)]}'
{
  "log": [
    {
      "commit": "482159dc9981163724c5eb3e5fbbfc5d95e709f1",
      "tree": "50fce437e582f9eb3f9844ee22ec4415c412fe65",
      "parents": [
        "d9a1c8fd2bb7290f0f20d3919947a9dff8ec805d"
      ],
      "author": {
        "name": "Willy Tarreau",
        "email": "w@1wt.eu",
        "time": "Mon Jan 18 16:36:09 2016 +0100"
      },
      "committer": {
        "name": "Matt Mower",
        "email": "mowerm@gmail.com",
        "time": "Mon May 23 21:13:07 2016 -0500"
      },
      "message": "pipe: limit the per-user amount of pages allocated in pipes\n\nOn no-so-small systems, it is possible for a single process to cause an\nOOM condition by filling large pipes with data that are never read. A\ntypical process filling 4000 pipes with 1 MB of data will use 4 GB of\nmemory. On small systems it may be tricky to set the pipe max size to\nprevent this from happening.\n\nThis patch makes it possible to enforce a per-user soft limit above\nwhich new pipes will be limited to a single page, effectively limiting\nthem to 4 kB each, as well as a hard limit above which no new pipes may\nbe created for this user. This has the effect of protecting the system\nagainst memory abuse without hurting other users, and still allowing\npipes to work correctly though with less data at once.\n\nThe limit are controlled by two new sysctls : pipe-user-pages-soft, and\npipe-user-pages-hard. Both may be disabled by setting them to zero. The\ndefault soft limit allows the default number of FDs per process (1024)\nto create pipes of the default size (64kB), thus reaching a limit of 64MB\nbefore starting to create only smaller pipes. With 256 processes limited\nto 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB \u003d\n1084 MB of memory allocated for a user. The hard limit is disabled by\ndefault to avoid breaking existing applications that make intensive use\nof pipes (eg: for splicing).\n\nReported-by: socketpair@gmail.com\nReported-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nMitigates: CVE-2013-4312 (Linux 2.0+)\nSuggested-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Willy Tarreau \u003cw@1wt.eu\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n\nConflicts:\n\tDocumentation/sysctl/fs.txt\n\tfs/pipe.c\n\tinclude/linux/sched.h\n\nChange-Id: Ic7c678af18129943e16715fdaa64a97a7f0854be\n"
    },
    {
      "commit": "7d1db3b4bf74cce126755dfb4475632b82fcb95c",
      "tree": "93c3d320898d4c6eb0900e629f985256761e5cfb",
      "parents": [
        "332797a68d7a269225c47de2bb4e581eea5bcb47"
      ],
      "author": {
        "name": "Matt Mower",
        "email": "mowerm@gmail.com",
        "time": "Mon May 23 11:34:02 2016 -0500"
      },
      "committer": {
        "name": "Matt Mower",
        "email": "mowerm@gmail.com",
        "time": "Mon May 23 12:01:42 2016 -0500"
      },
      "message": "f2fs: Squashed update of f2fs-stable\n\nhttps://git.kernel.org/cgit/linux/kernel/git/jaegeuk/f2fs-stable.git\nBranch: linux-3.4.y\nUp to and including:\n  Revert \"f2fs: use cryptoapi crc32 functions\"\n  5b2523fc731f68cb48ca3d82f3ef2952a61ae5ba\n\nChange-Id: I062d186a7525d6a2ac431f811e5ca550c41ecf0f\n"
    },
    {
      "commit": "abd7a6fdf5c96e661e4520ec1cf718b9378f1342",
      "tree": "196b1c60ccc0499fe92e3a531576e6c6c18198c0",
      "parents": [
        "86f24e99598f298b78759616dfa9e8fcca0d3688",
        "3389604d77540abf738b486d650c1745b2d663ca"
      ],
      "author": {
        "name": "David Hays",
        "email": "dhays90@gmail.com",
        "time": "Mon Apr 11 13:09:16 2016 -0700"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Mon Apr 11 13:39:17 2016 -0700"
      },
      "message": "Merge tag \u0027v3.4.111\u0027 into cm-13.0\n\nThis is the 3.4.111 stable release\n\nConflicts:\n    fs/file_table.c\n    include/net/sock.h\n\nChange-Id: Ic65a8a4450b508018d5c092b420ebb23df0daef6\n"
    },
    {
      "commit": "40570888be8087838c543f165e0d309b9869f526",
      "tree": "8e9f2607b6c80133b461d192c135ddb796a58f51",
      "parents": [
        "5317d9af12a59e83a6f173eac3808cc21f6e9d2b"
      ],
      "author": {
        "name": "Ben Zhang",
        "email": "benzh@chromium.org",
        "time": "Thu Apr 03 14:47:18 2014 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Mar 21 09:17:57 2016 +0800"
      },
      "message": "kernel/watchdog.c: touch_nmi_watchdog should only touch local cpu not every one\n\ncommit 62572e29bc530b38921ef6059088b4788a9832a5 upstream.\n\nI ran into a scenario where while one cpu was stuck and should have\npanic\u0027d because of the NMI watchdog, it didn\u0027t.  The reason was another\ncpu was spewing stack dumps on to the console.  Upon investigation, I\nnoticed that when writing to the console and also when dumping the\nstack, the watchdog is touched.\n\nThis causes all the cpus to reset their NMI watchdog flags and the\n\u0027stuck\u0027 cpu just spins forever.\n\nThis change causes the semantics of touch_nmi_watchdog to be changed\nslightly.  Previously, I accidentally changed the semantics and we\nnoticed there was a codepath in which touch_nmi_watchdog could be\ntouched from a preemtible area.  That caused a BUG() to happen when\nCONFIG_DEBUG_PREEMPT was enabled.  I believe it was the acpi code.\n\nMy attempt here re-introduces the change to have the\ntouch_nmi_watchdog() code only touch the local cpu instead of all of the\ncpus.  But instead of using __get_cpu_var(), I use the\n__raw_get_cpu_var() version.\n\nThis avoids the preemption problem.  However my reasoning wasn\u0027t because\nI was trying to be lazy.  Instead I rationalized it as, well if\npreemption is enabled then interrupts should be enabled to and the NMI\nwatchdog will have no reason to trigger.  So it won\u0027t matter if the\nwrong cpu is touched because the percpu interrupt counters the NMI\nwatchdog uses should still be incrementing.\n\nDon said:\n\n: I\u0027m ok with this patch, though it does alter the behaviour of how\n: touch_nmi_watchdog works.  For the most part I don\u0027t think most callers\n: need to touch all of the watchdogs (on each cpu).  Perhaps a corner case\n: will pop up (the scheduler??  to mimic touch_all_softlockup_watchdogs() ).\n:\n: But this does address an issue where if a system is locked up and one cpu\n: is spewing out useful debug messages (or error messages), the hard lockup\n: will fail to go off.  We have seen this on RHEL also.\n\nSigned-off-by: Don Zickus \u003cdzickus@redhat.com\u003e\nSigned-off-by: Ben Zhang \u003cbenzh@chromium.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "40ba03f35bd6eaffff36856f033beef348d4485b",
      "tree": "65f3dc5e2c11c7c1f8b988fe6f9b3024c98bcd20",
      "parents": [
        "d86129c5c06c65e38408012ec32dba84c8fe5f3a"
      ],
      "author": {
        "name": "Peter Zijlstra",
        "email": "peterz@infradead.org",
        "time": "Thu Jun 11 10:32:01 2015 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Mar 21 09:17:51 2016 +0800"
      },
      "message": "perf: Fix fasync handling on inherited events\n\ncommit fed66e2cdd4f127a43fd11b8d92a99bdd429528c upstream.\n\nVince reported that the fasync signal stuff doesn\u0027t work proper for\ninherited events. So fix that.\n\nInstalling fasync allocates memory and sets filp-\u003ef_flags |\u003d FASYNC,\nwhich upon the demise of the file descriptor ensures the allocation is\nfreed and state is updated.\n\nNow for perf, we can have the events stick around for a while after the\noriginal FD is dead because of references from child events. So we\ncannot copy the fasync pointer around. We can however consistently use\nthe parent\u0027s fasync, as that will be updated.\n\nReported-and-Tested-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: Arnaldo Carvalho deMelo \u003cacme@kernel.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: eranian@google.com\nLink: http://lkml.kernel.org/r/1434011521.1495.71.camel@twins\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "ad31516703a7c1210078f690ea94a8efe4d01e91",
      "tree": "ab4494f3a60980909ac339ea58ec920c363dbf18",
      "parents": [
        "e8a835b9a482c3ab97c08847361900f7ed8ab1a6",
        "3edd6224c2a677bb59efe0b083a51fc2b3b5c64d"
      ],
      "author": {
        "name": "David Hays",
        "email": "dhays90@gmail.com",
        "time": "Mon Feb 22 00:00:29 2016 -0500"
      },
      "committer": {
        "name": "David Hays",
        "email": "dhays90@gmail.com",
        "time": "Mon Feb 22 17:33:37 2016 -0500"
      },
      "message": "Merge tag v3.4.110 into cm-13.0\n\nConflicts:\n\tdrivers/bluetooth/btusb.c\n\tdrivers/cpufreq/cpufreq.c\n\tdrivers/md/dm-crypt.c\n\tdrivers/mmc/core/core.c\n\tfs/namespace.c\n\tinclude/linux/usb/quirks.h\n\tnet/bluetooth/l2cap_core.c\n\tnet/bluetooth/smp.c\n\tnet/netfilter/xt_socket.c\n\tsecurity/keys/gc.c\n\tsecurity/selinux/nlmsgtab.c\n\nChange-Id: I336fc28268bf70846a49e8f1db4899a10a4e5edb\n"
    },
    {
      "commit": "869a7247fb32e8b40574859d59f17bb068bd5c1a",
      "tree": "054416d93244b37fa8f2b53e28fd93d46a56ab64",
      "parents": [
        "403187dc8c35e873ccef85e0bd6eec174f9ced12"
      ],
      "author": {
        "name": "Mark Grondona",
        "email": "mgrondona@llnl.gov",
        "time": "Wed Sep 11 14:24:31 2013 -0700"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "gerrit@cyanogenmod.org",
        "time": "Wed Dec 16 10:21:05 2015 -0800"
      },
      "message": "__ptrace_may_access() should not deny sub-threads\n\ncommit 73af963f9f3036dffed55c3a2898598186db1045 upstream.\n\n__ptrace_may_access() checks get_dumpable/ptrace_has_cap/etc if task !\u003d\ncurrent, this can can lead to surprising results.\n\nFor example, a sub-thread can\u0027t readlink(\"/proc/self/exe\") if the\nexecutable is not readable.  setup_new_exec()-\u003ewould_dump() notices that\ninode_permission(MAY_READ) fails and then it does\nset_dumpable(suid_dumpable).  After that get_dumpable() fails.\n\n(It is not clear why proc_pid_readlink() checks get_dumpable(), perhaps we\ncould add PTRACE_MODE_NODUMPABLE)\n\nChange __ptrace_may_access() to use same_thread_group() instead of \"task\n\u003d\u003d current\".  Any security check is pointless when the tasks share the\nsame -\u003emm.\n\nChange-Id: Ib6ca927a1eb0637df8030aabcb3129d5be343512\nSigned-off-by: Mark Grondona \u003cmgrondona@llnl.gov\u003e\nSigned-off-by: Ben Woodard \u003cwoodard@redhat.com\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "c207c4948630601928b3fd5b168a89734f148e76",
      "tree": "2501dbda07c35fc81536b876b97a67ed67e728d2",
      "parents": [
        "7ebabd77613ddc5b1841c788085c5ac8c6b2cd85"
      ],
      "author": {
        "name": "Steven Rostedt (Red Hat)",
        "email": "rostedt@goodmis.org",
        "time": "Thu Jun 25 18:10:09 2015 -0400"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Thu Oct 22 09:20:06 2015 +0800"
      },
      "message": "tracing/filter: Do not allow infix to exceed end of string\n\ncommit 6b88f44e161b9ee2a803e5b2b1fbcf4e20e8b980 upstream.\n\nWhile debugging a WARN_ON() for filtering, I found that it is possible\nfor the filter string to be referenced after its end. With the filter:\n\n # echo \u0027\u003e\u0027 \u003e /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter\n\nThe filter_parse() function can call infix_get_op() which calls\ninfix_advance() that updates the infix filter pointers for the cnt\nand tail without checking if the filter is already at the end, which\nwill put the cnt to zero and the tail beyond the end. The loop then calls\ninfix_next() that has\n\n\tps-\u003einfix.cnt--;\n\treturn ps-\u003einfix.string[ps-\u003einfix.tail++];\n\nThe cnt will now be below zero, and the tail that is returned is\nalready passed the end of the filter string. So far the allocation\nof the filter string usually has some buffer that is zeroed out, but\nif the filter string is of the exact size of the allocated buffer\nthere\u0027s no guarantee that the charater after the nul terminating\ncharacter will be zero.\n\nLuckily, only root can write to the filter.\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "7ebabd77613ddc5b1841c788085c5ac8c6b2cd85",
      "tree": "e39de8a4ecf033b01f21d27eca26a68bddc1d2e1",
      "parents": [
        "800e58ae21796a472f39cd6d0601c87b297409af"
      ],
      "author": {
        "name": "Steven Rostedt (Red Hat)",
        "email": "rostedt@goodmis.org",
        "time": "Thu Jun 25 18:02:29 2015 -0400"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Thu Oct 22 09:20:06 2015 +0800"
      },
      "message": "tracing/filter: Do not WARN on operand count going below zero\n\ncommit b4875bbe7e68f139bd3383828ae8e994a0df6d28 upstream.\n\nWhen testing the fix for the trace filter, I could not come up with\na scenario where the operand count goes below zero, so I added a\nWARN_ON_ONCE(cnt \u003c 0) to the logic. But there is legitimate case\nthat it can happen (although the filter would be wrong).\n\n # echo \u0027\u003e\u0027 \u003e /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter\n\nThat is, a single operation without any operands will hit the path\nwhere the WARN_ON_ONCE() can trigger. Although this is harmless,\nand the filter is reported as a error. But instead of spitting out\na warning to the kernel dmesg, just fail nicely and report it via\nthe proper channels.\n\nLink: http://lkml.kernel.org/r/558C6082.90608@oracle.com\n\nReported-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nReported-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "d5ea436a754c3b117421d4896eda6bc7dddb2f4e",
      "tree": "38532e817696d37308a207fcd9710f209d6321b0",
      "parents": [
        "272bc28a42deac776c1c45a88a90559c93a015c7"
      ],
      "author": {
        "name": "Paul E. McKenney",
        "email": "paulmck@linux.vnet.ibm.com",
        "time": "Mon May 11 11:13:05 2015 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Thu Oct 22 09:20:02 2015 +0800"
      },
      "message": "rcu: Correctly handle non-empty Tiny RCU callback list with none ready\n\ncommit 6e91f8cb138625be96070b778d9ba71ce520ea7e upstream.\n\nIf, at the time __rcu_process_callbacks() is invoked,  there are callbacks\nin Tiny RCU\u0027s callback list, but none of them are ready to be invoked,\nthe current list-management code will knit the non-ready callbacks out\nof the list.  This can result in hangs and possibly worse.  This commit\ntherefore inserts a check for there being no callbacks that can be\ninvoked immediately.\n\nThis bug is unlikely to occur -- you have to get a new callback between\nthe time rcu_sched_qs() or rcu_bh_qs() was called, but before we get to\n__rcu_process_callbacks().  It was detected by the addition of RCU-bh\ntesting to rcutorture, which in turn was instigated by Iftekhar Ahmed\u0027s\nmutation testing.  Although this bug was made much more likely by\n915e8a4fe45e (rcu: Remove fastpath from __rcu_process_callbacks()), this\ndid not cause the bug, but rather made it much more probable.   That\nsaid, it takes more than 40 hours of rcutorture testing, on average,\nfor this bug to appear, so this fix cannot be considered an emergency.\n\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nReviewed-by: Josh Triplett \u003cjosh@joshtriplett.org\u003e\n[lizf: Backported to 3.4: adjust filename ]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "427841d9ea9213bd066e6b2bddba5a70bce90c6d",
      "tree": "2356fe62cd88e6ca294c94a9129653184bfb3bd4",
      "parents": [
        "4a55c0cfdd8a8b0c39eba5e696c36c33d0879684"
      ],
      "author": {
        "name": "Peter Zijlstra",
        "email": "peterz@infradead.org",
        "time": "Tue May 20 15:49:48 2014 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Thu Oct 22 09:20:01 2015 +0800"
      },
      "message": "hrtimer: Allow concurrent hrtimer_start() for self restarting timers\n\ncommit 5de2755c8c8b3a6b8414870e2c284914a2b42e4d upstream.\n\nBecause we drop cpu_base-\u003elock around calling hrtimer::function, it is\npossible for hrtimer_start() to come in between and enqueue the timer.\n\nIf hrtimer::function then returns HRTIMER_RESTART we\u0027ll hit the BUG_ON\nbecause HRTIMER_STATE_ENQUEUED will be set.\n\nSince the above is a perfectly valid scenario, remove the BUG_ON and\nmake the enqueue_hrtimer() call conditional on the timer not being\nenqueued already.\n\nNOTE: in that concurrent scenario its entirely common for both sites\nto want to modify the hrtimer, since hrtimers don\u0027t provide\nserialization themselves be sure to provide some such that the\nhrtimer::function and the hrtimer_start() caller don\u0027t both try and\nfudge the expiration state at the same time.\n\nTo that effect, add a WARN when someone tries to forward an already\nenqueued timer, the most common way to change the expiry of self\nrestarting timers. Ideally we\u0027d put the WARN in everything modifying\nthe expiry but most of that is inlines and we don\u0027t need the bloat.\n\nFixes: 2d44ae4d7135 (\"hrtimer: clean up cpu-\u003ebase locking tricks\")\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: Ben Segall \u003cbsegall@google.com\u003e\nCc: Roman Gushchin \u003cklamm@yandex-team.ru\u003e\nCc: Paul Turner \u003cpjt@google.com\u003e\nLink: http://lkml.kernel.org/r/20150415113105.GT5029@twins.programming.kicks-ass.net\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "aa18f6fcc491d131e2b67135622e3c089bd5d0b4",
      "tree": "40086c66ca378f8d1334fa8f2ad84243eafedc31",
      "parents": [
        "6ff9603dec2399dbe2fe9e5fe87c11fda054c668"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Wed Jun 15 10:21:48 2011 -0700"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sat Oct 17 16:13:18 2015 -0700"
      },
      "message": "proc: Usable inode numbers for the namespace file descriptors.\n\nAssign a unique proc inode to each namespace, and use that\ninode number to ensure we only allocate at most one proc\ninode for every namespace in proc.\n\nA single proc inode per namespace allows userspace to test\nto see if two processes are in the same namespace.\n\nThis has been a long requested feature and only blocked because\na naive implementation would put the id in a global space and\nwould ultimately require having a namespace for the names of\nnamespaces, making migration and certain virtualization tricks\nimpossible.\n\nWe still don\u0027t have per superblock inode numbers for proc, which\nappears necessary for application unaware checkpoint/restart and\nmigrations (if the application is using namespace file descriptors)\nbut that is now allowd by the design if it becomes important.\n\nI have preallocated the ipc and uts initial proc inode numbers so\ntheir structures can be statically initialized.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n(cherry picked from commit 98f842e675f96ffac96e6c50315790912b2812be)\n"
    },
    {
      "commit": "bc1d98d9537f9cd5c6ff72bbec99c2a475219591",
      "tree": "e32cea9de3180021e271e3decc20adfd1c413996",
      "parents": [
        "c409ef81f8fb8af14a6d58bd2a639fcb0e5ca103"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Thu Jul 26 21:08:32 2012 -0700"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sat Oct 17 16:13:16 2015 -0700"
      },
      "message": "vfs: Add a user namespace reference from struct mnt_namespace\n\nThis will allow for support for unprivileged mounts in a new user namespace.\n\nAcked-by: \"Serge E. Hallyn\" \u003cserge@hallyn.com\u003e\nSigned-off-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\n(cherry picked from commit 771b1371686e0a63e938ada28de020b9a0040f55)\n"
    },
    {
      "commit": "f2cf20af77285f033d11ce9c95253a46c129b270",
      "tree": "2b0e3e078d315d1552ef19ea1c0c3509c27fd97b",
      "parents": [
        "8b4a1d639931196eb4e011c6cc0e95fd247a6eee"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Jun 25 12:55:18 2012 +0100"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sat Oct 17 16:13:13 2015 -0700"
      },
      "message": "VFS: Make clone_mnt()/copy_tree()/collect_mounts() return errors\n\ncopy_tree() can theoretically fail in a case other than ENOMEM, but always\nreturns NULL which is interpreted by callers as -ENOMEM.  Change it to return\nan explicit error.\n\nAlso change clone_mnt() for consistency and because union mounts will add new\nerror cases.\n\nThanks to Andreas Gruenbacher \u003cagruen@suse.de\u003e for a bug fix.\n[AV: folded braino fix by Dan Carpenter]\n\nOriginal-author: Valerie Aurora \u003cvaurora@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Valerie Aurora \u003cvalerie.aurora@gmail.com\u003e\nCc: Andreas Gruenbacher \u003cagruen@suse.de\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n(cherry picked from commit be34d1a3bc4b6f357a49acb55ae870c81337e4f0)\n"
    },
    {
      "commit": "0a6c3854fee6372ca2ea2f83973db0103f8e7b26",
      "tree": "c0b6cf1930d17035c70e63fa56d5e082ff81b3d5",
      "parents": [
        "33f50252ce953a70fa3129503f4d39331849a677"
      ],
      "author": {
        "name": "Andi Kleen",
        "email": "ak@linux.intel.com",
        "time": "Tue May 08 13:32:24 2012 +0930"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sat Oct 17 15:53:55 2015 -0700"
      },
      "message": "brlocks/lglocks: turn into functions\n\nlglocks and brlocks are currently generated with some complicated macros\nin lglock.h.  But there\u0027s no reason to not just use common utility\nfunctions and put all the data into a common data structure.\n\nSince there are at least two users it makes sense to share this code in a\nlibrary.  This is also easier maintainable than a macro forest.\n\nThis will also make it later possible to dynamically allocate lglocks and\nalso use them in modules (this would both still need some additional, but\nnow straightforward, code)\n\n[akpm@linux-foundation.org: checkpatch fixes]\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n\n(cherry picked from commit eea62f831b8030b0eeea8314eed73b6132d1de26)\n\nChange-Id: I65a14e405b6a4188b8dd301d35904e9fc8fda72f\n"
    },
    {
      "commit": "aaedb09057b05c7c9e213dc465bff5f70e708535",
      "tree": "2f2a0c645f970d5f6390ca39ee2e1fe0f2eea790",
      "parents": [
        "a39bf4a8e29c7336c0c72652b7d0dd1cd1b13c51"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Fri Feb 07 20:58:41 2014 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Sep 18 09:20:47 2015 +0800"
      },
      "message": "sched: Queue RT tasks to head when prio drops\n\ncommit 81a44c5441d7f7d2c3dc9105f4d65ad0d5818617 upstream.\n\nThe following scenario does not work correctly:\n\nRunqueue of CPUx contains two runnable and pinned tasks:\n\n T1: SCHED_FIFO, prio 80\n T2: SCHED_FIFO, prio 80\n\nT1 is on the cpu and executes the following syscalls (classic priority\nceiling scenario):\n\n sys_sched_setscheduler(pid(T1), SCHED_FIFO, .prio \u003d 90);\n ...\n sys_sched_setscheduler(pid(T1), SCHED_FIFO, .prio \u003d 80);\n ...\n\nNow T1 gets preempted by T3 (SCHED_FIFO, prio 95). After T3 goes back\nto sleep the scheduler picks T2. Surprise!\n\nThe same happens w/o actual preemption when T1 is forced into the\nscheduler due to a sporadic NEED_RESCHED event. The scheduler invokes\npick_next_task() which returns T2. So T1 gets preempted and scheduled\nout.\n\nThis happens because sched_setscheduler() dequeues T1 from the prio 90\nlist and then enqueues it on the tail of the prio 80 list behind T2.\nThis violates the POSIX spec and surprises user space which relies on\nthe guarantee that SCHED_FIFO tasks are not scheduled out unless they\ngive the CPU up voluntarily or are preempted by a higher priority\ntask. In the latter case the preempted task must get back on the CPU\nafter the preempting task schedules out again.\n\nWe fixed a similar issue already in commit 60db48c (sched: Queue a\ndeboosted task to the head of the RT prio queue). The same treatment\nis necessary for sched_setscheduler(). So enqueue to head of the prio\nbucket list if the priority of the task is lowered.\n\nIt might be possible that existing user space relies on the current\nbehaviour, but it can be considered highly unlikely due to the corner\ncase nature of the application scenario.\n\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Sebastian Andrzej Siewior \u003cbigeasy@linutronix.de\u003e\nSigned-off-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/r/1391803122-4425-6-git-send-email-bigeasy@linutronix.de\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "ea1e8ee07cdf7405111cfa9236935b3da1075f56",
      "tree": "92bdc9ed00dd2bb76a565de25b5e328aeade8a36",
      "parents": [
        "c0e3f102c50b6bab71d4fe4232e45bf5c67b8be0"
      ],
      "author": {
        "name": "Steven Rostedt",
        "email": "rostedt@goodmis.org",
        "time": "Mon Jun 15 17:50:25 2015 -0400"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Sep 18 09:20:45 2015 +0800"
      },
      "message": "tracing: Have filter check for balanced ops\n\ncommit 2cf30dc180cea808077f003c5116388183e54f9e upstream.\n\nWhen the following filter is used it causes a warning to trigger:\n\n # cd /sys/kernel/debug/tracing\n # echo \"((dev\u003d\u003d1)blocks\u003d\u003d2)\" \u003e events/ext4/ext4_truncate_exit/filter\n-bash: echo: write error: Invalid argument\n # cat events/ext4/ext4_truncate_exit/filter\n((dev\u003d\u003d1)blocks\u003d\u003d2)\n^\nparse_error: No error\n\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990()\n Modules linked in: bnep lockd grace bluetooth  ...\n CPU: 3 PID: 1223 Comm: bash Tainted: G        W       4.1.0-rc3-test+ #450\n Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012\n  0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0\n  0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c\n  ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea\n Call Trace:\n  [\u003cffffffff816ed4f9\u003e] dump_stack+0x4c/0x6e\n  [\u003cffffffff8107fb07\u003e] warn_slowpath_common+0x97/0xe0\n  [\u003cffffffff8136b46c\u003e] ? _kstrtoull+0x2c/0x80\n  [\u003cffffffff8107fb6a\u003e] warn_slowpath_null+0x1a/0x20\n  [\u003cffffffff81159065\u003e] replace_preds+0x3c5/0x990\n  [\u003cffffffff811596b2\u003e] create_filter+0x82/0xb0\n  [\u003cffffffff81159944\u003e] apply_event_filter+0xd4/0x180\n  [\u003cffffffff81152bbf\u003e] event_filter_write+0x8f/0x120\n  [\u003cffffffff811db2a8\u003e] __vfs_write+0x28/0xe0\n  [\u003cffffffff811dda43\u003e] ? __sb_start_write+0x53/0xf0\n  [\u003cffffffff812e51e0\u003e] ? security_file_permission+0x30/0xc0\n  [\u003cffffffff811dc408\u003e] vfs_write+0xb8/0x1b0\n  [\u003cffffffff811dc72f\u003e] SyS_write+0x4f/0xb0\n  [\u003cffffffff816f5217\u003e] system_call_fastpath+0x12/0x6a\n ---[ end trace e11028bd95818dcd ]---\n\nWorse yet, reading the error message (the filter again) it says that\nthere was no error, when there clearly was. The issue is that the\ncode that checks the input does not check for balanced ops. That is,\nhaving an op between a closed parenthesis and the next token.\n\nThis would only cause a warning, and fail out before doing any real\nharm, but it should still not caues a warning, and the error reported\nshould work:\n\n # cd /sys/kernel/debug/tracing\n # echo \"((dev\u003d\u003d1)blocks\u003d\u003d2)\" \u003e events/ext4/ext4_truncate_exit/filter\n-bash: echo: write error: Invalid argument\n # cat events/ext4/ext4_truncate_exit/filter\n((dev\u003d\u003d1)blocks\u003d\u003d2)\n^\nparse_error: Meaningless filter expression\n\nAnd give no kernel warning.\n\nLink: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home\n\nCc: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@kernel.org\u003e\nReported-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nTested-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\n[lizf: Backported to 3.4: remove the check for OP_NOT, as it\u0027s not supported.]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "c0e3f102c50b6bab71d4fe4232e45bf5c67b8be0",
      "tree": "adfffc6cdcc1bb5156b9123260bd3407849bc7c2",
      "parents": [
        "501e81d5d6b9434037851749c6194bf3a237b281"
      ],
      "author": {
        "name": "Wang Long",
        "email": "long.wanglong@huawei.com",
        "time": "Wed Jun 10 08:12:37 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Sep 18 09:20:45 2015 +0800"
      },
      "message": "ring-buffer-benchmark: Fix the wrong sched_priority of producer\n\ncommit 108029323910c5dd1ef8fa2d10da1ce5fbce6e12 upstream.\n\nThe producer should be used producer_fifo as its sched_priority,\nso correct it.\n\nLink: http://lkml.kernel.org/r/1433923957-67842-1-git-send-email-long.wanglong@huawei.com\n\nSigned-off-by: Wang Long \u003clong.wanglong@huawei.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a12cb100975637baf203b140ffc56057b29bdb86",
      "tree": "ac720f9155e5584738394629bdb7c2f77dd4617f",
      "parents": [
        "241cb82322f19f3194946cddfbb4a21c43f04e1b"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Thu Apr 16 12:47:29 2015 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Sep 18 09:20:31 2015 +0800"
      },
      "message": "ptrace: fix race between ptrace_resume() and wait_task_stopped()\n\ncommit b72c186999e689cb0b055ab1c7b3cd8fffbeb5ed upstream.\n\nptrace_resume() is called when the tracee is still __TASK_TRACED.  We set\ntracee-\u003eexit_code and then wake_up_state() changes tracee-\u003estate.  If the\ntracer\u0027s sub-thread does wait() in between, task_stopped_code(ptrace \u003d\u003e T)\nwrongly looks like another report from tracee.\n\nThis confuses debugger, and since wait_task_stopped() clears -\u003eexit_code\nthe tracee can miss a signal.\n\nTest-case:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cunistd.h\u003e\n\t#include \u003csys/wait.h\u003e\n\t#include \u003csys/ptrace.h\u003e\n\t#include \u003cpthread.h\u003e\n\t#include \u003cassert.h\u003e\n\n\tint pid;\n\n\tvoid *waiter(void *arg)\n\t{\n\t\tint stat;\n\n\t\tfor (;;) {\n\t\t\tassert(pid \u003d\u003d wait(\u0026stat));\n\t\t\tassert(WIFSTOPPED(stat));\n\t\t\tif (WSTOPSIG(stat) \u003d\u003d SIGHUP)\n\t\t\t\tcontinue;\n\n\t\t\tassert(WSTOPSIG(stat) \u003d\u003d SIGCONT);\n\t\t\tprintf(\"ERR! extra/wrong report:%x\\n\", stat);\n\t\t}\n\t}\n\n\tint main(void)\n\t{\n\t\tpthread_t thread;\n\n\t\tpid \u003d fork();\n\t\tif (!pid) {\n\t\t\tassert(ptrace(PTRACE_TRACEME, 0,0,0) \u003d\u003d 0);\n\t\t\tfor (;;)\n\t\t\t\tkill(getpid(), SIGHUP);\n\t\t}\n\n\t\tassert(pthread_create(\u0026thread, NULL, waiter, NULL) \u003d\u003d 0);\n\n\t\tfor (;;)\n\t\t\tptrace(PTRACE_CONT, pid, 0, SIGCONT);\n\n\t\treturn 0;\n\t}\n\nNote for stable: the bug is very old, but without 9899d11f6544 \"ptrace:\nensure arch_ptrace/ptrace_request can never race with SIGKILL\" the fix\nshould use lock_task_sighand(child).\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReported-by: Pavel Labath \u003clabath@google.com\u003e\nTested-by: Pavel Labath \u003clabath@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "b674b0adae623283de4f49e1734de675678c456f",
      "tree": "5d2fa2e8d481978046f29a12059d78e525df9352",
      "parents": [
        "8c9c6ffb188714b7d22261c029ec9fbc065bb5d1"
      ],
      "author": {
        "name": "Ben Greear",
        "email": "greearb@candelatech.com",
        "time": "Thu Jun 06 14:29:49 2013 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Jun 19 11:40:32 2015 +0800"
      },
      "message": "Fix lockup related to stop_machine being stuck in __do_softirq.\n\ncommit 34376a50fb1fa095b9d0636fa41ed2e73125f214 upstream.\n\nThe stop machine logic can lock up if all but one of the migration\nthreads make it through the disable-irq step and the one remaining\nthread gets stuck in __do_softirq.  The reason __do_softirq can hang is\nthat it has a bail-out based on jiffies timeout, but in the lockup case,\njiffies itself is not incremented.\n\nTo work around this, re-add the max_restart counter in __do_irq and stop\nprocessing irqs after 10 restarts.\n\nThanks to Tejun Heo and Rusty Russell and others for helping me track\nthis down.\n\nThis was introduced in 3.9 by commit c10d73671ad3 (\"softirq: reduce\nlatencies\").\n\nIt may be worth looking into ath9k to see if it has issues with its irq\nhandler at a later date.\n\nThe hang stack traces look something like this:\n\n    ------------[ cut here ]------------\n    WARNING: at kernel/watchdog.c:245 watchdog_overflow_callback+0x9c/0xa7()\n    Watchdog detected hard LOCKUP on cpu 2\n    Modules linked in: ath9k ath9k_common ath9k_hw ath mac80211 cfg80211 nfsv4 auth_rpcgss nfs fscache nf_nat_ipv4 nf_nat veth 8021q garp stp mrp llc pktgen lockd sunrpc]\n    Pid: 23, comm: migration/2 Tainted: G         C   3.9.4+ #11\n    Call Trace:\n     \u003cNMI\u003e   warn_slowpath_common+0x85/0x9f\n      warn_slowpath_fmt+0x46/0x48\n      watchdog_overflow_callback+0x9c/0xa7\n      __perf_event_overflow+0x137/0x1cb\n      perf_event_overflow+0x14/0x16\n      intel_pmu_handle_irq+0x2dc/0x359\n      perf_event_nmi_handler+0x19/0x1b\n      nmi_handle+0x7f/0xc2\n      do_nmi+0xbc/0x304\n      end_repeat_nmi+0x1e/0x2e\n     \u003c\u003cEOE\u003e\u003e\n      cpu_stopper_thread+0xae/0x162\n      smpboot_thread_fn+0x258/0x260\n      kthread+0xc7/0xcf\n      ret_from_fork+0x7c/0xb0\n    ---[ end trace 4947dfa9b0a4cec3 ]---\n    BUG: soft lockup - CPU#1 stuck for 22s! [migration/1:17]\n    Modules linked in: ath9k ath9k_common ath9k_hw ath mac80211 cfg80211 nfsv4 auth_rpcgss nfs fscache nf_nat_ipv4 nf_nat veth 8021q garp stp mrp llc pktgen lockd sunrpc]\n    irq event stamp: 835637905\n    hardirqs last  enabled at (835637904): __do_softirq+0x9f/0x257\n    hardirqs last disabled at (835637905): apic_timer_interrupt+0x6d/0x80\n    softirqs last  enabled at (5654720): __do_softirq+0x1ff/0x257\n    softirqs last disabled at (5654725): irq_exit+0x5f/0xbb\n    CPU 1\n    Pid: 17, comm: migration/1 Tainted: G        WC   3.9.4+ #11 To be filled by O.E.M. To be filled by O.E.M./To be filled by O.E.M.\n    RIP: tasklet_hi_action+0xf0/0xf0\n    Process migration/1\n    Call Trace:\n     \u003cIRQ\u003e\n      __do_softirq+0x117/0x257\n      irq_exit+0x5f/0xbb\n      smp_apic_timer_interrupt+0x8a/0x98\n      apic_timer_interrupt+0x72/0x80\n     \u003cEOI\u003e\n      printk+0x4d/0x4f\n      stop_machine_cpu_stop+0x22c/0x274\n      cpu_stopper_thread+0xae/0x162\n      smpboot_thread_fn+0x258/0x260\n      kthread+0xc7/0xcf\n      ret_from_fork+0x7c/0xb0\n\nSigned-off-by: Ben Greear \u003cgreearb@candelatech.com\u003e\nAcked-by: Tejun Heo \u003ctj@kernel.org\u003e\nAcked-by: Pekka Riikonen \u003cpriikone@iki.fi\u003e\nCc: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n[xr: Backported to 3.4: Adjust context]\nSigned-off-by: Rui Xiang \u003crui.xiang@huawei.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "8c9c6ffb188714b7d22261c029ec9fbc065bb5d1",
      "tree": "5ee033105e8257c1a26dcdd4a7df2a7bbc8f5525",
      "parents": [
        "b9909d5051722bf87a05895fd56517419914136e"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Thu Jan 10 15:26:34 2013 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Jun 19 11:40:31 2015 +0800"
      },
      "message": "softirq: reduce latencies\n\ncommit c10d73671ad30f54692f7f69f0e09e75d3a8926a upstream.\n\nIn various network workloads, __do_softirq() latencies can be up\nto 20 ms if HZ\u003d1000, and 200 ms if HZ\u003d100.\n\nThis is because we iterate 10 times in the softirq dispatcher,\nand some actions can consume a lot of cycles.\n\nThis patch changes the fallback to ksoftirqd condition to :\n\n- A time limit of 2 ms.\n- need_resched() being set on current task\n\nWhen one of this condition is met, we wakeup ksoftirqd for further\nsoftirq processing if we still have pending softirqs.\n\nUsing need_resched() as the only condition can trigger RCU stalls,\nas we can keep BH disabled for too long.\n\nI ran several benchmarks and got no significant difference in\nthroughput, but a very significant reduction of latencies (one order\nof magnitude) :\n\nIn following bench, 200 antagonist \"netperf -t TCP_RR\" are started in\nbackground, using all available cpus.\n\nThen we start one \"netperf -t TCP_RR\", bound to the cpu handling the NIC\nIRQ (hard+soft)\n\nBefore patch :\n\n# netperf -H 7.7.7.84 -t TCP_RR -T2,2 -- -k\nRT_LATENCY,MIN_LATENCY,MAX_LATENCY,P50_LATENCY,P90_LATENCY,P99_LATENCY,MEAN_LATENCY,STDDEV_LATENCY\nMIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET\nto 7.7.7.84 () port 0 AF_INET : first burst 0 : cpu bind\nRT_LATENCY\u003d550110.424\nMIN_LATENCY\u003d146858\nMAX_LATENCY\u003d997109\nP50_LATENCY\u003d305000\nP90_LATENCY\u003d550000\nP99_LATENCY\u003d710000\nMEAN_LATENCY\u003d376989.12\nSTDDEV_LATENCY\u003d184046.92\n\nAfter patch :\n\n# netperf -H 7.7.7.84 -t TCP_RR -T2,2 -- -k\nRT_LATENCY,MIN_LATENCY,MAX_LATENCY,P50_LATENCY,P90_LATENCY,P99_LATENCY,MEAN_LATENCY,STDDEV_LATENCY\nMIGRATED TCP REQUEST/RESPONSE TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET\nto 7.7.7.84 () port 0 AF_INET : first burst 0 : cpu bind\nRT_LATENCY\u003d40545.492\nMIN_LATENCY\u003d9834\nMAX_LATENCY\u003d78366\nP50_LATENCY\u003d33583\nP90_LATENCY\u003d59000\nP99_LATENCY\u003d69000\nMEAN_LATENCY\u003d38364.67\nSTDDEV_LATENCY\u003d12865.26\n\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: David Miller \u003cdavem@davemloft.net\u003e\nCc: Tom Herbert \u003ctherbert@google.com\u003e\nCc: Ben Hutchings \u003cbhutchings@solarflare.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[xr: Backported to 3.4: Adjust context]\nSigned-off-by: Rui Xiang \u003crui.xiang@huawei.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "36cddaebe771b9476da10b724da435d5130bb0aa",
      "tree": "c095ee93018c05172cab85deef8749623536a49b",
      "parents": [
        "7afc45bbf2c761175211a41feb5766a56c2f189a"
      ],
      "author": {
        "name": "Brian Silverman",
        "email": "brian@peloton-tech.com",
        "time": "Wed Feb 18 16:23:56 2015 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Jun 19 11:40:29 2015 +0800"
      },
      "message": "sched: Fix RLIMIT_RTTIME when PI-boosting to RT\n\ncommit 746db9443ea57fd9c059f62c4bfbf41cf224fe13 upstream.\n\nWhen non-realtime tasks get priority-inheritance boosted to a realtime\nscheduling class, RLIMIT_RTTIME starts to apply to them. However, the\ncounter used for checking this (the same one used for SCHED_RR\ntimeslices) was not getting reset. This meant that tasks running with a\nnon-realtime scheduling class which are repeatedly boosted to a realtime\none, but never block while they are running realtime, eventually hit the\ntimeout without ever running for a time over the limit. This patch\nresets the realtime timeslice counter when un-PI-boosting from an RT to\na non-RT scheduling class.\n\nI have some test code with two threads and a shared PTHREAD_PRIO_INHERIT\nmutex which induces priority boosting and spins while boosted that gets\nkilled by a SIGXCPU on non-fixed kernels but doesn\u0027t with this patch\napplied. It happens much faster with a CONFIG_PREEMPT_RT kernel, and\ndoes happen eventually with PREEMPT_VOLUNTARY kernels.\n\nSigned-off-by: Brian Silverman \u003cbrian@peloton-tech.com\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: austin@peloton-tech.com\nLink: http://lkml.kernel.org/r/1424305436-6716-1-git-send-email-brian@peloton-tech.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\n[lizf: Backported to 3.4: adjust contest]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "7afc45bbf2c761175211a41feb5766a56c2f189a",
      "tree": "c061ab20787c9701731568d68401c32a27f39dac",
      "parents": [
        "e5b3d85e53f72d0b18908a05b7366aaea3f893f5"
      ],
      "author": {
        "name": "Peter Zijlstra",
        "email": "peterz@infradead.org",
        "time": "Thu Feb 19 18:03:11 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Jun 19 11:40:28 2015 +0800"
      },
      "message": "perf: Fix irq_work \u0027tail\u0027 recursion\n\ncommit d525211f9d1be8b523ec7633f080f2116f5ea536 upstream.\n\nVince reported a watchdog lockup like:\n\n\t[\u003cffffffff8115e114\u003e] perf_tp_event+0xc4/0x210\n\t[\u003cffffffff810b4f8a\u003e] perf_trace_lock+0x12a/0x160\n\t[\u003cffffffff810b7f10\u003e] lock_release+0x130/0x260\n\t[\u003cffffffff816c7474\u003e] _raw_spin_unlock_irqrestore+0x24/0x40\n\t[\u003cffffffff8107bb4d\u003e] do_send_sig_info+0x5d/0x80\n\t[\u003cffffffff811f69df\u003e] send_sigio_to_task+0x12f/0x1a0\n\t[\u003cffffffff811f71ce\u003e] send_sigio+0xae/0x100\n\t[\u003cffffffff811f72b7\u003e] kill_fasync+0x97/0xf0\n\t[\u003cffffffff8115d0b4\u003e] perf_event_wakeup+0xd4/0xf0\n\t[\u003cffffffff8115d103\u003e] perf_pending_event+0x33/0x60\n\t[\u003cffffffff8114e3fc\u003e] irq_work_run_list+0x4c/0x80\n\t[\u003cffffffff8114e448\u003e] irq_work_run+0x18/0x40\n\t[\u003cffffffff810196af\u003e] smp_trace_irq_work_interrupt+0x3f/0xc0\n\t[\u003cffffffff816c99bd\u003e] trace_irq_work_interrupt+0x6d/0x80\n\nWhich is caused by an irq_work generating new irq_work and therefore\nnot allowing forward progress.\n\nThis happens because processing the perf irq_work triggers another\nperf event (tracepoint stuff) which in turn generates an irq_work ad\ninfinitum.\n\nAvoid this by raising the recursion counter in the irq_work -- which\neffectively disables all software events (including tracepoints) from\nactually triggering again.\n\nReported-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nTested-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@kernel.org\u003e\nCc: Jiri Olsa \u003cjolsa@redhat.com\u003e\nCc: Paul Mackerras \u003cpaulus@samba.org\u003e\nCc: Steven Rostedt \u003crostedt@goodmis.org\u003e\nLink: http://lkml.kernel.org/r/20150219170311.GH21418@twins.programming.kicks-ass.net\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "cf46e6e7354fb1b0d5c39797b60270a88778999e",
      "tree": "5a601d672910aca322acdf5672c272b00eec51b0",
      "parents": [
        "2d4293a85d30bd669f6bf7578689618cd454a2c8"
      ],
      "author": {
        "name": "Steven Rostedt (Red Hat)",
        "email": "rostedt@goodmis.org",
        "time": "Fri Mar 06 19:55:13 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Jun 19 11:40:23 2015 +0800"
      },
      "message": "ftrace: Fix ftrace enable ordering of sysctl ftrace_enabled\n\ncommit 524a38682573b2e15ab6317ccfe50280441514be upstream.\n\nSome archs (specifically PowerPC), are sensitive with the ordering of\nthe enabling of the calls to function tracing and setting of the\nfunction to use to be traced.\n\nThat is, update_ftrace_function() sets what function the ftrace_caller\ntrampoline should call. Some archs require this to be set before\ncalling ftrace_run_update_code().\n\nAnother bug was discovered, that ftrace_startup_sysctl() called\nftrace_run_update_code() directly. If the function the ftrace_caller\ntrampoline changes, then it will not be updated. Instead a call\nto ftrace_startup_enable() should be called because it tests to see\nif the callback changed since the code was disabled, and will\ntell the arch to update appropriately. Most archs do not need this\nnotification, but PowerPC does.\n\nThe problem could be seen by the following commands:\n\n # echo 0 \u003e /proc/sys/kernel/ftrace_enabled\n # echo function \u003e /sys/kernel/debug/tracing/current_tracer\n # echo 1 \u003e /proc/sys/kernel/ftrace_enabled\n # cat /sys/kernel/debug/tracing/trace\n\nThe trace will show that function tracing was not active.\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "2d4293a85d30bd669f6bf7578689618cd454a2c8",
      "tree": "21934564fdc2ac61cf35a031cc6eb05fcb0da98f",
      "parents": [
        "2932a0a1abaaab014a5698c26dc95956618b4286"
      ],
      "author": {
        "name": "Pratyush Anand",
        "email": "panand@redhat.com",
        "time": "Fri Mar 06 23:58:06 2015 +0530"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Jun 19 11:40:23 2015 +0800"
      },
      "message": "ftrace: Fix en(dis)able graph caller when en(dis)abling record via sysctl\n\ncommit 1619dc3f8f555ee1cdd3c75db3885d5715442b12 upstream.\n\nWhen ftrace is enabled globally through the proc interface, we must check if\nftrace_graph_active is set. If it is set, then we should also pass the\nFTRACE_START_FUNC_RET command to ftrace_run_update_code(). Similarly, when\nftrace is disabled globally through the proc interface, we must check if\nftrace_graph_active is set. If it is set, then we should also pass the\nFTRACE_STOP_FUNC_RET command to ftrace_run_update_code().\n\nConsider the following situation.\n\n # echo 0 \u003e /proc/sys/kernel/ftrace_enabled\n\nAfter this ftrace_enabled \u003d 0.\n\n # echo function_graph \u003e /sys/kernel/debug/tracing/current_tracer\n\nSince ftrace_enabled \u003d 0, ftrace_enable_ftrace_graph_caller() is never\ncalled.\n\n # echo 1 \u003e /proc/sys/kernel/ftrace_enabled\n\nNow ftrace_enabled will be set to true, but still\nftrace_enable_ftrace_graph_caller() will not be called, which is not\ndesired.\n\nFurther if we execute the following after this:\n  # echo nop \u003e /sys/kernel/debug/tracing/current_tracer\n\nNow since ftrace_enabled is set it will call\nftrace_disable_ftrace_graph_caller(), which causes a kernel warning on\nthe ARM platform.\n\nOn the ARM platform, when ftrace_enable_ftrace_graph_caller() is called,\nit checks whether the old instruction is a nop or not. If it\u0027s not a nop,\nthen it returns an error. If it is a nop then it replaces instruction at\nthat address with a branch to ftrace_graph_caller.\nftrace_disable_ftrace_graph_caller() behaves just the opposite. Therefore,\nif generic ftrace code ever calls either ftrace_enable_ftrace_graph_caller()\nor ftrace_disable_ftrace_graph_caller() consecutively two times in a row,\nthen it will return an error, which will cause the generic ftrace code to\nraise a warning.\n\nNote, x86 does not have an issue with this because the architecture\nspecific code for ftrace_enable_ftrace_graph_caller() and\nftrace_disable_ftrace_graph_caller() does not check the previous state,\nand calling either of these functions twice in a row has no ill effect.\n\nLink: http://lkml.kernel.org/r/e4fbe64cdac0dd0e86a3bf914b0f83c0b419f146.1425666454.git.panand@redhat.com\n\nSigned-off-by: Pratyush Anand \u003cpanand@redhat.com\u003e\n[\n  removed extra if (ftrace_start_up) and defined ftrace_graph_active as 0\n  if CONFIG_FUNCTION_GRAPH_TRACER is not set.\n]\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "7ebae41be6d18aa63ea086f3522243d090a8fc8d",
      "tree": "5af29bd6c2440db5cb2044887c9a9864e917d0e8",
      "parents": [
        "f835912a7be0ac4f06f3e5995e29726af45a3095"
      ],
      "author": {
        "name": "Peter Hurley",
        "email": "peter@hurleysoftware.com",
        "time": "Sun Mar 01 10:11:05 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Jun 19 11:40:22 2015 +0800"
      },
      "message": "console: Fix console name size mismatch\n\ncommit 30a22c215a0007603ffc08021f2e8b64018517dd upstream.\n\ncommit 6ae9200f2cab7 (\"enlarge console.name\") increased the storage\nfor the console name to 16 bytes, but not the corresponding\nstruct console_cmdline::name storage. Console names longer than\n8 bytes cause read beyond end-of-string and failure to match\nconsole; I\u0027m not sure if there are other unexpected consequences.\n\nSigned-off-by: Peter Hurley \u003cpeter@hurleysoftware.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n[lizf: Backported to 3.4:\n - adjust filename\n - s/c-\u003ename/console_cmdline[i].name/]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "bcf9fe97c24187e0590536886281a120e2bfbeba",
      "tree": "0e016140008642d623e2dce4f6cc6a57565aad49",
      "parents": [
        "c42a6c35db2f573ab1f58c9799ea4f41b759602f"
      ],
      "author": {
        "name": "Jay Lan",
        "email": "jlan@sgi.com",
        "time": "Mon Sep 29 15:36:57 2014 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Fri Jun 19 11:40:17 2015 +0800"
      },
      "message": "kdb: fix incorrect counts in KDB summary command output\n\ncommit 146755923262037fc4c54abc28c04b1103f3cc51 upstream.\n\nThe output of KDB \u0027summary\u0027 command should report MemTotal, MemFree\nand Buffers output in kB. Current codes report in unit of pages.\n\nA define of K(x) as\nis defined in the code, but not used.\n\nThis patch would apply the define to convert the values to kB.\nPlease include me on Cc on replies. I do not subscribe to linux-kernel.\n\nSigned-off-by: Jay Lan \u003cjlan@sgi.com\u003e\nSigned-off-by: Jason Wessel \u003cjason.wessel@windriver.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "3916004126ba69346c303a779a062db80f719e9f",
      "tree": "80482c4936d00ee28228a26952a8740ae72efc7f",
      "parents": [
        "be383c7cf280df927999c45a92ec3a68a8dfe489",
        "7831a858f850372f0357229c79f650e0e2e596e2"
      ],
      "author": {
        "name": "David Hays",
        "email": "dhays90@gmail.com",
        "time": "Wed Apr 22 08:38:59 2015 -0500"
      },
      "committer": {
        "name": "Matt Mower",
        "email": "mowerm@gmail.com",
        "time": "Thu Apr 23 10:45:50 2015 -0500"
      },
      "message": "Merge remote-tracking branch \u0027caf/LA.AF.1.1_rb1.17\u0027 into cm-12.1\n\nChange-Id: I6d3bc1916bbc7872c2acbf93549334f70269a5db\n"
    },
    {
      "commit": "f8cce9e338db5d455e62a4b9abbbeda3d5a0e203",
      "tree": "9b48980a10250b2549a3e9b082414e098517bea3",
      "parents": [
        "9493ef4e311954d800e494196dccc423e5f1cfa5"
      ],
      "author": {
        "name": "John Stultz",
        "email": "john.stultz@linaro.org",
        "time": "Mon Feb 09 23:30:36 2015 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Tue Apr 14 17:34:04 2015 +0800"
      },
      "message": "ntp: Fixup adjtimex freq validation on 32-bit systems\n\ncommit 29183a70b0b828500816bd794b3fe192fce89f73 upstream.\n\nAdditional validation of adjtimex freq values to avoid\npotential multiplication overflows were added in commit\n5e5aeb4367b (time: adjtimex: Validate the ADJ_FREQUENCY values)\n\nUnfortunately the patch used LONG_MAX/MIN instead of\nLLONG_MAX/MIN, which was fine on 64-bit systems, but being\nmuch smaller on 32-bit systems caused false positives\nresulting in most direct frequency adjustments to fail w/\nEINVAL.\n\nntpd only does direct frequency adjustments at startup, so\nthe issue was not as easily observed there, but other time\nsync applications like ptpd and chrony were more effected by\nthe bug.\n\nSee bugs:\n\n  https://bugzilla.kernel.org/show_bug.cgi?id\u003d92481\n  https://bugzilla.redhat.com/show_bug.cgi?id\u003d1188074\n\nThis patch changes the checks to use LLONG_MAX for\nclarity, and additionally the checks are disabled\non 32-bit systems since LLONG_MAX/PPM_SCALE is always\nlarger then the 32-bit long freq value, so multiplication\noverflows aren\u0027t possible there.\n\nReported-by: Josh Boyer \u003cjwboyer@fedoraproject.org\u003e\nReported-by: George Joseph \u003cgeorge.joseph@fairview5.com\u003e\nTested-by: George Joseph \u003cgeorge.joseph@fairview5.com\u003e\nSigned-off-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Sasha Levin \u003csasha.levin@oracle.com\u003e\nLink: http://lkml.kernel.org/r/1423553436-29747-1-git-send-email-john.stultz@linaro.org\n[ Prettified the changelog and the comments a bit. ]\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "590603b71e399e5dbf328eda7b780ee0dca939ce",
      "tree": "5959e9dc2080225bd89a930ddd7cf2425ff2d89c",
      "parents": [
        "c12b6db9f1a9841949ce5776b71dffb03f911692"
      ],
      "author": {
        "name": "Tim Chen",
        "email": "tim.c.chen@linux.intel.com",
        "time": "Fri Dec 12 15:38:12 2014 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Tue Apr 14 17:34:03 2015 +0800"
      },
      "message": "sched/rt: Reduce rq lock contention by eliminating locking of non-feasible target\n\ncommit 80e3d87b2c5582db0ab5e39610ce3707d97ba409 upstream.\n\nThis patch adds checks that prevens futile attempts to move rt tasks\nto a CPU with active tasks of equal or higher priority.\n\nThis reduces run queue lock contention and improves the performance of\na well known OLTP benchmark by 0.7%.\n\nSigned-off-by: Tim Chen \u003ctim.c.chen@linux.intel.com\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: Shawn Bohrer \u003csbohrer@rgmadvisors.com\u003e\nCc: Suruchi Kadu \u003csuruchi.a.kadu@intel.com\u003e\nCc: Doug Nelson\u003cdoug.nelson@intel.com\u003e\nCc: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nLink: http://lkml.kernel.org/r/1421430374.2399.27.camel@schen9-desk2.jf.intel.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "6fd17def6d964c81205230e02b4208c653106d51",
      "tree": "1253f07591fe80dc3442db927536c1b3f66b5cd7",
      "parents": [
        "a42e15a485c14f6d994192af4c16775fbd6c1126"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Oct 26 19:19:16 2014 -0400"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Tue Apr 14 17:33:58 2015 +0800"
      },
      "message": "move d_rcu from overlapping d_child to overlapping d_alias\n\ncommit 946e51f2bf37f1656916eb75bd0742ba33983c28 upstream.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n[bwh: Backported to 3.2:\n - Apply name changes in all the different places we use d_alias and d_child\n - Move the WARN_ON() in __d_free() to d_free() as we don\u0027t have dentry_free()]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n[lizf: Backported to 3.4:\n - adjust context\n - need one more name change in debugfs]\n"
    },
    {
      "commit": "3f6d9b62622ce5dbb870160cb3da5f8bfc87adee",
      "tree": "91e676b714b14bd2b06f4ec68bd892963a966961",
      "parents": [
        "370375c0a447eefedc19e872e5137eeff47162f2"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sasha.levin@oracle.com",
        "time": "Wed Dec 03 19:25:05 2014 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Tue Apr 14 17:33:51 2015 +0800"
      },
      "message": "time: adjtimex: Validate the ADJ_FREQUENCY values\n\ncommit 5e5aeb4367b450a28f447f6d5ab57d8f2ab16a5f upstream.\n\nVerify that the frequency value from userspace is valid and makes sense.\n\nUnverified values can cause overflows later on.\n\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n[jstultz: Fix up bug for negative values and drop redunent cap check]\nSigned-off-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "370375c0a447eefedc19e872e5137eeff47162f2",
      "tree": "57fbb90eb9b5fbb56fc8733bafaf252e1d85c9f6",
      "parents": [
        "b25489c724b2775cb5eb3eb6d525ad355d1b1f47"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sasha.levin@oracle.com",
        "time": "Wed Dec 03 19:22:48 2014 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Tue Apr 14 17:33:50 2015 +0800"
      },
      "message": "time: settimeofday: Validate the values of tv from user\n\ncommit 6ada1fc0e1c4775de0e043e1bd3ae9d065491aa5 upstream.\n\nAn unvalidated user input is multiplied by a constant, which can result in\nan undefined behaviour for large values. While this is validated later,\nwe should avoid triggering undefined behaviour.\n\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n[jstultz: include trivial milisecond-\u003emicrosecond correction noticed\nby Andy]\nSigned-off-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\n[lizf: Backported to 3.4: adjust filename]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "0d030473658c7760c4cdd4fd0cc61e287b6023b3",
      "tree": "0e66b9c5b5a6760e43c38bb8899fb2964bf5deba",
      "parents": [
        "81cc271d2c4a179aae41c503562af9e11ce94adc"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Thu Dec 11 23:01:41 2014 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Tue Apr 14 17:33:46 2015 +0800"
      },
      "message": "genirq: Prevent proc race against freeing of irq descriptors\n\ncommit c291ee622165cb2c8d4e7af63fffd499354a23be upstream.\n\nSince the rework of the sparse interrupt code to actually free the\nunused interrupt descriptors there exists a race between the /proc\ninterfaces to the irq subsystem and the code which frees the interrupt\ndescriptor.\n\nCPU0\t\t\t\tCPU1\n\t\t\t\tshow_interrupts()\n\t\t\t\t  desc \u003d irq_to_desc(X);\nfree_desc(desc)\n  remove_from_radix_tree();\n  kfree(desc);\n\t\t\t\t  raw_spinlock_irq(\u0026desc-\u003elock);\n\n/proc/interrupts is the only interface which can actively corrupt\nkernel memory via the lock access. /proc/stat can only read from freed\nmemory. Extremly hard to trigger, but possible.\n\nThe interfaces in /proc/irq/N/ are not affected by this because the\nremoval of the proc file is serialized in procfs against concurrent\nreaders/writers. The removal happens before the descriptor is freed.\n\nFor architectures which have CONFIG_SPARSE_IRQ\u003dn this is a non issue\nas the descriptor is never freed. It\u0027s merely cleared out with the irq\ndescriptor lock held. So any concurrent proc access will either see\nthe old correct value or the cleared out ones.\n\nProtect the lookup and access to the irq descriptor in\nshow_interrupts() with the sparse_irq_lock.\n\nProvide kstat_irqs_usr() which is protecting the lookup and access\nwith sparse_irq_lock and switch /proc/stat to use it.\n\nDocument the existing kstat_irqs interfaces so it\u0027s clear that the\ncaller needs to take care about protection. The users of these\ninterfaces are either not affected due to SPARSE_IRQ\u003dn or already\nprotected against removal.\n\nFixes: 1f5a5b87f78f \"genirq: Implement a sane sparse_irq allocator\"\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\n[lizf: Backported to 3.4:\n - define kstat_irqs() for CONFIG_GENERIC_HARDIRQS\n - add ifdef/endif CONFIG_SPARSE_IRQ]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "2fd850335c7e8e988ea935691590346ad2d7009e",
      "tree": "aaceae19915c5e23b769bde5ec29296f7dbb3fb3",
      "parents": [
        "84c25087058c0dd06a0637091661ad4eda611b26"
      ],
      "author": {
        "name": "Biswajit Paul",
        "email": "biswajitpaul@codeaurora.org",
        "time": "Mon Feb 09 15:21:12 2015 -0800"
      },
      "committer": {
        "name": "Gerrit - the friendly Code Review server",
        "email": "code-review@localhost",
        "time": "Wed Apr 08 22:36:02 2015 -0700"
      },
      "message": "kernel: Restrict permissions of /proc/iomem.\n\nThe permissions of /proc/iomem currently are -r--r--r--. Everyone can\nsee its content. As iomem contains information about the physical memory\ncontent of the device, restrict the information only to root.\n\nChange-Id: If0be35c3fac5274151bea87b738a48e6ec0ae891\nCRs-Fixed: 786116\nSigned-off-by: Biswajit Paul \u003cbiswajitpaul@codeaurora.org\u003e\nSigned-off-by: Avijit Kanti Das \u003cavijitnsec@codeaurora.org\u003e\n"
    },
    {
      "commit": "c7258f9c79d5161d9e5118bfa34387eaf705a84c",
      "tree": "9f38f752c911424b5f49c76f510c4a090351fe23",
      "parents": [
        "28b8962274e4f964feb2c92b717820de6b203202",
        "a8fa520aef7044c3366dc8eaa860624a3140a721"
      ],
      "author": {
        "name": "Matt Mower",
        "email": "mowerm@gmail.com",
        "time": "Tue Mar 31 14:34:18 2015 -0700"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Tue Mar 31 14:58:55 2015 -0700"
      },
      "message": "Merge remote-tracking branch \u0027caf/LA.AF.1.1_rb1.16\u0027 into cm-12.1\n\nConflicts:\n\tdrivers/gpu/ion/ion.c\n\tdrivers/gpu/ion/ion_cma_heap.c\n\tdrivers/media/video/msm/actuators/msm_actuator.c\n\tdrivers/media/video/msm/cpp/msm_cpp.c\n\tdrivers/media/video/msm/csi/msm_csid.c\n\tdrivers/media/video/msm/msm_vpe.c\n\tdrivers/misc/qseecom.c\n\nChange-Id: Iba8bebe2bc49c9c70b848833ecda9ab4480fa3fd\n"
    },
    {
      "commit": "600cbf8b9c94d32a465191dd0a3f07d5fa0d6d18",
      "tree": "b9e4ee6546deae1a03d83d54b9ced35d0ebce117",
      "parents": [
        "16942c11bf89a29479a1539b463b69eb4a760319"
      ],
      "author": {
        "name": "Swetha Chikkaboraiah",
        "email": "schikk@codeaurora.org",
        "time": "Wed Sep 17 17:28:13 2014 +0530"
      },
      "committer": {
        "name": "Gerrit - the friendly Code Review server",
        "email": "code-review@localhost",
        "time": "Tue Feb 10 01:59:54 2015 -0800"
      },
      "message": "kernel: cgroup: protecting css_set object\n\nAccessing the css_set object should be protected with css_set_lock.\nNULL check is required before accesing object.\n\nCRs-fixed: 723762\nChange-Id: Ia3a0314a04419889d5002a8f2bf2c1fe9dfa3671\nSigned-off-by: Swetha Chikkaboraiah \u003cschikk@codeaurora.org\u003e\n"
    },
    {
      "commit": "bf5dbba17a6816e0b7f33abc034f5ca089884e10",
      "tree": "2bf58f35a1901e24afa52a01a01e38197e8639cc",
      "parents": [
        "3b5d98d44729594d72d3c36881234b7caa040d87"
      ],
      "author": {
        "name": "Miklos Szeredi",
        "email": "mszeredi@suse.cz",
        "time": "Tue Nov 04 11:27:12 2014 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:05:19 2015 +0800"
      },
      "message": "audit: keep inode pinned\n\ncommit 799b601451b21ebe7af0e6e8f6e2ccd4683c5064 upstream.\n\nAudit rules disappear when an inode they watch is evicted from the cache.\nThis is likely not what we want.\n\nThe guilty commit is \"fsnotify: allow marks to not pin inodes in core\",\nwhich didn\u0027t take into account that audit_tree adds watches with a zero\nmask.\n\nAdding any mask should fix this.\n\nFixes: 90b1e7a57880 (\"fsnotify: allow marks to not pin inodes in core\")\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "9922dba85d9a2d752297ff6030f6af84156472a7",
      "tree": "0922b53129ab374e0f3ae68d992ed393fe7f0d50",
      "parents": [
        "4e6b1b9702836498015705ea4e870aab6b3dc637"
      ],
      "author": {
        "name": "Rabin Vincent",
        "email": "rabin@rab.in",
        "time": "Wed Oct 29 23:06:58 2014 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:05:09 2015 +0800"
      },
      "message": "tracing/syscalls: Ignore numbers outside NR_syscalls\u0027 range\n\ncommit 086ba77a6db00ed858ff07451bedee197df868c9 upstream.\n\nARM has some private syscalls (for example, set_tls(2)) which lie\noutside the range of NR_syscalls.  If any of these are called while\nsyscall tracing is being performed, out-of-bounds array access will\noccur in the ftrace and perf sys_{enter,exit} handlers.\n\n # trace-cmd record -e raw_syscalls:* true \u0026\u0026 trace-cmd report\n ...\n true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)\n true-653   [000]   384.675812: sys_exit:             NR 192 \u003d 1995915264\n true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)\n true-653   [000]   384.675988: sys_exit:             NR 983045 \u003d 0\n ...\n\n # trace-cmd record -e syscalls:* true\n [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace\n [   17.289590] pgd \u003d 9e71c000\n [   17.289696] [aaaaaace] *pgd\u003d00000000\n [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM\n [   17.290169] Modules linked in:\n [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21\n [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000\n [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8\n [   17.290866] LR is at syscall_trace_enter+0x124/0x184\n\nFix this by ignoring out-of-NR_syscalls-bounds syscall numbers.\n\nCommit cd0980fc8add \"tracing: Check invalid syscall nr while tracing syscalls\"\nadded the check for less than zero, but it should have also checked\nfor greater than NR_syscalls.\n\nLink: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in\n\nFixes: cd0980fc8add \"tracing: Check invalid syscall nr while tracing syscalls\"\nSigned-off-by: Rabin Vincent \u003crabin@rab.in\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "4e6b1b9702836498015705ea4e870aab6b3dc637",
      "tree": "c58ad4ef4acc964f641983100617a0e82f1bc1a4",
      "parents": [
        "7aff1a05050df389dd41eb1d2b9ade8d9ecb3c6c"
      ],
      "author": {
        "name": "Will Deacon",
        "email": "will.deacon@arm.com",
        "time": "Thu Aug 16 18:14:14 2012 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:05:09 2015 +0800"
      },
      "message": "tracing/syscalls: Fix perf syscall tracing when syscall_nr \u003d\u003d -1\n\ncommit 60916a9382e88fbf5e54fd36a3e658efd7ab7bed upstream.\n\nsyscall_get_nr can return -1 in the case that the task is not executing\na system call.\n\nThis patch fixes perf_syscall_{enter,exit} to check that the syscall\nnumber is valid before using it as an index into a bitmap.\n\nLink: http://lkml.kernel.org/r/1345137254-7377-1-git-send-email-will.deacon@arm.com\n\nCc: Jason Baron \u003cjbaron@redhat.com\u003e\nCc: Wade Farnsworth \u003cwade_farnsworth@mentor.com\u003e\nCc: Frederic Weisbecker \u003cfweisbec@gmail.com\u003e\nSigned-off-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "358105b826419ac319ad05b398d40a31c52de90d",
      "tree": "c2edf4a478a37b1c5d2bb97af8fd5cf88d479f40",
      "parents": [
        "b1a76f1c42ec736247cd9a789d67532f7f2a1d31"
      ],
      "author": {
        "name": "Imre Deak",
        "email": "imre.deak@intel.com",
        "time": "Fri Oct 24 20:29:10 2014 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:05:05 2015 +0800"
      },
      "message": "PM / Sleep: fix recovery during resuming from hibernation\n\ncommit 94fb823fcb4892614f57e59601bb9d4920f24711 upstream.\n\nIf a device\u0027s dev_pm_ops::freeze callback fails during the QUIESCE\nphase, we don\u0027t rollback things correctly calling the thaw and complete\ncallbacks. This could leave some devices in a suspended state in case of\nan error during resuming from hibernation.\n\nSigned-off-by: Imre Deak \u003cimre.deak@intel.com\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "b1a76f1c42ec736247cd9a789d67532f7f2a1d31",
      "tree": "0aa981018542362f019b490aeda77b202bd890a3",
      "parents": [
        "aab6a6fa71741bb96288b634d4506e1630dba46a"
      ],
      "author": {
        "name": "Brian Silverman",
        "email": "bsilver16384@gmail.com",
        "time": "Sat Oct 25 20:20:37 2014 -0400"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:05:05 2015 +0800"
      },
      "message": "futex: Fix a race condition between REQUEUE_PI and task death\n\ncommit 30a6b8031fe14031ab27c1fa3483cb9780e7f63c upstream.\n\nfree_pi_state and exit_pi_state_list both clean up futex_pi_state\u0027s.\nexit_pi_state_list takes the hb lock first, and most callers of\nfree_pi_state do too. requeue_pi doesn\u0027t, which means free_pi_state\ncan free the pi_state out from under exit_pi_state_list. For example:\n\ntask A                            |  task B\nexit_pi_state_list                |\n  pi_state \u003d                      |\n      curr-\u003epi_state_list-\u003enext   |\n                                  |  futex_requeue(requeue_pi\u003d1)\n                                  |    // pi_state is the same as\n                                  |    // the one in task A\n                                  |    free_pi_state(pi_state)\n                                  |      list_del_init(\u0026pi_state-\u003elist)\n                                  |      kfree(pi_state)\n  list_del_init(\u0026pi_state-\u003elist)  |\n\nMove the free_pi_state calls in requeue_pi to before it drops the hb\nlocks which it\u0027s already holding.\n\n[ tglx: Removed a pointless free_pi_state() call and the hb-\u003elock held\n  \tdebugging. The latter comes via a seperate patch ]\n\nSigned-off-by: Brian Silverman \u003cbsilver16384@gmail.com\u003e\nCc: austin.linux@gmail.com\nCc: darren@dvhart.com\nCc: peterz@infradead.org\nLink: http://lkml.kernel.org/r/1414282837-23092-1-git-send-email-bsilver16384@gmail.com\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "aab6a6fa71741bb96288b634d4506e1630dba46a",
      "tree": "3fb2f71085b63a5705445552aefe6527f92196ba",
      "parents": [
        "65979d9f71de14952febb9f397a5949c220fa2dd"
      ],
      "author": {
        "name": "Mathias Krause",
        "email": "minipli@googlemail.com",
        "time": "Sat Oct 04 23:06:39 2014 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:05:05 2015 +0800"
      },
      "message": "posix-timers: Fix stack info leak in timer_create()\n\ncommit 6891c4509c792209c44ced55a60f13954cb50ef4 upstream.\n\nIf userland creates a timer without specifying a sigevent info, we\u0027ll\ncreate one ourself, using a stack local variable. Particularly will we\nuse the timer ID as sival_int. But as sigev_value is a union containing\na pointer and an int, that assignment will only partially initialize\nsigev_value on systems where the size of a pointer is bigger than the\nsize of an int. On such systems we\u0027ll copy the uninitialized stack bytes\nfrom the timer_create() call to userland when the timer actually fires\nand we\u0027re going to deliver the signal.\n\nInitialize sigev_value with 0 to plug the stack info leak.\n\nFound in the PaX patch, written by the PaX Team.\n\nFixes: 5a9fa7307285 (\"posix-timers: kill -\u003eit_sigev_signo and...\")\nSigned-off-by: Mathias Krause \u003cminipli@googlemail.com\u003e\nCc: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: Brad Spengler \u003cspender@grsecurity.net\u003e\nCc: PaX Team \u003cpageexec@freemail.hu\u003e\nLink: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\n[lizf: Backported to 3.4: adjust filename]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "7655f8554eb2792101151ba7a79919bf0a78b51c",
      "tree": "936925abffd063c3e1dcf8122d8100007855b7f5",
      "parents": [
        "b71ec07584b31aacb937d8b775a6e373b109028a"
      ],
      "author": {
        "name": "Michal Hocko",
        "email": "mhocko@suse.cz",
        "time": "Mon Oct 20 18:12:32 2014 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:04:55 2015 +0800"
      },
      "message": "OOM, PM: OOM killed task shouldn\u0027t escape PM suspend\n\ncommit 5695be142e203167e3cb515ef86a88424f3524eb upstream.\n\nPM freezer relies on having all tasks frozen by the time devices are\ngetting frozen so that no task will touch them while they are getting\nfrozen. But OOM killer is allowed to kill an already frozen task in\norder to handle OOM situtation. In order to protect from late wake ups\nOOM killer is disabled after all tasks are frozen. This, however, still\nkeeps a window open when a killed task didn\u0027t manage to die by the time\nfreeze_processes finishes.\n\nReduce the race window by checking all tasks after OOM killer has been\ndisabled. This is still not race free completely unfortunately because\noom_killer_disable cannot stop an already ongoing OOM killer so a task\nmight still wake up from the fridge and get killed without\nfreeze_processes noticing. Full synchronization of OOM and freezer is,\nhowever, too heavy weight for this highly unlikely case.\n\nIntroduce and check oom_kills counter which gets incremented early when\nthe allocator enters __alloc_pages_may_oom path and only check all the\ntasks if the counter changes during the freezing attempt. The counter\nis updated so early to reduce the race window since allocator checked\noom_killer_disabled which is set by PM-freezing code. A false positive\nwill push the PM-freezer into a slow path but that is not a big deal.\n\nChanges since v1\n- push the re-check loop out of freeze_processes into\n  check_frozen_processes and invert the condition to make the code more\n  readable as per Rafael\n\nFixes: f660daac474c6f (oom: thaw threads if oom killed thread is frozen before deferring)\nSigned-off-by: Michal Hocko \u003cmhocko@suse.cz\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "b71ec07584b31aacb937d8b775a6e373b109028a",
      "tree": "2bb5d578e9f8308a842033fb3dd968a061b0d21a",
      "parents": [
        "ace595fd79ba3c6f1d067e8be9d311951f591d9c"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Tue Jan 21 15:49:56 2014 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:04:55 2015 +0800"
      },
      "message": "introduce for_each_thread() to replace the buggy while_each_thread()\n\ncommit 0c740d0afc3bff0a097ad03a1c8df92757516f5c upstream.\n\nwhile_each_thread() and next_thread() should die, almost every lockless\nusage is wrong.\n\n1. Unless g \u003d\u003d current, the lockless while_each_thread() is not safe.\n\n   while_each_thread(g, t) can loop forever if g exits, next_thread()\n   can\u0027t reach the unhashed thread in this case. Note that this can\n   happen even if g is the group leader, it can exec.\n\n2. Even if while_each_thread() itself was correct, people often use\n   it wrongly.\n\n   It was never safe to just take rcu_read_lock() and loop unless\n   you verify that pid_alive(g) \u003d\u003d T, even the first next_thread()\n   can point to the already freed/reused memory.\n\nThis patch adds signal_struct-\u003ethread_head and task-\u003ethread_node to\ncreate the normal rcu-safe list with the stable head.  The new\nfor_each_thread(g, t) helper is always safe under rcu_read_lock() as\nlong as this task_struct can\u0027t go away.\n\nNote: of course it is ugly to have both task_struct-\u003ethread_node and the\nold task_struct-\u003ethread_group, we will kill it later, after we change\nthe users of while_each_thread() to use for_each_thread().\n\nPerhaps we can kill it even before we convert all users, we can\nreimplement next_thread(t) using the new thread_head/thread_node.  But\nwe can\u0027t do this right now because this will lead to subtle behavioural\nchanges.  For example, do/while_each_thread() always sees at least one\ntask, while for_each_thread() can do nothing if the whole thread group\nhas died.  Or thread_group_empty(), currently its semantics is not clear\nunless thread_group_leader(p) and we need to audit the callers before we\ncan change it.\n\nSo this patch adds the new interface which has to coexist with the old\none for some time, hopefully the next changes will be more or less\nstraightforward and the old one will go away soon.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Sergey Dyasly \u003cdserrg@gmail.com\u003e\nTested-by: Sergey Dyasly \u003cdserrg@gmail.com\u003e\nReviewed-by: Sameer Nanda \u003csnanda@chromium.org\u003e\nAcked-by: David Rientjes \u003crientjes@google.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Frederic Weisbecker \u003cfweisbec@gmail.com\u003e\nCc: Mandeep Singh Baines \u003cmsb@chromium.org\u003e\nCc: \"Ma, Xindong\" \u003cxindong.ma@intel.com\u003e\nCc: Michal Hocko \u003cmhocko@suse.cz\u003e\nCc: \"Tu, Xiaobing\" \u003cxiaobing.tu@intel.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "ace595fd79ba3c6f1d067e8be9d311951f591d9c",
      "tree": "1fcc736f9db817e4b1ae6016f6a7d6f02382d19b",
      "parents": [
        "a2ca02f15bababecd0b0626a13a6291fd2d04dbc"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Wed Jul 03 15:08:30 2013 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:04:55 2015 +0800"
      },
      "message": "kernel/fork.c:copy_process(): unify CLONE_THREAD-or-thread_group_leader code\n\ncommit 80628ca06c5d42929de6bc22c0a41589a834d151 upstream.\n\nCleanup and preparation for the next changes.\n\nMove the \"if (clone_flags \u0026 CLONE_THREAD)\" code down under \"if\n(likely(p-\u003epid))\" and turn it into into the \"else\" branch.  This makes the\nprocess/thread initialization more symmetrical and removes one check.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Michal Hocko \u003cmhocko@suse.cz\u003e\nCc: Pavel Emelyanov \u003cxemul@parallels.com\u003e\nCc: Sergey Dyasly \u003cdserrg@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a2ca02f15bababecd0b0626a13a6291fd2d04dbc",
      "tree": "fb8fc09d9185b641bf3fc08c2281e935a8cc50e6",
      "parents": [
        "7e55164764dc6dad42ae86ae5ebec4f352a87fdb"
      ],
      "author": {
        "name": "Cong Wang",
        "email": "xiyou.wangcong@gmail.com",
        "time": "Tue Oct 21 09:27:12 2014 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:04:54 2015 +0800"
      },
      "message": "freezer: Do not freeze tasks killed by OOM killer\n\ncommit 51fae6da640edf9d266c94f36bc806c63c301991 upstream.\n\nSince f660daac474c6f (oom: thaw threads if oom killed thread is frozen\nbefore deferring) OOM killer relies on being able to thaw a frozen task\nto handle OOM situation but a3201227f803 (freezer: make freezing() test\nfreeze conditions in effect instead of TIF_FREEZE) has reorganized the\ncode and stopped clearing freeze flag in __thaw_task. This means that\nthe target task only wakes up and goes into the fridge again because the\nfreezing condition hasn\u0027t changed for it. This reintroduces the bug\nfixed by f660daac474c6f.\n\nFix the issue by checking for TIF_MEMDIE thread flag in\nfreezing_slow_path and exclude the task from freezing completely. If a\ntask was already frozen it would get woken by __thaw_task from OOM killer\nand get out of freezer after rechecking freezing().\n\nChanges since v1\n- put TIF_MEMDIE check into freezing_slowpath rather than in __refrigerator\n  as per Oleg\n- return __thaw_task into oom_scan_process_thread because\n  oom_kill_process will not wake task in the fridge because it is\n  sleeping uninterruptible\n\n[mhocko@suse.cz: rewrote the changelog]\nFixes: a3201227f803 (freezer: make freezing() test freeze conditions in effect instead of TIF_FREEZE)\nSigned-off-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: Michal Hocko \u003cmhocko@suse.cz\u003e\nAcked-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "9e9aab5dbf6f13478cd996692ed9679af2404fc7",
      "tree": "3e8f726d264a7f0affc09df4609a9630493bc14f",
      "parents": [
        "e8ab53a5d68c75722c8a2ad3b08a6798ed47d4dc"
      ],
      "author": {
        "name": "Catalin Marinas",
        "email": "catalin.marinas@arm.com",
        "time": "Fri Oct 17 17:38:49 2014 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Feb 02 17:04:51 2015 +0800"
      },
      "message": "futex: Ensure get_futex_key_refs() always implies a barrier\n\ncommit 76835b0ebf8a7fe85beb03c75121419a7dec52f0 upstream.\n\nCommit b0c29f79ecea (futexes: Avoid taking the hb-\u003elock if there\u0027s\nnothing to wake up) changes the futex code to avoid taking a lock when\nthere are no waiters. This code has been subsequently fixed in commit\n11d4616bd07f (futex: revert back to the explicit waiter counting code).\nBoth the original commit and the fix-up rely on get_futex_key_refs() to\nalways imply a barrier.\n\nHowever, for private futexes, none of the cases in the switch statement\nof get_futex_key_refs() would be hit and the function completes without\na memory barrier as required before checking the \"waiters\" in\nfutex_wake() -\u003e hb_waiters_pending(). The consequence is a race with a\nthread waiting on a futex on another CPU, allowing the waker thread to\nread \"waiters \u003d\u003d 0\" while the waiter thread to have read \"futex_val \u003d\u003d\nlocked\" (in kernel).\n\nWithout this fix, the problem (user space deadlocks) can be seen with\nAndroid bionic\u0027s mutex implementation on an arm64 multi-cluster system.\n\nSigned-off-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nReported-by: Matteo Franchin \u003cMatteo.Franchin@arm.com\u003e\nFixes: b0c29f79ecea (futexes: Avoid taking the hb-\u003elock if there\u0027s nothing to wake up)\nAcked-by: Davidlohr Bueso \u003cdave@stgolabs.net\u003e\nTested-by: Mike Galbraith \u003cumgwanakikbuti@gmail.com\u003e\nCc: Darren Hart \u003cdvhart@linux.intel.com\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "1097d78180e1a2916c2bcdb15cb90ba131af9cd8",
      "tree": "5910f8fc0dcb85c71011ccccee18895769699390",
      "parents": [
        "3ded4adc97887ddde3c1855f29f062e015d19425",
        "7fd7a446b1c2b96252e4389746e5419eae04faef"
      ],
      "author": {
        "name": "Paul",
        "email": "javelinanddart@gmail.com",
        "time": "Sun Jan 11 17:15:40 2015 -0800"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sun Jan 11 17:20:45 2015 -0800"
      },
      "message": "Merge tag \u0027v3.4.105\u0027 into cm-12.0\n\nThis is the 3.4.105 stable release\n\nConflicts:\n\tarch/arm/mm/proc-v7.S\n\tdrivers/bluetooth/hci_ldisc.c\n\tdrivers/media/dvb/dvb-core/dmxdev.c\n\tdrivers/usb/core/driver.c\n\tdrivers/usb/dwc3/core.c\n\tdrivers/usb/host/xhci-hub.c\n\tdrivers/usb/host/xhci.c\n\tdrivers/usb/serial/qcserial.c\n\tdrivers/usb/serial/usb_wwan.c\n\tkernel/events/core.c\n\tkernel/time/tick-sched.ck\n\tkernel/futex.c\n\tmm/memory_hotplug.c\n\tmm/vmscan.c\n\tnet/bluetooth/hci_conn.c\n\tnet/bluetooth/hci_event.c\n\tnet/bluetooth/l2cap_core.c\n\tnet/ipv4/ping.c\n\tnet/wireless/nl80211.c\n\tsound/soc/soc-core.c\n\nChange-Id: Id09da84afb427ba1a32ff26e74f2bb86458d4a2e\n"
    },
    {
      "commit": "9bf75dffc07ea6b5e19251880b8dcf0debdbbccc",
      "tree": "329bb5327b7e523ed2812dc6679b035f594f69f5",
      "parents": [
        "74cfe2dcc0f4b17f9abbabf349e33c39a260987e"
      ],
      "author": {
        "name": "Andy Lutomirski",
        "email": "luto@amacapital.net",
        "time": "Thu Apr 12 16:47:50 2012 -0500"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Tue Dec 16 13:18:02 2014 -0800"
      },
      "message": "Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs\n\nWith this change, calling\n  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)\ndisables privilege granting operations at execve-time.  For example, a\nprocess will not be able to execute a setuid binary to change their uid\nor gid if this bit is set.  The same is true for file capabilities.\n\nAdditionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that\nLSMs respect the requested behavior.\n\nTo determine if the NO_NEW_PRIVS bit is set, a task may call\n  prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);\nIt returns 1 if set and 0 if it is not set. If any of the arguments are\nnon-zero, it will return -1 and set errno to -EINVAL.\n(PR_SET_NO_NEW_PRIVS behaves similarly.)\n\nThis functionality is desired for the proposed seccomp filter patch\nseries.  By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the\nsystem call behavior for itself and its child tasks without being\nable to impact the behavior of a more privileged task.\n\nAnother potential use is making certain privileged operations\nunprivileged.  For example, chroot may be considered \"safe\" if it cannot\naffect privileged tasks.\n\nNote, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is\nset and AppArmor is in use.  It is fixed in a subsequent patch.\n\nSigned-off-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\n\nChange-Id: I2159006d20daefe6add5adc47c22bdbcd7d79e3a\nv18: updated change desc\nv17: using new define values as per 3.4\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "2f1eef27008bd0abf9879e51a74fb9d0418634e8",
      "tree": "363bbc5f67cd1ec1305010bd0a32e7f7093b8746",
      "parents": [
        "69724a603fc759242348f931068b97c6634e40f9"
      ],
      "author": {
        "name": "Pawel Moll",
        "email": "pawel.moll@arm.com",
        "time": "Fri Jun 13 16:03:32 2014 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:42 2014 +0800"
      },
      "message": "perf: Handle compat ioctl\n\ncommit b3f207855f57b9c8f43a547a801340bb5cbc59e5 upstream.\n\nWhen running a 32-bit userspace on a 64-bit kernel (eg. i386\napplication on x86_64 kernel or 32-bit arm userspace on arm64\nkernel) some of the perf ioctls must be treated with special\ncare, as they have a pointer size encoded in the command.\n\nFor example, PERF_EVENT_IOC_ID in 32-bit world will be encoded\nas 0x80042407, but 64-bit kernel will expect 0x80082407. In\nresult the ioctl will fail returning -ENOTTY.\n\nThis patch solves the problem by adding code fixing up the\nsize as compat_ioctl file operation.\n\nReported-by: Drew Richardson \u003cdrew.richardson@arm.com\u003e\nSigned-off-by: Pawel Moll \u003cpawel.moll@arm.com\u003e\nSigned-off-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@kernel.org\u003e\nCc: Jiri Olsa \u003cjolsa@redhat.com\u003e\nLink: http://lkml.kernel.org/r/1402671812-9078-1-git-send-email-pawel.moll@arm.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: David Ahern \u003cdsahern@gmail.com\u003e\n[lizf: Backported to 3.4 by David Ahern]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "232beb6ef710cf53def84d01276f59766b62756e",
      "tree": "25de72e5898ba09f9a0ad97743e1aa47f8f3df18",
      "parents": [
        "ea38cd4170bdf0aa767d04df8363d08d5cc45dd2"
      ],
      "author": {
        "name": "Peter Zijlstra",
        "email": "peterz@infradead.org",
        "time": "Thu Oct 02 16:17:02 2014 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:40 2014 +0800"
      },
      "message": "perf: fix perf bug in fork()\n\ncommit 6c72e3501d0d62fc064d3680e5234f3463ec5a86 upstream.\n\nOleg noticed that a cleanup by Sylvain actually uncovered a bug; by\ncalling perf_event_free_task() when failing sched_fork() we will not yet\nhave done the memset() on -\u003eperf_event_ctxp[] and will therefore try and\n\u0027free\u0027 the inherited contexts, which are still in use by the parent\nprocess.  This is bad..\n\nSuggested-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReported-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReported-by: Sylvain \u0027ythier\u0027 Hitier \u003csylvain.hitier@gmail.com\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "4fae6ccac642aa30d189dea30ef14306aad4d2d2",
      "tree": "f4277880c2438c5ef039b4a88d818555150799f9",
      "parents": [
        "699c06b386d592bede77d5a28ed1637c80ab99c0"
      ],
      "author": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Thu Sep 25 09:41:02 2014 +0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:38 2014 +0800"
      },
      "message": "cpuset: PF_SPREAD_PAGE and PF_SPREAD_SLAB should be atomic flags\n\ncommit 2ad654bc5e2b211e92f66da1d819e47d79a866f0 upstream.\n\nWhen we change cpuset.memory_spread_{page,slab}, cpuset will flip\nPF_SPREAD_{PAGE,SLAB} bit of tsk-\u003eflags for each task in that cpuset.\nThis should be done using atomic bitops, but currently we don\u0027t,\nwhich is broken.\n\nTetsuo reported a hard-to-reproduce kernel crash on RHEL6, which happened\nwhen one thread tried to clear PF_USED_MATH while at the same time another\nthread tried to flip PF_SPREAD_PAGE/PF_SPREAD_SLAB. They both operate on\nthe same task.\n\nHere\u0027s the full report:\nhttps://lkml.org/lkml/2014/9/19/230\n\nTo fix this, we make PF_SPREAD_PAGE and PF_SPREAD_SLAB atomic flags.\n\nv4:\n- updated mm/slab.c. (Fengguang Wu)\n- updated Documentation.\n\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Miao Xie \u003cmiaox@cn.fujitsu.com\u003e\nCc: Kees Cook \u003ckeescook@chromium.org\u003e\nFixes: 950592f7b991 (\"cpusets: update tasks\u0027 page/slab spread flags in time\")\nReported-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n[lizf: Backported to 3.4:\n - adjust context\n - check current-\u003eflags \u0026 PF_MEMPOLICY rather than current-\u003emempolicy]\n"
    },
    {
      "commit": "1f8f277312d81d9412ec94bec8ab1ba0dce0bf05",
      "tree": "8e03c5bb56e719859f858c5c00387e20491daf97",
      "parents": [
        "cf33e82d6b78b8ada9ee06809440a62adcb16021"
      ],
      "author": {
        "name": "Cong Wang",
        "email": "cwang@twopensource.com",
        "time": "Tue Sep 02 15:27:20 2014 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:32 2014 +0800"
      },
      "message": "perf: Fix a race condition in perf_remove_from_context()\n\ncommit 3577af70a2ce4853d58e57d832e687d739281479 upstream.\n\nWe saw a kernel soft lockup in perf_remove_from_context(),\nit looks like the `perf` process, when exiting, could not go\nout of the retry loop. Meanwhile, the target process was forking\na child. So either the target process should execute the smp\nfunction call to deactive the event (if it was running) or it should\ndo a context switch which deactives the event.\n\nIt seems we optimize out a context switch in perf_event_context_sched_out(),\nand what\u0027s more important, we still test an obsolete task pointer when\nretrying, so no one actually would deactive that event in this situation.\nFix it directly by reloading the task pointer in perf_remove_from_context().\n\nThis should cure the above soft lockup.\n\nSigned-off-by: Cong Wang \u003ccwang@twopensource.com\u003e\nSigned-off-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Paul Mackerras \u003cpaulus@samba.org\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@kernel.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nLink: http://lkml.kernel.org/r/1409696840-843-1-git-send-email-xiyou.wangcong@gmail.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "49d4f0197912461fb2939ca51521b47655b04b11",
      "tree": "c9fbeb1f40c7e05498e157a4d6a2846d68750306",
      "parents": [
        "a90ec2a8bbd22a90dfdb5ca1b294c900226b7ff8"
      ],
      "author": {
        "name": "Andrew Hunter",
        "email": "ahh@google.com",
        "time": "Thu Sep 04 14:17:16 2014 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:32 2014 +0800"
      },
      "message": "jiffies: Fix timeval conversion to jiffies\n\ncommit d78c9300c51d6ceed9f6d078d4e9366f259de28c upstream.\n\ntimeval_to_jiffies tried to round a timeval up to an integral number\nof jiffies, but the logic for doing so was incorrect: intervals\ncorresponding to exactly N jiffies would become N+1. This manifested\nitself particularly repeatedly stopping/starting an itimer:\n\nsetitimer(ITIMER_PROF, \u0026val, NULL);\nsetitimer(ITIMER_PROF, NULL, \u0026val);\n\nwould add a full tick to val, _even if it was exactly representable in\nterms of jiffies_ (say, the result of a previous rounding.)  Doing\nthis repeatedly would cause unbounded growth in val.  So fix the math.\n\nHere\u0027s what was wrong with the conversion: we essentially computed\n(eliding seconds)\n\njiffies \u003d usec  * (NSEC_PER_USEC/TICK_NSEC)\n\nby using scaling arithmetic, which took the best approximation of\nNSEC_PER_USEC/TICK_NSEC with denominator of 2^USEC_JIFFIE_SC \u003d\nx/(2^USEC_JIFFIE_SC), and computed:\n\njiffies \u003d (usec * x) \u003e\u003e USEC_JIFFIE_SC\n\nand rounded this calculation up in the intermediate form (since we\ncan\u0027t necessarily exactly represent TICK_NSEC in usec.) But the\nscaling arithmetic is a (very slight) *over*approximation of the true\nvalue; that is, instead of dividing by (1 usec/ 1 jiffie), we\neffectively divided by (1 usec/1 jiffie)-epsilon (rounding\ndown). This would normally be fine, but we want to round timeouts up,\nand we did so by adding 2^USEC_JIFFIE_SC - 1 before the shift; this\nwould be fine if our division was exact, but dividing this by the\nslightly smaller factor was equivalent to adding just _over_ 1 to the\nfinal result (instead of just _under_ 1, as desired.)\n\nIn particular, with HZ\u003d1000, we consistently computed that 10000 usec\nwas 11 jiffies; the same was true for any exact multiple of\nTICK_NSEC.\n\nWe could possibly still round in the intermediate form, adding\nsomething less than 2^USEC_JIFFIE_SC - 1, but easier still is to\nconvert usec-\u003ensec, round in nanoseconds, and then convert using\ntime*spec*_to_jiffies.  This adds one constant multiplication, and is\nnot observably slower in microbenchmarks on recent x86 hardware.\n\nTested: the following program:\n\nint main() {\n  struct itimerval zero \u003d {{0, 0}, {0, 0}};\n  /* Initially set to 10 ms. */\n  struct itimerval initial \u003d zero;\n  initial.it_interval.tv_usec \u003d 10000;\n  setitimer(ITIMER_PROF, \u0026initial, NULL);\n  /* Save and restore several times. */\n  for (size_t i \u003d 0; i \u003c 10; ++i) {\n    struct itimerval prev;\n    setitimer(ITIMER_PROF, \u0026zero, \u0026prev);\n    /* on old kernels, this goes up by TICK_USEC every iteration */\n    printf(\"previous value: %ld %ld %ld %ld\\n\",\n           prev.it_interval.tv_sec, prev.it_interval.tv_usec,\n           prev.it_value.tv_sec, prev.it_value.tv_usec);\n    setitimer(ITIMER_PROF, \u0026prev, NULL);\n  }\n    return 0;\n}\n\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Paul Turner \u003cpjt@google.com\u003e\nCc: Richard Cochran \u003crichardcochran@gmail.com\u003e\nCc: Prarit Bhargava \u003cprarit@redhat.com\u003e\nReviewed-by: Paul Turner \u003cpjt@google.com\u003e\nReported-by: Aaron Jacobs \u003cjacobsa@google.com\u003e\nSigned-off-by: Andrew Hunter \u003cahh@google.com\u003e\n[jstultz: Tweaked to apply to 3.17-rc]\nSigned-off-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\n[lizf: Backported to 3.4: adjust filename]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "e06503426ebc296f1ae67bfd4733afadb69076cb",
      "tree": "f2830b94df6dca8837d91a538787dc6120d07c51",
      "parents": [
        "b114657d1e55a0484bcfdb3f3b946f96bb2f80e7"
      ],
      "author": {
        "name": "Richard Larocque",
        "email": "rlarocque@google.com",
        "time": "Tue Sep 09 18:31:05 2014 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:31 2014 +0800"
      },
      "message": "alarmtimer: Lock k_itimer during timer callback\n\ncommit 474e941bed9262f5fa2394f9a4a67e24499e5926 upstream.\n\nLocks the k_itimer\u0027s it_lock member when handling the alarm timer\u0027s\nexpiry callback.\n\nThe regular posix timers defined in posix-timers.c have this lock held\nduring timout processing because their callbacks are routed through\nposix_timer_fn().  The alarm timers follow a different path, so they\nought to grab the lock somewhere else.\n\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Richard Cochran \u003crichardcochran@gmail.com\u003e\nCc: Prarit Bhargava \u003cprarit@redhat.com\u003e\nCc: Sharvil Nanavati \u003csharvil@google.com\u003e\nSigned-off-by: Richard Larocque \u003crlarocque@google.com\u003e\nSigned-off-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "b114657d1e55a0484bcfdb3f3b946f96bb2f80e7",
      "tree": "b2e1e5035bb4dd5ecf74f3513241c2478a36df87",
      "parents": [
        "7ccf24be49f1020e408ee27a3714d41590009422"
      ],
      "author": {
        "name": "Richard Larocque",
        "email": "rlarocque@google.com",
        "time": "Tue Sep 09 18:31:04 2014 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:31 2014 +0800"
      },
      "message": "alarmtimer: Do not signal SIGEV_NONE timers\n\ncommit 265b81d23a46c39df0a735a3af4238954b41a4c2 upstream.\n\nAvoids sending a signal to alarm timers created with sigev_notify set to\nSIGEV_NONE by checking for that special case in the timeout callback.\n\nThe regular posix timers avoid sending signals to SIGEV_NONE timers by\nnot scheduling any callbacks for them in the first place.  Although it\nwould be possible to do something similar for alarm timers, it\u0027s simpler\nto handle this as a special case in the timeout.\n\nPrior to this patch, the alarm timer would ignore the sigev_notify value\nand try to deliver signals to the process anyway.  Even worse, the\nsanity check for the value of sigev_signo is skipped when SIGEV_NONE was\nspecified, so the signal number could be bogus.  If sigev_signo was an\nunitialized value (as it often would be if SIGEV_NONE is used), then\nit\u0027s hard to predict which signal will be sent.\n\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Richard Cochran \u003crichardcochran@gmail.com\u003e\nCc: Prarit Bhargava \u003cprarit@redhat.com\u003e\nCc: Sharvil Nanavati \u003csharvil@google.com\u003e\nSigned-off-by: Richard Larocque \u003crlarocque@google.com\u003e\nSigned-off-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "7ccf24be49f1020e408ee27a3714d41590009422",
      "tree": "c16f56adfb93c06a50e0b45a3bc77b60d9473d20",
      "parents": [
        "40ee8d0faf83eb55d4829796a28dacf48519caec"
      ],
      "author": {
        "name": "Richard Larocque",
        "email": "rlarocque@google.com",
        "time": "Tue Sep 09 18:31:03 2014 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:31 2014 +0800"
      },
      "message": "alarmtimer: Return relative times in timer_gettime\n\ncommit e86fea764991e00a03ff1e56409ec9cacdbda4c9 upstream.\n\nReturns the time remaining for an alarm timer, rather than the time at\nwhich it is scheduled to expire.  If the timer has already expired or it\nis not currently scheduled, the it_value\u0027s members are set to zero.\n\nThis new behavior matches that of the other posix-timers and the POSIX\nspecifications.\n\nThis is a change in user-visible behavior, and may break existing\napplications.  Hopefully, few users rely on the old incorrect behavior.\n\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Richard Cochran \u003crichardcochran@gmail.com\u003e\nCc: Prarit Bhargava \u003cprarit@redhat.com\u003e\nCc: Sharvil Nanavati \u003csharvil@google.com\u003e\nSigned-off-by: Richard Larocque \u003crlarocque@google.com\u003e\n[jstultz: minor style tweak]\nSigned-off-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\n[lizf: Backported to 3.4:\n - add alarm_expires_remaining() introduced by commit 6cffe00f7d4e]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "40ee8d0faf83eb55d4829796a28dacf48519caec",
      "tree": "0395a72bf583d469f1a2552716faf0dc7841b0dc",
      "parents": [
        "e393942b1628770467481935738fd214566fe7bb"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Thu Sep 11 23:44:35 2014 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:30 2014 +0800"
      },
      "message": "futex: Unlock hb-\u003elock in futex_wait_requeue_pi() error path\n\ncommit 13c42c2f43b19aab3195f2d357db00d1e885eaa8 upstream.\n\nfutex_wait_requeue_pi() calls futex_wait_setup(). If\nfutex_wait_setup() succeeds it returns with hb-\u003elock held and\npreemption disabled. Now the sanity check after this does:\n\n        if (match_futex(\u0026q.key, \u0026key2)) {\n\t   \tret \u003d -EINVAL;\n\t\tgoto out_put_keys;\n\t}\n\nwhich releases the keys but does not release hb-\u003elock.\n\nSo we happily return to user space with hb-\u003elock held and therefor\npreemption disabled.\n\nUnlock hb-\u003elock before taking the exit route.\n\nReported-by: Dave \"Trinity\" Jones \u003cdavej@redhat.com\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nReviewed-by: Darren Hart \u003cdvhart@linux.intel.com\u003e\nReviewed-by: Davidlohr Bueso \u003cdave@stgolabs.net\u003e\nCc: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nLink: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\n[lizf: Backported to 3.4: queue_unlock() takes two parameters]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a48fec2f276f8003fb8098df892ea3acb5d7149a",
      "tree": "f9215afbe8d73833a7c5eaba2f6dc54ed4b8f96c",
      "parents": [
        "c16060dfda1c8418a9e638b79f5d2101b482e89f"
      ],
      "author": {
        "name": "Alban Crequy",
        "email": "alban.crequy@collabora.co.uk",
        "time": "Mon Aug 18 12:20:20 2014 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Mon Dec 01 18:02:23 2014 +0800"
      },
      "message": "cgroup: reject cgroup names with \u0027 \u0027\n\ncommit 71b1fb5c4473a5b1e601d41b109bdfe001ec82e0 upstream.\n\n/proc/\u003cpid\u003e/cgroup contains one cgroup path on each line. If cgroup names are\nallowed to contain \"\\n\", applications cannot parse /proc/\u003cpid\u003e/cgroup safely.\n\nSigned-off-by: Alban Crequy \u003calban.crequy@collabora.co.uk\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\n[lizf: Backported to 3.4:\n - adjust context\n - s/name/dentry-\u003ed_name.name/]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a4273088648f2dc90c3a15060090285397ef8b09",
      "tree": "5b2c38cfb60973169713db30208a72500ee10c8b",
      "parents": [
        "7533da47fb87aabf1d79020e62c74723ec001421"
      ],
      "author": {
        "name": "Rabin Vincent",
        "email": "rabin@rab.in",
        "time": "Wed Oct 29 23:06:58 2014 +0100"
      },
      "committer": {
        "name": "Matt Mower",
        "email": "mowerm@gmail.com",
        "time": "Thu Nov 06 18:12:02 2014 -0600"
      },
      "message": "tracing/syscalls: Ignore numbers outside NR_syscalls\u0027 range\n\nARM has some private syscalls (for example, set_tls(2)) which lie\noutside the range of NR_syscalls.  If any of these are called while\nsyscall tracing is being performed, out-of-bounds array access will\noccur in the ftrace and perf sys_{enter,exit} handlers.\n\n # trace-cmd record -e raw_syscalls:* true \u0026\u0026 trace-cmd report\n ...\n true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)\n true-653   [000]   384.675812: sys_exit:             NR 192 \u003d 1995915264\n true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)\n true-653   [000]   384.675988: sys_exit:             NR 983045 \u003d 0\n ...\n\n # trace-cmd record -e syscalls:* true\n [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace\n [   17.289590] pgd \u003d 9e71c000\n [   17.289696] [aaaaaace] *pgd\u003d00000000\n [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM\n [   17.290169] Modules linked in:\n [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21\n [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000\n [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8\n [   17.290866] LR is at syscall_trace_enter+0x124/0x184\n\nFix this by ignoring out-of-NR_syscalls-bounds syscall numbers.\n\nCommit cd0980fc8add \"tracing: Check invalid syscall nr while tracing syscalls\"\nadded the check for less than zero, but it should have also checked\nfor greater than NR_syscalls.\n\nLink: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in\n\nChange-Id: Ic7ab546938e4655d73791d4cf371ffd9244c3e4d\nFixes: cd0980fc8add \"tracing: Check invalid syscall nr while tracing syscalls\"\nCc: stable@vger.kernel.org # 2.6.33+\nSigned-off-by: Rabin Vincent \u003crabin@rab.in\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\n"
    },
    {
      "commit": "7533da47fb87aabf1d79020e62c74723ec001421",
      "tree": "ca9905d3a8ce7bc00f72345e0da44d136d3fc36e",
      "parents": [
        "af51a04ba1c5f2f52672458d97ac8e0e5627b889"
      ],
      "author": {
        "name": "Will Deacon",
        "email": "will.deacon@arm.com",
        "time": "Thu Aug 16 18:14:14 2012 +0100"
      },
      "committer": {
        "name": "Matt Mower",
        "email": "mowerm@gmail.com",
        "time": "Thu Nov 06 18:11:50 2014 -0600"
      },
      "message": "tracing/syscalls: Fix perf syscall tracing when syscall_nr \u003d\u003d -1\n\nsyscall_get_nr can return -1 in the case that the task is not executing\na system call.\n\nThis patch fixes perf_syscall_{enter,exit} to check that the syscall\nnumber is valid before using it as an index into a bitmap.\n\nLink: http://lkml.kernel.org/r/1345137254-7377-1-git-send-email-will.deacon@arm.com\n\nChange-Id: I12f99dea41390b9631f98f925dc1d572aa4fc22d\nCc: Jason Baron \u003cjbaron@redhat.com\u003e\nCc: Wade Farnsworth \u003cwade_farnsworth@mentor.com\u003e\nCc: Frederic Weisbecker \u003cfweisbec@gmail.com\u003e\nSigned-off-by: Will Deacon \u003cwill.deacon@arm.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\n"
    },
    {
      "commit": "fbbb7208969e8bfbd07782bbec069878a29d3267",
      "tree": "b0b5110b20ae77407f43801d002e26dd12764c09",
      "parents": [
        "f73ff697833654ee578b606ea746d15dc1220aab"
      ],
      "author": {
        "name": "Jan Kara",
        "email": "jack@suse.cz",
        "time": "Fri Aug 01 12:20:02 2014 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 07 12:00:10 2014 -0700"
      },
      "message": "timer: Fix lock inversion between hrtimer_bases.lock and scheduler locks\n\ncommit 504d58745c9ca28d33572e2d8a9990b43e06075d upstream.\n\nclockevents_increase_min_delta() calls printk() from under\nhrtimer_bases.lock. That causes lock inversion on scheduler locks because\nprintk() can call into the scheduler. Lockdep puts it as:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ INFO: possible circular locking dependency detected ]\n3.15.0-rc8-06195-g939f04b #2 Not tainted\n-------------------------------------------------------\ntrinity-main/74 is trying to acquire lock:\n (\u0026port_lock_key){-.....}, at: [\u003c811c60be\u003e] serial8250_console_write+0x8c/0x10c\n\nbut task is already holding lock:\n (hrtimer_bases.lock){-.-...}, at: [\u003c8103caeb\u003e] hrtimer_try_to_cancel+0x13/0x66\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #5 (hrtimer_bases.lock){-.-...}:\n       [\u003c8104a942\u003e] lock_acquire+0x92/0x101\n       [\u003c8142f11d\u003e] _raw_spin_lock_irqsave+0x2e/0x3e\n       [\u003c8103c918\u003e] __hrtimer_start_range_ns+0x1c/0x197\n       [\u003c8107ec20\u003e] perf_swevent_start_hrtimer.part.41+0x7a/0x85\n       [\u003c81080792\u003e] task_clock_event_start+0x3a/0x3f\n       [\u003c810807a4\u003e] task_clock_event_add+0xd/0x14\n       [\u003c8108259a\u003e] event_sched_in+0xb6/0x17a\n       [\u003c810826a2\u003e] group_sched_in+0x44/0x122\n       [\u003c81082885\u003e] ctx_sched_in.isra.67+0x105/0x11f\n       [\u003c810828e6\u003e] perf_event_sched_in.isra.70+0x47/0x4b\n       [\u003c81082bf6\u003e] __perf_install_in_context+0x8b/0xa3\n       [\u003c8107eb8e\u003e] remote_function+0x12/0x2a\n       [\u003c8105f5af\u003e] smp_call_function_single+0x2d/0x53\n       [\u003c8107e17d\u003e] task_function_call+0x30/0x36\n       [\u003c8107fb82\u003e] perf_install_in_context+0x87/0xbb\n       [\u003c810852c9\u003e] SYSC_perf_event_open+0x5c6/0x701\n       [\u003c810856f9\u003e] SyS_perf_event_open+0x17/0x19\n       [\u003c8142f8ee\u003e] syscall_call+0x7/0xb\n\n-\u003e #4 (\u0026ctx-\u003elock){......}:\n       [\u003c8104a942\u003e] lock_acquire+0x92/0x101\n       [\u003c8142f04c\u003e] _raw_spin_lock+0x21/0x30\n       [\u003c81081df3\u003e] __perf_event_task_sched_out+0x1dc/0x34f\n       [\u003c8142cacc\u003e] __schedule+0x4c6/0x4cb\n       [\u003c8142cae0\u003e] schedule+0xf/0x11\n       [\u003c8142f9a6\u003e] work_resched+0x5/0x30\n\n-\u003e #3 (\u0026rq-\u003elock){-.-.-.}:\n       [\u003c8104a942\u003e] lock_acquire+0x92/0x101\n       [\u003c8142f04c\u003e] _raw_spin_lock+0x21/0x30\n       [\u003c81040873\u003e] __task_rq_lock+0x33/0x3a\n       [\u003c8104184c\u003e] wake_up_new_task+0x25/0xc2\n       [\u003c8102474b\u003e] do_fork+0x15c/0x2a0\n       [\u003c810248a9\u003e] kernel_thread+0x1a/0x1f\n       [\u003c814232a2\u003e] rest_init+0x1a/0x10e\n       [\u003c817af949\u003e] start_kernel+0x303/0x308\n       [\u003c817af2ab\u003e] i386_start_kernel+0x79/0x7d\n\n-\u003e #2 (\u0026p-\u003epi_lock){-.-...}:\n       [\u003c8104a942\u003e] lock_acquire+0x92/0x101\n       [\u003c8142f11d\u003e] _raw_spin_lock_irqsave+0x2e/0x3e\n       [\u003c810413dd\u003e] try_to_wake_up+0x1d/0xd6\n       [\u003c810414cd\u003e] default_wake_function+0xb/0xd\n       [\u003c810461f3\u003e] __wake_up_common+0x39/0x59\n       [\u003c81046346\u003e] __wake_up+0x29/0x3b\n       [\u003c811b8733\u003e] tty_wakeup+0x49/0x51\n       [\u003c811c3568\u003e] uart_write_wakeup+0x17/0x19\n       [\u003c811c5dc1\u003e] serial8250_tx_chars+0xbc/0xfb\n       [\u003c811c5f28\u003e] serial8250_handle_irq+0x54/0x6a\n       [\u003c811c5f57\u003e] serial8250_default_handle_irq+0x19/0x1c\n       [\u003c811c56d8\u003e] serial8250_interrupt+0x38/0x9e\n       [\u003c810510e7\u003e] handle_irq_event_percpu+0x5f/0x1e2\n       [\u003c81051296\u003e] handle_irq_event+0x2c/0x43\n       [\u003c81052cee\u003e] handle_level_irq+0x57/0x80\n       [\u003c81002a72\u003e] handle_irq+0x46/0x5c\n       [\u003c810027df\u003e] do_IRQ+0x32/0x89\n       [\u003c8143036e\u003e] common_interrupt+0x2e/0x33\n       [\u003c8142f23c\u003e] _raw_spin_unlock_irqrestore+0x3f/0x49\n       [\u003c811c25a4\u003e] uart_start+0x2d/0x32\n       [\u003c811c2c04\u003e] uart_write+0xc7/0xd6\n       [\u003c811bc6f6\u003e] n_tty_write+0xb8/0x35e\n       [\u003c811b9beb\u003e] tty_write+0x163/0x1e4\n       [\u003c811b9cd9\u003e] redirected_tty_write+0x6d/0x75\n       [\u003c810b6ed6\u003e] vfs_write+0x75/0xb0\n       [\u003c810b7265\u003e] SyS_write+0x44/0x77\n       [\u003c8142f8ee\u003e] syscall_call+0x7/0xb\n\n-\u003e #1 (\u0026tty-\u003ewrite_wait){-.....}:\n       [\u003c8104a942\u003e] lock_acquire+0x92/0x101\n       [\u003c8142f11d\u003e] _raw_spin_lock_irqsave+0x2e/0x3e\n       [\u003c81046332\u003e] __wake_up+0x15/0x3b\n       [\u003c811b8733\u003e] tty_wakeup+0x49/0x51\n       [\u003c811c3568\u003e] uart_write_wakeup+0x17/0x19\n       [\u003c811c5dc1\u003e] serial8250_tx_chars+0xbc/0xfb\n       [\u003c811c5f28\u003e] serial8250_handle_irq+0x54/0x6a\n       [\u003c811c5f57\u003e] serial8250_default_handle_irq+0x19/0x1c\n       [\u003c811c56d8\u003e] serial8250_interrupt+0x38/0x9e\n       [\u003c810510e7\u003e] handle_irq_event_percpu+0x5f/0x1e2\n       [\u003c81051296\u003e] handle_irq_event+0x2c/0x43\n       [\u003c81052cee\u003e] handle_level_irq+0x57/0x80\n       [\u003c81002a72\u003e] handle_irq+0x46/0x5c\n       [\u003c810027df\u003e] do_IRQ+0x32/0x89\n       [\u003c8143036e\u003e] common_interrupt+0x2e/0x33\n       [\u003c8142f23c\u003e] _raw_spin_unlock_irqrestore+0x3f/0x49\n       [\u003c811c25a4\u003e] uart_start+0x2d/0x32\n       [\u003c811c2c04\u003e] uart_write+0xc7/0xd6\n       [\u003c811bc6f6\u003e] n_tty_write+0xb8/0x35e\n       [\u003c811b9beb\u003e] tty_write+0x163/0x1e4\n       [\u003c811b9cd9\u003e] redirected_tty_write+0x6d/0x75\n       [\u003c810b6ed6\u003e] vfs_write+0x75/0xb0\n       [\u003c810b7265\u003e] SyS_write+0x44/0x77\n       [\u003c8142f8ee\u003e] syscall_call+0x7/0xb\n\n-\u003e #0 (\u0026port_lock_key){-.....}:\n       [\u003c8104a62d\u003e] __lock_acquire+0x9ea/0xc6d\n       [\u003c8104a942\u003e] lock_acquire+0x92/0x101\n       [\u003c8142f11d\u003e] _raw_spin_lock_irqsave+0x2e/0x3e\n       [\u003c811c60be\u003e] serial8250_console_write+0x8c/0x10c\n       [\u003c8104e402\u003e] call_console_drivers.constprop.31+0x87/0x118\n       [\u003c8104f5d5\u003e] console_unlock+0x1d7/0x398\n       [\u003c8104fb70\u003e] vprintk_emit+0x3da/0x3e4\n       [\u003c81425f76\u003e] printk+0x17/0x19\n       [\u003c8105bfa0\u003e] clockevents_program_min_delta+0x104/0x116\n       [\u003c8105c548\u003e] clockevents_program_event+0xe7/0xf3\n       [\u003c8105cc1c\u003e] tick_program_event+0x1e/0x23\n       [\u003c8103c43c\u003e] hrtimer_force_reprogram+0x88/0x8f\n       [\u003c8103c49e\u003e] __remove_hrtimer+0x5b/0x79\n       [\u003c8103cb21\u003e] hrtimer_try_to_cancel+0x49/0x66\n       [\u003c8103cb4b\u003e] hrtimer_cancel+0xd/0x18\n       [\u003c8107f102\u003e] perf_swevent_cancel_hrtimer.part.60+0x2b/0x30\n       [\u003c81080705\u003e] task_clock_event_stop+0x20/0x64\n       [\u003c81080756\u003e] task_clock_event_del+0xd/0xf\n       [\u003c81081350\u003e] event_sched_out+0xab/0x11e\n       [\u003c810813e0\u003e] group_sched_out+0x1d/0x66\n       [\u003c81081682\u003e] ctx_sched_out+0xaf/0xbf\n       [\u003c81081e04\u003e] __perf_event_task_sched_out+0x1ed/0x34f\n       [\u003c8142cacc\u003e] __schedule+0x4c6/0x4cb\n       [\u003c8142cae0\u003e] schedule+0xf/0x11\n       [\u003c8142f9a6\u003e] work_resched+0x5/0x30\n\nother info that might help us debug this:\n\nChain exists of:\n  \u0026port_lock_key --\u003e \u0026ctx-\u003elock --\u003e hrtimer_bases.lock\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(hrtimer_bases.lock);\n                               lock(\u0026ctx-\u003elock);\n                               lock(hrtimer_bases.lock);\n  lock(\u0026port_lock_key);\n\n *** DEADLOCK ***\n\n4 locks held by trinity-main/74:\n #0:  (\u0026rq-\u003elock){-.-.-.}, at: [\u003c8142c6f3\u003e] __schedule+0xed/0x4cb\n #1:  (\u0026ctx-\u003elock){......}, at: [\u003c81081df3\u003e] __perf_event_task_sched_out+0x1dc/0x34f\n #2:  (hrtimer_bases.lock){-.-...}, at: [\u003c8103caeb\u003e] hrtimer_try_to_cancel+0x13/0x66\n #3:  (console_lock){+.+...}, at: [\u003c8104fb5d\u003e] vprintk_emit+0x3c7/0x3e4\n\nstack backtrace:\nCPU: 0 PID: 74 Comm: trinity-main Not tainted 3.15.0-rc8-06195-g939f04b #2\n 00000000 81c3a310 8b995c14 81426f69 8b995c44 81425a99 8161f671 8161f570\n 8161f538 8161f559 8161f538 8b995c78 8b142bb0 00000004 8b142fdc 8b142bb0\n 8b995ca8 8104a62d 8b142fac 000016f2 81c3a310 00000001 00000001 00000003\nCall Trace:\n [\u003c81426f69\u003e] dump_stack+0x16/0x18\n [\u003c81425a99\u003e] print_circular_bug+0x18f/0x19c\n [\u003c8104a62d\u003e] __lock_acquire+0x9ea/0xc6d\n [\u003c8104a942\u003e] lock_acquire+0x92/0x101\n [\u003c811c60be\u003e] ? serial8250_console_write+0x8c/0x10c\n [\u003c811c6032\u003e] ? wait_for_xmitr+0x76/0x76\n [\u003c8142f11d\u003e] _raw_spin_lock_irqsave+0x2e/0x3e\n [\u003c811c60be\u003e] ? serial8250_console_write+0x8c/0x10c\n [\u003c811c60be\u003e] serial8250_console_write+0x8c/0x10c\n [\u003c8104af87\u003e] ? lock_release+0x191/0x223\n [\u003c811c6032\u003e] ? wait_for_xmitr+0x76/0x76\n [\u003c8104e402\u003e] call_console_drivers.constprop.31+0x87/0x118\n [\u003c8104f5d5\u003e] console_unlock+0x1d7/0x398\n [\u003c8104fb70\u003e] vprintk_emit+0x3da/0x3e4\n [\u003c81425f76\u003e] printk+0x17/0x19\n [\u003c8105bfa0\u003e] clockevents_program_min_delta+0x104/0x116\n [\u003c8105cc1c\u003e] tick_program_event+0x1e/0x23\n [\u003c8103c43c\u003e] hrtimer_force_reprogram+0x88/0x8f\n [\u003c8103c49e\u003e] __remove_hrtimer+0x5b/0x79\n [\u003c8103cb21\u003e] hrtimer_try_to_cancel+0x49/0x66\n [\u003c8103cb4b\u003e] hrtimer_cancel+0xd/0x18\n [\u003c8107f102\u003e] perf_swevent_cancel_hrtimer.part.60+0x2b/0x30\n [\u003c81080705\u003e] task_clock_event_stop+0x20/0x64\n [\u003c81080756\u003e] task_clock_event_del+0xd/0xf\n [\u003c81081350\u003e] event_sched_out+0xab/0x11e\n [\u003c810813e0\u003e] group_sched_out+0x1d/0x66\n [\u003c81081682\u003e] ctx_sched_out+0xaf/0xbf\n [\u003c81081e04\u003e] __perf_event_task_sched_out+0x1ed/0x34f\n [\u003c8104416d\u003e] ? __dequeue_entity+0x23/0x27\n [\u003c81044505\u003e] ? pick_next_task_fair+0xb1/0x120\n [\u003c8142cacc\u003e] __schedule+0x4c6/0x4cb\n [\u003c81047574\u003e] ? trace_hardirqs_off_caller+0xd7/0x108\n [\u003c810475b0\u003e] ? trace_hardirqs_off+0xb/0xd\n [\u003c81056346\u003e] ? rcu_irq_exit+0x64/0x77\n\nFix the problem by using printk_deferred() which does not call into the\nscheduler.\n\nReported-by: Fengguang Wu \u003cfengguang.wu@intel.com\u003e\nSigned-off-by: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "f73ff697833654ee578b606ea746d15dc1220aab",
      "tree": "5fba9efb577e61579fc9dba897f500b200fd6985",
      "parents": [
        "7f6c1deb02e6ac110645c87fd2446594803a8a72"
      ],
      "author": {
        "name": "John Stultz",
        "email": "john.stultz@linaro.org",
        "time": "Wed Jun 04 16:11:40 2014 -0700"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 07 12:00:10 2014 -0700"
      },
      "message": "printk: rename printk_sched to printk_deferred\n\ncommit aac74dc495456412c4130a1167ce4beb6c1f0b38 upstream.\n\nAfter learning we\u0027ll need some sort of deferred printk functionality in\nthe timekeeping core, Peter suggested we rename the printk_sched function\nso it can be reused by needed subsystems.\n\nThis only changes the function name. No logic changes.\n\nSigned-off-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\nReviewed-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Jan Kara \u003cjack@suse.cz\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Jiri Bohac \u003cjbohac@suse.cz\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "db610f7571f287db43c153ce26dd20dbd44d5173",
      "tree": "2b972c70901065346d4dea9365a5319f788e2814",
      "parents": [
        "5ffeb0ef32669ed7b5905a60961d9b4bbd2b4d6d",
        "5bfc8718998bedfeea1997d83838ffd1981cbf12"
      ],
      "author": {
        "name": "Matt Mower",
        "email": "mowerm@gmail.com",
        "time": "Fri Aug 01 14:53:55 2014 -0700"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Fri Aug 01 14:53:55 2014 -0700"
      },
      "message": "Merge remote-tracking branch \u0027codeaurora/caf/kk_2.7_rb1.41\u0027 into cm-11.0\n\nConflicts:\n\tkernel/events/core.c\n\nChange-Id: I52dfe8b56924fb2d86bf1487eed6114342621603\n"
    },
    {
      "commit": "5dc1c8851364ffb79cb9403f72c712ee83cce755",
      "tree": "b327092a6e3ddd4f5b89de8809c80f691c74c018",
      "parents": [
        "299e667e26e9e3382fa471370121b117fa8ae987"
      ],
      "author": {
        "name": "Takashi Iwai",
        "email": "tiwai@suse.de",
        "time": "Tue Jul 15 08:51:27 2014 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 28 07:06:46 2014 -0700"
      },
      "message": "PM / sleep: Fix request_firmware() error at resume\n\ncommit 4320f6b1d9db4ca912c5eb6ecb328b2e090e1586 upstream.\n\nThe commit [247bc037: PM / Sleep: Mitigate race between the freezer\nand request_firmware()] introduced the finer state control, but it\nalso leads to a new bug; for example, a bug report regarding the\nfirmware loading of intel BT device at suspend/resume:\n  https://bugzilla.novell.com/show_bug.cgi?id\u003d873790\n\nThe root cause seems to be a small window between the process resume\nand the clear of usermodehelper lock.  The request_firmware() function\nchecks the UMH lock and gives up when it\u0027s in UMH_DISABLE state.  This\nis for avoiding the invalid  f/w loading during suspend/resume phase.\nThe problem is, however, that usermodehelper_enable() is called at the\nend of thaw_processes().  Thus, a thawed process in between can kick\noff the f/w loader code path (in this case, via btusb_setup_intel())\neven before the call of usermodehelper_enable().  Then\nusermodehelper_read_trylock() returns an error and request_firmware()\nspews WARN_ON() in the end.\n\nThis oneliner patch fixes the issue just by setting to UMH_FREEZING\nstate again before restarting tasks, so that the call of\nrequest_firmware() will be blocked until the end of this function\ninstead of returning an error.\n\nFixes: 247bc0374254 (PM / Sleep: Mitigate race between the freezer and request_firmware())\nLink: https://bugzilla.novell.com/show_bug.cgi?id\u003d873790\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "299e667e26e9e3382fa471370121b117fa8ae987",
      "tree": "cb7dc72c583b7c561369c7ed28f6cfa3ad8874e8",
      "parents": [
        "b63dd4c81b9eccf95c1d08775bb7f2d05d70c8f1"
      ],
      "author": {
        "name": "John Stultz",
        "email": "john.stultz@linaro.org",
        "time": "Mon Jul 07 14:06:11 2014 -0700"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jul 28 07:06:46 2014 -0700"
      },
      "message": "alarmtimer: Fix bug where relative alarm timers were treated as absolute\n\ncommit 16927776ae757d0d132bdbfabbfe2c498342bd59 upstream.\n\nSharvil noticed with the posix timer_settime interface, using the\nCLOCK_REALTIME_ALARM or CLOCK_BOOTTIME_ALARM clockid, if the users\ntried to specify a relative time timer, it would incorrectly be\ntreated as absolute regardless of the state of the flags argument.\n\nThis patch corrects this, properly checking the absolute/relative flag,\nas well as adds further error checking that no invalid flag bits are set.\n\nReported-by: Sharvil Nanavati \u003csharvil@google.com\u003e\nSigned-off-by: John Stultz \u003cjohn.stultz@linaro.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Prarit Bhargava \u003cprarit@redhat.com\u003e\nCc: Sharvil Nanavati \u003csharvil@google.com\u003e\nLink: http://lkml.kernel.org/r/1404767171-6902-1-git-send-email-john.stultz@linaro.org\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "2a77794da631ec2b2d2243b83fa6793676cdf411",
      "tree": "00290e2eca39d1b204d7a518b749b1ae68b18c0f",
      "parents": [
        "ea018da95368adfb700689bd9842714f7c3db665"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Wed Jun 11 18:44:04 2014 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jul 17 15:39:50 2014 -0700"
      },
      "message": "rtmutex: Plug slow unlock race\n\ncommit 27e35715df54cbc4f2d044f681802ae30479e7fb upstream.\n\nWhen the rtmutex fast path is enabled the slow unlock function can\ncreate the following situation:\n\nspin_lock(foo-\u003em-\u003ewait_lock);\nfoo-\u003em-\u003eowner \u003d NULL;\n\t    \t\t\trt_mutex_lock(foo-\u003em); \u003c-- fast path\n\t\t\t\tfree \u003d atomic_dec_and_test(foo-\u003erefcnt);\n\t\t\t\trt_mutex_unlock(foo-\u003em); \u003c-- fast path\n\t\t\t\tif (free)\n\t\t\t\t   kfree(foo);\n\nspin_unlock(foo-\u003em-\u003ewait_lock); \u003c--- Use after free.\n\nPlug the race by changing the slow unlock to the following scheme:\n\n     while (!rt_mutex_has_waiters(m)) {\n     \t    /* Clear the waiters bit in m-\u003eowner */\n\t    clear_rt_mutex_waiters(m);\n      \t    owner \u003d rt_mutex_owner(m);\n      \t    spin_unlock(m-\u003ewait_lock);\n      \t    if (cmpxchg(m-\u003eowner, owner, 0) \u003d\u003d owner)\n      \t       return;\n      \t    spin_lock(m-\u003ewait_lock);\n     }\n\nSo in case of a new waiter incoming while the owner tries the slow\npath unlock we have two situations:\n\n unlock(wait_lock);\n\t\t\t\t\tlock(wait_lock);\n cmpxchg(p, owner, 0) \u003d\u003d owner\n \t    \t   \t\t\tmark_rt_mutex_waiters(lock);\n\t \t\t\t\tacquire(lock);\n\nOr:\n\n unlock(wait_lock);\n\t\t\t\t\tlock(wait_lock);\n\t \t\t\t\tmark_rt_mutex_waiters(lock);\n cmpxchg(p, owner, 0) !\u003d owner\n\t\t\t\t\tenqueue_waiter();\n\t\t\t\t\tunlock(wait_lock);\n lock(wait_lock);\n wakeup_next waiter();\n unlock(wait_lock);\n\t\t\t\t\tlock(wait_lock);\n\t\t\t\t\tacquire(lock);\n\nIf the fast path is disabled, then the simple\n\n   m-\u003eowner \u003d NULL;\n   unlock(m-\u003ewait_lock);\n\nis sufficient as all access to m-\u003eowner is serialized via\nm-\u003ewait_lock;\n\nAlso document and clarify the wakeup_next_waiter function as suggested\nby Oleg Nesterov.\n\nReported-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nReviewed-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/r/20140611183852.937945560@linutronix.de\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Mike Galbraith \u003cumgwanakikbuti@gmail.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "ea018da95368adfb700689bd9842714f7c3db665",
      "tree": "1292bd16701c41189f489d5950b074772b5cb2fc",
      "parents": [
        "307e2e09be9993d7fe403a7310b28ab2d8e2f6ce"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Thu Jun 05 12:34:23 2014 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jul 17 15:39:50 2014 -0700"
      },
      "message": "rtmutex: Handle deadlock detection smarter\n\ncommit 3d5c9340d1949733eb37616abd15db36aef9a57c upstream.\n\nEven in the case when deadlock detection is not requested by the\ncaller, we can detect deadlocks. Right now the code stops the lock\nchain walk and keeps the waiter enqueued, even on itself. Silly not to\nyell when such a scenario is detected and to keep the waiter enqueued.\n\nReturn -EDEADLK unconditionally and handle it at the call sites.\n\nThe futex calls return -EDEADLK. The non futex ones dequeue the\nwaiter, throw a warning and put the task into a schedule loop.\n\nTagged for stable as it makes the code more robust.\n\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Brad Mouring \u003cbmouring@ni.com\u003e\nLink: http://lkml.kernel.org/r/20140605152801.836501969@linutronix.de\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Mike Galbraith \u003cumgwanakikbuti@gmail.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "307e2e09be9993d7fe403a7310b28ab2d8e2f6ce",
      "tree": "63c91c95088bebcce1bf4df486b17aa5312c95d0",
      "parents": [
        "90b421b52720b30644e104da002505f08a77c07a"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Thu Jun 05 11:16:12 2014 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jul 17 15:39:50 2014 -0700"
      },
      "message": "rtmutex: Detect changes in the pi lock chain\n\ncommit 82084984383babe728e6e3c9a8e5c46278091315 upstream.\n\nWhen we walk the lock chain, we drop all locks after each step. So the\nlock chain can change under us before we reacquire the locks. That\u0027s\nharmless in principle as we just follow the wrong lock path. But it\ncan lead to a false positive in the dead lock detection logic:\n\nT0 holds L0\nT0 blocks on L1 held by T1\nT1 blocks on L2 held by T2\nT2 blocks on L3 held by T3\nT4 blocks on L4 held by T4\n\nNow we walk the chain\n\nlock T1 -\u003e lock L2 -\u003e adjust L2 -\u003e unlock T1 -\u003e\n     lock T2 -\u003e  adjust T2 -\u003e  drop locks\n\nT2 times out and blocks on L0\n\nNow we continue:\n\nlock T2 -\u003e lock L0 -\u003e deadlock detected, but it\u0027s not a deadlock at all.\n\nBrad tried to work around that in the deadlock detection logic itself,\nbut the more I looked at it the less I liked it, because it\u0027s crystal\nball magic after the fact.\n\nWe actually can detect a chain change very simple:\n\nlock T1 -\u003e lock L2 -\u003e adjust L2 -\u003e unlock T1 -\u003e lock T2 -\u003e adjust T2 -\u003e\n\n     next_lock \u003d T2-\u003epi_blocked_on-\u003elock;\n\ndrop locks\n\nT2 times out and blocks on L0\n\nNow we continue:\n\nlock T2 -\u003e\n\n     if (next_lock !\u003d T2-\u003epi_blocked_on-\u003elock)\n     \t   return;\n\nSo if we detect that T2 is now blocked on a different lock we stop the\nchain walk. That\u0027s also correct in the following scenario:\n\nlock T1 -\u003e lock L2 -\u003e adjust L2 -\u003e unlock T1 -\u003e lock T2 -\u003e adjust T2 -\u003e\n\n     next_lock \u003d T2-\u003epi_blocked_on-\u003elock;\n\ndrop locks\n\nT3 times out and drops L3\nT2 acquires L3 and blocks on L4 now\n\nNow we continue:\n\nlock T2 -\u003e\n\n     if (next_lock !\u003d T2-\u003epi_blocked_on-\u003elock)\n     \t   return;\n\nWe don\u0027t have to follow up the chain at that point, because T2\npropagated our priority up to T4 already.\n\n[ Folded a cleanup patch from peterz ]\n\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nReported-by: Brad Mouring \u003cbmouring@ni.com\u003e\nCc: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/r/20140605152801.930031935@linutronix.de\nSigned-off-by: Mike Galbraith \u003cumgwanakikbuti@gmail.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "90b421b52720b30644e104da002505f08a77c07a",
      "tree": "6e267789da89c5601db4ad1f376b549215f7afdc",
      "parents": [
        "bf09db97205d46b3e083582eb2799aedddd9953b"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Thu May 22 03:25:39 2014 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jul 17 15:39:50 2014 -0700"
      },
      "message": "rtmutex: Fix deadlock detector for real\n\ncommit 397335f004f41e5fcf7a795e94eb3ab83411a17c upstream.\n\nThe current deadlock detection logic does not work reliably due to the\nfollowing early exit path:\n\n\t/*\n\t * Drop out, when the task has no waiters. Note,\n\t * top_waiter can be NULL, when we are in the deboosting\n\t * mode!\n\t */\n\tif (top_waiter \u0026\u0026 (!task_has_pi_waiters(task) ||\n\t\t\t   top_waiter !\u003d task_top_pi_waiter(task)))\n\t\tgoto out_unlock_pi;\n\nSo this not only exits when the task has no waiters, it also exits\nunconditionally when the current waiter is not the top priority waiter\nof the task.\n\nSo in a nested locking scenario, it might abort the lock chain walk\nand therefor miss a potential deadlock.\n\nSimple fix: Continue the chain walk, when deadlock detection is\nenabled.\n\nWe also avoid the whole enqueue, if we detect the deadlock right away\n(A-A). It\u0027s an optimization, but also prevents that another waiter who\ncomes in after the detection and before the task has undone the damage\nobserves the situation and detects the deadlock and returns\n-EDEADLOCK, which is wrong as the other task is not in a deadlock\nsituation.\n\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nReviewed-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nLink: http://lkml.kernel.org/r/20140522031949.725272460@linutronix.de\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Mike Galbraith \u003cumgwanakikbuti@gmail.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "bf09db97205d46b3e083582eb2799aedddd9953b",
      "tree": "a56ddb942afc72096dc4b53c725f603d841d2ccb",
      "parents": [
        "fa1bd9b16b3432bce7937a5a4b5d75ab2f5b634c"
      ],
      "author": {
        "name": "Steven Rostedt (Red Hat)",
        "email": "rostedt@goodmis.org",
        "time": "Tue Jun 24 23:50:09 2014 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jul 17 15:39:50 2014 -0700"
      },
      "message": "tracing: Remove ftrace_stop/start() from reading the trace file\n\ncommit 099ed151675cd1d2dbeae1dac697975f6a68716d upstream.\n\nDisabling reading and writing to the trace file should not be able to\ndisable all function tracing callbacks. There\u0027s other users today\n(like kprobes and perf). Reading a trace file should not stop those\nfrom happening.\n\nReviewed-by: Masami Hiramatsu \u003cmasami.hiramatsu.pt@hitachi.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "f54e04114e99817aae34261901fa5b54e6e2c336",
      "tree": "50371f4b87102e0b22d4c5e0b40428348941b2d0",
      "parents": [
        "d06191b3d67e11142db2d601a8393535e58de5e3"
      ],
      "author": {
        "name": "Gu Zheng",
        "email": "guz.fnst@cn.fujitsu.com",
        "time": "Wed Jun 25 09:57:18 2014 +0800"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jul 17 15:39:49 2014 -0700"
      },
      "message": "cpuset,mempolicy: fix sleeping function called from invalid context\n\ncommit 391acf970d21219a2a5446282d3b20eace0c0d7a upstream.\n\nWhen runing with the kernel(3.15-rc7+), the follow bug occurs:\n[ 9969.258987] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:586\n[ 9969.359906] in_atomic(): 1, irqs_disabled(): 0, pid: 160655, name: python\n[ 9969.441175] INFO: lockdep is turned off.\n[ 9969.488184] CPU: 26 PID: 160655 Comm: python Tainted: G       A      3.15.0-rc7+ #85\n[ 9969.581032] Hardware name: FUJITSU-SV PRIMEQUEST 1800E/SB, BIOS PRIMEQUEST 1000 Series BIOS Version 1.39 11/16/2012\n[ 9969.706052]  ffffffff81a20e60 ffff8803e941fbd0 ffffffff8162f523 ffff8803e941fd18\n[ 9969.795323]  ffff8803e941fbe0 ffffffff8109995a ffff8803e941fc58 ffffffff81633e6c\n[ 9969.884710]  ffffffff811ba5dc ffff880405c6b480 ffff88041fdd90a0 0000000000002000\n[ 9969.974071] Call Trace:\n[ 9970.003403]  [\u003cffffffff8162f523\u003e] dump_stack+0x4d/0x66\n[ 9970.065074]  [\u003cffffffff8109995a\u003e] __might_sleep+0xfa/0x130\n[ 9970.130743]  [\u003cffffffff81633e6c\u003e] mutex_lock_nested+0x3c/0x4f0\n[ 9970.200638]  [\u003cffffffff811ba5dc\u003e] ? kmem_cache_alloc+0x1bc/0x210\n[ 9970.272610]  [\u003cffffffff81105807\u003e] cpuset_mems_allowed+0x27/0x140\n[ 9970.344584]  [\u003cffffffff811b1303\u003e] ? __mpol_dup+0x63/0x150\n[ 9970.409282]  [\u003cffffffff811b1385\u003e] __mpol_dup+0xe5/0x150\n[ 9970.471897]  [\u003cffffffff811b1303\u003e] ? __mpol_dup+0x63/0x150\n[ 9970.536585]  [\u003cffffffff81068c86\u003e] ? copy_process.part.23+0x606/0x1d40\n[ 9970.613763]  [\u003cffffffff810bf28d\u003e] ? trace_hardirqs_on+0xd/0x10\n[ 9970.683660]  [\u003cffffffff810ddddf\u003e] ? monotonic_to_bootbased+0x2f/0x50\n[ 9970.759795]  [\u003cffffffff81068cf0\u003e] copy_process.part.23+0x670/0x1d40\n[ 9970.834885]  [\u003cffffffff8106a598\u003e] do_fork+0xd8/0x380\n[ 9970.894375]  [\u003cffffffff81110e4c\u003e] ? __audit_syscall_entry+0x9c/0xf0\n[ 9970.969470]  [\u003cffffffff8106a8c6\u003e] SyS_clone+0x16/0x20\n[ 9971.030011]  [\u003cffffffff81642009\u003e] stub_clone+0x69/0x90\n[ 9971.091573]  [\u003cffffffff81641c29\u003e] ? system_call_fastpath+0x16/0x1b\n\nThe cause is that cpuset_mems_allowed() try to take\nmutex_lock(\u0026callback_mutex) under the rcu_read_lock(which was hold in\n__mpol_dup()). And in cpuset_mems_allowed(), the access to cpuset is\nunder rcu_read_lock, so in __mpol_dup, we can reduce the rcu_read_lock\nprotection region to protect the access to cpuset only in\ncurrent_cpuset_is_being_rebound(). So that we can avoid this bug.\n\nThis patch is a temporary solution that just addresses the bug\nmentioned above, can not fix the long-standing issue about cpuset.mems\nrebinding on fork():\n\n\"When the forker\u0027s task_struct is duplicated (which includes\n -\u003emems_allowed) and it races with an update to cpuset_being_rebound\n in update_tasks_nodemask() then the task\u0027s mems_allowed doesn\u0027t get\n updated. And the child task\u0027s mems_allowed can be wrong if the\n cpuset\u0027s nodemask changes before the child has been added to the\n cgroup\u0027s tasklist.\"\n\nSigned-off-by: Gu Zheng \u003cguz.fnst@cn.fujitsu.com\u003e\nAcked-by: Li Zefan \u003clizefan@huawei.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "ecab17be93f5c130f7ea19e860dce7472d297b0d",
      "tree": "3b9210fc5eaaadb406d89209eb0543d45d36ae7d",
      "parents": [
        "407525a370b9d0b5d27520eaa83a2fd6ae681f48"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Tue Jun 03 12:27:06 2014 +0000"
      },
      "committer": {
        "name": "Gerrit - the friendly Code Review server",
        "email": "code-review@localhost",
        "time": "Tue Jul 08 06:26:58 2014 -0700"
      },
      "message": "futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr \u003d\u003d uaddr2 in futex_requeue(..., requeue_pi\u003d1)\n\nIf uaddr \u003d\u003d uaddr2, then we have broken the rule of only requeueing from\na non-pi futex to a pi futex with this call.  If we attempt this, then\ndangling pointers may be left for rt_waiter resulting in an exploitable\ncondition.\n\nThis change brings futex_requeue() in line with futex_wait_requeue_pi()\nwhich performs the same check as per commit 6f7b0a2a5c0f (\"futex: Forbid\nuaddr \u003d\u003d uaddr2 in futex_wait_requeue_pi()\")\n\n[ tglx: Compare the resulting keys as well, as uaddrs might be\n  \tdifferent depending on the mapping ]\n\nFixes CVE-2014-3153.\n\nReported-by: Pinkie Pie\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nReviewed-by: Darren Hart \u003cdvhart@linux.intel.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nChange-Id: I9ee5c8a87cc43c7b1e1dc2796949e7c20c74ddf4\nGit-commit: e9c243a5a6de0be8e584c604d353412584b592f8\nGit-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git\nSigned-off-by: Divya Sharma \u003cc_shard@codeaurora.org\u003e\n"
    },
    {
      "commit": "0c3351a0a4815ea566d3febf82033b6c55ed4a2d",
      "tree": "6aaeb576ba3bda684481e2ca0d4b185b7b0ff6a6",
      "parents": [
        "e3293b8639a90b7227be9c273af0a45015c499bb"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Sun Apr 13 20:58:54 2014 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sun Jul 06 18:49:20 2014 -0700"
      },
      "message": "tracing: Fix syscall_*regfunc() vs copy_process() race\n\ncommit 4af4206be2bd1933cae20c2b6fb2058dbc887f7c upstream.\n\nsyscall_regfunc() and syscall_unregfunc() should set/clear\nTIF_SYSCALL_TRACEPOINT system-wide, but do_each_thread() can race\nwith copy_process() and miss the new child which was not added to\nthe process/thread lists yet.\n\nChange copy_process() to update the child\u0027s TIF_SYSCALL_TRACEPOINT\nunder tasklist.\n\nLink: http://lkml.kernel.org/p/20140413185854.GB20668@redhat.com\n\nFixes: a871bd33a6c0 \"tracing: Add syscall tracepoints\"\nAcked-by: Frederic Weisbecker \u003cfweisbec@gmail.com\u003e\nAcked-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "a97df3f22b83742deb9191d53928641ec3befb6e",
      "tree": "c34f984ed3c4f844aeb3b2076148d2f334e5b134",
      "parents": [
        "1d48df4863c4a4d40809575efa1f101b1e8090b5"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Thu Mar 07 14:53:45 2013 +0100"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jun 30 20:01:33 2014 -0700"
      },
      "message": "genirq: Sanitize spurious interrupt detection of threaded irqs\n\ncommit 1e77d0a1ed7417d2a5a52a7b8d32aea1833faa6c upstream.\n\nTill reported that the spurious interrupt detection of threaded\ninterrupts is broken in two ways:\n\n- note_interrupt() is called for each action thread of a shared\n  interrupt line. That\u0027s wrong as we are only interested whether none\n  of the device drivers felt responsible for the interrupt, but by\n  calling multiple times for a single interrupt line we account\n  IRQ_NONE even if one of the drivers felt responsible.\n\n- note_interrupt() when called from the thread handler is not\n  serialized. That leaves the members of irq_desc which are used for\n  the spurious detection unprotected.\n\nTo solve this we need to defer the spurious detection of a threaded\ninterrupt to the next hardware interrupt context where we have\nimplicit serialization.\n\nIf note_interrupt is called with action_ret \u003d\u003d IRQ_WAKE_THREAD, we\ncheck whether the previous interrupt requested a deferred check. If\nnot, we request a deferred check for the next hardware interrupt and\nreturn.\n\nIf set, we check whether one of the interrupt threads signaled\nsuccess. Depending on this information we feed the result into the\nspurious detector.\n\nIf one primary handler of a shared interrupt returns IRQ_HANDLED we\ndisable the deferred check of irq threads on the same line, as we have\nfound at least one device driver who cared.\n\nReported-by: Till Straumann \u003cstrauman@slac.stanford.edu\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nTested-by: Austin Schuh \u003caustin@peloton-tech.com\u003e\nCc: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nCc: Wolfgang Grandegger \u003cwg@grandegger.com\u003e\nCc: Pavel Pisa \u003cpisa@cmp.felk.cvut.cz\u003e\nCc: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\nCc: linux-can@vger.kernel.org\nLink: http://lkml.kernel.org/r/alpine.LFD.2.02.1303071450130.22263@ionos\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "3f8f4ae48f4023e1c53722b1dc1a7ab897cbca14",
      "tree": "2677e4c998e385b214a5a04f09343133b2ebc8be",
      "parents": [
        "7be9d6cd4b57ebd5b344e4a006c0aa6e7a08aba3"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Fri Nov 29 12:18:13 2013 +0100"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jun 26 15:10:29 2014 -0400"
      },
      "message": "nohz: Fix another inconsistency between CONFIG_NO_HZ\u003dn and nohz\u003doff\n\ncommit 0e576acbc1d9600cf2d9b4a141a2554639959d50 upstream.\n\nIf CONFIG_NO_HZ\u003dn tick_nohz_get_sleep_length() returns NSEC_PER_SEC/HZ.\n\nIf CONFIG_NO_HZ\u003dy and the nohz functionality is disabled via the\ncommand line option \"nohz\u003doff\" or not enabled due to missing hardware\nsupport, then tick_nohz_get_sleep_length() returns 0. That happens\nbecause ts-\u003esleep_length is never set in that case.\n\nSet it to NSEC_PER_SEC/HZ when the NOHZ mode is inactive.\n\nReported-by: Michal Hocko \u003cmhocko@suse.cz\u003e\nReported-by: Borislav Petkov \u003cbp@alien8.de\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Rui Xiang \u003crui.xiang@huawei.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "1996c132e6e6524d2ecb386b8d96b8c32343ca67",
      "tree": "a411dfe837067b8595dd9cf0ce4c0a7b38ce49cd",
      "parents": [
        "bae16898d62fa7b608c17ab1f987d319af28b3e7",
        "15d8f1ef6b18f4c96cc5f95fc3acc204deeb2469"
      ],
      "author": {
        "name": "Linux Build Service Account",
        "email": "lnxbuild@localhost",
        "time": "Tue Jun 17 07:26:27 2014 -0700"
      },
      "committer": {
        "name": "Gerrit - the friendly Code Review server",
        "email": "code-review@localhost",
        "time": "Tue Jun 17 07:26:27 2014 -0700"
      },
      "message": "Merge \"msm: perf: clean up duplicate constraint events\""
    },
    {
      "commit": "f37d83a8a407737a83f5149948ecd3cd557f4193",
      "tree": "ee693c2083bc03d5072e7d151503d7af00f61cc6",
      "parents": [
        "1aea5c99f4ee468b167b14f55998ee020c7f6b84",
        "13f898ac02a320773d70d2998a4803f07c58734d"
      ],
      "author": {
        "name": "Linux Build Service Account",
        "email": "lnxbuild@localhost",
        "time": "Tue Jun 17 07:26:26 2014 -0700"
      },
      "committer": {
        "name": "Gerrit - the friendly Code Review server",
        "email": "code-review@localhost",
        "time": "Tue Jun 17 07:26:26 2014 -0700"
      },
      "message": "Merge \"Perf: Support sw events across hotplug\""
    },
    {
      "commit": "c261a5ae9e573d6178bee078bca21064aae24d71",
      "tree": "a2cd70bec61c699137160c163a882ac282487884",
      "parents": [
        "44796beb5ea98011490905a47d3a9b5a2f2bddee",
        "8165d84a0d90b1976ea6bb370a36df1b0cc14c63"
      ],
      "author": {
        "name": "Linux Build Service Account",
        "email": "lnxbuild@localhost",
        "time": "Tue Jun 17 07:26:24 2014 -0700"
      },
      "committer": {
        "name": "Gerrit - the friendly Code Review server",
        "email": "code-review@localhost",
        "time": "Tue Jun 17 07:26:24 2014 -0700"
      },
      "message": "Merge \"Perf: keep events across hotplug\""
    },
    {
      "commit": "39da9a416814e556060bab8569293b8f3d889765",
      "tree": "47e6e9dc9b64c873e31bd67dfe4d9ecdfb81ea98",
      "parents": [
        "35a2bae84d5bc0a6609134b51053f78d235940c2"
      ],
      "author": {
        "name": "Andy Lutomirski",
        "email": "luto@amacapital.net",
        "time": "Wed May 28 23:09:58 2014 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Jun 16 13:45:46 2014 -0700"
      },
      "message": "auditsc: audit_krule mask accesses need bounds checking\n\ncommit a3c54931199565930d6d84f4c3456f6440aefd41 upstream.\n\nFixes an easy DoS and possible information disclosure.\n\nThis does nothing about the broken state of x32 auditing.\n\neparis: If the admin has enabled auditd and has specifically loaded\naudit rules.  This bug has been around since before git.  Wow...\n\nSigned-off-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "d6e81d4f7b4e8cea2817c7568e3756798cd29aae",
      "tree": "0f9ff9d27bcba2a3278122bb4834a33a4da02266",
      "parents": [
        "ee40d72c3e6fc7e6cd5241eb84fa104b61dc8ec3"
      ],
      "author": {
        "name": "Lai Jiangshan",
        "email": "laijs@cn.fujitsu.com",
        "time": "Fri May 16 11:50:42 2014 +0800"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jun 11 12:04:11 2014 -0700"
      },
      "message": "sched: Fix hotplug vs. set_cpus_allowed_ptr()\n\ncommit 6acbfb96976fc3350e30d964acb1dbbdf876d55e upstream.\n\nLai found that:\n\n  WARNING: CPU: 1 PID: 13 at arch/x86/kernel/smp.c:124 native_smp_send_reschedule+0x2d/0x4b()\n  ...\n  migration_cpu_stop+0x1d/0x22\n\nwas caused by set_cpus_allowed_ptr() assuming that cpu_active_mask is\nalways a sub-set of cpu_online_mask.\n\nThis isn\u0027t true since 5fbd036b552f (\"sched: Cleanup cpu_active madness\").\n\nSo set active and online at the same time to avoid this particular\nproblem.\n\nFixes: 5fbd036b552f (\"sched: Cleanup cpu_active madness\")\nSigned-off-by: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nSigned-off-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nCc: Gautham R. Shenoy \u003cego@linux.vnet.ibm.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Michael wang \u003cwangyun@linux.vnet.ibm.com\u003e\nCc: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nCc: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nCc: Srivatsa S. Bhat \u003csrivatsa.bhat@linux.vnet.ibm.com\u003e\nCc: Toshi Kani \u003ctoshi.kani@hp.com\u003e\nLink: http://lkml.kernel.org/r/53758B12.8060609@cn.fujitsu.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "4b2cfc9508d9e509708f85748548e03db696dbcd",
      "tree": "1c3f251ef8073234984c334c59993e7b4c3b26db",
      "parents": [
        "183f99ecb6a484c142ae2fc99df3ef5cdadc3985"
      ],
      "author": {
        "name": "Peter Zijlstra",
        "email": "peterz@infradead.org",
        "time": "Fri May 02 16:56:01 2014 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jun 11 12:04:11 2014 -0700"
      },
      "message": "perf: Fix race in removing an event\n\ncommit 46ce0fe97a6be7532ce6126bb26ce89fed81528c upstream.\n\nWhen removing a (sibling) event we do:\n\n\traw_spin_lock_irq(\u0026ctx-\u003elock);\n\tperf_group_detach(event);\n\traw_spin_unlock_irq(\u0026ctx-\u003elock);\n\n\t\u003chole\u003e\n\n\tperf_remove_from_context(event);\n\t\traw_spin_lock_irq(\u0026ctx-\u003elock);\n\t\t...\n\t\traw_spin_unlock_irq(\u0026ctx-\u003elock);\n\nNow, assuming the event is a sibling, it will be \u0027unreachable\u0027 for\nthings like ctx_sched_out() because that iterates the\ngroups-\u003esiblings, and we just unhooked the sibling.\n\nSo, if during \u003chole\u003e we get ctx_sched_out(), it will miss the event\nand not call event_sched_out() on it, leaving it programmed on the\nPMU.\n\nThe subsequent perf_remove_from_context() call will find the ctx is\ninactive and only call list_del_event() to remove the event from all\nother lists.\n\nHereafter we can proceed to free the event; while still programmed!\n\nClose this hole by moving perf_group_detach() inside the same\nctx-\u003elock region(s) perf_remove_from_context() has.\n\nThe condition on inherited events only in __perf_event_exit_task() is\nlikely complete crap because non-inherited events are part of groups\ntoo and we\u0027re tearing down just the same. But leave that for another\npatch.\n\nMost-likely-Fixes: e03a9a55b4e (\"perf: Change close() semantics for group events\")\nReported-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nTested-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nMuch-staring-at-traces-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nMuch-staring-at-traces-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@kernel.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/r/20140505093124.GN17778@laptop.programming.kicks-ass.net\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "183f99ecb6a484c142ae2fc99df3ef5cdadc3985",
      "tree": "3058cc15bf054797ee4e2b64390b85563a627072",
      "parents": [
        "0d41f6026aa0c15d60e75f8f71f1408c32fe1ba4"
      ],
      "author": {
        "name": "Peter Zijlstra",
        "email": "peterz@infradead.org",
        "time": "Thu May 15 20:23:48 2014 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jun 11 12:04:11 2014 -0700"
      },
      "message": "perf: Limit perf_event_attr::sample_period to 63 bits\n\ncommit 0819b2e30ccb93edf04876237b6205eef84ec8d2 upstream.\n\nVince reported that using a large sample_period (one with bit 63 set)\nresults in wreckage since while the sample_period is fundamentally\nunsigned (negative periods don\u0027t make sense) the way we implement\nthings very much rely on signed logic.\n\nSo limit sample_period to 63 bits to avoid tripping over this.\n\nReported-by: Vince Weaver \u003cvincent.weaver@maine.edu\u003e\nSigned-off-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/n/tip-p25fhunibl4y3qi0zuqmyf4b@git.kernel.org\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "0d41f6026aa0c15d60e75f8f71f1408c32fe1ba4",
      "tree": "1e398bd28e5334c5074a97939a672c168f6d7168",
      "parents": [
        "4e0d105c09b8bec501ff5455b774bf3a845d017c"
      ],
      "author": {
        "name": "Jiri Olsa",
        "email": "jolsa@redhat.com",
        "time": "Mon Apr 07 11:04:08 2014 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jun 11 12:04:10 2014 -0700"
      },
      "message": "perf: Prevent false warning in perf_swevent_add\n\ncommit 39af6b1678afa5880dda7e375cf3f9d395087f6d upstream.\n\nThe perf cpu offline callback takes down all cpu context\nevents and releases swhash-\u003eswevent_hlist.\n\nThis could race with task context software event being just\nscheduled on this cpu via perf_swevent_add while cpu hotplug\ncode already cleaned up event\u0027s data.\n\nThe race happens in the gap between the cpu notifier code\nand the cpu being actually taken down. Note that only cpu\nctx events are terminated in the perf cpu hotplug code.\n\nIt\u0027s easily reproduced with:\n  $ perf record -e faults perf bench sched pipe\n\nwhile putting one of the cpus offline:\n  # echo 0 \u003e /sys/devices/system/cpu/cpu1/online\n\nConsole emits following warning:\n  WARNING: CPU: 1 PID: 2845 at kernel/events/core.c:5672 perf_swevent_add+0x18d/0x1a0()\n  Modules linked in:\n  CPU: 1 PID: 2845 Comm: sched-pipe Tainted: G        W    3.14.0+ #256\n  Hardware name: Intel Corporation Montevina platform/To be filled by O.E.M., BIOS AMVACRB1.86C.0066.B00.0805070703 05/07/2008\n   0000000000000009 ffff880077233ab8 ffffffff81665a23 0000000000200005\n   0000000000000000 ffff880077233af8 ffffffff8104732c 0000000000000046\n   ffff88007467c800 0000000000000002 ffff88007a9cf2a0 0000000000000001\n  Call Trace:\n   [\u003cffffffff81665a23\u003e] dump_stack+0x4f/0x7c\n   [\u003cffffffff8104732c\u003e] warn_slowpath_common+0x8c/0xc0\n   [\u003cffffffff8104737a\u003e] warn_slowpath_null+0x1a/0x20\n   [\u003cffffffff8110fb3d\u003e] perf_swevent_add+0x18d/0x1a0\n   [\u003cffffffff811162ae\u003e] event_sched_in.isra.75+0x9e/0x1f0\n   [\u003cffffffff8111646a\u003e] group_sched_in+0x6a/0x1f0\n   [\u003cffffffff81083dd5\u003e] ? sched_clock_local+0x25/0xa0\n   [\u003cffffffff811167e6\u003e] ctx_sched_in+0x1f6/0x450\n   [\u003cffffffff8111757b\u003e] perf_event_sched_in+0x6b/0xa0\n   [\u003cffffffff81117a4b\u003e] perf_event_context_sched_in+0x7b/0xc0\n   [\u003cffffffff81117ece\u003e] __perf_event_task_sched_in+0x43e/0x460\n   [\u003cffffffff81096f1e\u003e] ? put_lock_stats.isra.18+0xe/0x30\n   [\u003cffffffff8107b3c8\u003e] finish_task_switch+0xb8/0x100\n   [\u003cffffffff8166a7de\u003e] __schedule+0x30e/0xad0\n   [\u003cffffffff81172dd2\u003e] ? pipe_read+0x3e2/0x560\n   [\u003cffffffff8166b45e\u003e] ? preempt_schedule_irq+0x3e/0x70\n   [\u003cffffffff8166b45e\u003e] ? preempt_schedule_irq+0x3e/0x70\n   [\u003cffffffff8166b464\u003e] preempt_schedule_irq+0x44/0x70\n   [\u003cffffffff816707f0\u003e] retint_kernel+0x20/0x30\n   [\u003cffffffff8109e60a\u003e] ? lockdep_sys_exit+0x1a/0x90\n   [\u003cffffffff812a4234\u003e] lockdep_sys_exit_thunk+0x35/0x67\n   [\u003cffffffff81679321\u003e] ? sysret_check+0x5/0x56\n\nFixing this by tracking the cpu hotplug state and displaying\nthe WARN only if current cpu is initialized properly.\n\nCc: Corey Ashford \u003ccjashfor@linux.vnet.ibm.com\u003e\nCc: Frederic Weisbecker \u003cfweisbec@gmail.com\u003e\nCc: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Paul Mackerras \u003cpaulus@samba.org\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nReported-by: Fengguang Wu \u003cfengguang.wu@intel.com\u003e\nSigned-off-by: Jiri Olsa \u003cjolsa@redhat.com\u003e\nSigned-off-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/r/1396861448-10097-1-git-send-email-jolsa@redhat.com\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "4e0d105c09b8bec501ff5455b774bf3a845d017c",
      "tree": "2f40d878516c7293b85309c34e3caf78cd652465",
      "parents": [
        "22feaed11f1b0c58aab5df196c0bf011e7095a62"
      ],
      "author": {
        "name": "Steven Rostedt (Red Hat)",
        "email": "rostedt@goodmis.org",
        "time": "Sun Apr 13 09:34:53 2014 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jun 11 12:04:10 2014 -0700"
      },
      "message": "sched: Use CPUPRI_NR_PRIORITIES instead of MAX_RT_PRIO in cpupri check\n\ncommit 6227cb00cc120f9a43ce8313bb0475ddabcb7d01 upstream.\n\nThe check at the beginning of cpupri_find() makes sure that the task_pri\nvariable does not exceed the cp-\u003epri_to_cpu array length. But that length\nis CPUPRI_NR_PRIORITIES not MAX_RT_PRIO, where it will miss the last two\npriorities in that array.\n\nAs task_pri is computed from convert_prio() which should never be bigger\nthan CPUPRI_NR_PRIORITIES, if the check should cause a panic if it is\nhit.\n\nReported-by: Mike Galbraith \u003cumgwanakikbuti@gmail.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/r/1397015410.5212.13.camel@marge.simpson.net\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "11b9a7a786232e811cbe988543cb83b5ff1a829c",
      "tree": "c88cd9cb8e97f103f4a03d3469a112bc26533f6a",
      "parents": [
        "a8f96abb1a78f16c498cb1e03386cc1a7b55a28c"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Tue Jun 03 12:27:08 2014 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:16 2014 -0700"
      },
      "message": "futex: Make lookup_pi_state more robust\n\ncommit 54a217887a7b658e2650c3feff22756ab80c7339 upstream.\n\nThe current implementation of lookup_pi_state has ambigous handling of\nthe TID value 0 in the user space futex.  We can get into the kernel\neven if the TID value is 0, because either there is a stale waiters bit\nor the owner died bit is set or we are called from the requeue_pi path\nor from user space just for fun.\n\nThe current code avoids an explicit sanity check for pid \u003d 0 in case\nthat kernel internal state (waiters) are found for the user space\naddress.  This can lead to state leakage and worse under some\ncircumstances.\n\nHandle the cases explicit:\n\n       Waiter | pi_state | pi-\u003eowner | uTID      | uODIED | ?\n\n  [1]  NULL   | ---      | ---       | 0         | 0/1    | Valid\n  [2]  NULL   | ---      | ---       | \u003e0        | 0/1    | Valid\n\n  [3]  Found  | NULL     | --        | Any       | 0/1    | Invalid\n\n  [4]  Found  | Found    | NULL      | 0         | 1      | Valid\n  [5]  Found  | Found    | NULL      | \u003e0        | 1      | Invalid\n\n  [6]  Found  | Found    | task      | 0         | 1      | Valid\n\n  [7]  Found  | Found    | NULL      | Any       | 0      | Invalid\n\n  [8]  Found  | Found    | task      | \u003d\u003dtaskTID | 0/1    | Valid\n  [9]  Found  | Found    | task      | 0         | 0      | Invalid\n  [10] Found  | Found    | task      | !\u003dtaskTID | 0/1    | Invalid\n\n [1] Indicates that the kernel can acquire the futex atomically. We\n     came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.\n\n [2] Valid, if TID does not belong to a kernel thread. If no matching\n     thread is found then it indicates that the owner TID has died.\n\n [3] Invalid. The waiter is queued on a non PI futex\n\n [4] Valid state after exit_robust_list(), which sets the user space\n     value to FUTEX_WAITERS | FUTEX_OWNER_DIED.\n\n [5] The user space value got manipulated between exit_robust_list()\n     and exit_pi_state_list()\n\n [6] Valid state after exit_pi_state_list() which sets the new owner in\n     the pi_state but cannot access the user space value.\n\n [7] pi_state-\u003eowner can only be NULL when the OWNER_DIED bit is set.\n\n [8] Owner and user space value match\n\n [9] There is no transient state which sets the user space TID to 0\n     except exit_robust_list(), but this is indicated by the\n     FUTEX_OWNER_DIED bit. See [4]\n\n[10] There is no transient state which leaves owner and user space\n     TID out of sync.\n\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Will Drewry \u003cwad@chromium.org\u003e\nCc: Darren Hart \u003cdvhart@linux.intel.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "a8f96abb1a78f16c498cb1e03386cc1a7b55a28c",
      "tree": "07c243177c4c43656c451c3a096a234d19ab5a02",
      "parents": [
        "2397889b03ef0f394e176b86ba37c421a01a9c89"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Tue Jun 03 12:27:07 2014 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:16 2014 -0700"
      },
      "message": "futex: Always cleanup owner tid in unlock_pi\n\ncommit 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e upstream.\n\nIf the owner died bit is set at futex_unlock_pi, we currently do not\ncleanup the user space futex.  So the owner TID of the current owner\n(the unlocker) persists.  That\u0027s observable inconsistant state,\nespecially when the ownership of the pi state got transferred.\n\nClean it up unconditionally.\n\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Will Drewry \u003cwad@chromium.org\u003e\nCc: Darren Hart \u003cdvhart@linux.intel.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "2397889b03ef0f394e176b86ba37c421a01a9c89",
      "tree": "8596328ecedce75375bb3c51c671c3bb8d340bb7",
      "parents": [
        "4cca4db7bd5fb663660da34a3514d9fa8f5f14f3"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Tue Jun 03 12:27:06 2014 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:16 2014 -0700"
      },
      "message": "futex: Validate atomic acquisition in futex_lock_pi_atomic()\n\ncommit b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270 upstream.\n\nWe need to protect the atomic acquisition in the kernel against rogue\nuser space which sets the user space futex to 0, so the kernel side\nacquisition succeeds while there is existing state in the kernel\nassociated to the real owner.\n\nVerify whether the futex has waiters associated with kernel state.  If\nit has, return -EINVAL.  The state is corrupted already, so no point in\ncleaning it up.  Subsequent calls will fail as well.  Not our problem.\n\n[ tglx: Use futex_top_waiter() and explain why we do not need to try\n  \trestoring the already corrupted user space state. ]\n\nSigned-off-by: Darren Hart \u003cdvhart@linux.intel.com\u003e\nCc: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Will Drewry \u003cwad@chromium.org\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "4cca4db7bd5fb663660da34a3514d9fa8f5f14f3",
      "tree": "31514f38e1694d440f616b23b91ac9686bbc91ed",
      "parents": [
        "c6f9d698ffd5cfbb941177bec02b43542c748d77"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Tue Jun 03 12:27:06 2014 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:16 2014 -0700"
      },
      "message": "futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr \u003d\u003d uaddr2 in futex_requeue(..., requeue_pi\u003d1)\n\ncommit e9c243a5a6de0be8e584c604d353412584b592f8 upstream.\n\nIf uaddr \u003d\u003d uaddr2, then we have broken the rule of only requeueing from\na non-pi futex to a pi futex with this call.  If we attempt this, then\ndangling pointers may be left for rt_waiter resulting in an exploitable\ncondition.\n\nThis change brings futex_requeue() in line with futex_wait_requeue_pi()\nwhich performs the same check as per commit 6f7b0a2a5c0f (\"futex: Forbid\nuaddr \u003d\u003d uaddr2 in futex_wait_requeue_pi()\")\n\n[ tglx: Compare the resulting keys as well, as uaddrs might be\n  \tdifferent depending on the mapping ]\n\nFixes CVE-2014-3153.\n\nReported-by: Pinkie Pie\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nReviewed-by: Darren Hart \u003cdvhart@linux.intel.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "4652951d1202cef2798b1a0dfbf4122794594b41",
      "tree": "0c6dd14b186e021355bbb59166237711b97bf767",
      "parents": [
        "926685e95e4d6518110794b77676b3bb7f9c4be0"
      ],
      "author": {
        "name": "Steven Rostedt (Red Hat)",
        "email": "rostedt@goodmis.org",
        "time": "Thu Mar 14 14:20:54 2013 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:04 2014 -0700"
      },
      "message": "tracing: Keep overwrite in sync between regular and snapshot buffers\n\ncommit 80902822658aab18330569587cdb69ac1dfdcea8 upstream.\n\nChanging the overwrite mode for the ring buffer via the trace\noption only sets the normal buffer. But the snapshot buffer could\nswap with it, and then the snapshot would be in non overwrite mode\nand the normal buffer would be in overwrite mode, even though the\noption flag states otherwise.\n\nKeep the two buffers overwrite modes in sync.\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Rui Xiang \u003crui.xiang@huawei.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "926685e95e4d6518110794b77676b3bb7f9c4be0",
      "tree": "ab75d5532a97420774499be869f05331e45d7e17",
      "parents": [
        "e5f1ec5d39f6d59bfe5c53f4b28a94e3a4245e02"
      ],
      "author": {
        "name": "Wei Yongjun",
        "email": "yongjun_wei@trendmicro.com.cn",
        "time": "Fri Apr 12 11:05:54 2013 +0800"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:04 2014 -0700"
      },
      "message": "perf: Fix error return code\n\ncommit c481420248c6730246d2a1b1773d5d7007ae0835 upstream.\n\nFix to return -ENOMEM in the allocation error case instead of 0\n(if pmu_bus_running \u003d\u003d 1), as done elsewhere in this function.\n\nSigned-off-by: Wei Yongjun \u003cyongjun_wei@trendmicro.com.cn\u003e\nCc: a.p.zijlstra@chello.nl\nCc: paulus@samba.org\nCc: acme@ghostprotocols.net\nLink: http://lkml.kernel.org/r/CAPgLHd8j_fWcgqe%3DKLWjpBj%2B%3Do0Pw6Z-SEq%3DNTPU08c2w1tngQ@mail.gmail.com\n[ Tweaked the error code setting placement and the changelog. ]\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Rui Xiang \u003crui.xiang@huawei.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "e5f1ec5d39f6d59bfe5c53f4b28a94e3a4245e02",
      "tree": "72a98a486d26d757ef26ed5e6ccf25726d7b90ce",
      "parents": [
        "4aff95ab8f985d14f585187b5f78c65a56dd716b"
      ],
      "author": {
        "name": "libin",
        "email": "huawei.libin@huawei.com",
        "time": "Mon Apr 08 14:39:12 2013 +0800"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:04 2014 -0700"
      },
      "message": "sched/debug: Fix sd-\u003e*_idx limit range avoiding overflow\n\ncommit fd9b86d37a600488dbd80fe60cca46b822bff1cd upstream.\n\nCommit 201c373e8e (\"sched/debug: Limit sd-\u003e*_idx range on\nsysctl\") was an incomplete bug fix.\n\nThis patch fixes sd-\u003e*_idx limit range to [0 ~ CPU_LOAD_IDX_MAX-1]\navoiding array overflow caused by setting sd-\u003e*_idx to CPU_LOAD_IDX_MAX\non sysctl.\n\nSigned-off-by: Libin \u003chuawei.libin@huawei.com\u003e\nCc: \u003cjiang.liu@huawei.com\u003e\nCc: \u003cguohanjun@huawei.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/r/51626610.2040607@huawei.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Rui Xiang \u003crui.xiang@huawei.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "4aff95ab8f985d14f585187b5f78c65a56dd716b",
      "tree": "a009a89d60863d3681042a21b496c08758636b78",
      "parents": [
        "74d86ed74b4ddf37de24a9ad979a8aafd2d4c25f"
      ],
      "author": {
        "name": "Namhyung Kim",
        "email": "namhyung.kim@lge.com",
        "time": "Thu Aug 16 17:03:24 2012 +0900"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:04 2014 -0700"
      },
      "message": "sched/debug: Limit sd-\u003e*_idx range on sysctl\n\ncommit 201c373e8e4823700d3160d5c28e1ab18fd1193e upstream.\n\nVarious sd-\u003e*_idx\u0027s are used for refering the rq\u0027s load average table\nwhen selecting a cpu to run.  However they can be set to any number\nwith sysctl knobs so that it can crash the kernel if something bad is\ngiven. Fix it by limiting them into the actual range.\n\nSigned-off-by: Namhyung Kim \u003cnamhyung@kernel.org\u003e\nSigned-off-by: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nLink: http://lkml.kernel.org/r/1345104204-8317-1-git-send-email-namhyung@kernel.org\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nCc: Rui Xiang \u003crui.xiang@huawei.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "74d86ed74b4ddf37de24a9ad979a8aafd2d4c25f",
      "tree": "320a1abfe9bf227ea4d9e10e60f534f9de8c3cb9",
      "parents": [
        "1fbbea7be9248d652fc2bb191e6ec9e823df422c"
      ],
      "author": {
        "name": "Steven Rostedt (Red Hat)",
        "email": "rostedt@goodmis.org",
        "time": "Tue Jul 30 00:04:32 2013 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:04 2014 -0700"
      },
      "message": "ftrace: Check module functions being traced on reload\n\ncommit 8c4f3c3fa9681dc549cd35419b259496082fef8b upstream.\n\nThere\u0027s been a nasty bug that would show up and not give much info.\nThe bug displayed the following warning:\n\n WARNING: at kernel/trace/ftrace.c:1529 __ftrace_hash_rec_update+0x1e3/0x230()\n Pid: 20903, comm: bash Tainted: G           O 3.6.11+ #38405.trunk\n Call Trace:\n  [\u003cffffffff8103e5ff\u003e] warn_slowpath_common+0x7f/0xc0\n  [\u003cffffffff8103e65a\u003e] warn_slowpath_null+0x1a/0x20\n  [\u003cffffffff810c2ee3\u003e] __ftrace_hash_rec_update+0x1e3/0x230\n  [\u003cffffffff810c4f28\u003e] ftrace_hash_move+0x28/0x1d0\n  [\u003cffffffff811401cc\u003e] ? kfree+0x2c/0x110\n  [\u003cffffffff810c68ee\u003e] ftrace_regex_release+0x8e/0x150\n  [\u003cffffffff81149f1e\u003e] __fput+0xae/0x220\n  [\u003cffffffff8114a09e\u003e] ____fput+0xe/0x10\n  [\u003cffffffff8105fa22\u003e] task_work_run+0x72/0x90\n  [\u003cffffffff810028ec\u003e] do_notify_resume+0x6c/0xc0\n  [\u003cffffffff8126596e\u003e] ? trace_hardirqs_on_thunk+0x3a/0x3c\n  [\u003cffffffff815c0f88\u003e] int_signal+0x12/0x17\n ---[ end trace 793179526ee09b2c ]---\n\nIt was finally narrowed down to unloading a module that was being traced.\n\nIt was actually more than that. When functions are being traced, there\u0027s\na table of all functions that have a ref count of the number of active\ntracers attached to that function. When a function trace callback is\nregistered to a function, the function\u0027s record ref count is incremented.\nWhen it is unregistered, the function\u0027s record ref count is decremented.\nIf an inconsistency is detected (ref count goes below zero) the above\nwarning is shown and the function tracing is permanently disabled until\nreboot.\n\nThe ftrace callback ops holds a hash of functions that it filters on\n(and/or filters off). If the hash is empty, the default means to filter\nall functions (for the filter_hash) or to disable no functions (for the\nnotrace_hash).\n\nWhen a module is unloaded, it frees the function records that represent\nthe module functions. These records exist on their own pages, that is\nfunction records for one module will not exist on the same page as\nfunction records for other modules or even the core kernel.\n\nNow when a module unloads, the records that represents its functions are\nfreed. When the module is loaded again, the records are recreated with\na default ref count of zero (unless there\u0027s a callback that traces all\nfunctions, then they will also be traced, and the ref count will be\nincremented).\n\nThe problem is that if an ftrace callback hash includes functions of the\nmodule being unloaded, those hash entries will not be removed. If the\nmodule is reloaded in the same location, the hash entries still point\nto the functions of the module but the module\u0027s ref counts do not reflect\nthat.\n\nWith the help of Steve and Joern, we found a reproducer:\n\n Using uinput module and uinput_release function.\n\n cd /sys/kernel/debug/tracing\n modprobe uinput\n echo uinput_release \u003e set_ftrace_filter\n echo function \u003e current_tracer\n rmmod uinput\n modprobe uinput\n # check /proc/modules to see if loaded in same addr, otherwise try again\n echo nop \u003e current_tracer\n\n [BOOM]\n\nThe above loads the uinput module, which creates a table of functions that\ncan be traced within the module.\n\nWe add uinput_release to the filter_hash to trace just that function.\n\nEnable function tracincg, which increments the ref count of the record\nassociated to uinput_release.\n\nRemove uinput, which frees the records including the one that represents\nuinput_release.\n\nLoad the uinput module again (and make sure it\u0027s at the same address).\nThis recreates the function records all with a ref count of zero,\nincluding uinput_release.\n\nDisable function tracing, which will decrement the ref count for uinput_release\nwhich is now zero because of the module removal and reload, and we have\na mismatch (below zero ref count).\n\nThe solution is to check all currently tracing ftrace callbacks to see if any\nare tracing any of the module\u0027s functions when a module is loaded (it already does\nthat with callbacks that trace all functions). If a callback happens to have\na module function being traced, it increments that records ref count and starts\ntracing that function.\n\nThere may be a strange side effect with this, where tracing module functions\non unload and then reloading a new module may have that new module\u0027s functions\nbeing traced. This may be something that confuses the user, but it\u0027s not\na big deal. Another approach is to disable all callback hashes on module unload,\nbut this leaves some ftrace callbacks that may not be registered, but can\nstill have hashes tracing the module\u0027s function where ftrace doesn\u0027t know about\nit. That situation can cause the same bug. This solution solves that case too.\nAnother benefit of this solution, is it is possible to trace a module\u0027s\nfunction on unload and load.\n\nLink: http://lkml.kernel.org/r/20130705142629.GA325@redhat.com\n\nReported-by: Jörn Engel \u003cjoern@logfs.org\u003e\nReported-by: Dave Jones \u003cdavej@redhat.com\u003e\nReported-by: Steve Hodgson \u003csteve@purestorage.com\u003e\nTested-by: Steve Hodgson \u003csteve@purestorage.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Rui Xiang \u003crui.xiang@huawei.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "1fbbea7be9248d652fc2bb191e6ec9e823df422c",
      "tree": "4daa4b37c31c09bdd68827752b46a52195a79f60",
      "parents": [
        "76504c2489ad9e9bdc20fc8e24d23ac5e39b88b6"
      ],
      "author": {
        "name": "Peter Zijlstra",
        "email": "peterz@infradead.org",
        "time": "Mon Oct 28 13:55:29 2013 +0100"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:04 2014 -0700"
      },
      "message": "perf: Fix perf ring buffer memory ordering\n\ncommit bf378d341e4873ed928dc3c636252e6895a21f50 upstream.\n\nThe PPC64 people noticed a missing memory barrier and crufty old\ncomments in the perf ring buffer code. So update all the comments and\nadd the missing barrier.\n\nWhen the architecture implements local_t using atomic_long_t there\nwill be double barriers issued; but short of introducing more\nconditional barrier primitives this is the best we can do.\n\nReported-by: Victor Kaplansky \u003cvictork@il.ibm.com\u003e\nTested-by: Victor Kaplansky \u003cvictork@il.ibm.com\u003e\nSigned-off-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Mathieu Desnoyers \u003cmathieu.desnoyers@polymtl.ca\u003e\nCc: michael@ellerman.id.au\nCc: Paul McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: Michael Neuling \u003cmikey@neuling.org\u003e\nCc: Frederic Weisbecker \u003cfweisbec@gmail.com\u003e\nCc: anton@samba.org\nCc: benh@kernel.crashing.org\nLink: http://lkml.kernel.org/r/20131025173749.GG19466@laptop.lan\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\n[bwh: Backported to 3.2: adjust filename]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nCc: Rui Xiang \u003crui.xiang@huawei.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "11f87a6a6049455cd0d1e6db13c0b984a888a4b4",
      "tree": "36d4fb7786b3450b65f85e6d8c0910f53f7d08f8",
      "parents": [
        "a91ccfcaaaa358eba4579965d9a85dbb756c2596"
      ],
      "author": {
        "name": "Viresh Kumar",
        "email": "viresh.kumar@linaro.org",
        "time": "Mon May 12 13:42:29 2014 +0530"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:01 2014 -0700"
      },
      "message": "hrtimer: Set expiry time before switch_hrtimer_base()\n\ncommit 84ea7fe37908254c3bd90910921f6e1045c1747a upstream.\n\nswitch_hrtimer_base() calls hrtimer_check_target() which ensures that\nwe do not migrate a timer to a remote cpu if the timer expires before\nthe current programmed expiry time on that remote cpu.\n\nBut __hrtimer_start_range_ns() calls switch_hrtimer_base() before the\nnew expiry time is set. So the sanity check in hrtimer_check_target()\nis operating on stale or even uninitialized data.\n\nUpdate expiry time before calling switch_hrtimer_base().\n\n[ tglx: Rewrote changelog once again ]\n\nSigned-off-by: Viresh Kumar \u003cviresh.kumar@linaro.org\u003e\nCc: linaro-kernel@lists.linaro.org\nCc: linaro-networking@linaro.org\nCc: fweisbec@gmail.com\nCc: arvind.chauhan@arm.com\nLink: http://lkml.kernel.org/r/81999e148745fc51bbcd0615823fbab9b2e87e23.1399882253.git.viresh.kumar@linaro.org\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "a91ccfcaaaa358eba4579965d9a85dbb756c2596",
      "tree": "c7232861d3241f50f6726b949419b3fba8e5ae87",
      "parents": [
        "3d8b2f5e4007d4b28ac760e1aa72e91f4021ea90"
      ],
      "author": {
        "name": "Leon Ma",
        "email": "xindong.ma@intel.com",
        "time": "Wed Apr 30 16:43:10 2014 +0800"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:01 2014 -0700"
      },
      "message": "hrtimer: Prevent remote enqueue of leftmost timers\n\ncommit 012a45e3f4af68e86d85cce060c6c2fed56498b2 upstream.\n\nIf a cpu is idle and starts an hrtimer which is not pinned on that\nsame cpu, the nohz code might target the timer to a different cpu.\n\nIn the case that we switch the cpu base of the timer we already have a\nsanity check in place, which determines whether the timer is earlier\nthan the current leftmost timer on the target cpu. In that case we\nenqueue the timer on the current cpu because we cannot reprogram the\nclock event device on the target.\n\nIf the timers base is already the target CPU we do not have this\nsanity check in place so we enqueue the timer as the leftmost timer in\nthe target cpus rb tree, but we cannot reprogram the clock event\ndevice on the target cpu. So the timer expires late and subsequently\nprevents the reprogramming of the target cpu clock event device until\nthe previously programmed event fires or a timer with an earlier\nexpiry time gets enqueued on the target cpu itself.\n\nAdd the same target check as we have for the switch base case and\nstart the timer on the current cpu if it would become the leftmost\ntimer on the target.\n\n[ tglx: Rewrote subject and changelog ]\n\nSigned-off-by: Leon Ma \u003cxindong.ma@intel.com\u003e\nLink: http://lkml.kernel.org/r/1398847391-5994-1-git-send-email-xindong.ma@intel.com\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "3d8b2f5e4007d4b28ac760e1aa72e91f4021ea90",
      "tree": "6b53e12b48f5f721ae7e66f8cd8de1e92b387f18",
      "parents": [
        "9dbdf25ec58ee67beee56e9bcc2f193ee29cc7b3"
      ],
      "author": {
        "name": "Stuart Hayes",
        "email": "stuart.w.hayes@gmail.com",
        "time": "Tue Apr 29 17:55:02 2014 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:01 2014 -0700"
      },
      "message": "hrtimer: Prevent all reprogramming if hang detected\n\ncommit 6c6c0d5a1c949d2e084706f9e5fb1fccc175b265 upstream.\n\nIf the last hrtimer interrupt detected a hang it sets hang_detected\u003d1\nand programs the clock event device with a delay to let the system\nmake progress.\n\nIf hang_detected \u003d\u003d 1, we prevent reprogramming of the clock event\ndevice in hrtimer_reprogram() but not in hrtimer_force_reprogram().\n\nThis can lead to the following situation:\n\nhrtimer_interrupt()\n   hang_detected \u003d 1;\n   program ce device to Xms from now (hang delay)\n\nWe have two timers pending:\n   T1 expires 50ms from now\n   T2 expires 5s from now\n\nNow T1 gets canceled, which causes hrtimer_force_reprogram() to be\ninvoked, which in turn programs the clock event device to T2 (5\nseconds from now).\n\nAny hrtimer_start after that will not reprogram the hardware due to\nhang_detected still being set. So we effectivly block all timers until\nthe T2 event fires and cleans up the hang situation.\n\nAdd a check for hang_detected to hrtimer_force_reprogram() which\nprevents the reprogramming of the hang delay in the hardware\ntimer. The subsequent hrtimer_interrupt will resolve all outstanding\nissues.\n\n[ tglx: Rewrote subject and changelog and fixed up the comment in\n  \thrtimer_force_reprogram() ]\n\nSigned-off-by: Stuart Hayes \u003cstuart.w.hayes@gmail.com\u003e\nLink: http://lkml.kernel.org/r/53602DC6.2060101@gmail.com\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "11e69564f65b6c7a1089c5d45929714e3ed6a921",
      "tree": "455bbb4c582db9e54b9c06965caeab60a34c5ccc",
      "parents": [
        "3be2bb4956e5d9d849329d5d1b92f6510ac12315"
      ],
      "author": {
        "name": "Jiri Bohac",
        "email": "jbohac@suse.cz",
        "time": "Fri Apr 18 17:23:11 2014 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat Jun 07 16:02:00 2014 -0700"
      },
      "message": "timer: Prevent overflow in apply_slack\n\ncommit 98a01e779f3c66b0b11cd7e64d531c0e41c95762 upstream.\n\nOn architectures with sizeof(int) \u003c sizeof (long), the\ncomputation of mask inside apply_slack() can be undefined if the\ncomputed bit is \u003e 32.\n\nE.g. with: expires \u003d 0xffffe6f5 and slack \u003d 25, we get:\n\nexpires_limit \u003d 0x20000000e\nbit \u003d 33\nmask \u003d (1 \u003c\u003c 33) - 1  /* undefined */\n\nOn x86, mask becomes 1 and and the slack is not applied properly.\nOn s390, mask is -1, expires is set to 0 and the timer fires immediately.\n\nUse 1UL \u003c\u003c bit to solve that issue.\n\nSuggested-by: Deborah Townsend \u003cdstownse@us.ibm.com\u003e\nSigned-off-by: Jiri Bohac \u003cjbohac@suse.cz\u003e\nLink: http://lkml.kernel.org/r/20140418152310.GA13654@midget.suse.cz\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    }
  ],
  "next": "8f4c0e8b5438725d66c6c27f11cb2a1c61c6d6c5"
}
