It looks like gcc 11.1 or glib 2.68.1 breaks ntpsec with seccomp enabled, during crash i get Bad system call and nothing more informative, recompiling of ntpsec doesnt help, if i compile it without seccomp it works fine. Im gonna try to revert glib and gcc one by one later to find exact culprit, reverting gcc takes a while and doesnt have an hour+ right now :) Reproducible: Always Actual Results: 2021-04-28T08:25:08 ntpd[2442]: INIT: ntpd ntpsec-1.2.0 2021-04-28T06:22:40Z: Starting 2021-04-28T08:25:08 ntpd[2442]: INIT: Command line: /usr/sbin/ntpd -p /run/ntpd.pid -g -u ntp:ntp -d 10 2021-04-28T08:25:08 ntpd[2442]: INIT: precision = 0.063 usec (-24) 2021-04-28T08:25:08 ntpd[2442]: INIT: successfully locked into RAM 2021-04-28T08:25:08 ntpd[2442]: CONFIG: readconfig: parsing file: /etc/ntp.conf 2021-04-28T08:25:08 ntpd[2442]: CONFIG: readconfig: parsing directory: /etc/ntp.d 2021-04-28T08:25:08 ntpd[2442]: INIT: Using SO_TIMESTAMPNS 2021-04-28T08:25:08 ntpd[2442]: IO: Listen normally on 0 lo 127.0.0.1:123 2021-04-28T08:25:08 ntpd[2442]: IO: Listen normally on 1 wan 84.255.207.212:123 2021-04-28T08:25:08 ntpd[2442]: IO: Listen normally on 2 lan 10.0.0.1:123 2021-04-28T08:25:08 ntpd[2442]: IO: Listen normally on 3 lo [::1]:123 2021-04-28T08:25:08 ntpd[2442]: IO: Listen normally on 4 lan [2a01:260:4085:1000::1]:123 2021-04-28T08:25:08 ntpd[2442]: IO: Listening on routing socket on fd #21 for interface updates 2021-04-28T08:25:08 ntpd[2442]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes 2021-04-28T08:25:08 ntpd[2442]: INIT: OpenSSL 1.1.1k 25 Mar 2021, 101010bf 2021-04-28T08:25:08 ntpd[2442]: NTSs: starting NTS-KE server listening on port 4460 2021-04-28T08:25:08 ntpd[2442]: NTSs: OpenSSL security level is 1 2021-04-28T08:25:08 ntpd[2442]: NTSs: starting NTS-KE server listening on port 4460 2021-04-28T08:25:08 ntpd[2442]: NTSs: listen4 worked 2021-04-28T08:25:08 ntpd[2442]: NTSs: listen6 worked 2021-04-28T08:25:08 ntpd[2442]: NTSc: Using system default root certificates. 2021-04-28T08:25:08 ntpd[2442]: INIT: sandbox: seccomp enabled. 2021-04-28T08:25:08 ntpd[2442]: NTSs: loaded certificate (chain) from /etc/acme-sh/mihgroup.net_ecc/fullchain.cer 2021-04-28T08:25:08 ntpd[2442]: NTSs: loaded private key from /etc/acme-sh/mihgroup.net_ecc/mihgroup.net.key 2021-04-28T08:25:08 ntpd[2442]: NTSs: Private Key OK 2021-04-28T08:25:09 ntpd[2442]: DNS: dns_probe: 10, cast_flags:1, flags:20901 Bad system call Portage 3.0.18 (python 3.8.9-final-0, default/linux/amd64/17.1/hardened, gcc-11.1.0, glibc-2.33, 5.12.0-gentoo x86_64) ================================================================= System uname: Linux-5.12.0-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_X5670_@_2.93GHz-with-glibc2.2.5 KiB Mem: 12268380 total, 472936 free KiB Swap: 16777684 total, 16748500 free Timestamp of repository gentoo: Wed, 28 Apr 2021 06:05:21 +0000 Head commit of repository gentoo: c8ed3fb48e4b37564ff7341e3ac79986ae05067d sh bash 5.1_p4 ld GNU ld (Gentoo 2.36.1 p3) 2.36.1 app-shells/bash: 5.1_p4::gentoo dev-lang/perl: 5.32.1::gentoo dev-lang/python: 3.8.9::gentoo dev-util/cmake: 3.20.1::gentoo dev-util/pkgconfig: 0.29.2::gentoo sys-apps/baselayout: 2.7-r2::gentoo sys-apps/openrc: 0.43.3::gentoo sys-apps/sandbox: 2.23::gentoo sys-devel/autoconf: 2.69-r5::gentoo sys-devel/automake: 1.16.3-r1::gentoo sys-devel/binutils: 2.36.1-r1::gentoo sys-devel/gcc: 11.1.0::gentoo sys-devel/gcc-config: 2.4::gentoo sys-devel/libtool: 2.4.6-r6::gentoo sys-devel/make: 4.3::gentoo sys-kernel/linux-headers: 5.12::gentoo (virtual/os-headers) sys-libs/glibc: 2.33::gentoo Repositories: gentoo location: /var/db/repos/gentoo sync-type: git sync-uri: https://github.com/gentoo-mirror/gentoo.git priority: -1000 sync-git-verify-commit-signature: true local location: /var/db/repos/local masters: gentoo ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="*" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=native -pipe -O3 -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /etc/stunnel/stunnel.conf /usr/share/gnupg/qualified.txt /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php8.0/ext-active/ /etc/php/cgi-php8.0/ext-active/ /etc/php/cli-php8.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=native -pipe -O3 -fomit-frame-pointer" DISTDIR="/var/cache/distfiles" ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR" FCFLAGS="-march=native -pipe -O3 -fomit-frame-pointer" FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-march=native -pipe -O3 -fomit-frame-pointer" GENTOO_MIRRORS="https://mirror.netcologne.de/gentoo/ https://ftp.halifax.rwth-aachen.de/gentoo/ https://mirror.yandex.ru/gentoo-distfiles/" LANG="sl_SI.utf8" LDFLAGS="-Wl,-O3 -Wl,--as-needed -Wl,--sort-common -Wl,--hash-style=gnu" LINGUAS="en sl" MAKEOPTS="-j12 -l12" PKGDIR="/var/cache/binpkgs" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git" PORTAGE_TMPDIR="/var/tmp" USE="acl acpi amd64 apache2 apng berkdb bittorrent btrfs bzip2 caps cgi cli client corefonts crypt curl dhcp dlz dovecot-sasl eap exif expat experimental extraengine fontconfig ftp gd gdbm glib gmp gssapi gzip hardened http2 iconv icu idn intl iptables ipv6 ithreads jpeg kerberos lcms libglvnd libtirpc lz4 lzma lzo managesieve mp3 multilib mysql mysqli ncurses nls nping nptl openmp openssl pam pci pcntl pcre pcre16 pcre32 pdo perl pie png posix python rar readline rpc rtmp samba seccomp server session sieve slang smtp soap sockets socks5 split-usr sqlite ssh ssl ssp suexec tcpd threads tiff tracepath truetype udev unicode urandom usb vhosts webui x264 x265 xattr xml xmlreader xmlrpc xmlwriter xslt xtpax xvid xz zip zlib zstd" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias authn_dbd authn_socache authz_dbd cache_socache dbd http2 proxy proxy_html proxy_http proxy_http2 proxy_wstunnel xml2enc" APACHE2_MPMS="event" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en sl" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-0" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_8" PYTHON_TARGETS="python3_8" RUBY_TARGETS="ruby26" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="geoip" Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RUSTFLAGS
Its defiantly not glib, reverting it doesnt do anything, so i guess its gcc.
I have no idea what actual culprit is... i also reverted back to gcc 10.3 and i still get this error :/ it defiantly was still working after kernel & headers update to 5.12 ~2 days ago and it doesnt now...
Created attachment 703182 [details] strace i attached strace if it helps, im to dumb for this :)
seccomp usually breaks when new syscalls start being used. That is most of the time is brought in by glibc update. I think it's a pread64: # strace -f /usr/sbin/ntpd -p ntpd.pid -g -u ntp:ntp -d 10 [pid 1098885] pread64(4, <unfinished ...> [pid 1098884] ioctl(3, SIOCGIFINDEX, {ifr_name="br0" <unfinished ...> [pid 1098885] <... pread64 resumed>"\2\0\0\220\0\0\0\0\360d\0050\35\177\0\0006", 48, 97920) = 17 [pid 1098884] <... ioctl resumed>, ifr_ifindex=4}) = 0 [pid 1098885] --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x7f1d30766fca, si_syscall=__NR_pread64, si_arch=AUDIT_ARCH_X86_64} --- [pid 1098885] +++ killed by SIGSYS +++ +++ killed by SIGSYS +++ Bad system call
If you are curious of precise caller gdb shows it as: ``` # LANG=C gdb --quiet --args /usr/sbin/ntpd -p ntpd.pid -g -u ntp:ntp -d 10 Reading symbols from /usr/sbin/ntpd... Reading symbols from /usr/lib/debug//usr/sbin/ntpd.debug... (gdb) run Starting program: /usr/sbin/ntpd -p ntpd.pid -g -u ntp:ntp -d 10 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". 2021-04-28T23:23:29 ntpd[3472866]: INIT: ntpd ntpsec-1.2.0 2021-04-28T22:18:29Z: Starting 2021-04-28T23:23:29 ntpd[3472866]: INIT: Command line: /usr/sbin/ntpd -p ntpd.pid -g -u ntp:ntp -d 10 2021-04-28T23:23:29 ntpd[3472866]: INIT: precision = 0.063 usec (-24) 2021-04-28T23:23:29 ntpd[3472866]: INIT: successfully locked into RAM 2021-04-28T23:23:29 ntpd[3472866]: CONFIG: readconfig: parsing file: /etc/ntp.conf 2021-04-28T23:23:29 ntpd[3472866]: CONFIG: readconfig: parsing directory: /etc/ntp.d 2021-04-28T23:23:29 ntpd[3472866]: CONFIG: restrict nopeer ignored 2021-04-28T23:23:29 ntpd[3472866]: CONFIG: restrict nopeer ignored 2021-04-28T23:23:29 ntpd[3472866]: CONFIG: restrict nopeer ignored 2021-04-28T23:23:29 ntpd[3472866]: CONFIG: restrict nopeer ignored 2021-04-28T23:23:29 ntpd[3472866]: INIT: Using SO_TIMESTAMPNS 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen and drop on 0 v6wildcard [::]:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 2 lo 127.0.0.1:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 3 br0 10.0.0.1:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 4 wl0 192.168.1.200:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 5 lo [::1]:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 6 br0 [fd02::b838:dff:fe71:8a1a]:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 7 br0 [fe80::c2c0:c0ff:fec0:c0c0%4]:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 8 wl0 [fd01::20d:81ff:fea9:990]:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 9 wl0 [fe80::960c:6dff:fee2:47a1%8]:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 10 he-ipv6 [2001:470:1f1c:3e6::2]:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listen normally on 11 he-ipv6 [fe80::c0a8:1c8%9]:123 2021-04-28T23:23:29 ntpd[3472866]: IO: Listening on routing socket on fd #28 for interface updates 2021-04-28T23:23:29 ntpd[3472866]: SYNC: Found 10 servers, suggest minsane at least 3 2021-04-28T23:23:29 ntpd[3472866]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes 2021-04-28T23:23:29 ntpd[3472866]: INIT: OpenSSL 1.1.1k 25 Mar 2021, 101010bf 2021-04-28T23:23:29 ntpd[3472866]: NTSc: Using system default root certificates. 2021-04-28T23:23:29 ntpd[3472866]: INIT: sandbox: seccomp enabled. 2021-04-28T23:23:29 ntpd[3472866]: statistics directory /var/NTP/ does not exist or is unwriteable, error No such file or directory 2021-04-28T23:23:30 ntpd[3472866]: DNS: dns_probe: 10, cast_flags:1, flags:20901 [New Thread 0x7ffff7839640 (LWP 3472880)] Thread 2 "ntpd" received signal SIGSYS, Bad system call. [Switching to Thread 0x7ffff7839640 (LWP 3472880)] bt __GI___pread64_nocancel (fd=5, buf=0x7ffff78384a0, count=48, offset=97960) at ../sysdeps/unix/sysv/linux/pread64_nocancel.c:26 26 ../sysdeps/unix/sysv/linux/pread64_nocancel.c: No such file or directory. (gdb) bt #0 __GI___pread64_nocancel (fd=5, buf=0x7ffff78384a0, count=48, offset=97960) at ../sysdeps/unix/sysv/linux/pread64_nocancel.c:26 #1 0x00007ffff7fd2a88 in open_verify (name=name@entry=0x7ffff0001390 "/usr/lib/gcc/x86_64-pc-linux-gnu/12.0.0/libgcc_s.so.1", fbp=fbp@entry=0x7ffff78385b0, loader=<optimized out>, whatcode=whatcode@entry=8, found_other_class=found_other_class@entry=0x7ffff783859f, free_name=free_name@entry=false, mode=-1879048190, fd=5) at dl-load.c:1805 #2 0x00007ffff7fd5e85 in _dl_map_object (loader=loader@entry=0x7ffff7ad2000, name=<optimized out>, name@entry=0x7ffff7ac7b2f "libgcc_s.so.1", type=type@entry=2, trace_mode=trace_mode@entry=0, mode=mode@entry=-1879048190, nsid=<optimized out>) at dl-load.c:2224 #3 0x00007ffff7fdfdf4 in dl_open_worker (a=a@entry=0x7ffff7838b00) at dl-open.c:526 #4 0x00007ffff7a24b50 in __GI__dl_catch_exception (exception=0x7ffff7838ae0, operate=0x7ffff7fdfd50 <dl_open_worker>, args=0x7ffff7838b00) at /tmp/portage-tmpdir/portage/sys-libs/glibc-2.33/work/glibc-2.33/elf/dl-error-skeleton.c:208 #5 0x00007ffff7fdf967 in _dl_open (file=0x7ffff7ac7b2f "libgcc_s.so.1", mode=-2147483646, caller_dlopen=0x7ffff7ac456b <pthread_cancel_init+43>, nsid=-2, argc=8, argv=0x7ffff7838ae0, env=0x7fffffffe5c0) at dl-open.c:858 #6 0x00007ffff7a23ffd in do_dlopen (ptr=ptr@entry=0x7ffff7838d50) at dl-libc.c:96 #7 0x00007ffff7a24b50 in __GI__dl_catch_exception (exception=exception@entry=0x7ffff7838cd0, operate=operate@entry=0x7ffff7a23fc0 <do_dlopen>, args=args@entry=0x7ffff7838d50) at /tmp/portage-tmpdir/portage/sys-libs/glibc-2.33/work/glibc-2.33/elf/dl-error-skeleton.c:208 #8 0x00007ffff7a24c0f in __GI__dl_catch_error (objname=objname@entry=0x7ffff7838d28, errstring=errstring@entry=0x7ffff7838d30, mallocedp=mallocedp@entry=0x7ffff7838d27, operate=operate@entry=0x7ffff7a23fc0 <do_dlopen>, args=args@entry=0x7ffff7838d50) at /tmp/portage-tmpdir/portage/sys-libs/glibc-2.33/work/glibc-2.33/elf/dl-error-skeleton.c:227 #9 0x00007ffff7a240d7 in dlerror_run (operate=operate@entry=0x7ffff7a23fc0 <do_dlopen>, args=args@entry=0x7ffff7838d50) at dl-libc.c:46 #10 0x00007ffff7a24166 in __GI___libc_dlopen_mode (name=name@entry=0x7ffff7ac7b2f "libgcc_s.so.1", mode=mode@entry=-2147483646) at dl-libc.c:195 #11 0x00007ffff7ac456b in pthread_cancel_init () at ../sysdeps/nptl/unwind-forcedunwind.c:53 #12 0x00007ffff7ac4784 in _Unwind_ForcedUnwind (exc=0x7ffff7839cb0, stop=stop@entry=0x7ffff7ac2af0 <unwind_stop>, stop_argument=0x7ffff7838e70) at ../sysdeps/nptl/unwind-forcedunwind.c:127 #13 0x00007ffff7ac2c60 in __GI___pthread_unwind (buf=<optimized out>) at unwind.c:131 #14 0x00007ffff7abaf9c in __do_cancel () at /tmp/portage-tmpdir/portage/sys-libs/glibc-2.33/work/glibc-2.33/nptl/pthreadP.h:307 #15 __pthread_exit (value=<optimized out>) at pthread_exit.c:28 #16 0x000055555557008c in dns_lookup () #17 0x00007ffff7ab9cde in start_thread (arg=0x7ffff7839640) at pthread_create.c:473 #18 0x00007ffff79efaef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 ``` Which is a glibc's shared library loader as a response to name services resolution.
Created attachment 712923 [details, diff] proposed patch to add syscall to ntpsec It would be most convenient if you could apply this patch to NTPsec and check if it resolves the issue. If it does then the patch can be applied upstream for the release after next.
(In reply to James Browning from comment #6) > Created attachment 712923 [details, diff] [details, diff] > proposed patch to add syscall to ntpsec > > It would be most convenient if you could apply this patch to NTPsec and > check if it resolves the issue. If it does then the patch can be applied > upstream for the release after next. seems to work after i modified it a bit with proper tabs and lines...
Created attachment 712929 [details, diff] this is a modified patch that directly works with gentoo ebuilds and prior patches
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a87107cfff01e74e3519624360dbd72a60a1fdd9 commit a87107cfff01e74e3519624360dbd72a60a1fdd9 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-06-10 21:09:31 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-06-10 21:09:31 +0000 net-misc/ntpsec: add seccomp patch from upstream Closes: https://bugs.gentoo.org/786228 Closes: https://bugs.gentoo.org/705128 Signed-off-by: Sam James <sam@gentoo.org> net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch | 19 +++++++++++++++++++ ...{ntpsec-1.2.0-r1.ebuild => ntpsec-1.2.0-r2.ebuild} | 5 +++-- 2 files changed, 22 insertions(+), 2 deletions(-)
That patch does not fix it, it lacks pread64 so custom patch is still needed. As it looks even 1.2.1 still does not have this fix.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=540ea2504d870d6ff28f61b3b399d178c7ae4df8 commit 540ea2504d870d6ff28f61b3b399d178c7ae4df8 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-06-11 06:38:33 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-06-11 06:38:33 +0000 net-misc/ntpsec: add additional pread64 syscall patch Closes: https://bugs.gentoo.org/786228 Signed-off-by: Sam James <sam@gentoo.org> net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch | 11 +++++++++++ .../ntpsec/{ntpsec-1.2.0-r2.ebuild => ntpsec-1.2.0-r3.ebuild} | 1 + 2 files changed, 12 insertions(+)