Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: handle invalid dinode in ocfs2_group_extend<br /> <br /> [BUG]<br /> kernel BUG at fs/ocfs2/resize.c:308!<br /> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI<br /> RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308<br /> Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe<br /> Call Trace:<br /> ...<br /> ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:597 [inline]<br /> __se_sys_ioctl fs/ioctl.c:583 [inline]<br /> __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583<br /> x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> ...<br /> <br /> [CAUSE]<br /> ocfs2_group_extend() assumes that the global bitmap inode block<br /> returned from ocfs2_inode_lock() has already been validated and<br /> BUG_ONs when the signature is not a dinode. That assumption is too<br /> strong for crafted filesystems because the JBD2-managed buffer path<br /> can bypass structural validation and return an invalid dinode to the<br /> resize ioctl.<br /> <br /> [FIX]<br /> Validate the dinode explicitly in ocfs2_group_extend(). If the global<br /> bitmap buffer does not contain a valid dinode, report filesystem<br /> corruption with ocfs2_error() and fail the resize operation instead of<br /> crashing the kernel.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY<br /> <br /> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,<br /> as documented in mm/filemap.c:<br /> <br /> "If our return value has VM_FAULT_RETRY set, it&amp;#39;s because the mmap_lock<br /> may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."<br /> <br /> When this happens, a concurrent munmap() can call remove_vma() and free<br /> the vm_area_struct via RCU. The saved &amp;#39;vma&amp;#39; pointer in ocfs2_fault() then<br /> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call<br /> dereferences it -- a use-after-free.<br /> <br /> Fix this by saving ip_blkno as a plain integer before calling<br /> filemap_fault(), and removing vma from the trace event. Since<br /> ip_blkno is copied by value before the lock can be dropped, it<br /> remains valid regardless of what happens to the vma or inode<br /> afterward.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix possible deadlock between unlink and dio_end_io_write<br /> <br /> ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem,<br /> while in ocfs2_dio_end_io_write, it acquires these locks in reverse order.<br /> This creates an ABBA lock ordering violation on lock classes<br /> ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and<br /> ocfs2_file_ip_alloc_sem_key.<br /> <br /> Lock Chain #0 (orphan dir inode_lock -&gt; ip_alloc_sem):<br /> ocfs2_unlink<br /> ocfs2_prepare_orphan_dir<br /> ocfs2_lookup_lock_orphan_dir<br /> inode_lock(orphan_dir_inode) ip_alloc_sem) orphan dir inode_lock):<br /> ocfs2_dio_end_io_write<br /> down_write(&amp;oi-&gt;ip_alloc_sem)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION<br /> <br /> Drop the WARN in sev_pin_memory() on npages overflowing an int, as the<br /> WARN is comically trivially to trigger from userspace, e.g. by doing:<br /> <br /> struct kvm_enc_region range = {<br /> .addr = 0,<br /> .size = -1ul,<br /> };<br /> <br /> __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &amp;range);<br /> <br /> Note, the checks in sev_mem_enc_register_region() that presumably exist to<br /> verify the incoming address+size are completely worthless, as both "addr"<br /> and "size" are u64s and SEV is 64-bit only, i.e. they _can&amp;#39;t_ be greater<br /> than ULONG_MAX. That wart will be cleaned up in the near future.<br /> <br /> if (range-&gt;addr &gt; ULONG_MAX || range-&gt;size &gt; ULONG_MAX)<br /> return -EINVAL;<br /> <br /> Opportunistically add a comment to explain why the code calculates the<br /> number of pages the "hard" way, e.g. instead of just shifting @ulen.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish<br /> <br /> Lock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as<br /> allowing userspace to manipulate and/or run a vCPU while its state is being<br /> synchronized would at best corrupt vCPU state, and at worst crash the host<br /> kernel.<br /> <br /> Opportunistically assert that vcpu-&gt;mutex is held when synchronizing its<br /> VMSA (the SEV-ES path already locks vCPUs).

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm-&gt;lock<br /> <br /> Take and hold kvm-&gt;lock for before checking sev_guest() in<br /> sev_mem_enc_register_region(), as sev_guest() isn&amp;#39;t stable unless kvm-&gt;lock<br /> is held (or KVM can guarantee KVM_SEV_INIT{2} has completed and can&amp;#39;t<br /> rollack state). If KVM_SEV_INIT{2} fails, KVM can end up trying to add to<br /> a not-yet-initialized sev-&gt;regions_list, e.g. triggering a #GP<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> CPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G U W O 6.16.0-smp-DEV #1 NONE<br /> Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE<br /> Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024<br /> RIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83<br /> Code: 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00<br /> RSP: 0018:ffff88838647fbb8 EFLAGS: 00010256<br /> RAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000<br /> RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000<br /> RBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000<br /> R10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000<br /> R13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000<br /> FS: 00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0<br /> Call Trace:<br /> <br /> kvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371<br /> kvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363<br /> __se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51<br /> do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0x6f/0x1f0 ../arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> RIP: 0033:0x7f34e9f7e9a9<br /> Code: 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> RAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9<br /> RDX: 0000200000000280 RSI: 000000008010aebb RDI: 0000000000000007<br /> RBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8<br /> <br /> <br /> with a syzlang reproducer that looks like:<br /> <br /> syz_kvm_add_vcpu$x86(0x0, &amp;(0x7f0000000040)={0x0, &amp;(0x7f0000000180)=ANY=[], 0x70}) (async)<br /> syz_kvm_add_vcpu$x86(0x0, &amp;(0x7f0000000080)={0x0, &amp;(0x7f0000000180)=ANY=[@ANYBLOB="..."], 0x4f}) (async)<br /> r0 = openat$kvm(0xffffffffffffff9c, &amp;(0x7f0000000200), 0x0, 0x0)<br /> r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)<br /> r2 = openat$kvm(0xffffffffffffff9c, &amp;(0x7f0000000240), 0x0, 0x0)<br /> r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)<br /> ioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &amp;(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async)<br /> ioctl$KVM_SET_PIT2(r3, 0x8010aebb, &amp;(0x7f0000000280)={[...], 0x5}) (async)<br /> ioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async)<br /> r4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0)<br /> openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async)<br /> ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &amp;(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &amp;(0x7f0000001000/0x2000)=nil}) (async)<br /> r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)<br /> close(r0) (async)<br /> openat$kvm(0xffffffffffffff9c, &amp;(0x7f0000000000), 0x8000, 0x0) (async)<br /> ioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &amp;(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async)<br /> ioctl$KVM_RUN(r5, 0xae80, 0x0)<br /> <br /> Opportunistically use guard() to avoid having to define a new error label<br /> and goto usage.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU<br /> <br /> Reject synchronizing vCPU state to its associated VMSA if the vCPU has<br /> already been launched, i.e. if the VMSA has already been encrypted. On a<br /> host with SNP enabled, accessing guest-private memory generates an RMP #PF<br /> and panics the host.<br /> <br /> BUG: unable to handle page fault for address: ff1276cbfdf36000<br /> #PF: supervisor write access in kernel mode<br /> #PF: error_code(0x80000003) - RMP violation<br /> PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163<br /> SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]<br /> Oops: Oops: 0003 [#1] SMP NOPTI<br /> CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G OE<br /> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023<br /> RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]<br /> Call Trace:<br /> <br /> snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]<br /> snp_launch_finish+0xb6/0x380 [kvm_amd]<br /> sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]<br /> kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]<br /> kvm_vm_ioctl+0x3fd/0xcc0 [kvm]<br /> __x64_sys_ioctl+0xa3/0x100<br /> x64_sys_call+0xfe0/0x2350<br /> do_syscall_64+0x81/0x10f0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> RIP: 0033:0x7ffff673287d<br /> <br /> <br /> Note, the KVM flaw has been present since commit ad73109ae7ec ("KVM: SVM:<br /> Provide support to launch and run an SEV-ES guest"), but has only been<br /> actively dangerous for the host since SNP support was added. With SEV-ES,<br /> KVM would "just" clobber guest state, which is totally fine from a host<br /> kernel perspective since userspace can clobber guest state any time before<br /> sev_launch_update_vmsa().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: call -&gt;free_folio() directly in folio_unmap_invalidate()<br /> <br /> We can only call filemap_free_folio() if we have a reference to (or hold a<br /> lock on) the mapping. Otherwise, we&amp;#39;ve already removed the folio from the<br /> mapping so it no longer pins the mapping and the mapping can be removed,<br /> causing a use-after-free when accessing mapping-&gt;a_ops.<br /> <br /> Follow the same pattern as __remove_mapping() and load the free_folio<br /> function pointer before dropping the lock on the mapping. That lets us<br /> make filemap_free_folio() static as this was the only caller outside<br /> filemap.c.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: em28xx: fix use-after-free in em28xx_v4l2_open()<br /> <br /> em28xx_v4l2_open() reads dev-&gt;v4l2 without holding dev-&gt;lock,<br /> creating a race with em28xx_v4l2_init()&amp;#39;s error path and<br /> em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct<br /> and set dev-&gt;v4l2 to NULL under dev-&gt;lock.<br /> <br /> This race leads to two issues:<br /> - use-after-free in v4l2_fh_init() when accessing vdev-&gt;ctrl_handler,<br /> since the video_device is embedded in the freed em28xx_v4l2 struct.<br /> - NULL pointer dereference in em28xx_resolution_set() when accessing<br /> v4l2-&gt;norm, since dev-&gt;v4l2 has been set to NULL.<br /> <br /> Fix this by moving the mutex_lock() before the dev-&gt;v4l2 read and<br /> adding a NULL check for dev-&gt;v4l2 under the lock.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: fix use-after-free in encoder release path<br /> <br /> The fops_vcodec_release() function frees the context structure (ctx)<br /> without first cancelling any pending or running work in ctx-&gt;encode_work.<br /> This creates a race window where the workqueue handler (mtk_venc_worker)<br /> may still be accessing the context memory after it has been freed.<br /> <br /> Race condition:<br /> <br /> CPU 0 (release path) CPU 1 (workqueue)<br /> --------------------- ------------------<br /> fops_vcodec_release()<br /> v4l2_m2m_ctx_release()<br /> v4l2_m2m_cancel_job()<br /> // waits for m2m job "done"<br /> mtk_venc_worker()<br /> v4l2_m2m_job_finish()<br /> // m2m job "done"<br /> // BUT worker still running!<br /> // post-job_finish access:<br /> other ctx dereferences<br /> // UAF if ctx already freed<br /> // returns (job "done")<br /> kfree(ctx) // ctx freed<br /> <br /> Root cause: The v4l2_m2m_ctx_release() only waits for the m2m job<br /> lifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.<br /> After v4l2_m2m_job_finish() is called, the m2m framework considers<br /> the job complete and v4l2_m2m_ctx_release() returns, but the worker<br /> function continues executing and may still access ctx.<br /> <br /> The work is queued during encode operations via:<br /> queue_work(ctx-&gt;dev-&gt;encode_workqueue, &amp;ctx-&gt;encode_work)<br /> The worker function accesses ctx-&gt;m2m_ctx, ctx-&gt;dev, and other ctx<br /> fields even after calling v4l2_m2m_job_finish().<br /> <br /> This vulnerability was confirmed with KASAN by running an instrumented<br /> test module that widens the post-job_finish race window. KASAN detected:<br /> <br /> BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180<br /> Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12<br /> <br /> Workqueue: mtk_vcodec_enc_wq mtk_venc_worker<br /> <br /> Allocated by task 47:<br /> __kasan_kmalloc+0x7f/0x90<br /> fops_vcodec_open+0x85/0x1a0<br /> <br /> Freed by task 47:<br /> __kasan_slab_free+0x43/0x70<br /> kfree+0xee/0x3a0<br /> fops_vcodec_release+0xb7/0x190<br /> <br /> Fix this by calling cancel_work_sync(&amp;ctx-&gt;encode_work) before kfree(ctx).<br /> This ensures the workqueue handler is both cancelled (if pending) and<br /> synchronized (waits for any running handler to complete) before the<br /> context is freed.<br /> <br /> Placement rationale: The fix is placed after v4l2_ctrl_handler_free()<br /> and before list_del_init(&amp;ctx-&gt;list). At this point, all m2m operations<br /> are done (v4l2_m2m_ctx_release() has returned), and we need to ensure<br /> the workqueue is synchronized before removing ctx from the list and<br /> freeing it.<br /> <br /> Note: The open error path does NOT need cancel_work_sync() because<br /> INIT_WORK() only initializes the work structure - it does not schedule<br /> it. Work is only scheduled later during device_run() operations.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: vidtv: fix nfeeds state corruption on start_streaming failure<br /> <br /> syzbot reported a memory leak in vidtv_psi_service_desc_init [1].<br /> <br /> When vidtv_start_streaming() fails inside vidtv_start_feed(), the<br /> nfeeds counter is left incremented even though no feed was actually<br /> started. This corrupts the driver state: subsequent start_feed calls<br /> see nfeeds &gt; 1 and skip starting the mux, while stop_feed calls<br /> eventually try to stop a non-existent stream.<br /> <br /> This state corruption can also lead to memory leaks, since the mux<br /> and channel resources may be partially allocated during a failed<br /> start_streaming but never cleaned up, as the stop path finds<br /> dvb-&gt;streaming == false and returns early.<br /> <br /> Fix by decrementing nfeeds back when start_streaming fails, keeping<br /> the counter in sync with the actual number of active feeds.<br /> <br /> [1]<br /> BUG: memory leak<br /> unreferenced object 0xffff888145b50820 (size 32):<br /> comm "syz.0.17", pid 6068, jiffies 4294944486<br /> backtrace (crc 90a0c7d4):<br /> vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288<br /> vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83<br /> vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524<br /> vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518<br /> vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]<br /> vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()<br /> <br /> cgwb_release_workfn() calls css_put(wb-&gt;blkcg_css) and then later accesses<br /> wb-&gt;blkcg_css again via blkcg_unpin_online(). If css_put() drops the last<br /> reference, the blkcg can be freed asynchronously (css_free_rwork_fn -&gt;<br /> blkcg_css_free -&gt; kfree) before blkcg_unpin_online() dereferences the<br /> pointer to access blkcg-&gt;online_pin, resulting in a use-after-free:<br /> <br /> BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)<br /> Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531<br /> Workqueue: cgwb_release cgwb_release_workfn<br /> Call Trace:<br /> <br /> blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)<br /> cgwb_release_workfn (mm/backing-dev.c:629)<br /> process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)<br /> <br /> Freed by task 1016:<br /> kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)<br /> css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)<br /> process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)<br /> <br /> ** Stack based on commit 66672af7a095 ("Add linux-next specific files<br /> for 20260410")<br /> <br /> I am seeing this crash sporadically in Meta fleet across multiple kernel<br /> versions. A full reproducer is available at:<br /> https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh<br /> <br /> (The race window is narrow. To make it easily reproducible, inject a<br /> msleep(100) between css_put() and blkcg_unpin_online() in<br /> cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the<br /> reproducer triggers the splat reliably in less than a second.)<br /> <br /> Fix this by moving blkcg_unpin_online() before css_put(), so the<br /> cgwb&amp;#39;s CSS reference keeps the blkcg alive while blkcg_unpin_online()<br /> accesses it.