_aarch64_galaxy index d5358ae912e2..b9540bf8b079 100644 --- a/android/abi_gki_aarch64_galaxy +++ b/android/abi_gki_aarch64_galaxy @@ -1901,6 +1901,8 @@ find_vpid finish_wait firmware_request_nowarn + fixed_phy_register + fixed_phy_unregister fixed_size_llseek flow_keys_basic_dissector flush_dcache_page @@ -2327,6 +2329,7 @@ irq_create_mapping_affinity irq_create_of_mapping irq_dispose_mapping + irq_domain_add_simple irq_domain_alloc_irqs_parent irq_domain_create_hierarchy irq_domain_free_irqs_common @@ -3023,6 +3026,7 @@ phy_ethtool_get_link_ksettings phy_ethtool_nway_reset phy_ethtool_set_link_ksettings + phy_ethtool_set_wol phy_exit phy_find_first phy_get_pause @@ -3034,9 +3038,12 @@ phy_power_off phy_power_on phy_print_status + phy_register_fixup_for_uid + phy_save_page phy_set_mode_ext phy_start phy_stop + phy_unregister_fixup_for_uid pick_highest_pushable_task pid_nr_ns pid_task @@ -4066,6 +4073,7 @@ ttm_tt_populate ttm_tt_set_placement_caching ttm_unmap_and_unpopulate_pages + tty_encode_baud_rate tty_flip_buffer_push tty_insert_flip_string_fixed_flag tty_kref_put @@ -4214,8 +4222,10 @@ usb_asmedia_modifyflowcontrol usb_assign_descriptors usb_autopm_get_interface + usb_autopm_get_interface_async usb_autopm_get_interface_no_resume usb_autopm_put_interface + usb_autopm_put_interface_async usb_bulk_msg usb_calc_bus_time usb_choose_configuration @@ -4293,6 +4303,7 @@ usb_ifnum_to_if usb_initialize_gadget usb_interface_id + usb_interrupt_msg usb_kill_urb usb_match_id usb_match_one_id From 376aaf803fcf67287625d6ab02ab2ce2c4211ca6 Mon Sep 17 00:00:00 2001 From: Kever Yang Date: Mon, 26 Sep 2022 17:06:16 +0800 Subject: [PATCH 16/31] ANDROID: GKI: Add symbol snd_pcm_stop_xrun Leaf changes summary: 1 artifact changed Changed leaf types summary: 0 leaf type changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 1 Added function Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable 1 Added function: [A] 'function int snd_pcm_stop_xrun(snd_pcm_substream*)' Bug: 239396464 Signed-off-by: Kever Yang Change-Id: Ia80d73b3d8eb90db9cfb4bae862cacc80ced46a2 --- android/abi_gki_aarch64.xml | 11379 +++++++++++++++-------------- android/abi_gki_aarch64_rockchip | 1 + 2 files changed, 5714 insertions(+), 5666 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 86c46679066a..4cded64b7225 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -5028,6 +5028,7 @@ + @@ -7533,6 +7534,7 @@ + @@ -9319,9 +9321,9 @@ - - - + + + @@ -9342,6 +9344,7 @@ + @@ -9427,6 +9430,7 @@ + @@ -12373,7 +12377,6 @@ - @@ -12780,8 +12783,8 @@ - - + + @@ -13028,7 +13031,7 @@ - + @@ -14092,7 +14095,6 @@ - @@ -14862,9 +14864,9 @@ - + - + @@ -15603,6 +15605,12 @@ + + + + + + @@ -16097,9 +16105,6 @@ - - - @@ -16319,29 +16324,7 @@ - - - - - - - - - - - - - - - - - - - - - - - + @@ -19246,6 +19229,7 @@ + @@ -19636,7 +19620,11 @@ - + + + + + @@ -20615,6 +20603,7 @@ + @@ -20812,6 +20801,7 @@ + @@ -21252,6 +21242,14 @@ + + + + + + + + @@ -22335,7 +22333,6 @@ - @@ -23088,11 +23085,6 @@ - - - - - @@ -25302,7 +25294,7 @@ - + @@ -25341,6 +25333,7 @@ + @@ -25527,7 +25520,6 @@ - @@ -25834,23 +25826,7 @@ - - - - - - - - - - - - - - - - - + @@ -26513,7 +26489,7 @@ - + @@ -26671,7 +26647,7 @@ - + @@ -26901,6 +26877,7 @@ + @@ -26978,7 +26955,7 @@ - + @@ -27035,7 +27012,6 @@ - @@ -27412,7 +27388,6 @@ - @@ -27594,36 +27569,36 @@ - + - + - + - + - + - + - + - + - + - + - + @@ -28051,7 +28026,7 @@ - + @@ -29000,6 +28975,7 @@ + @@ -31869,6 +31845,9 @@ + + + @@ -31982,7 +31961,6 @@ - @@ -32911,9 +32889,9 @@ - - - + + + @@ -33814,6 +33792,7 @@ + @@ -34068,68 +34047,7 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -34644,9 +34562,10 @@ + - + @@ -35058,7 +34977,6 @@ - @@ -35261,7 +35179,7 @@ - + @@ -36902,6 +36820,10 @@ + + + + @@ -38833,6 +38755,7 @@ + @@ -39623,8 +39546,8 @@ - - + + @@ -40599,6 +40522,17 @@ + + + + + + + + + + + @@ -40879,9 +40813,9 @@ - - - + + + @@ -41414,7 +41348,6 @@ - @@ -42398,6 +42331,7 @@ + @@ -44924,6 +44858,13 @@ + + + + + + + @@ -44953,6 +44894,11 @@ + + + + + @@ -45400,12 +45346,12 @@ - - - - - - + + + + + + @@ -45536,6 +45482,7 @@ + @@ -46319,21 +46266,21 @@ - + - + - + - + - + - + @@ -48438,8 +48385,8 @@ - - + + @@ -48803,35 +48750,7 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -49013,7 +48932,6 @@ - @@ -49398,14 +49316,7 @@ - - - - - - - - + @@ -50053,6 +49964,11 @@ + + + + + @@ -50464,7 +50380,7 @@ - + @@ -51180,7 +51096,56 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -51522,7 +51487,6 @@ - @@ -52472,7 +52436,7 @@ - + @@ -53317,6 +53281,7 @@ + @@ -53760,6 +53725,7 @@ + @@ -53810,7 +53776,6 @@ - @@ -54012,7 +53977,6 @@ - @@ -54422,23 +54386,7 @@ - - - - - - - - - - - - - - - - - + @@ -54800,6 +54748,7 @@ + @@ -55731,9 +55680,9 @@ - - - + + + @@ -56459,7 +56408,6 @@ - @@ -57045,7 +56993,7 @@ - + @@ -57513,7 +57461,7 @@ - + @@ -58635,7 +58583,6 @@ - @@ -59773,6 +59720,7 @@ + @@ -60236,7 +60184,12 @@ - + + + + + + @@ -61461,7 +61414,44 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -62694,7 +62684,65 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -64191,6 +64239,7 @@ + @@ -64506,17 +64555,7 @@ - - - - - - - - - - - + @@ -65596,7 +65635,7 @@ - + @@ -66118,10 +66157,10 @@ - - - - + + + + @@ -66172,11 +66211,6 @@ - - - - - @@ -67417,6 +67451,11 @@ + + + + + @@ -68446,6 +68485,11 @@ + + + + + @@ -68908,7 +68952,7 @@ - + @@ -71002,7 +71046,6 @@ - @@ -71713,7 +71756,6 @@ - @@ -73454,10 +73496,9 @@ - - - + + @@ -73577,6 +73618,7 @@ + @@ -73928,6 +73970,7 @@ + @@ -74292,8 +74335,8 @@ - - + + @@ -74365,7 +74408,6 @@ - @@ -74833,7 +74875,38 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -74944,7 +75017,7 @@ - + @@ -76499,7 +76572,6 @@ - @@ -77649,6 +77721,7 @@ + @@ -79077,12 +79150,12 @@ - + - + @@ -80168,12 +80241,12 @@ - - - - - - + + + + + + @@ -81472,7 +81545,6 @@ - @@ -81712,6 +81784,7 @@ + @@ -82461,7 +82534,6 @@ - @@ -83070,7 +83142,6 @@ - @@ -83143,9 +83214,6 @@ - - - @@ -83162,6 +83230,11 @@ + + + + + @@ -83184,6 +83257,7 @@ + @@ -83644,7 +83718,7 @@ - + @@ -83720,9 +83794,17 @@ + + + + + + + + - + @@ -86875,7 +86957,6 @@ - @@ -87494,7 +87575,7 @@ - + @@ -88176,9 +88257,9 @@ - - - + + + @@ -88647,7 +88728,26 @@ - + + + + + + + + + + + + + + + + + + + + @@ -88672,7 +88772,7 @@ - + @@ -88697,7 +88797,6 @@ - @@ -88736,7 +88835,6 @@ - @@ -90209,7 +90307,7 @@ - + @@ -90857,8 +90955,8 @@ - - + + @@ -92106,14 +92204,6 @@ - - - - - - - - @@ -92559,20 +92649,7 @@ - - - - - - - - - - - - - - + @@ -93129,7 +93206,7 @@ - + @@ -93304,7 +93381,7 @@ - + @@ -93599,7 +93676,6 @@ - @@ -93740,12 +93816,12 @@ - + - + @@ -93837,6 +93913,7 @@ + @@ -95027,7 +95104,6 @@ - @@ -95314,6 +95390,7 @@ + @@ -96600,7 +96677,7 @@ - + @@ -97112,7 +97189,7 @@ - + @@ -97164,7 +97241,7 @@ - + @@ -97602,7 +97679,7 @@ - + @@ -98331,6 +98408,9 @@ + + + @@ -99593,7 +99673,6 @@ - @@ -99869,8 +99948,8 @@ - - + + @@ -100090,8 +100169,8 @@ - - + + @@ -101248,7 +101327,6 @@ - @@ -102240,14 +102318,7 @@ - - - - - - - - + @@ -103782,6 +103853,9 @@ + + + @@ -103794,9 +103868,6 @@ - - - @@ -103820,7 +103891,7 @@ - + @@ -103961,8 +104032,8 @@ - - + + @@ -104563,6 +104634,7 @@ + @@ -104831,7 +104903,6 @@ - @@ -105367,20 +105438,7 @@ - - - - - - - - - - - - - - + @@ -105439,9 +105497,6 @@ - - - @@ -107411,35 +107466,7 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -108901,7 +108928,6 @@ - @@ -108916,6 +108942,20 @@ + + + + + + + + + + + + + + @@ -109250,7 +109290,6 @@ - @@ -113213,6 +113252,11 @@ + + + + + @@ -113540,7 +113584,6 @@ - @@ -115329,6 +115372,7 @@ + @@ -115413,6 +115457,7 @@ + @@ -115536,11 +115581,10 @@ - - - + + @@ -116143,7 +116187,6 @@ - @@ -120542,9 +120585,9 @@ - - - + + + @@ -120555,33 +120598,33 @@ - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - + + + - - - + + + @@ -120591,27 +120634,27 @@ - - - + + + - - - + + + - - - + + + - - - + + + @@ -120621,8 +120664,8 @@ - - + + @@ -120641,8 +120684,8 @@ - - + + @@ -120658,57 +120701,57 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - + + - - + + @@ -120719,16 +120762,16 @@ - - + + - - + + @@ -120756,12 +120799,12 @@ - - - - - - + + + + + + @@ -120778,9 +120821,9 @@ - - - + + + @@ -120800,25 +120843,25 @@ - - - - - + + + + + - - - + + + - - + + - - - + + + @@ -120835,15 +120878,15 @@ - - - + + + - - - + + + @@ -120856,22 +120899,22 @@ - - - - + + + + - - - - + + + + - - - - + + + + @@ -120950,20 +120993,20 @@ - - - - - + + + + + - - - - - - - + + + + + + + @@ -120972,29 +121015,29 @@ - - - + + + - - - - - - + + + + + + - - - - + + + + - - + + @@ -121036,11 +121079,11 @@ - - - - - + + + + + @@ -121060,14 +121103,14 @@ - - + + - - - - + + + + @@ -121090,15 +121133,15 @@ - - - - + + + + - - - + + + @@ -121106,11 +121149,11 @@ - - - - - + + + + + @@ -121161,21 +121204,21 @@ - - - - - + + + + + - - - - - - + + + + + + - - + + @@ -121216,18 +121259,18 @@ - - + + - - - + + + - - - + + + @@ -121260,17 +121303,17 @@ - - - - + + + + - - - - - + + + + + @@ -121281,47 +121324,47 @@ - - - - + + + + - - + + - - - + + + - - - + + + - - - + + + - - + + - - - - + + + + - - + + - - + + @@ -121331,15 +121374,15 @@ - - + + - - - - - + + + + + @@ -121352,9 +121395,9 @@ - - - + + + @@ -121363,49 +121406,49 @@ - - - - + + + + - - - - - - - + + + + + + + - - - - + + + + - - - - - + + + + + - - - - + + + + - - - - - + + + + + @@ -121415,10 +121458,10 @@ - - - - + + + + @@ -121468,17 +121511,17 @@ - - + + - - + + - - - + + + @@ -121513,10 +121556,10 @@ - - - - + + + + @@ -121548,13 +121591,13 @@ - - - + + + - - + + @@ -121585,8 +121628,8 @@ - - + + @@ -121595,8 +121638,8 @@ - - + + @@ -121618,8 +121661,8 @@ - - + + @@ -121666,8 +121709,8 @@ - - + + @@ -121689,14 +121732,14 @@ - - + + - - - - + + + + @@ -121732,9 +121775,9 @@ - - - + + + @@ -121883,16 +121926,16 @@ - - + + - - + + @@ -121941,42 +121984,42 @@ - - - - + + + + - - - - + + + + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - - - + + + @@ -121997,31 +122040,31 @@ - - - - + + + + - - - + + + - - - + + + - - - + + + - - - - + + + + @@ -122039,9 +122082,9 @@ - - - + + + @@ -122089,67 +122132,67 @@ - - - - + + + + - - - - - + + + + + - - - - - - + + + + + + - - - - - - - + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - - + + + + + + + + + + @@ -122165,16 +122208,16 @@ - - + + - - - - - - + + + + + + @@ -122195,22 +122238,22 @@ - - + + - - + + - - + + - - + + @@ -122234,23 +122277,23 @@ - - - + + + - - - - - + + + + + - - - - - + + + + + @@ -122260,8 +122303,8 @@ - - + + @@ -122274,8 +122317,8 @@ - - + + @@ -122345,9 +122388,9 @@ - - - + + + @@ -122391,11 +122434,11 @@ - - - - - + + + + + @@ -122411,19 +122454,19 @@ - - - + + + - - - + + + - - - + + + @@ -122455,9 +122498,9 @@ - - - + + + @@ -122546,14 +122589,14 @@ - - - + + + - - - + + + @@ -122565,47 +122608,47 @@ - - - + + + - - - - + + + + - - + + - - - - - + + + + + - - - - - + + + + + - - + + - - - - + + + + - - + + @@ -122618,30 +122661,30 @@ - - + + - - + + - - + + - - - + + + - - - + + + @@ -122650,48 +122693,48 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - - - + + + @@ -122702,8 +122745,8 @@ - - + + @@ -122821,8 +122864,8 @@ - - + + @@ -122930,28 +122973,28 @@ - - - + + + - - + + - - - - - + + + + + @@ -122962,13 +123005,13 @@ - - - - - - - + + + + + + + @@ -122979,11 +123022,11 @@ - - - - - + + + + + @@ -122995,11 +123038,11 @@ - - - - - + + + + + @@ -123018,8 +123061,8 @@ - - + + @@ -123056,10 +123099,10 @@ - - - - + + + + @@ -123097,22 +123140,22 @@ - - + + - - - - + + + + - - + + - - + + @@ -123123,9 +123166,9 @@ - - - + + + @@ -123144,15 +123187,15 @@ - - + + - - - - + + + + @@ -123163,9 +123206,9 @@ - - - + + + @@ -123226,8 +123269,8 @@ - - + + @@ -123258,18 +123301,18 @@ - - + + - - - + + + - - - + + + @@ -123281,8 +123324,8 @@ - - + + @@ -123298,9 +123341,9 @@ - - - + + + @@ -123333,12 +123376,12 @@ - - + + - - + + @@ -123349,23 +123392,23 @@ - - + + - - - + + + - - - - + + + + @@ -123380,9 +123423,9 @@ - - - + + + @@ -123401,8 +123444,8 @@ - - + + @@ -123422,58 +123465,58 @@ - - - + + + - - - + + + - - - - + + + + - - - - - + + + + + - - - - - + + + + + - + - + - - - + + + - - - - - + + + + + - - - - - + + + + + @@ -123522,16 +123565,16 @@ - - + + - - + + @@ -123566,10 +123609,10 @@ - - - - + + + + @@ -123624,42 +123667,42 @@ - - - - - - + + + + + + - - - - - - + + + + + + - - + + - - - + + + - - - + + + - + @@ -123702,10 +123745,10 @@ - - - - + + + + @@ -123713,9 +123756,9 @@ - - - + + + @@ -123725,7 +123768,7 @@ - + @@ -123750,8 +123793,8 @@ - - + + @@ -123772,22 +123815,22 @@ - - + + - - - + + + - - - + + + @@ -123837,11 +123880,11 @@ - - - - - + + + + + @@ -123849,44 +123892,44 @@ - - - - - + + + + + - - - - + + + + - - - - - + + + + + - - - - + + + + - - + + - - + + - - - - + + + + @@ -123911,8 +123954,8 @@ - - + + @@ -123937,18 +123980,18 @@ - - - + + + - - - + + + @@ -123965,9 +124008,9 @@ - - - + + + @@ -123978,11 +124021,11 @@ - - - - - + + + + + @@ -123992,11 +124035,11 @@ - - + + - + @@ -124018,17 +124061,17 @@ - - + + - - + + - - - + + + @@ -124036,22 +124079,22 @@ - - + + - - + + - - - - + + + + @@ -124059,9 +124102,9 @@ - - - + + + @@ -124092,12 +124135,12 @@ - - + + - - + + @@ -124106,7 +124149,7 @@ - + @@ -124137,11 +124180,11 @@ - - - - - + + + + + @@ -124151,17 +124194,17 @@ - - - + + + - - - - - - + + + + + + @@ -124173,12 +124216,12 @@ - - - - - - + + + + + + @@ -124215,11 +124258,11 @@ - - - - - + + + + + @@ -124229,11 +124272,11 @@ - - - - - + + + + + @@ -124265,9 +124308,9 @@ - - - + + + @@ -124278,8 +124321,8 @@ - - + + @@ -124289,9 +124332,9 @@ - - - + + + @@ -124300,11 +124343,11 @@ - - - - - + + + + + @@ -124321,12 +124364,12 @@ - - + + - - + + @@ -124343,18 +124386,18 @@ - - - - + + + + - - + + @@ -124396,54 +124439,54 @@ - - + + - - - - + + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + @@ -124465,9 +124508,9 @@ - - - + + + @@ -124480,9 +124523,9 @@ - - - + + + @@ -124504,10 +124547,10 @@ - - - - + + + + @@ -124538,15 +124581,15 @@ - - - - + + + + - - - + + + @@ -124566,8 +124609,8 @@ - - + + @@ -124583,8 +124626,8 @@ - - + + @@ -124592,13 +124635,13 @@ - - + + - - - + + + @@ -124609,9 +124652,9 @@ - - - + + + @@ -124628,16 +124671,16 @@ - - + + - - + + @@ -124662,9 +124705,9 @@ - - - + + + @@ -124758,9 +124801,9 @@ - - - + + + @@ -124773,17 +124816,17 @@ - - - - + + + + - - - - + + + + @@ -124791,10 +124834,10 @@ - - - - + + + + @@ -124802,9 +124845,9 @@ - - - + + + @@ -124829,11 +124872,11 @@ - - - - - + + + + + @@ -124905,20 +124948,20 @@ - - + + - - + + - - + + @@ -124931,8 +124974,8 @@ - - + + @@ -124954,12 +124997,12 @@ - - - - - - + + + + + + @@ -124968,40 +125011,40 @@ - - - + + + - - - - - - - + + + + + + + - - + + - - - + + + - - - - + + + + - - - - + + + + @@ -125036,28 +125079,28 @@ - - - + + + - - + + - - - - + + + + - - - + + + @@ -125079,10 +125122,10 @@ - - - - + + + + @@ -125104,11 +125147,11 @@ - - - - - + + + + + @@ -125131,15 +125174,15 @@ - - - + + + - - - - + + + + @@ -125156,14 +125199,14 @@ - - - + + + - - - + + + @@ -125192,22 +125235,22 @@ - - + + - - + + - - - - + + + + @@ -125237,10 +125280,10 @@ - - - - + + + + @@ -125248,15 +125291,15 @@ - - - - + + + + - - - + + + @@ -125363,11 +125406,11 @@ - - - - - + + + + + @@ -125565,29 +125608,29 @@ - - - - + + + + - - - + + + - - - - + + + + - - - - - + + + + + @@ -125597,10 +125640,10 @@ - - - - + + + + @@ -125644,14 +125687,14 @@ - - - - - - - - + + + + + + + + @@ -125664,9 +125707,9 @@ - - - + + + @@ -125705,8 +125748,8 @@ - - + + @@ -125773,14 +125816,14 @@ - - - + + + - - - + + + @@ -125788,10 +125831,10 @@ - - - - + + + + @@ -125849,15 +125892,15 @@ - - - - + + + + - - - + + + @@ -125956,16 +125999,16 @@ - - - + + + - - - - - + + + + + @@ -126021,34 +126064,34 @@ - - - + + + - - - - - + + + + + - - - - - + + + + + - - + + - - - - - + + + + + @@ -126059,12 +126102,12 @@ - - + + - - + + @@ -126173,9 +126216,9 @@ - - - + + + @@ -126197,17 +126240,17 @@ - - + + - - - + + + - - + + @@ -126215,15 +126258,15 @@ - - - + + + - - - - + + + + @@ -126234,34 +126277,34 @@ - - + + - - - - + + + + - - + + - - - + + + - - - - + + + + @@ -126273,9 +126316,9 @@ - - - + + + @@ -126283,8 +126326,8 @@ - - + + @@ -126295,15 +126338,15 @@ - + - - - - - - + + + + + + @@ -126315,13 +126358,13 @@ - - - - + + + + - - + + @@ -126341,10 +126384,10 @@ - - - - + + + + @@ -126502,46 +126545,46 @@ - - - + + + - - - + + + - - + + - - - - - + + + + + - - + + - - - + + + - - - - + + + + - - - - - + + + + + @@ -126674,8 +126717,8 @@ - - + + @@ -126719,8 +126762,8 @@ - - + + @@ -126732,8 +126775,8 @@ - - + + @@ -126744,8 +126787,8 @@ - - + + @@ -126915,9 +126958,9 @@ - - - + + + @@ -126927,62 +126970,62 @@ - - + + - - - + + + - - + + - - - + + + - - - - + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + @@ -127000,14 +127043,14 @@ - - - + + + - - - + + + @@ -127042,13 +127085,13 @@ - - - - - - - + + + + + + + @@ -127272,62 +127315,62 @@ - - + + - - - + + + - - + + - - - - - + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + @@ -127343,15 +127386,15 @@ - - + + - - - - - + + + + + @@ -127362,10 +127405,10 @@ - - - - + + + + @@ -127408,8 +127451,8 @@ - - + + @@ -127417,9 +127460,9 @@ - - - + + + @@ -127456,9 +127499,9 @@ - - - + + + @@ -127467,8 +127510,8 @@ - - + + @@ -127476,19 +127519,19 @@ - - - - - + + + + + - - - - - - + + + + + + @@ -127496,20 +127539,20 @@ - - + + - - + + - - + + - - + + @@ -127522,17 +127565,17 @@ - - + + - - + + - - - + + + @@ -127579,19 +127622,19 @@ - - - - - - - + + + + + + + - - - + + + @@ -127599,17 +127642,17 @@ - - - + + + - - + + @@ -127627,20 +127670,20 @@ - - + + - - + + - - + + @@ -127653,11 +127696,11 @@ - - - - - + + + + + @@ -127668,33 +127711,33 @@ - - - + + + - - - - + + + + - - - - + + + + - - + + - - + + @@ -128004,23 +128047,23 @@ - - + + - - - - + + + + - - - + + + @@ -128036,12 +128079,12 @@ - - - - - - + + + + + + @@ -128093,26 +128136,26 @@ - - - - - + + + + + - - + + - - - - + + + + - - - - + + + + @@ -128267,10 +128310,10 @@ - - - - + + + + @@ -128320,9 +128363,9 @@ - - - + + + @@ -128451,19 +128494,19 @@ - - - + + + - - - + + + - - - + + + @@ -128564,8 +128607,8 @@ - - + + @@ -128587,9 +128630,9 @@ - - - + + + @@ -128622,8 +128665,8 @@ - - + + @@ -128638,24 +128681,24 @@ - - + + - - - + + + - - - - + + + + - - - + + + @@ -128674,9 +128717,9 @@ - - - + + + @@ -128690,18 +128733,18 @@ - - + + - - - + + + - - - + + + @@ -128722,9 +128765,9 @@ - - - + + + @@ -128755,28 +128798,28 @@ - - + + - - + + - - - + + + - - - - + + + + - - - + + + @@ -128787,83 +128830,83 @@ - - - + + + - - - - + + + + - - - + + + - - + + - - - + + + - - + + - - + + - - - + + + - - + + - - - + + + - - + + - - + + - - + + - - - - + + + + - - - - + + + + @@ -128919,17 +128962,17 @@ - - + + - - + + - - - + + + @@ -128943,20 +128986,20 @@ - - + + - - + + - - + + @@ -129025,9 +129068,9 @@ - - - + + + @@ -129039,44 +129082,44 @@ - - + + - - - - - + + + + + - - - - - - - + + + + + + + - - - - + + + + - - - - + + + + - - - - - - + + + + + + @@ -129086,12 +129129,12 @@ - - - - - - + + + + + + @@ -129102,9 +129145,9 @@ - - - + + + @@ -129112,18 +129155,18 @@ - - - - + + + + - - - - - - - + + + + + + + @@ -129138,30 +129181,30 @@ - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + @@ -129197,8 +129240,8 @@ - - + + @@ -129282,20 +129325,20 @@ - - + + - - - - - - - - - - + + + + + + + + + + @@ -129304,19 +129347,19 @@ - - - + + + - - - - + + + + - - - + + + @@ -129343,40 +129386,40 @@ - - - - + + + + - - + + - - + + - - - + + + - - - - + + + + - - - - + + + + @@ -129615,8 +129658,8 @@ - - + + @@ -129630,13 +129673,13 @@ - - + + - - - + + + @@ -129653,10 +129696,10 @@ - - - - + + + + @@ -129689,14 +129732,14 @@ - - - + + + - - - + + + @@ -129704,17 +129747,17 @@ - - - - + + + + - - + + @@ -129729,9 +129772,9 @@ - - - + + + @@ -129745,54 +129788,54 @@ - - - - + + + + - - + + - - + + - - + + - - - - + + + + - - - - + + + + - - + + - - + + - - - + + + - - + + @@ -129808,15 +129851,15 @@ - - - + + + - - - - + + + + @@ -129849,18 +129892,18 @@ - - - - + + + + - - - - - + + + + + @@ -129868,9 +129911,9 @@ - - - + + + @@ -129904,12 +129947,12 @@ - - + + - - + + @@ -129955,15 +129998,15 @@ - - - + + + - - - - + + + + @@ -129972,13 +130015,13 @@ - - - + + + - - + + @@ -129988,21 +130031,21 @@ - - - + + + - - - - + + + + - - - - + + + + @@ -130018,26 +130061,26 @@ - - + + - - - + + + - - + + - - - + + + @@ -130064,11 +130107,11 @@ - - + + - + @@ -130083,8 +130126,8 @@ - - + + @@ -130132,24 +130175,24 @@ - - - - + + + + - - - + + + - - + + - - - + + + @@ -130157,13 +130200,13 @@ - - + + - - - + + + @@ -130179,9 +130222,9 @@ - - - + + + @@ -130275,9 +130318,9 @@ - - - + + + @@ -130326,11 +130369,11 @@ - - - - - + + + + + @@ -130350,11 +130393,11 @@ - - - - - + + + + + @@ -130466,8 +130509,8 @@ - - + + @@ -130476,9 +130519,9 @@ - - - + + + @@ -130491,8 +130534,8 @@ - - + + @@ -130535,12 +130578,12 @@ - - + + - - + + @@ -130577,35 +130620,35 @@ - - + + - - - + + + - - - - - - - + + + + + + + - - - - - - + + + + + + - - - + + + @@ -130617,13 +130660,13 @@ - - - + + + - - + + @@ -130666,36 +130709,36 @@ - - - - - + + + + + - - - - - + + + + + - - - - + + + + - - - + + + - - - - + + + + - - + + @@ -130738,13 +130781,13 @@ - - - - - - - + + + + + + + @@ -130769,13 +130812,13 @@ - - - + + + - - + + @@ -130811,10 +130854,10 @@ - - - - + + + + @@ -130824,12 +130867,12 @@ - - + + - - + + @@ -130840,17 +130883,17 @@ - - - - - - - + + + + + + + - - + + @@ -130867,8 +130910,8 @@ - - + + @@ -130898,15 +130941,15 @@ - - + + - - - - - + + + + + @@ -130918,8 +130961,8 @@ - - + + @@ -130945,8 +130988,8 @@ - - + + @@ -130960,20 +131003,20 @@ - - + + - + - - - + + + @@ -130990,15 +131033,15 @@ - - - - + + + + - - - + + + @@ -131011,20 +131054,20 @@ - - + + - - + + - - - + + + @@ -131034,13 +131077,13 @@ - - + + - - - + + + @@ -131054,41 +131097,41 @@ - - - - - - + + + + + + - - + + - - - - - - + + + + + + - - - - - + + + + + - - - - - - - - + + + + + + + + @@ -131102,8 +131145,8 @@ - - + + @@ -131115,18 +131158,18 @@ - - + + - - - - + + + + @@ -131150,23 +131193,23 @@ - - - + + + - - - + + + - - - + + + - - + + @@ -131179,9 +131222,9 @@ - - - + + + @@ -131189,29 +131232,29 @@ - - - - + + + + - - + + - - - - - + + + + + - - - - - - + + + + + + @@ -131255,9 +131298,9 @@ - - - + + + @@ -131266,8 +131309,8 @@ - - + + @@ -131276,9 +131319,9 @@ - - - + + + @@ -131375,8 +131418,8 @@ - - + + @@ -131403,10 +131446,10 @@ - - - - + + + + @@ -131418,25 +131461,25 @@ - - - + + + - - + + - - + + - - + + - - + + @@ -131481,10 +131524,10 @@ - - + + - + @@ -131499,22 +131542,22 @@ - - - + + + - - - + + + - - + + - - + + @@ -131571,38 +131614,38 @@ - - - - + + + + - - - - - - - - + + + + + + + + - - + + - - + + - + - - + + @@ -131613,9 +131656,9 @@ - - - + + + @@ -131630,26 +131673,26 @@ - - + + - - - - + + + + - - - - - - + + + + + + - - + + @@ -131660,33 +131703,32 @@ - - - + + - - - + + + - - + + - - - - - + + + + + - - - - + + + + @@ -131701,28 +131743,28 @@ - - - - - + + + + + - - + + - - - - - + + + + + - - - - + + + + @@ -131744,18 +131786,18 @@ - - + + - - + + - - + + @@ -131778,12 +131820,12 @@ - - + + - - + + @@ -131820,9 +131862,9 @@ - - - + + + @@ -131857,81 +131899,81 @@ - - - + + + - - - + + + - - - - + + + + - - - - - - + + + + + + - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - - - + + + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -132061,12 +132103,12 @@ - - + + - - + + @@ -132109,14 +132151,14 @@ - - + + - - - - + + + + @@ -132137,36 +132179,36 @@ - - - - - + + + + + - - + + - - - + + + - - - - - - + + + + + + - - - - - - + + + + + + @@ -132177,39 +132219,39 @@ - - + + - - - + + + - - - - + + + + - - - + + + - - + + - - - + + + - - - - + + + + @@ -132235,14 +132277,14 @@ - - + + - - - - + + + + @@ -132263,12 +132305,12 @@ - - + + - - + + @@ -132284,8 +132326,8 @@ - - + + @@ -132418,21 +132460,21 @@ - - - - - + + + + + - - - - - - - - + + + + + + + + @@ -132442,8 +132484,8 @@ - - + + @@ -132466,8 +132508,8 @@ - - + + @@ -132475,9 +132517,9 @@ - - - + + + @@ -132497,24 +132539,24 @@ - - - - + + + + - - - + + + - - - - + + + + @@ -132522,50 +132564,50 @@ - - - - - - + + + + + + - - - + + + - - + + - - + + - - - - + + + + - - - + + + - - - + + + - - - + + + @@ -132581,8 +132623,8 @@ - - + + @@ -132603,8 +132645,8 @@ - - + + @@ -132619,8 +132661,8 @@ - - + + @@ -132653,20 +132695,20 @@ - - + + - - + + - - + + @@ -132703,12 +132745,12 @@ - - + + - - + + @@ -132720,34 +132762,34 @@ - - + + - - - + + + - - - - + + + + - - - - + + + + - - - + + + - - + + @@ -132832,9 +132874,9 @@ - - - + + + @@ -132995,74 +133037,74 @@ - - - + + + - - + + - - - + + + - - + + - - - - - - + + + + + + - - - - - - + + + + + + - - - + + + - - - - - - - + + + + + + + - - - - - - + + + + + + - - - + + + - - - - + + + + - - - - + + + + @@ -133070,53 +133112,53 @@ - - - - + + + + - - - - - + + + + + - - - - + + + + - - + + - - + + - - - - - - + + + + + + - - - - - + + + + + @@ -133151,8 +133193,8 @@ - - + + @@ -133260,13 +133302,13 @@ - - - + + + - - + + @@ -133277,15 +133319,15 @@ - - - - - - - - - + + + + + + + + + @@ -133321,9 +133363,9 @@ - - - + + + @@ -133349,30 +133391,30 @@ - - - + + + - - - - + + + + - - - - + + + + - - - + + + @@ -133385,10 +133427,10 @@ - - - - + + + + @@ -133396,11 +133438,11 @@ - - - - - + + + + + @@ -133423,10 +133465,10 @@ - - - - + + + + @@ -133439,20 +133481,20 @@ - - - + + + - - - - + + + + - + - - + + @@ -133469,9 +133511,9 @@ - - - + + + @@ -133573,14 +133615,14 @@ - - - + + + - - + + @@ -133667,67 +133709,67 @@ - - + + - - - - - + + + + + - - + + - - - - - - - - - + + + + + + + + + - - + + - - - - - - - - - + + + + + + + + + - - + + - - + + - - + + - - + + - + @@ -133738,10 +133780,10 @@ - - - - + + + + @@ -133767,21 +133809,21 @@ - - - - + + + + - - - + + + - - - - + + + + @@ -133792,35 +133834,35 @@ - - - - - - - - + + + + + + + + - - + + - - - + + + - - - - + + + + - - - - + + + + @@ -133852,46 +133894,46 @@ - - - - + + + + - - - + + + - - + + - - + + - - - + + + - - - - - + + + + + - - + + - - - + + + @@ -133900,35 +133942,35 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - - + + - - + + @@ -133937,23 +133979,23 @@ - - - + + + - - - + + + - - - + + + @@ -133961,34 +134003,34 @@ - - - - + + + + - - - + + + - - - - + + + + - - - - + + + + - - - - - + + + + + @@ -133998,16 +134040,16 @@ - - - - + + + + - - - - + + + + @@ -134023,10 +134065,10 @@ - - - - + + + + @@ -134036,10 +134078,10 @@ - - - - + + + + @@ -134049,37 +134091,37 @@ - - - - + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - - - - - + + + + + @@ -134090,9 +134132,9 @@ - - - + + + @@ -134106,11 +134148,11 @@ - - - - - + + + + + @@ -134146,11 +134188,11 @@ - - + + - + @@ -134167,15 +134209,15 @@ - - + + - - + + - - + + @@ -134195,8 +134237,8 @@ - - + + @@ -134210,8 +134252,8 @@ - - + + @@ -134223,8 +134265,8 @@ - - + + @@ -134238,18 +134280,18 @@ - - - + + + - - - - + + + + - - + + @@ -134257,10 +134299,10 @@ - - - - + + + + @@ -134273,14 +134315,14 @@ - - - - + + + + - - + + @@ -134316,18 +134358,18 @@ - - - + + + - - - + + + @@ -134338,8 +134380,8 @@ - - + + @@ -134360,10 +134402,10 @@ - - - - + + + + @@ -134373,30 +134415,30 @@ - - - - - + + + + + - - + + - - + + - - - + + + - - + + @@ -134415,11 +134457,11 @@ - - - - - + + + + + @@ -134432,8 +134474,8 @@ - - + + @@ -134450,11 +134492,11 @@ - - - - - + + + + + @@ -134493,8 +134535,8 @@ - - + + @@ -134502,25 +134544,25 @@ - - - + + + - - + + - - - - + + + + - - - - + + + + @@ -134533,9 +134575,9 @@ - - - + + + @@ -134546,13 +134588,13 @@ - - + + - - - + + + @@ -134560,50 +134602,50 @@ - - - + + + - - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - - - + + + @@ -134617,8 +134659,8 @@ - - + + @@ -134694,9 +134736,9 @@ - - - + + + @@ -134734,32 +134776,32 @@ - - + + - - - + + + - - - - + + + + - - - + + + - - - + + + - + @@ -134772,9 +134814,9 @@ - - - + + + @@ -134854,10 +134896,10 @@ - - - - + + + + @@ -134902,13 +134944,13 @@ - - - - - - - + + + + + + + @@ -135099,12 +135141,12 @@ - - + + - - + + @@ -135116,11 +135158,11 @@ - - - - - + + + + + @@ -135161,8 +135203,8 @@ - - + + @@ -135215,8 +135257,8 @@ - - + + @@ -135228,9 +135270,9 @@ - - - + + + @@ -135241,28 +135283,28 @@ - - - + + + - - - - - - + + + + + + - - + + - - - - - + + + + + @@ -135273,9 +135315,9 @@ - - - + + + @@ -135336,8 +135378,8 @@ - - + + @@ -135376,9 +135418,9 @@ - - - + + + @@ -135438,8 +135480,8 @@ - - + + @@ -135461,12 +135503,12 @@ - - + + - - + + @@ -135500,8 +135542,8 @@ - - + + @@ -135512,9 +135554,9 @@ - - - + + + @@ -135522,47 +135564,47 @@ - - + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - - - - + + + + + @@ -135570,18 +135612,18 @@ - - - - + + + + - - + + @@ -135589,14 +135631,14 @@ - - - - + + + + - - - + + + @@ -135632,17 +135674,17 @@ - - + + - - - + + + @@ -135652,9 +135694,9 @@ - - - + + + @@ -135696,12 +135738,12 @@ - - + + - - + + @@ -135715,67 +135757,67 @@ - - - + + + - - + + - - + + - - + + - - + + - - - - - + + + + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + @@ -135789,19 +135831,19 @@ - - + + - - + + - - - - - + + + + + @@ -135812,41 +135854,41 @@ - - - - + + + + - - - + + + - - + + - - - - - + + + + + - - + + - - + + @@ -135865,10 +135907,10 @@ - - - - + + + + @@ -135876,10 +135918,10 @@ - - - - + + + + @@ -135900,11 +135942,11 @@ - - - - - + + + + + @@ -135921,24 +135963,24 @@ - - - - + + + + - - - - - + + + + + - - - - - + + + + + @@ -135963,10 +136005,10 @@ - - - - + + + + @@ -135980,12 +136022,12 @@ - - + + - - + + @@ -136010,18 +136052,18 @@ - - - + + + - - + + - - - + + + @@ -136045,18 +136087,18 @@ - - - - - + + + + + - - - - - + + + + + @@ -136067,19 +136109,19 @@ - - - - + + + + - - + + - - - + + + @@ -136098,14 +136140,14 @@ - - - + + + - - - + + + @@ -136131,9 +136173,9 @@ - - - + + + @@ -136146,22 +136188,22 @@ - - - - + + + + - - + + - - + + @@ -136181,43 +136223,43 @@ - - + + - - - + + + - - - + + + - - - - - + + + + + - - - + + + - - - - - + + + + + @@ -136230,9 +136272,9 @@ - - - + + + @@ -136265,14 +136307,14 @@ - - - - + + + + - - + + @@ -136283,44 +136325,44 @@ - - - - + + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - - - - + + + + @@ -136354,16 +136396,16 @@ - - - - - - + + + + + + - - - + + + @@ -136371,9 +136413,9 @@ - - - + + + @@ -136417,33 +136459,33 @@ - - - + + + - - - + + + - - + + - - + + - - - + + + - - - - + + + + @@ -136468,9 +136510,9 @@ - - - + + + @@ -136486,32 +136528,32 @@ - - - - + + + + - - + + - - + + - - - + + + - - - + + + - - - + + + @@ -136520,9 +136562,9 @@ - - - + + + @@ -136530,74 +136572,74 @@ - - - + + + - - + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - - + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - + + - - + + - - - - + + + + @@ -136609,42 +136651,42 @@ - - - - + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - + + @@ -136659,8 +136701,8 @@ - - + + @@ -136680,8 +136722,8 @@ - - + + @@ -136695,61 +136737,61 @@ - - - - - + + + + + - - - + + + - - - - - + + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - - - + + + + + + - - - - - + + + + + - - - - + + + + @@ -136767,12 +136809,12 @@ - - - - - - + + + + + + @@ -136783,12 +136825,12 @@ - - - - - - + + + + + + @@ -136803,9 +136845,9 @@ - - - + + + @@ -136818,15 +136860,15 @@ - - + + - - - - - + + + + + @@ -136843,10 +136885,10 @@ - - - - + + + + @@ -136866,10 +136908,10 @@ - - - - + + + + @@ -136915,10 +136957,10 @@ - - - - + + + + @@ -136943,16 +136985,16 @@ - - - + + + - - + + - - + + @@ -136980,11 +137022,11 @@ - - - - - + + + + + @@ -137014,16 +137056,16 @@ - - - - - - + + + + + + - - + + @@ -137126,33 +137168,33 @@ - - + + - - + + - - - - - - + + + + + + - - - + + + - - + + @@ -137178,8 +137220,8 @@ - - + + @@ -137199,16 +137241,16 @@ - - + + - - + + - - + + @@ -137293,19 +137335,19 @@ - - - + + + - - - + + + - - - + + + @@ -137320,8 +137362,8 @@ - - + + @@ -137352,9 +137394,9 @@ - - - + + + @@ -137384,14 +137426,14 @@ - - - + + + - - - + + + @@ -137404,9 +137446,9 @@ - - - + + + @@ -137414,10 +137456,10 @@ - - - - + + + + @@ -137431,12 +137473,12 @@ - - + + - - + + @@ -137457,9 +137499,9 @@ - - - + + + @@ -137471,9 +137513,9 @@ - - - + + + @@ -137521,8 +137563,8 @@ - - + + @@ -137568,9 +137610,9 @@ - - - + + + @@ -137586,10 +137628,10 @@ - - - - + + + + @@ -137610,10 +137652,10 @@ - - - - + + + + @@ -137646,17 +137688,17 @@ - - + + - - - + + + @@ -137670,55 +137712,55 @@ - - - - + + + + - - + + - - - + + + - - + + - - + + - - - - - + + + + + - - - + + + - - - + + + - - + + - - + + - - + + @@ -137740,20 +137782,20 @@ - - - - - - + + + + + + - - + + - - + + @@ -137761,21 +137803,21 @@ - - - - - + + + + + - - - - - + + + + + - - + + @@ -137786,7 +137828,7 @@ - + @@ -137805,21 +137847,21 @@ - - - - + + + + - - - - - - - - - + + + + + + + + + @@ -137853,8 +137895,8 @@ - - + + @@ -137874,9 +137916,9 @@ - - - + + + @@ -137884,23 +137926,23 @@ - - - + + + - - - + + + - - - + + + @@ -137908,9 +137950,9 @@ - - - + + + @@ -137926,37 +137968,37 @@ - - + + - - - - + + + + - - - + + + - - + + - - - - + + + + @@ -137970,11 +138012,11 @@ - - - - - + + + + + @@ -137984,12 +138026,12 @@ - - - - - - + + + + + + @@ -138033,10 +138075,10 @@ - - - - + + + + @@ -138105,24 +138147,24 @@ - - + + - - + + - - + + @@ -138137,11 +138179,11 @@ - - - - - + + + + + @@ -138186,14 +138228,14 @@ - - - - + + + + - - - + + + @@ -138442,8 +138484,8 @@ - - + + @@ -138463,29 +138505,29 @@ - - - + + + - - + + - - + + - - + + - - + + - - + + @@ -138497,14 +138539,14 @@ - - - + + + - - - + + + @@ -138517,16 +138559,16 @@ - - - - + + + + - - - - + + + + @@ -138552,14 +138594,14 @@ - - - + + + - - - + + + @@ -138592,12 +138634,12 @@ - - + + - - + + @@ -138644,24 +138686,24 @@ - - + + - - + + - - + + - - + + @@ -138681,13 +138723,13 @@ - - + + - - - + + + @@ -138701,16 +138743,16 @@ - - - - + + + + - - - - + + + + @@ -138723,9 +138765,9 @@ - - - + + + @@ -138746,8 +138788,8 @@ - - + + @@ -138762,8 +138804,8 @@ - - + + @@ -138797,8 +138839,8 @@ - - + + @@ -138816,10 +138858,10 @@ - - - - + + + + @@ -138832,54 +138874,54 @@ - - + + - - - + + + - - + + - + - + - - - - + + + + - - - - + + + + - - - - - - - - - + + + + + + + + + - - + + - - + + @@ -138888,36 +138930,36 @@ - - - - - + + + + + - - - - - - + + + + + + - - - - - - - + + + + + + + - - - - - - + + + + + + @@ -138928,12 +138970,12 @@ - - - - - - + + + + + + @@ -138952,9 +138994,9 @@ - - - + + + @@ -138964,8 +139006,8 @@ - - + + @@ -138979,10 +139021,10 @@ - - - - + + + + @@ -138995,13 +139037,13 @@ - - - + + + - - + + @@ -139054,11 +139096,11 @@ - - - - - + + + + + @@ -139074,24 +139116,24 @@ - - + + - - + + - - + + - - + + @@ -139099,24 +139141,24 @@ - - + + - - + + - - + + @@ -139176,8 +139218,8 @@ - - + + @@ -139187,28 +139229,28 @@ - - - - - + + + + + - - - - - + + + + + - - - - + + + + @@ -139222,23 +139264,23 @@ - - - + + + - - + + - - - - + + + + - - + + @@ -139261,48 +139303,48 @@ - - - + + + - - - + + + - - - + + + - - + + - - + + - - - + + + - - + + - - + + - - + + - - + + @@ -139311,7 +139353,7 @@ - + @@ -139351,17 +139393,17 @@ - + - + - - + + @@ -139380,8 +139422,8 @@ - - + + @@ -139418,8 +139460,8 @@ - - + + @@ -139435,23 +139477,23 @@ - - - - + + + + - - - + + + - - - + + + @@ -139511,8 +139553,8 @@ - - + + @@ -139553,16 +139595,16 @@ - - + + - - + + - - + + @@ -139573,8 +139615,8 @@ - - + + @@ -139597,12 +139639,12 @@ - - + + - - + + @@ -139622,8 +139664,8 @@ - - + + @@ -139742,10 +139784,10 @@ - - - - + + + + @@ -139760,20 +139802,20 @@ - - - - - - - - + + + + + + + + - - - - + + + + @@ -139781,14 +139823,14 @@ - - - + + + - - - + + + @@ -139806,8 +139848,8 @@ - - + + @@ -139819,8 +139861,8 @@ - - + + @@ -139861,8 +139903,8 @@ - - + + @@ -139913,22 +139955,22 @@ - - - - + + + + - - - - + + + + - - - - + + + + @@ -140023,8 +140065,8 @@ - - + + @@ -140032,22 +140074,22 @@ - - + + - - - - - - + + + + + + - - - - + + + + @@ -140060,9 +140102,9 @@ - - - + + + @@ -140070,9 +140112,9 @@ - - - + + + @@ -140120,13 +140162,13 @@ - - - - - - - + + + + + + + @@ -140134,28 +140176,28 @@ - - + + - - + + - - + + - - + + - - + + @@ -140171,20 +140213,20 @@ - - - - - - + + + + + + - - - + + + - - + + @@ -140200,8 +140242,8 @@ - - + + @@ -140218,8 +140260,8 @@ - - + + @@ -140232,15 +140274,15 @@ - - - + + + - - - - + + + + @@ -140248,39 +140290,39 @@ - - - + + + - - - - + + + + - - + + - - - + + + - - - - + + + + - - - + + + - - - + + + @@ -140288,34 +140330,34 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - + + - - + + - - + + @@ -140441,8 +140483,8 @@ - - + + @@ -140578,12 +140620,12 @@ - - + + - - + + @@ -140600,9 +140642,9 @@ - - - + + + @@ -140610,9 +140652,9 @@ - - - + + + @@ -140620,9 +140662,9 @@ - - - + + + @@ -140647,12 +140689,12 @@ - - + + - - + + @@ -140670,10 +140712,10 @@ - - - - + + + + @@ -140695,61 +140737,61 @@ - - - + + + - - - - + + + + - - - + + + - - + + - - - - - - + + + + + + - - - - + + + + - - - - - - - + + + + + + + - - - + + + - - - + + + - - - + + + @@ -140759,10 +140801,10 @@ - - - - + + + + @@ -140773,13 +140815,13 @@ - + - - - - + + + + @@ -140813,10 +140855,10 @@ - - - - + + + + @@ -140858,7 +140900,7 @@ - + @@ -140866,34 +140908,34 @@ - - + + - - + + - - + + - - - - - - + + + + + + - - - - + + + + - - + + @@ -140904,10 +140946,10 @@ - - - - + + + + @@ -140917,8 +140959,8 @@ - - + + @@ -140929,8 +140971,8 @@ - - + + @@ -140968,8 +141010,8 @@ - - + + @@ -141007,14 +141049,14 @@ - - - - - + + + + + - - + + @@ -141052,11 +141094,11 @@ - - - - - + + + + + @@ -141200,21 +141242,21 @@ - - + + - - - + + + - - + + - - + + @@ -141248,11 +141290,11 @@ - - - - - + + + + + @@ -141273,16 +141315,16 @@ - - + + - - + + - - + + @@ -141301,9 +141343,9 @@ - - - + + + @@ -141319,11 +141361,11 @@ - - - - - + + + + + @@ -141354,12 +141396,12 @@ - - - - - - + + + + + + @@ -141379,28 +141421,28 @@ - - - - + + + + - - - - + + + + - - - + + + - - - - + + + + @@ -141420,26 +141462,26 @@ - - - - + + + + - - - + + + - - - - - + + + + + - - - + + + @@ -141448,20 +141490,20 @@ - - - + + + - - - + + + - - - + + + @@ -141471,26 +141513,26 @@ - - - + + + - - - + + + - - - - + + + + - - - - + + + + @@ -141636,9 +141678,9 @@ - - - + + + @@ -141653,9 +141695,9 @@ - - - + + + @@ -141663,26 +141705,26 @@ - - + + - - - - + + + + - - + + - - + + @@ -141690,25 +141732,25 @@ - - - + + + - - - + + + - - - + + + - - - - + + + + @@ -141720,33 +141762,33 @@ - - - - - - + + + + + + - - - - - - + + + + + + - - - - + + + + - - - + + + @@ -141754,37 +141796,37 @@ - - - + + + - - - - - + + + + + - - + + - - + + - - - + + + - - + + @@ -141795,13 +141837,13 @@ - - - - - - - + + + + + + + @@ -141833,14 +141875,14 @@ - - + + - - - - + + + + @@ -141848,10 +141890,10 @@ - - - - + + + + @@ -141859,10 +141901,10 @@ - - - - + + + + @@ -141885,10 +141927,10 @@ - - - - + + + + @@ -141904,8 +141946,8 @@ - - + + @@ -141915,29 +141957,29 @@ - + - - + + - - + + - - - - + + + + - - - - - - + + + + + + @@ -141966,13 +142008,13 @@ - - - - - - - + + + + + + + @@ -141991,10 +142033,10 @@ - - - - + + + + @@ -142011,10 +142053,10 @@ - - - - + + + + @@ -142024,30 +142066,30 @@ - - - + + + - - - - - - + + + + + + - - + + - - - - - - - + + + + + + + @@ -142064,13 +142106,13 @@ - - + + - - - + + + @@ -142089,46 +142131,46 @@ - - - + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - + + + - - + + @@ -142151,55 +142193,55 @@ - - - - - + + + + + - - - - - + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + @@ -142209,9 +142251,9 @@ - - - + + + @@ -142221,16 +142263,16 @@ - - - - - + + + + + - - - + + + @@ -142265,15 +142307,15 @@ - - - + + + - - - - + + + + @@ -142286,11 +142328,11 @@ - - - - - + + + + + @@ -142300,16 +142342,16 @@ - - - - - + + + + + - - - + + + @@ -142319,8 +142361,8 @@ - - + + @@ -142332,25 +142374,25 @@ - - + + - - + + - - - - - - - + + + + + + + - - + + @@ -142361,9 +142403,9 @@ - - - + + + @@ -142415,15 +142457,15 @@ - - - + + + - - - - + + + + @@ -142451,22 +142493,22 @@ - - - - - + + + + + - - - - - + + + + + - - + + @@ -142545,8 +142587,8 @@ - - + + @@ -142556,9 +142598,9 @@ - - - + + + @@ -142627,8 +142669,8 @@ - - + + @@ -142644,9 +142686,9 @@ - - - + + + @@ -142656,17 +142698,17 @@ - - - - + + + + - - - - - + + + + + @@ -142690,17 +142732,17 @@ - - + + - - - - - - - + + + + + + + @@ -142715,23 +142757,23 @@ - - + + - - - - + + + + - - - + + + - - + + @@ -142742,12 +142784,12 @@ - - - - - - + + + + + + @@ -142766,8 +142808,8 @@ - - + + @@ -142779,18 +142821,18 @@ - - - - - - + + + + + + - - - - + + + + @@ -142798,17 +142840,21 @@ - - - + + + - - + + + + + + - - + + @@ -142846,9 +142892,9 @@ - - - + + + @@ -142860,8 +142906,8 @@ - - + + @@ -142893,45 +142939,45 @@ - - - + + + - - - - + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - + + + + + - - - - - + + + + + @@ -142976,9 +143022,9 @@ - - - + + + @@ -143009,10 +143055,10 @@ - - - - + + + + @@ -143109,14 +143155,14 @@ - - - - + + + + - - + + @@ -143134,8 +143180,8 @@ - - + + @@ -143397,9 +143443,9 @@ - - - + + + @@ -143458,13 +143504,13 @@ - - - - - - - + + + + + + + @@ -143497,9 +143543,9 @@ - - - + + + @@ -143520,13 +143566,13 @@ - - - - - - - + + + + + + + @@ -143538,44 +143584,44 @@ - - - + + + - - - - + + + + - - + + - - + + - - - - - - + + + + + + - - + + - - - + + + @@ -143685,9 +143731,9 @@ - - - + + + @@ -143699,17 +143745,17 @@ - - - - - - + + + + + + - - - + + + @@ -143833,9 +143879,9 @@ - - - + + + @@ -143868,34 +143914,34 @@ - - + + - - + + - - + + - - + + - - - - + + + + - - - - - - + + + + + + @@ -143918,9 +143964,9 @@ - - - + + + @@ -143938,8 +143984,8 @@ - - + + @@ -143974,10 +144020,10 @@ - - - - + + + + @@ -143986,26 +144032,26 @@ - - - - + + + + - - - + + + - - - + + + - - - - + + + + @@ -144013,21 +144059,21 @@ - - - - + + + + - - - - - + + + + + - - - + + + @@ -144046,16 +144092,16 @@ - - - + + + - - - + + + - - + + @@ -144087,33 +144133,33 @@ - - + + - - + + - - + + - - + + - - + + - - - + + + @@ -144124,10 +144170,10 @@ - + - + @@ -144139,12 +144185,12 @@ - - + + - - + + @@ -144159,23 +144205,23 @@ - - + + - - + + - - - + + + - + - + @@ -144194,15 +144240,15 @@ - - - + + + - - - - + + + + @@ -144215,27 +144261,27 @@ - - - + + + - - - - + + + + - - - + + + - - - - + + + + @@ -144257,9 +144303,9 @@ - - - + + + @@ -144268,10 +144314,10 @@ - - - - + + + + @@ -144279,9 +144325,9 @@ - - - + + + @@ -144289,9 +144335,9 @@ - - - + + + @@ -144300,17 +144346,17 @@ - - - - + + + + - + @@ -144328,8 +144374,8 @@ - - + + @@ -144409,8 +144455,8 @@ - - + + @@ -144507,16 +144553,16 @@ - - + + - - + + @@ -144525,8 +144571,8 @@ - - + + @@ -144558,19 +144604,19 @@ - - - - - - - - - + + + + + + + + + - - + + @@ -144582,9 +144628,9 @@ - - - + + + @@ -144609,14 +144655,14 @@ - - - - + + + + - - + + @@ -144644,9 +144690,9 @@ - - - + + + @@ -144669,11 +144715,12 @@ + - - + + @@ -144708,19 +144755,19 @@ - - + + - - - - + + + + - - - + + + @@ -144738,8 +144785,8 @@ - - + + @@ -144749,24 +144796,24 @@ - - - - - + + + + + - - - - + + + + - - - - - + + + + + @@ -144776,26 +144823,26 @@ - - - - + + + + - - - + + + - - - + + + - - - + + + @@ -144804,10 +144851,10 @@ - - - - + + + + @@ -144827,7 +144874,7 @@ - + @@ -144861,9 +144908,9 @@ - - - + + + @@ -145001,10 +145048,10 @@ - - - - + + + + @@ -145012,10 +145059,10 @@ - - - - + + + + @@ -145094,19 +145141,19 @@ - - - + + + - - - + + + - - - + + + @@ -145136,8 +145183,8 @@ - - + + @@ -145161,16 +145208,16 @@ - - + + - - + + @@ -145223,9 +145270,9 @@ - - - + + + @@ -145239,9 +145286,9 @@ - - - + + + @@ -145280,8 +145327,8 @@ - - + + @@ -145327,9 +145374,9 @@ - - - + + + @@ -145420,11 +145467,11 @@ - - - - - + + + + + @@ -145659,9 +145706,9 @@ - - - + + + @@ -145779,27 +145826,27 @@ - - + + - - + + - - + + - - - - - + + + + + @@ -145833,8 +145880,8 @@ - - + + @@ -145869,21 +145916,21 @@ - - + + - - + + - - + + - - - + + + @@ -145894,8 +145941,8 @@ - - + + @@ -145926,12 +145973,12 @@ - - + + - - + + @@ -145958,8 +146005,8 @@ - - + + @@ -145981,8 +146028,8 @@ - - + + @@ -146018,9 +146065,9 @@ - - - + + + @@ -146043,9 +146090,9 @@ - - - + + + @@ -146060,24 +146107,24 @@ - - + + - - + + - - + + - - + + - - + + @@ -146096,13 +146143,13 @@ - - + + - - - + + + @@ -146117,16 +146164,16 @@ - - - - - - - - - - + + + + + + + + + + @@ -146160,8 +146207,8 @@ - - + + @@ -146176,15 +146223,15 @@ - - - - + + + + - - - + + + @@ -146195,9 +146242,9 @@ - - - + + + @@ -146209,9 +146256,9 @@ - - - + + + @@ -146230,24 +146277,24 @@ - - - + + + - - - - + + + + - - - + + + @@ -146274,8 +146321,8 @@ - - + + @@ -146294,9 +146341,9 @@ - - - + + + @@ -146305,28 +146352,28 @@ - - - - + + + + - - + + - - + + - - - + + + - - - + + + @@ -146335,14 +146382,14 @@ - - - - + + + + - - + + @@ -146353,9 +146400,9 @@ - - - + + + @@ -146370,8 +146417,8 @@ - - + + @@ -146393,8 +146440,8 @@ - - + + @@ -146497,15 +146544,15 @@ - - - + + + - - - - + + + + @@ -146526,8 +146573,8 @@ - - + + @@ -146593,16 +146640,16 @@ - - + + - - + + @@ -146610,10 +146657,10 @@ - - - - + + + + @@ -146637,8 +146684,8 @@ - - + + @@ -146649,30 +146696,30 @@ - - + + - - - + + + - - - + + + - - + + - - + + @@ -146680,10 +146727,10 @@ - - - - + + + + @@ -146707,9 +146754,9 @@ - - - + + + @@ -146717,12 +146764,12 @@ - - + + - - + + @@ -146771,9 +146818,9 @@ - - - + + + @@ -146794,10 +146841,10 @@ - - - - + + + + @@ -146847,9 +146894,9 @@ - - - + + + @@ -146909,50 +146956,50 @@ - - - + + + - - - - - - + + + + + + - - - - - + + + + + - - + + - - - - + + + + - - - - - - + + + + + + - - + + @@ -147128,9 +147175,9 @@ - - - + + + @@ -147144,8 +147191,8 @@ - - + + @@ -147159,19 +147206,19 @@ - - - - + + + + - - - + + + @@ -147185,33 +147232,33 @@ - - - - - + + + + + - - - + + + - - + + - - + + - - + + - - - + + + @@ -147464,15 +147511,15 @@ - - - + + + - - - - + + + + @@ -147541,15 +147588,15 @@ - - - + + + - - - + + + @@ -147562,15 +147609,15 @@ - - - - + + + + - - - + + + @@ -147648,9 +147695,9 @@ - - - + + + @@ -147666,36 +147713,36 @@ - - - + + + - - - - - + + + + + - - - - + + + + - - - - + + + + - - - + + + - - + + @@ -147710,9 +147757,9 @@ - - - + + + @@ -147727,14 +147774,14 @@ - - - + + + - - - + + + @@ -147776,15 +147823,15 @@ - - + + - - - - - + + + + + @@ -147792,11 +147839,11 @@ - - - - - + + + + + @@ -147824,14 +147871,14 @@ - - - - - + + + + + - - + + @@ -147851,8 +147898,8 @@ - - + + @@ -147895,8 +147942,8 @@ - - + + @@ -147932,8 +147979,8 @@ - - + + @@ -148000,9 +148047,9 @@ - - - + + + @@ -148073,26 +148120,26 @@ - - - - - - - + + + + + + + - - + + - - - + + + @@ -148129,21 +148176,21 @@ - - - + + + - - - + + + - - - + + + @@ -148210,15 +148257,15 @@ - - + + - - + + @@ -148229,16 +148276,16 @@ - - - - - + + + + + - - - + + + @@ -148247,11 +148294,11 @@ - - - - - + + + + + @@ -148260,9 +148307,9 @@ - - - + + + @@ -148312,11 +148359,11 @@ - - - - - + + + + + @@ -148326,23 +148373,23 @@ - - - - + + + + - - - + + + - - + + - - + + @@ -148361,12 +148408,12 @@ - - + + - - + + @@ -148374,8 +148421,8 @@ - - + + @@ -148396,8 +148443,8 @@ - - + + @@ -148405,16 +148452,16 @@ - - - + + + - + - - + + @@ -148422,8 +148469,8 @@ - - + + @@ -148439,9 +148486,9 @@ - - - + + + @@ -148464,17 +148511,17 @@ - - - + + + - - + + @@ -148491,12 +148538,12 @@ - - - - - - + + + + + + @@ -148557,9 +148604,9 @@ - - - + + + @@ -148584,34 +148631,34 @@ - - - + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - + + + @@ -148621,17 +148668,17 @@ - - + + - - - - + + + + @@ -148642,26 +148689,26 @@ - - - - + + + + - - - - + + + + - - + + - - - - + + + + @@ -148672,9 +148719,9 @@ - - - + + + @@ -148706,10 +148753,10 @@ - - - - + + + + @@ -148742,9 +148789,9 @@ - - - + + + @@ -148761,15 +148808,15 @@ - - - - + + + + - - - + + + @@ -148793,12 +148840,12 @@ - - - - - - + + + + + + @@ -148820,13 +148867,13 @@ - - + + - - - + + + @@ -148843,10 +148890,10 @@ - - - - + + + + @@ -148858,47 +148905,47 @@ - - - + + + - - + + - - - - - - - + + + + + + + - - + + - - - + + + - - - - - - - + + + + + + + - - - - - - + + + + + + diff --git a/android/abi_gki_aarch64_rockchip b/android/abi_gki_aarch64_rockchip index 5f59918af934..c1df5fc9548f 100644 --- a/android/abi_gki_aarch64_rockchip +++ b/android/abi_gki_aarch64_rockchip @@ -2626,6 +2626,7 @@ snd_pcm_fill_iec958_consumer snd_pcm_fill_iec958_consumer_hw_params snd_pcm_hw_constraint_eld + snd_pcm_stop_xrun # required by snd-soc-rk817.ko snd_soc_component_exit_regmap From 09f4246296ff4625edac926b7ac26c1412710a8f Mon Sep 17 00:00:00 2001 From: Bing Han Date: Tue, 11 Oct 2022 14:46:57 +0800 Subject: [PATCH 17/31] ANDROID: sched: add restricted hooks to replace the former hooks Fix Bug: scheduling while atomic In these vendor hooks, we will perform schedule due to competion. This will lead to kernel exception. To solve this problem, we need to add these restrcted hooks to replace the former regular vendor hooks. Bug: 234214858 Signed-off-by: Bing Han Change-Id: I151125a7119a91d1339d4790a68a6a4796d673e3 --- drivers/android/vendor_hooks.c | 6 ++++++ include/trace/hooks/mm.h | 20 ++++++++++++++++++++ mm/memory.c | 1 + mm/swap_slots.c | 6 ++++++ mm/swapfile.c | 1 + 5 files changed, 34 insertions(+) diff --git a/drivers/android/vendor_hooks.c b/drivers/android/vendor_hooks.c index d4352dfeb34d..7ac6fd6d69c8 100644 --- a/drivers/android/vendor_hooks.c +++ b/drivers/android/vendor_hooks.c @@ -431,6 +431,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_binder_read_done); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_handle_tlb_conf); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_shrink_node_memcgs); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_ra_tuning_max_page); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_handle_pte_fault_end); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_handle_pte_fault_end); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_cow_user_page); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_swapin_add_anon_rmap); @@ -441,9 +442,13 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_count_pswpin); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_count_pswpout); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_count_swpout_vm_event); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_swap_slot_cache_active); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_drain_slots_cache_cpu); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_drain_slots_cache_cpu); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_alloc_swap_slot_cache); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_alloc_swap_slot_cache); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_free_swap_slot); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_free_swap_slot); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_get_swap_page); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_get_swap_page); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_madvise_cold_or_pageout); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_page_isolated_for_reclaim); @@ -453,6 +458,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_account_swap_pages); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_unuse_swap_page); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_init_swap_info_struct); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_si_swapinfo); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_alloc_si); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_alloc_si); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_free_pages); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_set_shmem_page_flag); diff --git a/include/trace/hooks/mm.h b/include/trace/hooks/mm.h index 358a89380982..3f32c876441f 100644 --- a/include/trace/hooks/mm.h +++ b/include/trace/hooks/mm.h @@ -193,6 +193,9 @@ DECLARE_HOOK(android_vh_subpage_dma_contig_alloc, DECLARE_HOOK(android_vh_ra_tuning_max_page, TP_PROTO(struct readahead_control *ractl, unsigned long *max_page), TP_ARGS(ractl, max_page)); +DECLARE_RESTRICTED_HOOK(android_rvh_handle_pte_fault_end, + TP_PROTO(struct vm_fault *vmf, unsigned long highest_memmap_pfn), + TP_ARGS(vmf, highest_memmap_pfn), 1); DECLARE_HOOK(android_vh_handle_pte_fault_end, TP_PROTO(struct vm_fault *vmf, unsigned long highest_memmap_pfn), TP_ARGS(vmf, highest_memmap_pfn)); @@ -223,16 +226,30 @@ DECLARE_HOOK(android_vh_count_swpout_vm_event, DECLARE_HOOK(android_vh_swap_slot_cache_active, TP_PROTO(bool swap_slot_cache_active), TP_ARGS(swap_slot_cache_active)); +DECLARE_RESTRICTED_HOOK(android_rvh_drain_slots_cache_cpu, + TP_PROTO(struct swap_slots_cache *cache, unsigned int type, + bool free_slots, bool *skip), + TP_ARGS(cache, type, free_slots, skip), 1); DECLARE_HOOK(android_vh_drain_slots_cache_cpu, TP_PROTO(struct swap_slots_cache *cache, unsigned int type, bool free_slots, bool *skip), TP_ARGS(cache, type, free_slots, skip)); +DECLARE_RESTRICTED_HOOK(android_rvh_alloc_swap_slot_cache, + TP_PROTO(struct swap_slots_cache *cache, int *ret, bool *skip), + TP_ARGS(cache, ret, skip), 1); DECLARE_HOOK(android_vh_alloc_swap_slot_cache, TP_PROTO(struct swap_slots_cache *cache, int *ret, bool *skip), TP_ARGS(cache, ret, skip)); +DECLARE_RESTRICTED_HOOK(android_rvh_free_swap_slot, + TP_PROTO(swp_entry_t entry, struct swap_slots_cache *cache, bool *skip), + TP_ARGS(entry, cache, skip), 1); DECLARE_HOOK(android_vh_free_swap_slot, TP_PROTO(swp_entry_t entry, struct swap_slots_cache *cache, bool *skip), TP_ARGS(entry, cache, skip)); +DECLARE_RESTRICTED_HOOK(android_rvh_get_swap_page, + TP_PROTO(struct page *page, swp_entry_t *entry, + struct swap_slots_cache *cache, bool *found), + TP_ARGS(page, entry, cache, found), 1); DECLARE_HOOK(android_vh_get_swap_page, TP_PROTO(struct page *page, swp_entry_t *entry, struct swap_slots_cache *cache, bool *found), @@ -255,6 +272,9 @@ DECLARE_HOOK(android_vh_init_swap_info_struct, DECLARE_HOOK(android_vh_si_swapinfo, TP_PROTO(struct swap_info_struct *si, bool *skip), TP_ARGS(si, skip)); +DECLARE_RESTRICTED_HOOK(android_rvh_alloc_si, + TP_PROTO(struct swap_info_struct **p, bool *skip), + TP_ARGS(p, skip), 1); DECLARE_HOOK(android_vh_alloc_si, TP_PROTO(struct swap_info_struct **p, bool *skip), TP_ARGS(p, skip)); diff --git a/mm/memory.c b/mm/memory.c index 85554eca3da9..70384a99bfcf 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -4777,6 +4777,7 @@ static vm_fault_t handle_pte_fault(struct vm_fault *vmf) if (vmf->flags & FAULT_FLAG_WRITE) flush_tlb_fix_spurious_fault(vmf->vma, vmf->address); } + trace_android_rvh_handle_pte_fault_end(vmf, highest_memmap_pfn); trace_android_vh_handle_pte_fault_end(vmf, highest_memmap_pfn); unlock: pte_unmap_unlock(vmf->pte, vmf->ptl); diff --git a/mm/swap_slots.c b/mm/swap_slots.c index 1392649a4d9a..43231ae6c3fd 100644 --- a/mm/swap_slots.c +++ b/mm/swap_slots.c @@ -133,6 +133,8 @@ static int alloc_swap_slot_cache(unsigned int cpu) * as kvzalloc could trigger reclaim and get_swap_page, * which can lock swap_slots_cache_mutex. */ + trace_android_rvh_alloc_swap_slot_cache(&per_cpu(swp_slots, cpu), + &ret, &skip); trace_android_vh_alloc_swap_slot_cache(&per_cpu(swp_slots, cpu), &ret, &skip); if (skip) @@ -190,6 +192,8 @@ static void drain_slots_cache_cpu(unsigned int cpu, unsigned int type, bool skip = false; cache = &per_cpu(swp_slots, cpu); + trace_android_rvh_drain_slots_cache_cpu(cache, type, + free_slots, &skip); trace_android_vh_drain_slots_cache_cpu(cache, type, free_slots, &skip); if (skip) @@ -298,6 +302,7 @@ int free_swap_slot(swp_entry_t entry) bool skip = false; cache = raw_cpu_ptr(&swp_slots); + trace_android_rvh_free_swap_slot(entry, cache, &skip); trace_android_vh_free_swap_slot(entry, cache, &skip); if (skip) return 0; @@ -335,6 +340,7 @@ swp_entry_t get_swap_page(struct page *page) bool found = false; entry.val = 0; + trace_android_rvh_get_swap_page(page, &entry, raw_cpu_ptr(&swp_slots), &found); trace_android_vh_get_swap_page(page, &entry, raw_cpu_ptr(&swp_slots), &found); if (found) goto out; diff --git a/mm/swapfile.c b/mm/swapfile.c index 677f235806c2..b3cc17423d38 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -2908,6 +2908,7 @@ static struct swap_info_struct *alloc_swap_info(void) int i; bool skip = false; + trace_android_rvh_alloc_si(&p, &skip); trace_android_vh_alloc_si(&p, &skip); if (!skip) p = kvzalloc(struct_size(p, avail_lists, nr_node_ids), GFP_KERNEL); From 13a84bfa4f11d60254e9a4d584f24fa2f9bff999 Mon Sep 17 00:00:00 2001 From: Bing Han Date: Thu, 20 Oct 2022 11:32:42 +0800 Subject: [PATCH 18/31] ANDROID: GKI: Update symbols to symbol list Update symbols to symbol list externed by transsion to add restricted hooks. Leaf changes summary: 12 artifacts changed Changed leaf types summary: 0 leaf type changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 6 Added functions Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 6 Added variables 6 Added functions: [A] 'function int __traceiter_android_rvh_alloc_si(void*, swap_info_struct**, bool*)' [A] 'function int __traceiter_android_rvh_alloc_swap_slot_cache(void*, swap_slots_cache*, int*, bool*)' [A] 'function int __traceiter_android_rvh_drain_slots_cache_cpu(void*, swap_slots_cache*, unsigned int, bool, bool*)' [A] 'function int __traceiter_android_rvh_free_swap_slot(void*, swp_entry_t, swap_slots_cache*, bool*)' [A] 'function int __traceiter_android_rvh_get_swap_page(void*, page*, swp_entry_t*, swap_slots_cache*, bool*)' [A] 'function int __traceiter_android_rvh_handle_pte_fault_end(void*, vm_fault*, unsigned long int)' 6 Added variables: [A] 'tracepoint __tracepoint_android_rvh_alloc_si' [A] 'tracepoint __tracepoint_android_rvh_alloc_swap_slot_cache' [A] 'tracepoint __tracepoint_android_rvh_drain_slots_cache_cpu' [A] 'tracepoint __tracepoint_android_rvh_free_swap_slot' [A] 'tracepoint __tracepoint_android_rvh_get_swap_page' [A] 'tracepoint __tracepoint_android_rvh_handle_pte_fault_end' Bug: 234214858 Signed-off-by: Bing Han Change-Id: I24bf51683b096658b588bd3afd6b45983f78dee4 --- android/abi_gki_aarch64.xml | 11716 ++++++++++++++-------------- android/abi_gki_aarch64_transsion | 12 + 2 files changed, 5879 insertions(+), 5849 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 4cded64b7225..543e37374ea3 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -302,6 +302,8 @@ + + @@ -321,6 +323,7 @@ + @@ -333,7 +336,10 @@ + + + @@ -6231,6 +6237,8 @@ + + @@ -6256,6 +6264,7 @@ + @@ -6268,7 +6277,10 @@ + + + @@ -7534,7 +7546,6 @@ - @@ -9321,9 +9332,9 @@ - - - + + + @@ -9344,7 +9355,6 @@ - @@ -9430,7 +9440,6 @@ - @@ -12377,6 +12386,7 @@ + @@ -12783,8 +12793,8 @@ - - + + @@ -13031,7 +13041,7 @@ - + @@ -14095,6 +14105,7 @@ + @@ -14864,9 +14875,9 @@ - + - + @@ -15605,12 +15616,6 @@ - - - - - - @@ -16105,6 +16110,9 @@ + + + @@ -16324,7 +16332,29 @@ - + + + + + + + + + + + + + + + + + + + + + + + @@ -19229,7 +19259,6 @@ - @@ -19620,11 +19649,7 @@ - - - - - + @@ -20603,7 +20628,6 @@ - @@ -20801,7 +20825,6 @@ - @@ -21242,14 +21265,6 @@ - - - - - - - - @@ -22333,6 +22348,7 @@ + @@ -23085,6 +23101,11 @@ + + + + + @@ -25294,7 +25315,7 @@ - + @@ -25333,7 +25354,6 @@ - @@ -25520,6 +25540,7 @@ + @@ -25826,7 +25847,23 @@ - + + + + + + + + + + + + + + + + + @@ -26489,7 +26526,7 @@ - + @@ -26647,7 +26684,7 @@ - + @@ -26877,7 +26914,6 @@ - @@ -26955,7 +26991,7 @@ - + @@ -27012,6 +27048,7 @@ + @@ -27388,6 +27425,7 @@ + @@ -27569,36 +27607,36 @@ - + - + - + - + - + - + - + - + - + - + - + @@ -28026,7 +28064,7 @@ - + @@ -28975,7 +29013,6 @@ - @@ -31845,9 +31882,6 @@ - - - @@ -31961,6 +31995,7 @@ + @@ -32889,9 +32924,9 @@ - - - + + + @@ -33792,7 +33827,6 @@ - @@ -34047,7 +34081,68 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -34562,10 +34657,9 @@ - - + @@ -34977,6 +35071,7 @@ + @@ -35179,7 +35274,7 @@ - + @@ -36820,10 +36915,6 @@ - - - - @@ -38755,7 +38846,6 @@ - @@ -39546,8 +39636,8 @@ - - + + @@ -40522,17 +40612,6 @@ - - - - - - - - - - - @@ -40813,9 +40892,9 @@ - - - + + + @@ -41348,6 +41427,7 @@ + @@ -42331,7 +42411,6 @@ - @@ -44858,13 +44937,6 @@ - - - - - - - @@ -44894,11 +44966,6 @@ - - - - - @@ -45346,12 +45413,12 @@ - - - - - - + + + + + + @@ -45482,7 +45549,6 @@ - @@ -46266,21 +46332,21 @@ - + - + - + - + - + - + @@ -48385,8 +48451,8 @@ - - + + @@ -48750,7 +48816,35 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -48932,6 +49026,7 @@ + @@ -49316,7 +49411,14 @@ - + + + + + + + + @@ -49964,11 +50066,6 @@ - - - - - @@ -50380,7 +50477,7 @@ - + @@ -51096,56 +51193,7 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -51487,6 +51535,7 @@ + @@ -52436,7 +52485,7 @@ - + @@ -53281,7 +53330,6 @@ - @@ -53725,7 +53773,6 @@ - @@ -53776,6 +53823,7 @@ + @@ -53977,6 +54025,7 @@ + @@ -54386,7 +54435,23 @@ - + + + + + + + + + + + + + + + + + @@ -54748,7 +54813,6 @@ - @@ -55680,9 +55744,9 @@ - - - + + + @@ -56408,6 +56472,7 @@ + @@ -56993,7 +57058,7 @@ - + @@ -57461,7 +57526,7 @@ - + @@ -58583,6 +58648,7 @@ + @@ -59720,7 +59786,6 @@ - @@ -60184,12 +60249,7 @@ - - - - - - + @@ -61414,44 +61474,7 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -62684,65 +62707,7 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -64239,7 +64204,6 @@ - @@ -64555,7 +64519,17 @@ - + + + + + + + + + + + @@ -65635,7 +65609,7 @@ - + @@ -66157,10 +66131,10 @@ - - - - + + + + @@ -66211,6 +66185,11 @@ + + + + + @@ -67451,11 +67430,6 @@ - - - - - @@ -68485,11 +68459,6 @@ - - - - - @@ -68952,7 +68921,7 @@ - + @@ -71046,6 +71015,7 @@ + @@ -71756,6 +71726,7 @@ + @@ -73496,9 +73467,10 @@ + - - + + @@ -73618,7 +73590,6 @@ - @@ -73970,7 +73941,6 @@ - @@ -74335,8 +74305,8 @@ - - + + @@ -74408,6 +74378,7 @@ + @@ -74875,38 +74846,7 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -75017,7 +74957,7 @@ - + @@ -76572,6 +76512,7 @@ + @@ -77721,7 +77662,6 @@ - @@ -79150,12 +79090,12 @@ - + - + @@ -80241,12 +80181,12 @@ - - - - - - + + + + + + @@ -81545,6 +81485,7 @@ + @@ -81784,7 +81725,6 @@ - @@ -82534,6 +82474,7 @@ + @@ -83142,6 +83083,7 @@ + @@ -83214,6 +83156,9 @@ + + + @@ -83230,11 +83175,6 @@ - - - - - @@ -83257,7 +83197,6 @@ - @@ -83718,7 +83657,7 @@ - + @@ -83794,17 +83733,9 @@ - - - - - - - - - + @@ -86957,6 +86888,7 @@ + @@ -87575,7 +87507,7 @@ - + @@ -88257,9 +88189,9 @@ - - - + + + @@ -88728,26 +88660,7 @@ - - - - - - - - - - - - - - - - - - - - + @@ -88772,7 +88685,7 @@ - + @@ -88797,6 +88710,7 @@ + @@ -88835,6 +88749,7 @@ + @@ -90307,7 +90222,7 @@ - + @@ -90955,8 +90870,8 @@ - - + + @@ -92204,6 +92119,14 @@ + + + + + + + + @@ -92649,7 +92572,20 @@ - + + + + + + + + + + + + + + @@ -93206,7 +93142,7 @@ - + @@ -93381,7 +93317,7 @@ - + @@ -93676,6 +93612,7 @@ + @@ -93816,12 +93753,12 @@ - + - + @@ -93913,7 +93850,6 @@ - @@ -95104,6 +95040,7 @@ + @@ -95390,7 +95327,6 @@ - @@ -96677,7 +96613,7 @@ - + @@ -97189,7 +97125,7 @@ - + @@ -97241,7 +97177,7 @@ - + @@ -97679,7 +97615,7 @@ - + @@ -98408,9 +98344,6 @@ - - - @@ -99673,6 +99606,7 @@ + @@ -99948,8 +99882,8 @@ - - + + @@ -100169,8 +100103,8 @@ - - + + @@ -101327,6 +101261,7 @@ + @@ -102318,7 +102253,14 @@ - + + + + + + + + @@ -103853,9 +103795,6 @@ - - - @@ -103868,6 +103807,9 @@ + + + @@ -103891,7 +103833,7 @@ - + @@ -104032,8 +103974,8 @@ - - + + @@ -104634,7 +104576,6 @@ - @@ -104903,6 +104844,7 @@ + @@ -105438,7 +105380,20 @@ - + + + + + + + + + + + + + + @@ -105497,6 +105452,9 @@ + + + @@ -107466,7 +107424,35 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -108928,6 +108914,7 @@ + @@ -108942,20 +108929,6 @@ - - - - - - - - - - - - - - @@ -109290,6 +109263,7 @@ + @@ -113252,11 +113226,6 @@ - - - - - @@ -113584,6 +113553,7 @@ + @@ -115372,7 +115342,6 @@ - @@ -115457,7 +115426,6 @@ - @@ -115581,10 +115549,11 @@ + - - - + + + @@ -116187,6 +116156,7 @@ + @@ -116804,12 +116774,12 @@ - - + + - - + + @@ -117323,6 +117293,19 @@ + + + + + + + + + + + + + @@ -117456,6 +117439,14 @@ + + + + + + + + @@ -117534,6 +117525,21 @@ + + + + + + + + + + + + + + + @@ -117543,6 +117549,12 @@ + + + + + + @@ -117921,10 +117933,10 @@ - - - - + + + + @@ -117979,17 +117991,17 @@ - - - - + + + + - - - - - + + + + + @@ -118282,27 +118294,27 @@ - - - - - - + - + - - - - - - + + + + + + + + + + + @@ -118412,12 +118424,12 @@ - - - - - - + + + + + + @@ -118492,17 +118504,17 @@ - - - - + + + + - - - - - + + + + + @@ -118610,12 +118622,12 @@ - - - - - - + + + + + + @@ -118634,10 +118646,10 @@ - - - - + + + + @@ -118655,10 +118667,10 @@ - - - - + + + + @@ -118749,18 +118761,18 @@ - - - - - - + + + + + + - - - - + + + + @@ -118817,10 +118829,10 @@ - - - - + + + + @@ -118897,10 +118909,10 @@ - - - - + + + + @@ -118911,11 +118923,11 @@ - - - - - + + + + + @@ -119008,9 +119020,9 @@ - - - + + + @@ -119201,9 +119213,9 @@ - - - + + + @@ -119276,10 +119288,10 @@ - - - - + + + + @@ -119305,15 +119317,15 @@ - - - + + + - - - - + + + + @@ -119328,9 +119340,9 @@ - - - + + + @@ -119478,10 +119490,10 @@ - - - - + + + + @@ -119535,9 +119547,9 @@ - - - + + + @@ -119941,6 +119953,8 @@ + + @@ -119966,6 +119980,7 @@ + @@ -119978,7 +119993,10 @@ + + + @@ -120044,7 +120062,7 @@ - + @@ -120052,8 +120070,8 @@ - - + + @@ -120097,10 +120115,10 @@ - - - - + + + + @@ -120118,7 +120136,7 @@ - + @@ -120131,8 +120149,8 @@ - - + + @@ -120150,15 +120168,15 @@ - + - + - + @@ -120174,9 +120192,9 @@ - - - + + + @@ -120186,7 +120204,7 @@ - + @@ -120200,9 +120218,9 @@ - + - + @@ -120220,7 +120238,7 @@ - + @@ -120261,7 +120279,7 @@ - + @@ -120274,17 +120292,17 @@ - + - - + + - + @@ -120309,7 +120327,7 @@ - + @@ -120318,7 +120336,7 @@ - + @@ -120585,9 +120603,9 @@ - - - + + + @@ -120598,33 +120616,33 @@ - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - + + + - - - + + + @@ -120634,27 +120652,27 @@ - - - + + + - - - + + + - - - + + + - - - + + + @@ -120664,8 +120682,8 @@ - - + + @@ -120684,8 +120702,8 @@ - - + + @@ -120701,57 +120719,57 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - + + - - + + @@ -120762,16 +120780,16 @@ - - + + - - + + @@ -120799,12 +120817,12 @@ - - - - - - + + + + + + @@ -120821,9 +120839,9 @@ - - - + + + @@ -120843,25 +120861,25 @@ - - - - - + + + + + - - - + + + - - + + - - - + + + @@ -120878,15 +120896,15 @@ - - - + + + - - - + + + @@ -120899,22 +120917,22 @@ - - - - + + + + - - - - + + + + - - - - + + + + @@ -120993,20 +121011,20 @@ - - - - - + + + + + - - - - - - - + + + + + + + @@ -121015,29 +121033,29 @@ - - - + + + - - - - - - + + + + + + - - - - + + + + - - + + @@ -121079,11 +121097,11 @@ - - - - - + + + + + @@ -121103,14 +121121,14 @@ - - + + - - - - + + + + @@ -121133,15 +121151,15 @@ - - - - + + + + - - - + + + @@ -121149,11 +121167,11 @@ - - - - - + + + + + @@ -121204,21 +121222,21 @@ - - - - - + + + + + - - - - - - + + + + + + - - + + @@ -121259,18 +121277,18 @@ - - + + - - - + + + - - - + + + @@ -121303,17 +121321,17 @@ - - - - + + + + - - - - - + + + + + @@ -121324,47 +121342,47 @@ - - - - + + + + - - + + - - - + + + - - - + + + - - - + + + - - + + - - - - + + + + - - + + - - + + @@ -121374,15 +121392,15 @@ - - + + - - - - - + + + + + @@ -121395,9 +121413,9 @@ - - - + + + @@ -121406,49 +121424,49 @@ - - - - + + + + - - - - - - - + + + + + + + - - - - + + + + - - - - - + + + + + - - - - + + + + - - - - - + + + + + @@ -121458,10 +121476,10 @@ - - - - + + + + @@ -121511,17 +121529,17 @@ - - + + - - + + - - - + + + @@ -121556,10 +121574,10 @@ - - - - + + + + @@ -121591,13 +121609,13 @@ - - - + + + - - + + @@ -121628,8 +121646,8 @@ - - + + @@ -121638,8 +121656,8 @@ - - + + @@ -121661,8 +121679,8 @@ - - + + @@ -121709,8 +121727,8 @@ - - + + @@ -121732,14 +121750,14 @@ - - + + - - - - + + + + @@ -121775,9 +121793,9 @@ - - - + + + @@ -121926,16 +121944,16 @@ - - + + - - + + @@ -121984,42 +122002,42 @@ - - - - + + + + - - - - + + + + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - - - + + + @@ -122040,31 +122058,31 @@ - - - - + + + + - - - + + + - - - + + + - - - + + + - - - - + + + + @@ -122082,9 +122100,9 @@ - - - + + + @@ -122132,67 +122150,67 @@ - - - - + + + + - - - - - + + + + + - - - - - - + + + + + + - - - - - - - + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - - + + + + + + + + + + @@ -122208,16 +122226,16 @@ - - + + - - - - - - + + + + + + @@ -122238,22 +122256,22 @@ - - + + - - + + - - + + - - + + @@ -122277,23 +122295,23 @@ - - - + + + - - - - - + + + + + - - - - - + + + + + @@ -122303,8 +122321,8 @@ - - + + @@ -122317,8 +122335,8 @@ - - + + @@ -122388,9 +122406,9 @@ - - - + + + @@ -122434,11 +122452,11 @@ - - - - - + + + + + @@ -122454,19 +122472,19 @@ - - - + + + - - - + + + - - - + + + @@ -122498,9 +122516,9 @@ - - - + + + @@ -122589,14 +122607,14 @@ - - - + + + - - - + + + @@ -122608,47 +122626,47 @@ - - - + + + - - - - + + + + - - + + - - - - - + + + + + - - - - - + + + + + - - + + - - - - + + + + - - + + @@ -122661,30 +122679,30 @@ - - + + - - + + - - + + - - - + + + - - - + + + @@ -122693,48 +122711,48 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - - - + + + @@ -122745,8 +122763,8 @@ - - + + @@ -122864,8 +122882,8 @@ - - + + @@ -122973,28 +122991,28 @@ - - - + + + - - + + - - - - - + + + + + @@ -123005,13 +123023,13 @@ - - - - - - - + + + + + + + @@ -123022,11 +123040,11 @@ - - - - - + + + + + @@ -123038,11 +123056,11 @@ - - - - - + + + + + @@ -123061,8 +123079,8 @@ - - + + @@ -123099,10 +123117,10 @@ - - - - + + + + @@ -123140,22 +123158,22 @@ - - + + - - - - + + + + - - + + - - + + @@ -123166,9 +123184,9 @@ - - - + + + @@ -123187,15 +123205,15 @@ - - + + - - - - + + + + @@ -123206,9 +123224,9 @@ - - - + + + @@ -123269,8 +123287,8 @@ - - + + @@ -123301,18 +123319,18 @@ - - + + - - - + + + - - - + + + @@ -123324,8 +123342,8 @@ - - + + @@ -123341,9 +123359,9 @@ - - - + + + @@ -123376,12 +123394,12 @@ - - + + - - + + @@ -123392,23 +123410,23 @@ - - + + - - - + + + - - - - + + + + @@ -123423,9 +123441,9 @@ - - - + + + @@ -123444,8 +123462,8 @@ - - + + @@ -123465,58 +123483,58 @@ - - - + + + - - - + + + - - - - + + + + - - - - - + + + + + - - - - - + + + + + - + - + - - - + + + - - - - - + + + + + - - - - - + + + + + @@ -123565,16 +123583,16 @@ - - + + - - + + @@ -123609,10 +123627,10 @@ - - - - + + + + @@ -123667,42 +123685,42 @@ - - - - - - + + + + + + - - - - - - + + + + + + - - + + - - - + + + - - - + + + - + @@ -123745,10 +123763,10 @@ - - - - + + + + @@ -123756,9 +123774,9 @@ - - - + + + @@ -123768,7 +123786,7 @@ - + @@ -123793,8 +123811,8 @@ - - + + @@ -123815,22 +123833,22 @@ - - + + - - - + + + - - - + + + @@ -123880,11 +123898,11 @@ - - - - - + + + + + @@ -123892,44 +123910,44 @@ - - - - - + + + + + - - - - + + + + - - - - - + + + + + - - - - + + + + - - + + - - + + - - - - + + + + @@ -123954,8 +123972,8 @@ - - + + @@ -123980,18 +123998,18 @@ - - - + + + - - - + + + @@ -124008,9 +124026,9 @@ - - - + + + @@ -124021,11 +124039,11 @@ - - - - - + + + + + @@ -124035,11 +124053,11 @@ - - + + - + @@ -124061,17 +124079,17 @@ - - + + - - + + - - - + + + @@ -124079,22 +124097,22 @@ - - + + - - + + - - - - + + + + @@ -124102,9 +124120,9 @@ - - - + + + @@ -124135,12 +124153,12 @@ - - + + - - + + @@ -124149,7 +124167,7 @@ - + @@ -124180,11 +124198,11 @@ - - - - - + + + + + @@ -124194,17 +124212,17 @@ - - - + + + - - - - - - + + + + + + @@ -124216,12 +124234,12 @@ - - - - - - + + + + + + @@ -124258,11 +124276,11 @@ - - - - - + + + + + @@ -124272,11 +124290,11 @@ - - - - - + + + + + @@ -124308,9 +124326,9 @@ - - - + + + @@ -124321,8 +124339,8 @@ - - + + @@ -124332,9 +124350,9 @@ - - - + + + @@ -124343,11 +124361,11 @@ - - - - - + + + + + @@ -124364,12 +124382,12 @@ - - + + - - + + @@ -124386,18 +124404,18 @@ - - - - + + + + - - + + @@ -124439,54 +124457,54 @@ - - + + - - - - + + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + @@ -124508,9 +124526,9 @@ - - - + + + @@ -124523,9 +124541,9 @@ - - - + + + @@ -124547,10 +124565,10 @@ - - - - + + + + @@ -124581,15 +124599,15 @@ - - - - + + + + - - - + + + @@ -124609,8 +124627,8 @@ - - + + @@ -124626,8 +124644,8 @@ - - + + @@ -124635,13 +124653,13 @@ - - + + - - - + + + @@ -124652,9 +124670,9 @@ - - - + + + @@ -124671,16 +124689,16 @@ - - + + - - + + @@ -124705,9 +124723,9 @@ - - - + + + @@ -124801,9 +124819,9 @@ - - - + + + @@ -124816,17 +124834,17 @@ - - - - + + + + - - - - + + + + @@ -124834,10 +124852,10 @@ - - - - + + + + @@ -124845,9 +124863,9 @@ - - - + + + @@ -124872,11 +124890,11 @@ - - - - - + + + + + @@ -124948,20 +124966,20 @@ - - + + - - + + - - + + @@ -124974,8 +124992,8 @@ - - + + @@ -124997,12 +125015,12 @@ - - - - - - + + + + + + @@ -125011,40 +125029,40 @@ - - - + + + - - - - - - - + + + + + + + - - + + - - - + + + - - - - + + + + - - - - + + + + @@ -125079,28 +125097,28 @@ - - - + + + - - + + - - - - + + + + - - - + + + @@ -125122,10 +125140,10 @@ - - - - + + + + @@ -125147,11 +125165,11 @@ - - - - - + + + + + @@ -125174,15 +125192,15 @@ - - - + + + - - - - + + + + @@ -125199,14 +125217,14 @@ - - - + + + - - - + + + @@ -125235,22 +125253,22 @@ - - + + - - + + - - - - + + + + @@ -125280,10 +125298,10 @@ - - - - + + + + @@ -125291,15 +125309,15 @@ - - - - + + + + - - - + + + @@ -125406,11 +125424,11 @@ - - - - - + + + + + @@ -125608,29 +125626,29 @@ - - - - + + + + - - - + + + - - - - + + + + - - - - - + + + + + @@ -125640,10 +125658,10 @@ - - - - + + + + @@ -125687,14 +125705,14 @@ - - - - - - - - + + + + + + + + @@ -125707,9 +125725,9 @@ - - - + + + @@ -125748,8 +125766,8 @@ - - + + @@ -125816,14 +125834,14 @@ - - - + + + - - - + + + @@ -125831,10 +125849,10 @@ - - - - + + + + @@ -125892,15 +125910,15 @@ - - - - + + + + - - - + + + @@ -125999,16 +126017,16 @@ - - - + + + - - - - - + + + + + @@ -126064,34 +126082,34 @@ - - - + + + - - - - - + + + + + - - - - - + + + + + - - + + - - - - - + + + + + @@ -126102,12 +126120,12 @@ - - + + - - + + @@ -126216,9 +126234,9 @@ - - - + + + @@ -126240,17 +126258,17 @@ - - + + - - - + + + - - + + @@ -126258,15 +126276,15 @@ - - - + + + - - - - + + + + @@ -126277,34 +126295,34 @@ - - + + - - - - + + + + - - + + - - - + + + - - - - + + + + @@ -126316,9 +126334,9 @@ - - - + + + @@ -126326,8 +126344,8 @@ - - + + @@ -126338,15 +126356,15 @@ - + - - - - - - + + + + + + @@ -126358,13 +126376,13 @@ - - - - + + + + - - + + @@ -126384,10 +126402,10 @@ - - - - + + + + @@ -126545,46 +126563,46 @@ - - - + + + - - - + + + - - + + - - - - - + + + + + - - + + - - - + + + - - - - + + + + - - - - - + + + + + @@ -126717,8 +126735,8 @@ - - + + @@ -126762,8 +126780,8 @@ - - + + @@ -126775,8 +126793,8 @@ - - + + @@ -126787,8 +126805,8 @@ - - + + @@ -126958,9 +126976,9 @@ - - - + + + @@ -126970,62 +126988,62 @@ - - + + - - - + + + - - + + - - - + + + - - - - + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + @@ -127043,14 +127061,14 @@ - - - + + + - - - + + + @@ -127085,13 +127103,13 @@ - - - - - - - + + + + + + + @@ -127315,62 +127333,62 @@ - - + + - - - + + + - - + + - - - - - + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + @@ -127386,15 +127404,15 @@ - - + + - - - - - + + + + + @@ -127405,10 +127423,10 @@ - - - - + + + + @@ -127451,8 +127469,8 @@ - - + + @@ -127460,9 +127478,9 @@ - - - + + + @@ -127499,9 +127517,9 @@ - - - + + + @@ -127510,8 +127528,8 @@ - - + + @@ -127519,19 +127537,19 @@ - - - - - + + + + + - - - - - - + + + + + + @@ -127539,20 +127557,20 @@ - - + + - - + + - - + + - - + + @@ -127565,17 +127583,17 @@ - - + + - - + + - - - + + + @@ -127622,19 +127640,19 @@ - - - - - - - + + + + + + + - - - + + + @@ -127642,17 +127660,17 @@ - - - + + + - - + + @@ -127670,20 +127688,20 @@ - - + + - - + + - - + + @@ -127696,11 +127714,11 @@ - - - - - + + + + + @@ -127711,33 +127729,33 @@ - - - + + + - - - - + + + + - - - - + + + + - - + + - - + + @@ -128047,23 +128065,23 @@ - - + + - - - - + + + + - - - + + + @@ -128079,12 +128097,12 @@ - - - - - - + + + + + + @@ -128136,26 +128154,26 @@ - - - - - + + + + + - - + + - - - - + + + + - - - - + + + + @@ -128310,10 +128328,10 @@ - - - - + + + + @@ -128363,9 +128381,9 @@ - - - + + + @@ -128494,19 +128512,19 @@ - - - + + + - - - + + + - - - + + + @@ -128607,8 +128625,8 @@ - - + + @@ -128630,9 +128648,9 @@ - - - + + + @@ -128665,8 +128683,8 @@ - - + + @@ -128681,24 +128699,24 @@ - - + + - - - + + + - - - - + + + + - - - + + + @@ -128717,9 +128735,9 @@ - - - + + + @@ -128733,18 +128751,18 @@ - - + + - - - + + + - - - + + + @@ -128765,9 +128783,9 @@ - - - + + + @@ -128798,28 +128816,28 @@ - - + + - - + + - - - + + + - - - - + + + + - - - + + + @@ -128830,83 +128848,83 @@ - - - + + + - - - - + + + + - - - + + + - - + + - - - + + + - - + + - - + + - - - + + + - - + + - - - + + + - - + + - - + + - - + + - - - - + + + + - - - - + + + + @@ -128962,17 +128980,17 @@ - - + + - - + + - - - + + + @@ -128986,20 +129004,20 @@ - - + + - - + + - - + + @@ -129068,9 +129086,9 @@ - - - + + + @@ -129082,44 +129100,44 @@ - - + + - - - - - + + + + + - - - - - - - + + + + + + + - - - - + + + + - - - - + + + + - - - - - - + + + + + + @@ -129129,12 +129147,12 @@ - - - - - - + + + + + + @@ -129145,9 +129163,9 @@ - - - + + + @@ -129155,18 +129173,18 @@ - - - - + + + + - - - - - - - + + + + + + + @@ -129181,30 +129199,30 @@ - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + @@ -129240,8 +129258,8 @@ - - + + @@ -129325,20 +129343,20 @@ - - + + - - - - - - - - - - + + + + + + + + + + @@ -129347,19 +129365,19 @@ - - - + + + - - - - + + + + - - - + + + @@ -129386,40 +129404,40 @@ - - - - + + + + - - + + - - + + - - - + + + - - - - + + + + - - - - + + + + @@ -129658,8 +129676,8 @@ - - + + @@ -129673,13 +129691,13 @@ - - + + - - - + + + @@ -129696,10 +129714,10 @@ - - - - + + + + @@ -129732,14 +129750,14 @@ - - - + + + - - - + + + @@ -129747,17 +129765,17 @@ - - - - + + + + - - + + @@ -129772,9 +129790,9 @@ - - - + + + @@ -129788,54 +129806,54 @@ - - - - + + + + - - + + - - + + - - + + - - - - + + + + - - - - + + + + - - + + - - + + - - - + + + - - + + @@ -129851,15 +129869,15 @@ - - - + + + - - - - + + + + @@ -129892,18 +129910,18 @@ - - - - + + + + - - - - - + + + + + @@ -129911,9 +129929,9 @@ - - - + + + @@ -129947,12 +129965,12 @@ - - + + - - + + @@ -129998,15 +130016,15 @@ - - - + + + - - - - + + + + @@ -130015,13 +130033,13 @@ - - - + + + - - + + @@ -130031,21 +130049,21 @@ - - - + + + - - - - + + + + - - - - + + + + @@ -130061,26 +130079,26 @@ - - + + - - - + + + - - + + - - - + + + @@ -130107,11 +130125,11 @@ - - + + - + @@ -130126,14 +130144,14 @@ - - + + - - - - + + + + @@ -130175,24 +130193,24 @@ - - - - + + + + - - - + + + - - + + - - - + + + @@ -130200,13 +130218,13 @@ - - + + - - - + + + @@ -130222,9 +130240,9 @@ - - - + + + @@ -130318,9 +130336,9 @@ - - - + + + @@ -130369,11 +130387,11 @@ - - - - - + + + + + @@ -130393,11 +130411,11 @@ - - - - - + + + + + @@ -130509,8 +130527,8 @@ - - + + @@ -130519,9 +130537,9 @@ - - - + + + @@ -130534,8 +130552,8 @@ - - + + @@ -130578,12 +130596,12 @@ - - + + - - + + @@ -130620,35 +130638,35 @@ - - + + - - - + + + - - - - - - - + + + + + + + - - - - - - + + + + + + - - - + + + @@ -130660,13 +130678,13 @@ - - - + + + - - + + @@ -130709,36 +130727,36 @@ - - - - - + + + + + - - - - - + + + + + - - - - + + + + - - - + + + - - - - + + + + - - + + @@ -130781,13 +130799,13 @@ - - - - - - - + + + + + + + @@ -130812,13 +130830,13 @@ - - - + + + - - + + @@ -130854,10 +130872,10 @@ - - - - + + + + @@ -130867,12 +130885,12 @@ - - + + - - + + @@ -130883,17 +130901,17 @@ - - - - - - - + + + + + + + - - + + @@ -130910,8 +130928,8 @@ - - + + @@ -130941,15 +130959,15 @@ - - + + - - - - - + + + + + @@ -130961,8 +130979,8 @@ - - + + @@ -130988,8 +131006,8 @@ - - + + @@ -131003,20 +131021,20 @@ - - + + - + - - - + + + @@ -131033,15 +131051,15 @@ - - - - + + + + - - - + + + @@ -131054,20 +131072,20 @@ - - + + - - + + - - - + + + @@ -131077,13 +131095,13 @@ - - + + - - - + + + @@ -131097,41 +131115,41 @@ - - - - - - + + + + + + - - + + - - - - - - + + + + + + - - - - - + + + + + - - - - - - - - + + + + + + + + @@ -131145,8 +131163,8 @@ - - + + @@ -131158,18 +131176,18 @@ - - + + - - - - + + + + @@ -131193,23 +131211,23 @@ - - - + + + - - - + + + - - - + + + - - + + @@ -131222,9 +131240,9 @@ - - - + + + @@ -131232,29 +131250,29 @@ - - - - + + + + - - + + - - - - - + + + + + - - - - - - + + + + + + @@ -131298,9 +131316,9 @@ - - - + + + @@ -131309,8 +131327,8 @@ - - + + @@ -131319,9 +131337,9 @@ - - - + + + @@ -131418,8 +131436,8 @@ - - + + @@ -131446,10 +131464,10 @@ - - - - + + + + @@ -131461,25 +131479,25 @@ - - - + + + - - + + - - + + - - + + - - + + @@ -131524,10 +131542,10 @@ - - + + - + @@ -131542,22 +131560,22 @@ - - - + + + - - - + + + - - + + - - + + @@ -131614,38 +131632,38 @@ - - - - + + + + - - - - - - - - + + + + + + + + - - + + - - + + - + - - + + @@ -131656,9 +131674,9 @@ - - - + + + @@ -131673,26 +131691,26 @@ - - + + - - - - + + + + - - - - - - + + + + + + - - + + @@ -131703,32 +131721,33 @@ + - - + + - - - + + + - - + + - - - - - + + + + + - - - - + + + + @@ -131743,28 +131762,28 @@ - - - - - + + + + + - - + + - - - - - + + + + + - - - - + + + + @@ -131786,18 +131805,18 @@ - - + + - - + + - - + + @@ -131820,12 +131839,12 @@ - - + + - - + + @@ -131862,9 +131881,9 @@ - - - + + + @@ -131899,81 +131918,81 @@ - - - + + + - - - + + + - - - - + + + + - - - - - - + + + + + + - - - - + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -132103,12 +132122,12 @@ - - + + - - + + @@ -132151,14 +132170,14 @@ - - + + - - - - + + + + @@ -132179,36 +132198,36 @@ - - - - - + + + + + - - + + - - - + + + - - - - - - + + + + + + - - - - - - + + + + + + @@ -132219,39 +132238,39 @@ - - + + - - - + + + - - - - + + + + - - - + + + - - + + - - - + + + - - - - + + + + @@ -132277,14 +132296,14 @@ - - + + - - - - + + + + @@ -132305,12 +132324,12 @@ - - + + - - + + @@ -132326,8 +132345,8 @@ - - + + @@ -132460,21 +132479,21 @@ - - - - - + + + + + - - - - - - - - + + + + + + + + @@ -132484,8 +132503,8 @@ - - + + @@ -132508,8 +132527,8 @@ - - + + @@ -132517,9 +132536,9 @@ - - - + + + @@ -132539,24 +132558,24 @@ - - - - + + + + - - - + + + - - - - + + + + @@ -132564,50 +132583,50 @@ - - - - - - + + + + + + - - - + + + - - + + - - + + - - - - + + + + - - - + + + - - - + + + - - - + + + @@ -132623,8 +132642,8 @@ - - + + @@ -132645,8 +132664,8 @@ - - + + @@ -132661,8 +132680,8 @@ - - + + @@ -132695,20 +132714,20 @@ - - + + - - + + - - + + @@ -132745,12 +132764,12 @@ - - + + - - + + @@ -132762,34 +132781,34 @@ - - + + - - - + + + - - - - + + + + - - - - + + + + - - - + + + - - + + @@ -132874,9 +132893,9 @@ - - - + + + @@ -133037,74 +133056,74 @@ - - - + + + - - + + - - - + + + - - + + - - - - - - + + + + + + - - - - - - + + + + + + - - - + + + - - - - - - - + + + + + + + - - - - - - + + + + + + - - - + + + - - - - + + + + - - - - + + + + @@ -133112,53 +133131,53 @@ - - - - + + + + - - - - - + + + + + - - - - + + + + - - + + - - + + - - - - - - + + + + + + - - - - - + + + + + @@ -133193,8 +133212,8 @@ - - + + @@ -133302,13 +133321,13 @@ - - - + + + - - + + @@ -133319,15 +133338,15 @@ - - - - - - - - - + + + + + + + + + @@ -133363,9 +133382,9 @@ - - - + + + @@ -133391,30 +133410,30 @@ - - - + + + - - - - + + + + - - - - + + + + - - - + + + @@ -133427,10 +133446,10 @@ - - - - + + + + @@ -133438,11 +133457,11 @@ - - - - - + + + + + @@ -133465,10 +133484,10 @@ - - - - + + + + @@ -133481,20 +133500,20 @@ - - - + + + - - - - + + + + - + - - + + @@ -133511,9 +133530,9 @@ - - - + + + @@ -133615,14 +133634,14 @@ - - - + + + - - + + @@ -133709,67 +133728,67 @@ - - + + - - - - - + + + + + - - + + - - - - - - - - - + + + + + + + + + - - + + - - - - - - - - - + + + + + + + + + - - + + - - + + - - + + - - + + - + @@ -133780,10 +133799,10 @@ - - - - + + + + @@ -133809,21 +133828,21 @@ - - - - + + + + - - - + + + - - - - + + + + @@ -133834,35 +133853,35 @@ - - - - - - - - + + + + + + + + - - + + - - - + + + - - - - + + + + - - - - + + + + @@ -133894,46 +133913,46 @@ - - - - + + + + - - - + + + - - + + - - + + - - - + + + - - - - - + + + + + - - + + - - - + + + @@ -133942,35 +133961,35 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - - + + + - - + + - - + + @@ -133979,23 +133998,23 @@ - - - + + + - - - + + + - - - + + + @@ -134003,34 +134022,34 @@ - - - - + + + + - - - + + + - - - - + + + + - - - - + + + + - - - - - + + + + + @@ -134040,16 +134059,16 @@ - - - - + + + + - - - - + + + + @@ -134065,10 +134084,10 @@ - - - - + + + + @@ -134078,10 +134097,10 @@ - - - - + + + + @@ -134091,37 +134110,37 @@ - - - - + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - - - - - + + + + + @@ -134132,9 +134151,9 @@ - - - + + + @@ -134148,11 +134167,11 @@ - - - - - + + + + + @@ -134188,11 +134207,11 @@ - - + + - + @@ -134209,15 +134228,15 @@ - - + + - - + + - - + + @@ -134237,8 +134256,8 @@ - - + + @@ -134252,8 +134271,8 @@ - - + + @@ -134265,8 +134284,8 @@ - - + + @@ -134280,18 +134299,18 @@ - - - + + + - - - - + + + + - - + + @@ -134299,10 +134318,10 @@ - - - - + + + + @@ -134315,14 +134334,14 @@ - - - - + + + + - - + + @@ -134358,18 +134377,18 @@ - - - + + + - - - + + + @@ -134380,8 +134399,8 @@ - - + + @@ -134402,10 +134421,10 @@ - - - - + + + + @@ -134415,30 +134434,30 @@ - - - - - + + + + + - - + + - - + + - - - + + + - - + + @@ -134457,11 +134476,11 @@ - - - - - + + + + + @@ -134474,8 +134493,8 @@ - - + + @@ -134492,11 +134511,11 @@ - - - - - + + + + + @@ -134535,8 +134554,8 @@ - - + + @@ -134544,25 +134563,25 @@ - - - + + + - - + + - - - - + + + + - - - - + + + + @@ -134575,9 +134594,9 @@ - - - + + + @@ -134588,13 +134607,13 @@ - - + + - - - + + + @@ -134602,50 +134621,50 @@ - - - + + + - - + + - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - - - + + + @@ -134659,8 +134678,8 @@ - - + + @@ -134736,9 +134755,9 @@ - - - + + + @@ -134776,32 +134795,32 @@ - - + + - - - + + + - - - - + + + + - - - + + + - - - + + + - + @@ -134814,9 +134833,9 @@ - - - + + + @@ -134896,10 +134915,10 @@ - - - - + + + + @@ -134944,13 +134963,13 @@ - - - - - - - + + + + + + + @@ -135141,12 +135160,12 @@ - - + + - - + + @@ -135158,11 +135177,11 @@ - - - - - + + + + + @@ -135203,8 +135222,8 @@ - - + + @@ -135257,8 +135276,8 @@ - - + + @@ -135270,9 +135289,9 @@ - - - + + + @@ -135283,28 +135302,28 @@ - - - + + + - - - - - - + + + + + + - - + + - - - - - + + + + + @@ -135315,9 +135334,9 @@ - - - + + + @@ -135378,8 +135397,8 @@ - - + + @@ -135418,9 +135437,9 @@ - - - + + + @@ -135480,8 +135499,8 @@ - - + + @@ -135503,12 +135522,12 @@ - - + + - - + + @@ -135542,8 +135561,8 @@ - - + + @@ -135554,9 +135573,9 @@ - - - + + + @@ -135564,47 +135583,47 @@ - - + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - - - - + + + + + @@ -135612,18 +135631,18 @@ - - - - + + + + - - + + @@ -135631,14 +135650,14 @@ - - - - + + + + - - - + + + @@ -135674,17 +135693,17 @@ - - + + - - - + + + @@ -135694,9 +135713,9 @@ - - - + + + @@ -135738,12 +135757,12 @@ - - + + - - + + @@ -135757,67 +135776,67 @@ - - - + + + - - + + - - + + - - + + - - + + - - - - - + + + + + - - + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + @@ -135831,19 +135850,19 @@ - - + + - - + + - - - - - + + + + + @@ -135854,41 +135873,41 @@ - - - - + + + + - - - + + + - - + + - - - - - + + + + + - - + + - - + + @@ -135907,10 +135926,10 @@ - - - - + + + + @@ -135918,10 +135937,10 @@ - - - - + + + + @@ -135942,11 +135961,11 @@ - - - - - + + + + + @@ -135963,24 +135982,24 @@ - - - - + + + + - - - - - + + + + + - - - - - + + + + + @@ -136005,10 +136024,10 @@ - - - - + + + + @@ -136022,12 +136041,12 @@ - - + + - - + + @@ -136052,18 +136071,18 @@ - - - + + + - - + + - - - + + + @@ -136087,18 +136106,18 @@ - - - - - + + + + + - - - - - + + + + + @@ -136109,19 +136128,19 @@ - - - - + + + + - - + + - - - + + + @@ -136140,14 +136159,14 @@ - - - + + + - - - + + + @@ -136173,9 +136192,9 @@ - - - + + + @@ -136188,22 +136207,22 @@ - - - - + + + + - - + + - - + + @@ -136223,43 +136242,43 @@ - - + + - - - + + + - - - + + + - - - - - + + + + + - - - + + + - - - - - + + + + + @@ -136272,9 +136291,9 @@ - - - + + + @@ -136307,14 +136326,14 @@ - - - - + + + + - - + + @@ -136325,44 +136344,44 @@ - - - - + + + + - - - + + + - - + + - - - + + + - - - + + + - - - + + + - - - - + + + + @@ -136396,16 +136415,16 @@ - - - - - - + + + + + + - - - + + + @@ -136413,9 +136432,9 @@ - - - + + + @@ -136459,33 +136478,33 @@ - - - + + + - - - + + + - - + + - - + + - - - + + + - - - - + + + + @@ -136510,9 +136529,9 @@ - - - + + + @@ -136528,32 +136547,32 @@ - - - - + + + + - - + + - - + + - - - + + + - - - + + + - - - + + + @@ -136562,9 +136581,9 @@ - - - + + + @@ -136572,74 +136591,74 @@ - - - + + + - - + + - - - + + + - - - + + + - - - - + + + + - - - - + + + + - - + + - - - + + + - - - + + + - - - + + + - - - - + + + + - - + + - - + + - - - - + + + + @@ -136651,42 +136670,42 @@ - - - - + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - + + @@ -136701,8 +136720,8 @@ - - + + @@ -136722,8 +136741,8 @@ - - + + @@ -136737,61 +136756,61 @@ - - - - - + + + + + - - - + + + - - - - - + + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - - - + + + + + + - - - - - + + + + + - - - - + + + + @@ -136809,12 +136828,12 @@ - - - - - - + + + + + + @@ -136825,12 +136844,12 @@ - - - - - - + + + + + + @@ -136845,9 +136864,9 @@ - - - + + + @@ -136860,15 +136879,15 @@ - - + + - - - - - + + + + + @@ -136885,10 +136904,10 @@ - - - - + + + + @@ -136908,10 +136927,10 @@ - - - - + + + + @@ -136957,10 +136976,10 @@ - - - - + + + + @@ -136985,16 +137004,16 @@ - - - + + + - - + + - - + + @@ -137022,11 +137041,11 @@ - - - - - + + + + + @@ -137056,16 +137075,16 @@ - - - - - - + + + + + + - - + + @@ -137168,33 +137187,33 @@ - - + + - - + + - - - - - - + + + + + + - - - + + + - - + + @@ -137220,8 +137239,8 @@ - - + + @@ -137241,16 +137260,16 @@ - - + + - - + + - - + + @@ -137335,19 +137354,19 @@ - - - + + + - - - + + + - - - + + + @@ -137362,8 +137381,8 @@ - - + + @@ -137394,9 +137413,9 @@ - - - + + + @@ -137426,14 +137445,14 @@ - - - + + + - - - + + + @@ -137446,9 +137465,9 @@ - - - + + + @@ -137456,10 +137475,10 @@ - - - - + + + + @@ -137473,12 +137492,12 @@ - - + + - - + + @@ -137499,9 +137518,9 @@ - - - + + + @@ -137513,9 +137532,9 @@ - - - + + + @@ -137563,8 +137582,8 @@ - - + + @@ -137610,9 +137629,9 @@ - - - + + + @@ -137628,10 +137647,10 @@ - - - - + + + + @@ -137652,10 +137671,10 @@ - - - - + + + + @@ -137688,17 +137707,17 @@ - - + + - - - + + + @@ -137712,55 +137731,55 @@ - - - - + + + + - - + + - - - + + + - - + + - - + + - - - - - + + + + + - - - + + + - - - + + + - - + + - - + + - - + + @@ -137782,20 +137801,20 @@ - - - - - - + + + + + + - - + + - - + + @@ -137803,21 +137822,21 @@ - - - - - + + + + + - - - - - + + + + + - - + + @@ -137828,7 +137847,7 @@ - + @@ -137847,21 +137866,21 @@ - - - - + + + + - - - - - - - - - + + + + + + + + + @@ -137895,8 +137914,8 @@ - - + + @@ -137916,9 +137935,9 @@ - - - + + + @@ -137926,23 +137945,23 @@ - - - + + + - - - + + + - - - + + + @@ -137950,9 +137969,9 @@ - - - + + + @@ -137968,37 +137987,37 @@ - - + + - - - - + + + + - - - + + + - - + + - - - - + + + + @@ -138012,11 +138031,11 @@ - - - - - + + + + + @@ -138026,12 +138045,12 @@ - - - - - - + + + + + + @@ -138075,10 +138094,10 @@ - - - - + + + + @@ -138147,24 +138166,24 @@ - - + + - - + + - - + + @@ -138179,11 +138198,11 @@ - - - - - + + + + + @@ -138228,14 +138247,14 @@ - - - - + + + + - - - + + + @@ -138484,8 +138503,8 @@ - - + + @@ -138505,29 +138524,29 @@ - - - + + + - - + + - - + + - - + + - - + + - - + + @@ -138539,14 +138558,14 @@ - - - + + + - - - + + + @@ -138559,16 +138578,16 @@ - - - - + + + + - - - - + + + + @@ -138594,14 +138613,14 @@ - - - + + + - - - + + + @@ -138634,12 +138653,12 @@ - - + + - - + + @@ -138686,24 +138705,24 @@ - - + + - - + + - - + + - - + + @@ -138723,13 +138742,13 @@ - - + + - - - + + + @@ -138743,16 +138762,16 @@ - - - - + + + + - - - - + + + + @@ -138765,9 +138784,9 @@ - - - + + + @@ -138788,8 +138807,8 @@ - - + + @@ -138804,8 +138823,8 @@ - - + + @@ -138839,8 +138858,8 @@ - - + + @@ -138858,10 +138877,10 @@ - - - - + + + + @@ -138874,54 +138893,54 @@ - - + + - - - + + + - - + + - + - + - - - - + + + + - - - - + + + + - - - - - - - - - + + + + + + + + + - - + + - - + + @@ -138930,36 +138949,36 @@ - - - - - + + + + + - - - - - - + + + + + + - - - - - - - + + + + + + + - - - - - - + + + + + + @@ -138970,12 +138989,12 @@ - - - - - - + + + + + + @@ -138994,9 +139013,9 @@ - - - + + + @@ -139006,8 +139025,8 @@ - - + + @@ -139021,10 +139040,10 @@ - - - - + + + + @@ -139037,13 +139056,13 @@ - - - + + + - - + + @@ -139096,11 +139115,11 @@ - - - - - + + + + + @@ -139116,24 +139135,24 @@ - - + + - - + + - - + + - - + + @@ -139141,24 +139160,24 @@ - - + + - - + + - - + + @@ -139218,8 +139237,8 @@ - - + + @@ -139229,28 +139248,28 @@ - - - - - + + + + + - - - - - + + + + + - - - - + + + + @@ -139264,23 +139283,23 @@ - - - + + + - - + + - - - - + + + + - - + + @@ -139303,48 +139322,48 @@ - - - + + + - - - + + + - - - + + + - - + + - - + + - - - + + + - - + + - - + + - - + + - - + + @@ -139353,7 +139372,7 @@ - + @@ -139393,17 +139412,17 @@ - + - + - - + + @@ -139422,8 +139441,8 @@ - - + + @@ -139460,8 +139479,8 @@ - - + + @@ -139477,23 +139496,23 @@ - - - - + + + + - - - + + + - - - + + + @@ -139553,8 +139572,8 @@ - - + + @@ -139595,16 +139614,16 @@ - - + + - - + + - - + + @@ -139615,8 +139634,8 @@ - - + + @@ -139639,12 +139658,12 @@ - - + + - - + + @@ -139664,8 +139683,8 @@ - - + + @@ -139784,10 +139803,10 @@ - - - - + + + + @@ -139802,20 +139821,20 @@ - - - - - - - - + + + + + + + + - - - - + + + + @@ -139823,14 +139842,14 @@ - - - + + + - - - + + + @@ -139848,8 +139867,8 @@ - - + + @@ -139861,8 +139880,8 @@ - - + + @@ -139903,8 +139922,8 @@ - - + + @@ -139955,22 +139974,22 @@ - - - - + + + + - - - - + + + + - - - - + + + + @@ -140065,8 +140084,8 @@ - - + + @@ -140074,22 +140093,22 @@ - - + + - - - - - - + + + + + + - - - - + + + + @@ -140102,9 +140121,9 @@ - - - + + + @@ -140112,9 +140131,9 @@ - - - + + + @@ -140162,13 +140181,13 @@ - - - - - - - + + + + + + + @@ -140176,28 +140195,28 @@ - - + + - - + + - - + + - - + + - - + + @@ -140213,20 +140232,20 @@ - - - - - - + + + + + + - - - + + + - - + + @@ -140242,8 +140261,8 @@ - - + + @@ -140260,8 +140279,8 @@ - - + + @@ -140274,15 +140293,15 @@ - - - + + + - - - - + + + + @@ -140290,39 +140309,39 @@ - - - + + + - - - - + + + + - - + + - - - + + + - - - - + + + + - - - + + + - - - + + + @@ -140330,34 +140349,34 @@ - - - - + + + + - - - - + + + + - - - - + + + + - - + + - - + + - - + + @@ -140483,8 +140502,8 @@ - - + + @@ -140620,12 +140639,12 @@ - - + + - - + + @@ -140642,9 +140661,9 @@ - - - + + + @@ -140652,9 +140671,9 @@ - - - + + + @@ -140662,9 +140681,9 @@ - - - + + + @@ -140689,12 +140708,12 @@ - - + + - - + + @@ -140712,10 +140731,10 @@ - - - - + + + + @@ -140737,61 +140756,61 @@ - - - + + + - - - - + + + + - - - + + + - - + + - - - - - - + + + + + + - - - - + + + + - - - - - - - + + + + + + + - - - + + + - - - + + + - - - + + + @@ -140801,10 +140820,10 @@ - - - - + + + + @@ -140815,13 +140834,13 @@ - + - - - - + + + + @@ -140855,10 +140874,10 @@ - - - - + + + + @@ -140900,7 +140919,7 @@ - + @@ -140908,34 +140927,34 @@ - - + + - - + + - - + + - - - - - - + + + + + + - - - - + + + + - - + + @@ -140946,10 +140965,10 @@ - - - - + + + + @@ -140959,8 +140978,8 @@ - - + + @@ -140971,8 +140990,8 @@ - - + + @@ -141010,8 +141029,8 @@ - - + + @@ -141049,14 +141068,14 @@ - - - - - + + + + + - - + + @@ -141094,11 +141113,11 @@ - - - - - + + + + + @@ -141242,21 +141261,21 @@ - - + + - - - + + + - - + + - - + + @@ -141290,11 +141309,11 @@ - - - - - + + + + + @@ -141315,16 +141334,16 @@ - - + + - - + + - - + + @@ -141343,9 +141362,9 @@ - - - + + + @@ -141361,11 +141380,11 @@ - - - - - + + + + + @@ -141396,12 +141415,12 @@ - - - - - - + + + + + + @@ -141421,28 +141440,28 @@ - - - - + + + + - - - - + + + + - - - + + + - - - - + + + + @@ -141462,26 +141481,26 @@ - - - - + + + + - - - + + + - - - - - + + + + + - - - + + + @@ -141490,20 +141509,20 @@ - - - + + + - - - + + + - - - + + + @@ -141513,26 +141532,26 @@ - - - + + + - - - + + + - - - - + + + + - - - - + + + + @@ -141678,9 +141697,9 @@ - - - + + + @@ -141695,9 +141714,9 @@ - - - + + + @@ -141705,26 +141724,26 @@ - - + + - - - - + + + + - - + + - - + + @@ -141732,25 +141751,25 @@ - - - + + + - - - + + + - - - + + + - - - - + + + + @@ -141762,33 +141781,33 @@ - - - - - - + + + + + + - - - - - - + + + + + + - - - - + + + + - - - + + + @@ -141796,37 +141815,37 @@ - - - + + + - - - - - + + + + + - - + + - - + + - - - + + + - - + + @@ -141837,13 +141856,13 @@ - - - - - - - + + + + + + + @@ -141875,14 +141894,14 @@ - - + + - - - - + + + + @@ -141890,10 +141909,10 @@ - - - - + + + + @@ -141901,10 +141920,10 @@ - - - - + + + + @@ -141927,10 +141946,10 @@ - - - - + + + + @@ -141946,8 +141965,8 @@ - - + + @@ -141957,29 +141976,29 @@ - + - - + + - - + + - - - - + + + + - - - - - - + + + + + + @@ -142008,13 +142027,13 @@ - - - - - - - + + + + + + + @@ -142033,10 +142052,10 @@ - - - - + + + + @@ -142053,10 +142072,10 @@ - - - - + + + + @@ -142066,30 +142085,30 @@ - - - + + + - - - - - - + + + + + + - - + + - - - - - - - + + + + + + + @@ -142106,13 +142125,13 @@ - - + + - - - + + + @@ -142131,46 +142150,46 @@ - - - + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - + + + - - + + @@ -142193,55 +142212,55 @@ - - - - - + + + + + - - - - - + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + @@ -142251,9 +142270,9 @@ - - - + + + @@ -142263,16 +142282,16 @@ - - - - - + + + + + - - - + + + @@ -142307,15 +142326,15 @@ - - - + + + - - - - + + + + @@ -142328,11 +142347,11 @@ - - - - - + + + + + @@ -142342,16 +142361,16 @@ - - - - - + + + + + - - - + + + @@ -142361,8 +142380,8 @@ - - + + @@ -142374,25 +142393,25 @@ - - + + - - + + - - - - - - - + + + + + + + - - + + @@ -142403,9 +142422,9 @@ - - - + + + @@ -142457,15 +142476,15 @@ - - - + + + - - - - + + + + @@ -142493,22 +142512,22 @@ - - - - - + + + + + - - - - - + + + + + - - + + @@ -142587,8 +142606,8 @@ - - + + @@ -142598,9 +142617,9 @@ - - - + + + @@ -142669,8 +142688,8 @@ - - + + @@ -142686,9 +142705,9 @@ - - - + + + @@ -142698,17 +142717,17 @@ - - - - + + + + - - - - - + + + + + @@ -142732,17 +142751,17 @@ - - + + - - - - - - - + + + + + + + @@ -142757,23 +142776,23 @@ - - + + - - - - + + + + - - - + + + - - + + @@ -142784,12 +142803,12 @@ - - - - - - + + + + + + @@ -142808,8 +142827,8 @@ - - + + @@ -142821,18 +142840,18 @@ - - - - - - + + + + + + - - - - + + + + @@ -142840,21 +142859,21 @@ - - - + + + - - + + - - + + @@ -142892,9 +142911,9 @@ - - - + + + @@ -142906,8 +142925,8 @@ - - + + @@ -142939,45 +142958,45 @@ - - - + + + - - - - + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - + + + + + - - - - - + + + + + @@ -143022,9 +143041,9 @@ - - - + + + @@ -143055,10 +143074,10 @@ - - - - + + + + @@ -143155,14 +143174,14 @@ - - - - + + + + - - + + @@ -143180,8 +143199,8 @@ - - + + @@ -143443,9 +143462,9 @@ - - - + + + @@ -143504,13 +143523,13 @@ - - - - - - - + + + + + + + @@ -143543,9 +143562,9 @@ - - - + + + @@ -143566,13 +143585,13 @@ - - - - - - - + + + + + + + @@ -143584,44 +143603,44 @@ - - - + + + - - - - + + + + - - + + - - + + - - - - - - + + + + + + - - + + - - - + + + @@ -143731,9 +143750,9 @@ - - - + + + @@ -143745,17 +143764,17 @@ - - - - - - + + + + + + - - - + + + @@ -143879,9 +143898,9 @@ - - - + + + @@ -143914,34 +143933,34 @@ - - + + - - + + - - + + - - + + - - - - + + + + - - - - - - + + + + + + @@ -143964,9 +143983,9 @@ - - - + + + @@ -143984,8 +144003,8 @@ - - + + @@ -144020,10 +144039,10 @@ - - - - + + + + @@ -144032,26 +144051,26 @@ - - - - + + + + - - - + + + - - - + + + - - - - + + + + @@ -144059,21 +144078,21 @@ - - - - + + + + - - - - - + + + + + - - - + + + @@ -144092,16 +144111,16 @@ - - - + + + - - - + + + - - + + @@ -144133,33 +144152,33 @@ - - + + - - + + - - + + - - + + - - + + - - - + + + @@ -144170,10 +144189,10 @@ - + - + @@ -144185,12 +144204,12 @@ - - + + - - + + @@ -144205,23 +144224,23 @@ - - + + - - + + - - - + + + - + - + @@ -144240,15 +144259,15 @@ - - - + + + - - - - + + + + @@ -144261,27 +144280,27 @@ - - - + + + - - - - + + + + - - - + + + - - - - + + + + @@ -144303,9 +144322,9 @@ - - - + + + @@ -144314,10 +144333,10 @@ - - - - + + + + @@ -144325,9 +144344,9 @@ - - - + + + @@ -144335,9 +144354,9 @@ - - - + + + @@ -144346,17 +144365,17 @@ - - - - + + + + - + @@ -144374,8 +144393,8 @@ - - + + @@ -144455,8 +144474,8 @@ - - + + @@ -144553,16 +144572,16 @@ - - + + - - + + @@ -144571,8 +144590,8 @@ - - + + @@ -144604,19 +144623,19 @@ - - - - - - - - - + + + + + + + + + - - + + @@ -144628,9 +144647,9 @@ - - - + + + @@ -144655,14 +144674,14 @@ - - - - + + + + - - + + @@ -144690,9 +144709,9 @@ - - - + + + @@ -144715,12 +144734,11 @@ - - - + + @@ -144755,19 +144773,19 @@ - - + + - - - - + + + + - - - + + + @@ -144785,8 +144803,8 @@ - - + + @@ -144796,24 +144814,24 @@ - - - - - + + + + + - - - - + + + + - - - - - + + + + + @@ -144823,26 +144841,26 @@ - - - - + + + + - - - + + + - - - + + + - - - + + + @@ -144851,10 +144869,10 @@ - - - - + + + + @@ -144874,7 +144892,7 @@ - + @@ -144908,9 +144926,9 @@ - - - + + + @@ -145048,10 +145066,10 @@ - - - - + + + + @@ -145059,10 +145077,10 @@ - - - - + + + + @@ -145141,19 +145159,19 @@ - - - + + + - - - + + + - - - + + + @@ -145183,8 +145201,8 @@ - - + + @@ -145208,16 +145226,16 @@ - - + + - - + + @@ -145270,9 +145288,9 @@ - - - + + + @@ -145286,9 +145304,9 @@ - - - + + + @@ -145327,8 +145345,8 @@ - - + + @@ -145374,9 +145392,9 @@ - - - + + + @@ -145467,11 +145485,11 @@ - - - - - + + + + + @@ -145706,9 +145724,9 @@ - - - + + + @@ -145826,27 +145844,27 @@ - - + + - - + + - - + + - - - - - + + + + + @@ -145880,8 +145898,8 @@ - - + + @@ -145916,21 +145934,21 @@ - - + + - - + + - - + + - - - + + + @@ -145941,8 +145959,8 @@ - - + + @@ -145973,12 +145991,12 @@ - - + + - - + + @@ -146005,8 +146023,8 @@ - - + + @@ -146028,8 +146046,8 @@ - - + + @@ -146065,9 +146083,9 @@ - - - + + + @@ -146090,9 +146108,9 @@ - - - + + + @@ -146107,24 +146125,24 @@ - - + + - - + + - - + + - - + + - - + + @@ -146143,13 +146161,13 @@ - - + + - - - + + + @@ -146164,16 +146182,16 @@ - - - - - - - - - - + + + + + + + + + + @@ -146207,8 +146225,8 @@ - - + + @@ -146223,15 +146241,15 @@ - - - - + + + + - - - + + + @@ -146242,9 +146260,9 @@ - - - + + + @@ -146256,9 +146274,9 @@ - - - + + + @@ -146277,24 +146295,24 @@ - - - + + + - - - - + + + + - - - + + + @@ -146321,8 +146339,8 @@ - - + + @@ -146341,9 +146359,9 @@ - - - + + + @@ -146352,28 +146370,28 @@ - - - - + + + + - - + + - - + + - - - + + + - - - + + + @@ -146382,14 +146400,14 @@ - - - - + + + + - - + + @@ -146400,9 +146418,9 @@ - - - + + + @@ -146417,8 +146435,8 @@ - - + + @@ -146440,8 +146458,8 @@ - - + + @@ -146544,15 +146562,15 @@ - - - + + + - - - - + + + + @@ -146573,8 +146591,8 @@ - - + + @@ -146640,16 +146658,16 @@ - - + + - - + + @@ -146657,10 +146675,10 @@ - - - - + + + + @@ -146684,8 +146702,8 @@ - - + + @@ -146696,30 +146714,30 @@ - - + + - - - + + + - - - + + + - - + + - - + + @@ -146727,10 +146745,10 @@ - - - - + + + + @@ -146754,9 +146772,9 @@ - - - + + + @@ -146764,12 +146782,12 @@ - - + + - - + + @@ -146818,9 +146836,9 @@ - - - + + + @@ -146841,10 +146859,10 @@ - - - - + + + + @@ -146894,9 +146912,9 @@ - - - + + + @@ -146956,50 +146974,50 @@ - - - + + + - - - - - - + + + + + + - - - - - + + + + + - - + + - - - - + + + + - - - - - - + + + + + + - - + + @@ -147175,9 +147193,9 @@ - - - + + + @@ -147191,8 +147209,8 @@ - - + + @@ -147206,19 +147224,19 @@ - - - - + + + + - - - + + + @@ -147232,33 +147250,33 @@ - - - - - + + + + + - - - + + + - - + + - - + + - - + + - - - + + + @@ -147511,15 +147529,15 @@ - - - + + + - - - - + + + + @@ -147588,15 +147606,15 @@ - - - + + + - - - + + + @@ -147609,15 +147627,15 @@ - - - - + + + + - - - + + + @@ -147695,9 +147713,9 @@ - - - + + + @@ -147713,36 +147731,36 @@ - - - + + + - - - - - + + + + + - - - - + + + + - - - - + + + + - - - + + + - - + + @@ -147757,9 +147775,9 @@ - - - + + + @@ -147774,14 +147792,14 @@ - - - + + + - - - + + + @@ -147823,15 +147841,15 @@ - - + + - - - - - + + + + + @@ -147839,11 +147857,11 @@ - - - - - + + + + + @@ -147871,14 +147889,14 @@ - - - - - + + + + + - - + + @@ -147898,8 +147916,8 @@ - - + + @@ -147942,8 +147960,8 @@ - - + + @@ -147979,8 +147997,8 @@ - - + + @@ -148047,9 +148065,9 @@ - - - + + + @@ -148120,26 +148138,26 @@ - - - - - - - + + + + + + + - - + + - - - + + + @@ -148176,21 +148194,21 @@ - - - + + + - - - + + + - - - + + + @@ -148257,15 +148275,15 @@ - - + + - - + + @@ -148276,16 +148294,16 @@ - - - - - + + + + + - - - + + + @@ -148294,11 +148312,11 @@ - - - - - + + + + + @@ -148307,9 +148325,9 @@ - - - + + + @@ -148359,11 +148377,11 @@ - - - - - + + + + + @@ -148373,23 +148391,23 @@ - - - - + + + + - - - + + + - - + + - - + + @@ -148408,12 +148426,12 @@ - - + + - - + + @@ -148421,8 +148439,8 @@ - - + + @@ -148443,8 +148461,8 @@ - - + + @@ -148452,16 +148470,16 @@ - - - + + + - + - - + + @@ -148469,8 +148487,8 @@ - - + + @@ -148486,9 +148504,9 @@ - - - + + + @@ -148511,17 +148529,17 @@ - - - + + + - - + + @@ -148538,12 +148556,12 @@ - - - - - - + + + + + + @@ -148604,9 +148622,9 @@ - - - + + + @@ -148631,34 +148649,34 @@ - - - + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - + + + @@ -148668,17 +148686,17 @@ - - + + - - - - + + + + @@ -148689,26 +148707,26 @@ - - - - + + + + - - - - + + + + - - + + - - - - + + + + @@ -148719,9 +148737,9 @@ - - - + + + @@ -148753,10 +148771,10 @@ - - - - + + + + @@ -148789,9 +148807,9 @@ - - - + + + @@ -148808,15 +148826,15 @@ - - - - + + + + - - - + + + @@ -148840,12 +148858,12 @@ - - - - - - + + + + + + @@ -148867,13 +148885,13 @@ - - + + - - - + + + @@ -148890,10 +148908,10 @@ - - - - + + + + @@ -148905,47 +148923,47 @@ - - - + + + - - + + - - - - - - - + + + + + + + - - + + - - - + + + - - - - - - - + + + + + + + - - - - - - + + + + + + diff --git a/android/abi_gki_aarch64_transsion b/android/abi_gki_aarch64_transsion index c38d29451ee4..83e28c1e1746 100644 --- a/android/abi_gki_aarch64_transsion +++ b/android/abi_gki_aarch64_transsion @@ -10,6 +10,7 @@ nr_swap_pages plist_requeue plist_del + __traceiter_android_rvh_handle_pte_fault_end __traceiter_android_vh_handle_pte_fault_end __traceiter_android_vh_cow_user_page __traceiter_android_vh_swapin_add_anon_rmap @@ -20,9 +21,13 @@ __traceiter_android_vh_count_pswpout __traceiter_android_vh_count_swpout_vm_event __traceiter_android_vh_swap_slot_cache_active + __traceiter_android_rvh_drain_slots_cache_cpu __traceiter_android_vh_drain_slots_cache_cpu + __traceiter_android_rvh_alloc_swap_slot_cache __traceiter_android_vh_alloc_swap_slot_cache + __traceiter_android_rvh_free_swap_slot __traceiter_android_vh_free_swap_slot + __traceiter_android_rvh_get_swap_page __traceiter_android_vh_get_swap_page __traceiter_android_vh_page_isolated_for_reclaim __traceiter_android_vh_inactive_is_low @@ -31,10 +36,12 @@ __traceiter_android_vh_unuse_swap_page __traceiter_android_vh_init_swap_info_struct __traceiter_android_vh_si_swapinfo + __traceiter_android_rvh_alloc_si __traceiter_android_vh_alloc_si __traceiter_android_vh_free_pages __traceiter_android_vh_set_shmem_page_flag __traceiter_android_vh_ra_tuning_max_page + __tracepoint_android_rvh_handle_pte_fault_end __tracepoint_android_vh_handle_pte_fault_end __tracepoint_android_vh_cow_user_page __tracepoint_android_vh_swapin_add_anon_rmap @@ -45,9 +52,13 @@ __tracepoint_android_vh_count_pswpout __tracepoint_android_vh_count_swpout_vm_event __tracepoint_android_vh_swap_slot_cache_active + __tracepoint_android_rvh_drain_slots_cache_cpu __tracepoint_android_vh_drain_slots_cache_cpu + __tracepoint_android_rvh_alloc_swap_slot_cache __tracepoint_android_vh_alloc_swap_slot_cache + __tracepoint_android_rvh_free_swap_slot __tracepoint_android_vh_free_swap_slot + __tracepoint_android_rvh_get_swap_page __tracepoint_android_vh_get_swap_page __tracepoint_android_vh_page_isolated_for_reclaim __tracepoint_android_vh_inactive_is_low @@ -56,6 +67,7 @@ __tracepoint_android_vh_unuse_swap_page __tracepoint_android_vh_init_swap_info_struct __tracepoint_android_vh_si_swapinfo + __tracepoint_android_rvh_alloc_si __tracepoint_android_vh_alloc_si __tracepoint_android_vh_free_pages __tracepoint_android_vh_set_shmem_page_flag From 6aeb3ccf098f1b6305f3ea504cce4b0b02860709 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 28 Sep 2022 21:56:15 +0200 Subject: [PATCH 19/31] UPSTREAM: wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream. In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element: /* copy the IEs after MBSSID */ cpy_len = mbssid[1] + 2; This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated. Fix this by using size_t for the cpy_len variable. This fixes CVE-2022-41674. Bug: 253641805 Reported-by: Soenke Huster Tested-by: Soenke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I70d3a1188609751797cbabe905028d92d1700f17 --- net/wireless/scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 6dc9b7e22b71..ccbaaa7bb4f7 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2228,7 +2228,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, size_t new_ie_len; struct cfg80211_bss_ies *new_ies; const struct cfg80211_bss_ies *old; - u8 cpy_len; + size_t cpy_len; lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock); From 5f6b14356a93d0700a530fffcb9163cedb937205 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 28 Sep 2022 22:01:37 +0200 Subject: [PATCH 20/31] UPSTREAM: wifi: cfg80211/mac80211: reject bad MBSSID elements commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream. Per spec, the maximum value for the MaxBSSID ('n') indicator is 8, and the minimum is 1 since a multiple BSSID set with just one BSSID doesn't make sense (the # of BSSIDs is limited by 2^n). Limit this in the parsing in both cfg80211 and mac80211, rejecting any elements with an invalid value. This fixes potentially bad shifts in the processing of these inside the cfg80211_gen_new_bssid() function later. I found this during the investigation of CVE-2022-41674 fixed by the previous patch. Bug: 253641805 Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Fixes: 78ac51f81532 ("mac80211: support multi-bssid") Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I7aa0b1a425fcf3a7797e83afa8ad6dd68b283b48 --- net/mac80211/util.c | 2 ++ net/wireless/scan.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/net/mac80211/util.c b/net/mac80211/util.c index a1f129292ad8..11d5686893c6 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1409,6 +1409,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { if (elem->datalen < 2) continue; + if (elem->data[0] < 1 || elem->data[0] > 8) + continue; for_each_element(sub, elem->data + 1, elem->datalen - 1) { u8 new_bssid[ETH_ALEN]; diff --git a/net/wireless/scan.c b/net/wireless/scan.c index ccbaaa7bb4f7..a5dc69e833ea 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2093,6 +2093,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy, for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) { if (elem->datalen < 4) continue; + if (elem->data[0] < 1 || (int)elem->data[0] > 8) + continue; for_each_element(sub, elem->data + 1, elem->datalen - 1) { u8 profile_len; From 2e8c292e35cd4cfb79c70aebc620cd7c23147f6e Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Thu, 29 Sep 2022 21:50:44 +0200 Subject: [PATCH 21/31] UPSTREAM: wifi: cfg80211: ensure length byte is present before access commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream. When iterating the elements here, ensure the length byte is present before checking it to see if the entire element will fit into the buffer. Longer term, we should rewrite this code using the type-safe element iteration macros that check all of this. Bug: 254180332 Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reported-by: Soenke Huster Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I6ece37c57ca56462566adbcac6def6b35dc5b799 --- net/wireless/scan.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index a5dc69e833ea..1b3ae8ce1113 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; - while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { + while (tmp_old + 2 - ie <= ielen && + tmp_old + tmp_old[1] + 2 - ie <= ielen) { if (tmp_old[0] == 0) { tmp_old++; continue; @@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new = sub_copy; - while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + while (tmp_new + 2 - sub_copy <= subie_len && + tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || tmp_new[0] == WLAN_EID_SSID)) { memcpy(pos, tmp_new, tmp_new[1] + 2); From 05a01222953204c840ff8dc52a36838fae49386c Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 30 Sep 2022 23:44:23 +0200 Subject: [PATCH 22/31] UPSTREAM: wifi: cfg80211: fix BSS refcounting bugs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream. There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro. - In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data. - In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there. This fixes CVE-2022-42720. Bug: 253642015 Reported-by: Sönke Huster Tested-by: Sönke Huster Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I408bf72ca59b6ffbe2aba460f3e9326bf1c94eec --- net/wireless/scan.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 1b3ae8ce1113..d7b92cb2b610 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_registered_device *rdev, lockdep_assert_held(&rdev->bss_lock); bss->refcount++; - if (bss->pub.hidden_beacon_bss) { - bss = container_of(bss->pub.hidden_beacon_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } - if (bss->pub.transmitted_bss) { - bss = container_of(bss->pub.transmitted_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } + + if (bss->pub.hidden_beacon_bss) + bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; + + if (bss->pub.transmitted_bss) + bss_from_pub(bss->pub.transmitted_bss)->refcount++; } static inline void bss_ref_put(struct cfg80211_registered_device *rdev, @@ -1736,6 +1730,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, new->refcount = 1; INIT_LIST_HEAD(&new->hidden_list); INIT_LIST_HEAD(&new->pub.nontrans_list); + /* we'll set this later if it was non-NULL */ + new->pub.transmitted_bss = NULL; if (rcu_access_pointer(tmp->pub.proberesp_ies)) { hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); @@ -1973,10 +1969,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, spin_lock_bh(&rdev->bss_lock); if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, &res->pub)) { - if (__cfg80211_unlink_bss(rdev, res)) + if (__cfg80211_unlink_bss(rdev, res)) { rdev->bss_generation++; + res = NULL; + } } spin_unlock_bh(&rdev->bss_lock); + + if (!res) + return NULL; } trace_cfg80211_return_bss(&res->pub); From 50e27143a5f7e4f602ac79a0d3c74b585b8ea419 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Sat, 1 Oct 2022 00:01:44 +0200 Subject: [PATCH 23/31] UPSTREAM: wifi: cfg80211: avoid nontransmitted BSS list corruption MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit bcca852027e5878aec911a347407ecc88d6fff7f upstream. If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted. Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS. This fixes CVE-2022-42721. Bug: 253642088 Reported-by: Sönke Huster Tested-by: Sönke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: If83261f8b711f5ad0ce922abea2c35fedbc36c39 --- net/wireless/scan.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index d7b92cb2b610..d1e338b85a82 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, rcu_read_unlock(); + /* + * This is a bit weird - it's not on the list, but already on another + * one! The only way that could happen is if there's some BSSID/SSID + * shared by multiple APs in their multi-BSSID profiles, potentially + * with hidden SSID mixed in ... ignore it. + */ + if (!list_empty(&nontrans_bss->nontrans_list)) + return -EINVAL; + /* add to the list */ list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); return 0; From 241426b24bf959b261a7c5a2eb46535ae7de4b65 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 5 Oct 2022 15:10:09 +0200 Subject: [PATCH 24/31] UPSTREAM: wifi: mac80211_hwsim: avoid mac80211 warning on bad rate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 1833b6f46d7e2830251a063935ab464256defe22 upstream. If the tool on the other side (e.g. wmediumd) gets confused about the rate, we hit a warning in mac80211. Silence that by effectively duplicating the check here and dropping the frame silently (in mac80211 it's dropped with the warning). Bug: 254180332 Reported-by: Sönke Huster Tested-by: Sönke Huster Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: Ieb3a258b998aca815efc5d09492ce66e461b5b88 --- drivers/net/wireless/mac80211_hwsim.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 2d1f7fb18381..07935e9671dd 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -3681,6 +3681,8 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, rx_status.band = channel->band; rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]); + if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates) + goto out; rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]); hdr = (void *)skb->data; From 3ea906ba30ebfbfba7e72dea6a5982966d2daa67 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 5 Oct 2022 21:24:10 +0200 Subject: [PATCH 25/31] UPSTREAM: wifi: mac80211: fix crash in beacon protection for P2P-device MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream. If beacon protection is active but the beacon cannot be decrypted or is otherwise malformed, we call the cfg80211 API to report this to userspace, but that uses a netdev pointer, which isn't present for P2P-Device. Fix this to call it only conditionally to ensure cfg80211 won't crash in the case of P2P-Device. This fixes CVE-2022-42722. Bug: 253642089 Reported-by: Sönke Huster Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: Ie3336b950136e26debbe835f97ad450d03f6baad --- net/mac80211/rx.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index e991abb45f68..97a63b940482 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -1975,10 +1975,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS || mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS + - NUM_DEFAULT_BEACON_KEYS) { - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, - skb->data, - skb->len); + NUM_DEFAULT_BEACON_KEYS) { + if (rx->sdata->dev) + cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, + skb->data, + skb->len); return RX_DROP_MONITOR; /* unexpected BIP keyidx */ } @@ -2126,7 +2127,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) /* either the frame has been decrypted or will be dropped */ status->flag |= RX_FLAG_DECRYPTED; - if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE)) + if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE && + rx->sdata->dev)) cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, skb->data, skb->len); From d6e68e31b8db0f1de585904b9b99070c22f1ac1f Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 5 Oct 2022 23:11:43 +0200 Subject: [PATCH 26/31] UPSTREAM: wifi: cfg80211: update hidden BSSes to avoid WARN_ON MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream. When updating beacon elements in a non-transmitted BSS, also update the hidden sub-entries to the same beacon elements, so that a future update through other paths won't trigger a WARN_ON(). The warning is triggered because the beacon elements in the hidden BSSes that are children of the BSS should always be the same as in the parent. Bug: 254180332 Reported-by: Sönke Huster Tested-by: Sönke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: Iea4669ba97b926dfa67e9592b3a263d3f18508e5 --- net/wireless/scan.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index d1e338b85a82..22d169923261 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1602,6 +1602,23 @@ struct cfg80211_non_tx_bss { u8 bssid_index; }; +static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, + const struct cfg80211_bss_ies *new_ies, + const struct cfg80211_bss_ies *old_ies) +{ + struct cfg80211_internal_bss *bss; + + /* Assign beacon IEs to all sub entries */ + list_for_each_entry(bss, &known->hidden_list, hidden_list) { + const struct cfg80211_bss_ies *ies; + + ies = rcu_access_pointer(bss->pub.beacon_ies); + WARN_ON(ies != old_ies); + + rcu_assign_pointer(bss->pub.beacon_ies, new_ies); + } +} + static bool cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, struct cfg80211_internal_bss *known, @@ -1625,7 +1642,6 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); } else if (rcu_access_pointer(new->pub.beacon_ies)) { const struct cfg80211_bss_ies *old; - struct cfg80211_internal_bss *bss; if (known->pub.hidden_beacon_bss && !list_empty(&known->hidden_list)) { @@ -1653,16 +1669,7 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, if (old == rcu_access_pointer(known->pub.ies)) rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); - /* Assign beacon IEs to all sub entries */ - list_for_each_entry(bss, &known->hidden_list, hidden_list) { - const struct cfg80211_bss_ies *ies; - - ies = rcu_access_pointer(bss->pub.beacon_ies); - WARN_ON(ies != old); - - rcu_assign_pointer(bss->pub.beacon_ies, - new->pub.beacon_ies); - } + cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old); if (old) kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); @@ -2309,6 +2316,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, } else { old = rcu_access_pointer(nontrans_bss->beacon_ies); rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies); + cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss), + new_ies, old); rcu_assign_pointer(nontrans_bss->ies, new_ies); if (old) kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); From 9ed9ab8ca922a763c7eed04aade6bf6d56b16def Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 14 Oct 2022 18:41:48 +0200 Subject: [PATCH 27/31] UPSTREAM: mac80211: mlme: find auth challenge directly There's no need to parse all elements etc. just to find the authentication challenge - use cfg80211_find_elem() instead. This also allows us to remove WLAN_EID_CHALLENGE handling from the element parsing entirely. Bug: 254180332 Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones (cherry picked from commit 66dacdbc2e830e1187bf0f1171ca257d816ab7e3) Change-Id: Ife49cbad96bb43064449d93b8f8ada9db24be540 --- net/mac80211/ieee80211_i.h | 2 -- net/mac80211/mlme.c | 11 ++++++----- net/mac80211/util.c | 4 ---- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index bcc94cc1b620..e11f6d3fbd2b 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1485,7 +1485,6 @@ struct ieee802_11_elems { const u8 *supp_rates; const u8 *ds_params; const struct ieee80211_tim_ie *tim; - const u8 *challenge; const u8 *rsn; const u8 *rsnx; const u8 *erp_info; @@ -1538,7 +1537,6 @@ struct ieee802_11_elems { u8 ssid_len; u8 supp_rates_len; u8 tim_len; - u8 challenge_len; u8 rsn_len; u8 rsnx_len; u8 ext_supp_rates_len; diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 3988403064ab..9e70cb86b420 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -2899,14 +2899,14 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata, { struct ieee80211_local *local = sdata->local; struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data; + const struct element *challenge; u8 *pos; - struct ieee802_11_elems elems; u32 tx_flags = 0; pos = mgmt->u.auth.variable; - ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, auth_data->bss->bssid); - if (!elems.challenge) + challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos, + len - (pos - (u8 *)mgmt)); + if (!challenge) return; auth_data->expected_transaction = 4; drv_mgd_prepare_tx(sdata->local, sdata, 0); @@ -2914,7 +2914,8 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata, tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS | IEEE80211_TX_INTFL_MLME_CONN_TX; ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0, - elems.challenge - 2, elems.challenge_len + 2, + (void *)challenge, + challenge->datalen + sizeof(*challenge), auth_data->bss->bssid, auth_data->bss->bssid, auth_data->key, auth_data->key_len, auth_data->key_idx, tx_flags); diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 11d5686893c6..e6b5d164a0ee 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1124,10 +1124,6 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, } else elem_parse_failed = true; break; - case WLAN_EID_CHALLENGE: - elems->challenge = pos; - elems->challenge_len = elen; - break; case WLAN_EID_VENDOR_SPECIFIC: if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && pos[2] == 0xf2) { From 173913b365bcfa2676720507ce6385851fd72bec Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 14 Oct 2022 18:41:49 +0200 Subject: [PATCH 28/31] UPSTREAM: wifi: mac80211: don't parse mbssid in assoc response This is simply not valid and simplifies the next commit. I'll make a separate patch for this in the current main tree as well. Bug: 254180332 Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones (cherry picked from commit 353b5c8d4bea712774ccc631782ed8cc3630528a) Change-Id: Ie554c036923c94b125035141a3bffafc129a5aa6 --- net/mac80211/mlme.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 9e70cb86b420..0163b835f608 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -3300,7 +3300,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata, } capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info); ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); if (elems->aid_resp) aid = le16_to_cpu(elems->aid_resp->aid); @@ -3708,7 +3708,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata, return; ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY && elems.timeout_int && From d61d7ebf6f563e45357027d1943d466e6872cf05 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 14 Oct 2022 18:41:50 +0200 Subject: [PATCH 29/31] UPSTREAM: wifi: mac80211: fix MBSSID parsing use-after-free Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream. This is a different version of the commit, changed to store the non-transmitted profile in the elems, and freeing it in the few places where it's relevant, since that is only the case when the last argument for parsing (the non-tx BSSID) is non-NULL. When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed. Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it. The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan. This fixes CVE-2022-42719. Bug: 253642087 Fixes: 5023b14cf4df ("mac80211: support profile split between elements") Co-developed-by: Ilan Peer Signed-off-by: Ilan Peer Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I68b07f5850a7ef363d631043d01f58a08aea9274 --- net/mac80211/ieee80211_i.h | 2 ++ net/mac80211/mlme.c | 6 +++++- net/mac80211/scan.c | 2 ++ net/mac80211/util.c | 7 ++++++- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index e11f6d3fbd2b..63499db5c63d 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1551,6 +1551,8 @@ struct ieee802_11_elems { u8 country_elem_len; u8 bssid_index_len; + void *nontx_profile; + /* whether a parse error occurred while retrieving these elements */ bool parse_error; }; diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 0163b835f608..c52b8eb7fb8a 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -3394,6 +3394,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata, sdata_info(sdata, "AP bug: VHT operation missing from AssocResp\n"); } + kfree(bss_elems.nontx_profile); } /* @@ -4045,6 +4046,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, ifmgd->assoc_data->timeout = jiffies; ifmgd->assoc_data->timeout_started = true; run_again(sdata, ifmgd->assoc_data->timeout); + kfree(elems.nontx_profile); return; } @@ -4222,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, ieee80211_report_disconnect(sdata, deauth_buf, sizeof(deauth_buf), true, WLAN_REASON_DEAUTH_LEAVING); - return; + goto free; } if (sta && elems.opmode_notif) @@ -4237,6 +4239,8 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, elems.cisco_dtpc_elem); ieee80211_bss_info_change_notify(sdata, changed); +free: + kfree(elems.nontx_profile); } void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata, diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 887f945bb12d..edd84f367880 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -227,6 +227,8 @@ ieee80211_bss_info_update(struct ieee80211_local *local, rx_status, beacon); } + kfree(elems.nontx_profile); + return bss; } diff --git a/net/mac80211/util.c b/net/mac80211/util.c index e6b5d164a0ee..7fa6efa8b83c 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1483,6 +1483,11 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, nontransmitted_profile, nontransmitted_profile_len); + if (!nontransmitted_profile_len) { + nontransmitted_profile_len = 0; + kfree(nontransmitted_profile); + nontransmitted_profile = NULL; + } } crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter, @@ -1512,7 +1517,7 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, offsetofend(struct ieee80211_bssid_index, dtim_count)) elems->dtim_count = elems->bssid_index->dtim_count; - kfree(nontransmitted_profile); + elems->nontx_profile = nontransmitted_profile; return crc; } From 5aec776ef8c9319df4938fa87e8f2df018426960 Mon Sep 17 00:00:00 2001 From: "T.J. Mercier" Date: Tue, 24 May 2022 23:36:36 +0000 Subject: [PATCH 30/31] BACKPORT: ANDROID: dma-buf: Move sysfs work out of DMA-BUF export path Recently, we noticed an issue where a process went into direct reclaim while holding the kernfs rw semaphore for sysfs in write (exclusive) mode. This caused processes who were doing DMA-BUF exports and releases to go into uninterruptible sleep since they needed to acquire the same semaphore for the DMA-BUF sysfs entry creation/deletion. In order to avoid blocking DMA-BUF export for an indeterminate amount of time while another process is holding the sysfs rw semaphore in exclusive mode, this patch moves the per-buffer sysfs file creation to the default work queue. Note that this can lead to a short-term inaccuracy in the dmabuf sysfs statistics, but this is a tradeoff to prevent the hot path from being blocked. A work_struct is added to dma_buf to achieve this, but as it is unioned with the kobject in the sysfs_entry, dma_buf does not increase in size. Fixes: bdb8d06dfefd ("dmabuf: Add the capability to expose DMA-BUF stats in sysfs") Originally-by: Hridya Valsaraju Signed-off-by: T.J. Mercier Bug: 206979019 Bug: 254192604 Link: https://lore.kernel.org/lkml/CABdmKX2dNYhgOYdrrJU6-jt6F=LjCidbKhR6t4F7yaa0SPr+-A@mail.gmail.com/T/ Conflicts: include/linux/dma-buf.h 1. The android12-5.10 KMI is frozen, and the modification to struct dma_buf_sysfs_entry in the original patch triggers ABI check failures. Instead of an anonymous union, use the existing struct kobject directly as a work_struct with type punning. (cherry picked from commit fc02d3582a6668bfff235c78f601fca0a15125da https://android.git.corp.google.com/kernel/common android13-5.10) Signed-off-by: T.J. Mercier Change-Id: Ic0386849b6b248b0a72215633fc1a50782455bac --- drivers/dma-buf/dma-buf-sysfs-stats.c | 66 +++++++++++++++++++++------ 1 file changed, 52 insertions(+), 14 deletions(-) diff --git a/drivers/dma-buf/dma-buf-sysfs-stats.c b/drivers/dma-buf/dma-buf-sysfs-stats.c index 2389a363bd3a..3c7bb2baf8da 100644 --- a/drivers/dma-buf/dma-buf-sysfs-stats.c +++ b/drivers/dma-buf/dma-buf-sysfs-stats.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "dma-buf-sysfs-stats.h" @@ -135,10 +136,51 @@ void dma_buf_uninit_sysfs_statistics(void) kset_unregister(dma_buf_stats_kset); } +static void sysfs_add_workfn(struct work_struct *work) +{ + /* The ABI would have to change for this to be false, but let's be paranoid. */ + _Static_assert(sizeof(struct kobject) >= sizeof(struct work_struct), + "kobject is smaller than work_struct"); + + struct dma_buf_sysfs_entry *sysfs_entry = + container_of((struct kobject *)work, struct dma_buf_sysfs_entry, kobj); + struct dma_buf *dmabuf = sysfs_entry->dmabuf; + + /* + * A dmabuf is ref-counted via its file member. If this handler holds the only + * reference to the dmabuf, there is no need for sysfs kobject creation. This is an + * optimization and a race; when the reference count drops to 1 immediately after + * this check it is not harmful as the sysfs entry will still get cleaned up in + * dma_buf_stats_teardown, which won't get called until the final dmabuf reference + * is released, and that can't happen until the end of this function. + */ + if (file_count(dmabuf->file) > 1) { + /* + * kobject_init_and_add expects kobject to be zero-filled, but we have populated it + * to trigger this work function. + */ + memset(&dmabuf->sysfs_entry->kobj, 0, sizeof(dmabuf->sysfs_entry->kobj)); + dmabuf->sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset; + if (kobject_init_and_add(&dmabuf->sysfs_entry->kobj, &dma_buf_ktype, NULL, + "%lu", file_inode(dmabuf->file)->i_ino)) { + kobject_put(&dmabuf->sysfs_entry->kobj); + dmabuf->sysfs_entry = NULL; + } + } else { + /* + * Free the sysfs_entry and reset the pointer so dma_buf_stats_teardown doesn't + * attempt to operate on it. + */ + kfree(dmabuf->sysfs_entry); + dmabuf->sysfs_entry = NULL; + } + dma_buf_put(dmabuf); +} + int dma_buf_stats_setup(struct dma_buf *dmabuf) { struct dma_buf_sysfs_entry *sysfs_entry; - int ret; + struct work_struct *work; if (!dmabuf || !dmabuf->file) return -EINVAL; @@ -148,25 +190,21 @@ int dma_buf_stats_setup(struct dma_buf *dmabuf) return -EINVAL; } - sysfs_entry = kzalloc(sizeof(struct dma_buf_sysfs_entry), GFP_KERNEL); + sysfs_entry = kmalloc(sizeof(struct dma_buf_sysfs_entry), GFP_KERNEL); if (!sysfs_entry) return -ENOMEM; - sysfs_entry->kobj.kset = dma_buf_per_buffer_stats_kset; sysfs_entry->dmabuf = dmabuf; - dmabuf->sysfs_entry = sysfs_entry; - /* create the directory for buffer stats */ - ret = kobject_init_and_add(&sysfs_entry->kobj, &dma_buf_ktype, NULL, - "%lu", file_inode(dmabuf->file)->i_ino); - if (ret) - goto err_sysfs_dmabuf; + /* + * The use of kobj as a work_struct is an ugly hack + * to avoid an ABI break in this frozen kernel. + */ + work = (struct work_struct *)&dmabuf->sysfs_entry->kobj; + INIT_WORK(work, sysfs_add_workfn); + get_dma_buf(dmabuf); /* This reference will be dropped in sysfs_add_workfn. */ + schedule_work(work); return 0; - -err_sysfs_dmabuf: - kobject_put(&sysfs_entry->kobj); - dmabuf->sysfs_entry = NULL; - return ret; } From af699fd6a21c46be1764ddf04c577e26fdba2687 Mon Sep 17 00:00:00 2001 From: Peifeng Li Date: Tue, 25 Oct 2022 17:20:35 +0800 Subject: [PATCH 31/31] ANDROID: vendor_hook: skip trace_android_vh_page_trylock_set when ignore_references is true Avoid async-reclaim to cause to reclaim-delay when ignore_references is true. Bug: 240003372 Signed-off-by: Peifeng Li Change-Id: Iaf50bd4ac53f748da0dac93324c6d94de11e01e9 --- mm/vmscan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/vmscan.c b/mm/vmscan.c index ea87d599199e..5f63e7d30bca 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -1352,8 +1352,8 @@ static unsigned int shrink_page_list(struct list_head *page_list, if (unlikely(PageTransHuge(page))) flags |= TTU_SPLIT_HUGE_PMD; - - trace_android_vh_page_trylock_set(page); + if (!ignore_references) + trace_android_vh_page_trylock_set(page); if (!try_to_unmap(page, flags)) { stat->nr_unmap_fail += nr_pages; if (!was_swapbacked && PageSwapBacked(page))