[u-boot,v3,01/39] regmap: fix a serious pointer casting bug

Message ID	20210316122609.6523-2-marek.behun@nic.cz
State	Superseded
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: =?utf-8?q?Marek_Beh=C3=BAn?= <marek.behun@nic.cz> To: u-boot@lists.denx.de, Simon Glass <sjg@chromium.org>, Heiko Schocher <hs@denx.de>, Patrick Delaunay <patrick.delaunay@st.com>, Patrice CHOTARD <patrice.chotard@foss.st.com>, Miquel Raynal <miquel.raynal@bootlin.com>, Tom Rini <trini@konsulko.com>, =?utf-8?q?Pali_Roh=C3=A1r?= <pali@kernel.org>, Stefan Roese <sr@denx.de>, Heinrich Schuchardt <xypron.glpk@gmx.de>, Alexander Graf <agraf@csgraf.de>, Marek Vasut <marex@denx.de>, Neil Armstrong <narmstrong@baylibre.com>, Ryder Lee <ryder.lee@mediatek.com>, Adam Ford <aford173@gmail.com>, Bin Meng <bmeng.cn@gmail.com>, Harald Seiler <hws@denx.de>, Tim Harvey <tharvey@gateworks.com> Cc: =?utf-8?q?Marek_Beh=C3=BAn?= <marek.behun@nic.cz> Subject: [PATCH u-boot v3 01/39] regmap: fix a serious pointer casting bug Date: Tue, 16 Mar 2021 13:25:31 +0100 Message-Id: <20210316122609.6523-2-marek.behun@nic.cz> In-Reply-To: <20210316122609.6523-1-marek.behun@nic.cz> References: <20210316122609.6523-1-marek.behun@nic.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	U-Boot LTO (Sandbox + Some ARM boards) \| expand [u-boot,v3,00/39] U-Boot LTO (Sandbox + Some ARM boards) [u-boot,v3,01/39] regmap: fix a serious pointer casting bug [u-boot,v3,02/39] api: fix a potential serious bug caused by undef CONFIG_SYS_64BIT_LBA [u-boot,v3,03/39] checkpatch: require quotes around section name in the __section() macro [u-boot,v3,04/39] treewide: Convert macro and uses of __section(foo) to __section("foo") [u-boot,v3,05/39] compiler.h: align the __ADDRESSABLE macro with Linux' version [u-boot,v3,06/39] linker_lists: prepare macros to avoid code repetition [u-boot,v3,07/39] test/py: improve regular expression for ut subtest symbol matcher [u-boot,v3,08/39] linker_lists: declare lists and entries as __ADDRESSABLE for LTO [u-boot,v3,09/39] string: make memcpy(), memset(), memcmp() and memmove() visible for LTO [u-boot,v3,10/39] efi_loader: fix warning when linking with LTO [u-boot,v3,11/39] efi_loader: add Sphinx doc for __efi_runtime and __efi_runtime_data [u-boot,v3,12/39] efi_loader: add macro for const EFI runtime data [u-boot,v3,13/39] efi_selftest: compiler flags for efi_selftest_miniapp_exception.o [u-boot,v3,14/39] lib: crc32: put the crc_table variable into efi_runtime_rodata section [u-boot,v3,15/39] Makefile, Makefile.spl: cosmetic change [u-boot,v3,16/39] build: use thin archives instead of incremental linking [u-boot,v3,17/39] build: support building with Link Time Optimizations [u-boot,v3,18/39] build: link with --build-id=none [u-boot,v3,19/39] sandbox: errno: avoid conflict with libc's errno [u-boot,v3,20/39] sandbox: use sections instead of symbols for getopt array boundaries [u-boot,v3,21/39] sandbox: make LTO available [u-boot,v3,22/39] sandbox: enable LTO by default [u-boot,v3,23/39] ARM: global_data: make set_gd() work for armv5 and armv6 [u-boot,v3,24/39] ARM: make gd a function call for LTO and set via set_gd() [u-boot,v3,25/39] ARM: fix LTO build for some thumb-interwork cases [u-boot,v3,26/39] ARM: fix LTO for imx28_xea [u-boot,v3,27/39] ARM: fix LTO for apf27 [u-boot,v3,28/39] ARM: fix LTO for keystone [u-boot,v3,29/39] ARM: kona: fix clk_bsc_enable() type mismatch for LTO [u-boot,v3,30/39] ARM: imx8m: fix imx_eqos_txclk_set_rate() type mismatch for LTO [u-boot,v3,31/39] ARM: fix LTO for seaboard [u-boot,v3,32/39] ARM: fix LTO for rockchip and samsung [u-boot,v3,33/39] ARM: omap3: fix LTO for DM3730 (and possibly other omap3 boards) [u-boot,v3,34/39] armv8: SPL: discard relocation information [u-boot,v3,35/39] ata: ahci: fix ahci_link_up() type mismatch for LTO [u-boot,v3,36/39] ARM: make LTO available [u-boot,v3,37/39] ARM: don't use -ffunction-sections/-fdata-sections with LTO build [u-boot,v3,38/39] ARM: don't use --gc-sections with LTO when using private libgcc [u-boot,v3,39/39] ARM: enable LTO for some boards

Message ID

20210316122609.6523-2-marek.behun@nic.cz

State

Superseded

Delegated to:

Tom Rini

Headers

From: =?utf-8?q?Marek_Beh=C3=BAn?= <marek.behun@nic.cz>
To: u-boot@lists.denx.de, Simon Glass <sjg@chromium.org>,
 Heiko Schocher <hs@denx.de>, Patrick Delaunay <patrick.delaunay@st.com>,
 Patrice CHOTARD <patrice.chotard@foss.st.com>,
 Miquel Raynal <miquel.raynal@bootlin.com>, Tom Rini <trini@konsulko.com>,
	=?utf-8?q?Pali_Roh=C3=A1r?= <pali@kernel.org>, Stefan Roese <sr@denx.de>,
 Heinrich Schuchardt <xypron.glpk@gmx.de>, Alexander Graf <agraf@csgraf.de>,
 Marek Vasut <marex@denx.de>, Neil Armstrong <narmstrong@baylibre.com>,
 Ryder Lee <ryder.lee@mediatek.com>, Adam Ford <aford173@gmail.com>,
 Bin Meng <bmeng.cn@gmail.com>, Harald Seiler <hws@denx.de>,
 Tim Harvey <tharvey@gateworks.com>
Cc: =?utf-8?q?Marek_Beh=C3=BAn?= <marek.behun@nic.cz>
Subject: [PATCH u-boot v3 01/39] regmap: fix a serious pointer casting bug
Date: Tue, 16 Mar 2021 13:25:31 +0100
Message-Id: <20210316122609.6523-2-marek.behun@nic.cz>
In-Reply-To: <20210316122609.6523-1-marek.behun@nic.cz>
References: <20210316122609.6523-1-marek.behun@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

U-Boot LTO (Sandbox + Some ARM boards) | expand

Commit Message

Marek Behún March 16, 2021, 12:25 p.m. UTC

There is a serious bug in regmap_read() and regmap_write() functions
where an uint pointer is cast to (void *) which is then cast to (u8 *),
(u16 *), (u32 *) or (u64 *), depending on register width of the map.

For example given a regmap with 16-bit register width the code
	int val = 0x12340000;
	regmap_read(map, 0, &val);
only changes the lower 16 bits of val on little-endian machines.
The upper 16 bits will remain 0x1234.

Nobody noticed this probably because this bug can be triggered with
regmap_write() only on big-endian architectures (which are not used by
many people anymore), and on little endian this bug has consequences
only if register width is 8 or 16 bits and also the memory place to
which regmap_read() should store it's result has non-zero upper bits,
which it seems doesn't happen anywhere in U-Boot normally. CI managed to
trigger this bug in unit test of dm_test_devm_regmap_field when compiled
for sandbox_defconfig using LTO.

Fix this simply by taking into account that regmap_raw_read() and
regmap_raw_write() behave as if the data given to these functions were
in little-endian format, i.e. use cpu_to_le32() / le32_to_cpu(). In
regmap_read() also zero out the space so that we don't get invalid
result if regmap_raw_read() does not fill the whole object.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heiko Schocher <hs@denx.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
---
 drivers/core/regmap.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

Comments

Pratyush Yadav March 16, 2021, 1:58 p.m. UTC | #1

On 16/03/21 01:25PM, Marek Behún wrote:
> There is a serious bug in regmap_read() and regmap_write() functions
> where an uint pointer is cast to (void *) which is then cast to (u8 *),
> (u16 *), (u32 *) or (u64 *), depending on register width of the map.
> 
> For example given a regmap with 16-bit register width the code
> 	int val = 0x12340000;
> 	regmap_read(map, 0, &val);
> only changes the lower 16 bits of val on little-endian machines.
> The upper 16 bits will remain 0x1234.
> 
> Nobody noticed this probably because this bug can be triggered with
> regmap_write() only on big-endian architectures (which are not used by
> many people anymore), and on little endian this bug has consequences
> only if register width is 8 or 16 bits and also the memory place to
> which regmap_read() should store it's result has non-zero upper bits,
> which it seems doesn't happen anywhere in U-Boot normally. CI managed to
> trigger this bug in unit test of dm_test_devm_regmap_field when compiled
> for sandbox_defconfig using LTO.
> 
> Fix this simply by taking into account that regmap_raw_read() and
> regmap_raw_write() behave as if the data given to these functions were
> in little-endian format, i.e. use cpu_to_le32() / le32_to_cpu(). In
> regmap_read() also zero out the space so that we don't get invalid
> result if regmap_raw_read() does not fill the whole object.
> 
> Signed-off-by: Marek Behún <marek.behun@nic.cz>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Reviewed-by: Heiko Schocher <hs@denx.de>
> Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
> ---
>  drivers/core/regmap.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
> index b51ce108c1..5d37006fff 100644
> --- a/drivers/core/regmap.c
> +++ b/drivers/core/regmap.c
> @@ -435,7 +435,16 @@ int regmap_raw_read(struct regmap *map, uint offset, void *valp, size_t val_len)
>  
>  int regmap_read(struct regmap *map, uint offset, uint *valp)
>  {
> -	return regmap_raw_read(map, offset, valp, map->width);
> +	int res;
> +
> +	*valp = 0;
> +	res = regmap_raw_read(map, offset, valp, map->width);
> +	if (res)
> +		return res;
> +
> +	*valp = le32_to_cpu(*valp);

Looks like I'm a bit late to the party and Simon has already applied 
this patch. Anyway, I don't see why this is correct. regmap_raw_read() 
calls regmap_raw_read_range(), which calls the helpers __read_16(), 
__read_32() and so on.

Take __read_16() for example. It takes the regmap's endianness and then 
based on that calls in_le16() or in_be16(). These calls translate to 
le16_to_cpu(__raw_readw(a)) or be16_to_cpu(__raw_readw(a)). Or the 
regmap is native endian in which case it is a simple readw(a).

In all 3 cases the value returned is in cpu endianness. But you claim 
that "regmap_raw_read() and regmap_raw_write() behave as if the data 
given to these functions were in little-endian format".

This is fine on a little endian cpu but on a big endian cpu you would 
reverse the byte order, no? Same for writes.

> +
> +	return 0;
>  }
>  
>  static inline void __write_8(u8 *addr, const u8 *val,
> @@ -546,6 +555,8 @@ int regmap_raw_write(struct regmap *map, uint offset, const void *val,
>  
>  int regmap_write(struct regmap *map, uint offset, uint val)
>  {
> +	val = cpu_to_le32(val);
> +
>  	return regmap_raw_write(map, offset, &val, map->width);
>  }
>  
> -- 
> 2.26.2
>

Marek Behún March 16, 2021, 2:15 p.m. UTC | #2

On Tue, 16 Mar 2021 19:28:46 +0530
Pratyush Yadav <p.yadav@ti.com> wrote:

> On 16/03/21 01:25PM, Marek Behún wrote:
> > There is a serious bug in regmap_read() and regmap_write() functions
> > where an uint pointer is cast to (void *) which is then cast to (u8 *),
> > (u16 *), (u32 *) or (u64 *), depending on register width of the map.
> > 
> > For example given a regmap with 16-bit register width the code
> > 	int val = 0x12340000;
> > 	regmap_read(map, 0, &val);
> > only changes the lower 16 bits of val on little-endian machines.
> > The upper 16 bits will remain 0x1234.
> > 
> > Nobody noticed this probably because this bug can be triggered with
> > regmap_write() only on big-endian architectures (which are not used by
> > many people anymore), and on little endian this bug has consequences
> > only if register width is 8 or 16 bits and also the memory place to
> > which regmap_read() should store it's result has non-zero upper bits,
> > which it seems doesn't happen anywhere in U-Boot normally. CI managed to
> > trigger this bug in unit test of dm_test_devm_regmap_field when compiled
> > for sandbox_defconfig using LTO.
> > 
> > Fix this simply by taking into account that regmap_raw_read() and
> > regmap_raw_write() behave as if the data given to these functions were
> > in little-endian format, i.e. use cpu_to_le32() / le32_to_cpu(). In
> > regmap_read() also zero out the space so that we don't get invalid
> > result if regmap_raw_read() does not fill the whole object.
> > 
> > Signed-off-by: Marek Behún <marek.behun@nic.cz>
> > Reviewed-by: Simon Glass <sjg@chromium.org>
> > Reviewed-by: Heiko Schocher <hs@denx.de>
> > Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
> > ---
> >  drivers/core/regmap.c | 13 ++++++++++++-
> >  1 file changed, 12 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
> > index b51ce108c1..5d37006fff 100644
> > --- a/drivers/core/regmap.c
> > +++ b/drivers/core/regmap.c
> > @@ -435,7 +435,16 @@ int regmap_raw_read(struct regmap *map, uint offset, void *valp, size_t val_len)
> >  
> >  int regmap_read(struct regmap *map, uint offset, uint *valp)
> >  {
> > -	return regmap_raw_read(map, offset, valp, map->width);
> > +	int res;
> > +
> > +	*valp = 0;
> > +	res = regmap_raw_read(map, offset, valp, map->width);
> > +	if (res)
> > +		return res;
> > +
> > +	*valp = le32_to_cpu(*valp);  
> 
> Looks like I'm a bit late to the party and Simon has already applied 
> this patch.

Where did he apply? I don't see it applied in u-boot-dm.

> Anyway, I don't see why this is correct. regmap_raw_read() 
> calls regmap_raw_read_range(), which calls the helpers __read_16(), 
> __read_32() and so on.
> 
> Take __read_16() for example. It takes the regmap's endianness and then 
> based on that calls in_le16() or in_be16(). These calls translate to 
> le16_to_cpu(__raw_readw(a)) or be16_to_cpu(__raw_readw(a)). Or the 
> regmap is native endian in which case it is a simple readw(a).
> 
> In all 3 cases the value returned is in cpu endianness. But you claim 
> that "regmap_raw_read() and regmap_raw_write() behave as if the data 
> given to these functions were in little-endian format".
> 
> This is fine on a little endian cpu but on a big endian cpu you would 
> reverse the byte order, no? Same for writes.

I made a mistake.

Somehow I thought that le32_to_cpu() will fix this, because it will
move the read bytes into the correct position. But somehow I forgot that
it will also reverse the byte order /o\ :D

I shall fix this and send a new version :D

Pratyush Yadav March 16, 2021, 3:29 p.m. UTC | #3

On 16/03/21 03:15PM, Marek Behun wrote:
> On Tue, 16 Mar 2021 19:28:46 +0530
> Pratyush Yadav <p.yadav@ti.com> wrote:
> 
> > On 16/03/21 01:25PM, Marek Behún wrote:
> > > There is a serious bug in regmap_read() and regmap_write() functions
> > > where an uint pointer is cast to (void *) which is then cast to (u8 *),
> > > (u16 *), (u32 *) or (u64 *), depending on register width of the map.
> > > 
> > > For example given a regmap with 16-bit register width the code
> > > 	int val = 0x12340000;
> > > 	regmap_read(map, 0, &val);
> > > only changes the lower 16 bits of val on little-endian machines.
> > > The upper 16 bits will remain 0x1234.
> > > 
> > > Nobody noticed this probably because this bug can be triggered with
> > > regmap_write() only on big-endian architectures (which are not used by
> > > many people anymore), and on little endian this bug has consequences
> > > only if register width is 8 or 16 bits and also the memory place to
> > > which regmap_read() should store it's result has non-zero upper bits,
> > > which it seems doesn't happen anywhere in U-Boot normally. CI managed to
> > > trigger this bug in unit test of dm_test_devm_regmap_field when compiled
> > > for sandbox_defconfig using LTO.
> > > 
> > > Fix this simply by taking into account that regmap_raw_read() and
> > > regmap_raw_write() behave as if the data given to these functions were
> > > in little-endian format, i.e. use cpu_to_le32() / le32_to_cpu(). In
> > > regmap_read() also zero out the space so that we don't get invalid
> > > result if regmap_raw_read() does not fill the whole object.
> > > 
> > > Signed-off-by: Marek Behún <marek.behun@nic.cz>
> > > Reviewed-by: Simon Glass <sjg@chromium.org>
> > > Reviewed-by: Heiko Schocher <hs@denx.de>
> > > Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
> > > ---
> > >  drivers/core/regmap.c | 13 ++++++++++++-
> > >  1 file changed, 12 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
> > > index b51ce108c1..5d37006fff 100644
> > > --- a/drivers/core/regmap.c
> > > +++ b/drivers/core/regmap.c
> > > @@ -435,7 +435,16 @@ int regmap_raw_read(struct regmap *map, uint offset, void *valp, size_t val_len)
> > >  
> > >  int regmap_read(struct regmap *map, uint offset, uint *valp)
> > >  {
> > > -	return regmap_raw_read(map, offset, valp, map->width);
> > > +	int res;
> > > +
> > > +	*valp = 0;
> > > +	res = regmap_raw_read(map, offset, valp, map->width);
> > > +	if (res)
> > > +		return res;
> > > +
> > > +	*valp = le32_to_cpu(*valp);  
> > 
> > Looks like I'm a bit late to the party and Simon has already applied 
> > this patch.
> 
> Where did he apply? I don't see it applied in u-boot-dm.

  Message-ID: <CAPnjgZ3rE-UGjBk+sHasZy=aFbPRg3yxyG8OyAihX6yRUG3tgg@mail.gmail.com>

The quoting is off but look at the last line, it says "applied to 
u-boot-dm/next".

Marek Behún March 16, 2021, 3:52 p.m. UTC | #4

On Tue, 16 Mar 2021 20:59:55 +0530
Pratyush Yadav <p.yadav@ti.com> wrote:

> On 16/03/21 03:15PM, Marek Behun wrote:
> > On Tue, 16 Mar 2021 19:28:46 +0530
> > Pratyush Yadav <p.yadav@ti.com> wrote:
> >   
> > > On 16/03/21 01:25PM, Marek Behún wrote:  
> > > > There is a serious bug in regmap_read() and regmap_write() functions
> > > > where an uint pointer is cast to (void *) which is then cast to (u8 *),
> > > > (u16 *), (u32 *) or (u64 *), depending on register width of the map.
> > > > 
> > > > For example given a regmap with 16-bit register width the code
> > > > 	int val = 0x12340000;
> > > > 	regmap_read(map, 0, &val);
> > > > only changes the lower 16 bits of val on little-endian machines.
> > > > The upper 16 bits will remain 0x1234.
> > > > 
> > > > Nobody noticed this probably because this bug can be triggered with
> > > > regmap_write() only on big-endian architectures (which are not used by
> > > > many people anymore), and on little endian this bug has consequences
> > > > only if register width is 8 or 16 bits and also the memory place to
> > > > which regmap_read() should store it's result has non-zero upper bits,
> > > > which it seems doesn't happen anywhere in U-Boot normally. CI managed to
> > > > trigger this bug in unit test of dm_test_devm_regmap_field when compiled
> > > > for sandbox_defconfig using LTO.
> > > > 
> > > > Fix this simply by taking into account that regmap_raw_read() and
> > > > regmap_raw_write() behave as if the data given to these functions were
> > > > in little-endian format, i.e. use cpu_to_le32() / le32_to_cpu(). In
> > > > regmap_read() also zero out the space so that we don't get invalid
> > > > result if regmap_raw_read() does not fill the whole object.
> > > > 
> > > > Signed-off-by: Marek Behún <marek.behun@nic.cz>
> > > > Reviewed-by: Simon Glass <sjg@chromium.org>
> > > > Reviewed-by: Heiko Schocher <hs@denx.de>
> > > > Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
> > > > ---
> > > >  drivers/core/regmap.c | 13 ++++++++++++-
> > > >  1 file changed, 12 insertions(+), 1 deletion(-)
> > > > 
> > > > diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
> > > > index b51ce108c1..5d37006fff 100644
> > > > --- a/drivers/core/regmap.c
> > > > +++ b/drivers/core/regmap.c
> > > > @@ -435,7 +435,16 @@ int regmap_raw_read(struct regmap *map, uint offset, void *valp, size_t val_len)
> > > >  
> > > >  int regmap_read(struct regmap *map, uint offset, uint *valp)
> > > >  {
> > > > -	return regmap_raw_read(map, offset, valp, map->width);
> > > > +	int res;
> > > > +
> > > > +	*valp = 0;
> > > > +	res = regmap_raw_read(map, offset, valp, map->width);
> > > > +	if (res)
> > > > +		return res;
> > > > +
> > > > +	*valp = le32_to_cpu(*valp);    
> > > 
> > > Looks like I'm a bit late to the party and Simon has already applied 
> > > this patch.  
> > 
> > Where did he apply? I don't see it applied in u-boot-dm.  
> 
>   Message-ID: <CAPnjgZ3rE-UGjBk+sHasZy=aFbPRg3yxyG8OyAihX6yRUG3tgg@mail.gmail.com>
> 
> The quoting is off but look at the last line, it says "applied to 
> u-boot-dm/next".
> 

Ah, my mail client failed to parse that mail.
Simon, will you drop the patch or shall I write a fix?

Marek

diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index b51ce108c1..5d37006fff 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -435,7 +435,16 @@  int regmap_raw_read(struct regmap *map, uint offset, void *valp, size_t val_len)
 
 int regmap_read(struct regmap *map, uint offset, uint *valp)
 {
-	return regmap_raw_read(map, offset, valp, map->width);
+	int res;
+
+	*valp = 0;
+	res = regmap_raw_read(map, offset, valp, map->width);
+	if (res)
+		return res;
+
+	*valp = le32_to_cpu(*valp);
+
+	return 0;
 }
 
 static inline void __write_8(u8 *addr, const u8 *val,
@@ -546,6 +555,8 @@  int regmap_raw_write(struct regmap *map, uint offset, const void *val,
 
 int regmap_write(struct regmap *map, uint offset, uint val)
 {
+	val = cpu_to_le32(val);
+
 	return regmap_raw_write(map, offset, &val, map->width);
 }

[u-boot,v3,01/39] regmap: fix a serious pointer casting bug

Commit Message

Comments

Patch