)]}'
{
  "log": [
    {
      "commit": "87f4dcb8c9aeffa0b2ef13bc68401d50a3ffcec5",
      "tree": "4207e1f5018fad2446faf2fa1ebafc157dede59f",
      "parents": [
        "7a42c72c2d222f7887074396d83a806d8c50176d"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Dec 18 01:34:26 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:41 2016 +0800"
      },
      "message": "KEYS: Fix race between read and revoke\n\ncommit b4a1b4f5047e4f54e194681125c74c0aa64d637d upstream.\n\nThis fixes CVE-2015-7550.\n\nThere\u0027s a race between keyctl_read() and keyctl_revoke().  If the revoke\nhappens between keyctl_read() checking the validity of a key and the key\u0027s\nsemaphore being taken, then the key type read method will see a revoked key.\n\nThis causes a problem for the user-defined key type because it assumes in\nits read method that there will always be a payload in a non-revoked key\nand doesn\u0027t check for a NULL pointer.\n\nFix this by making keyctl_read() check the validity of a key after taking\nsemaphore instead of before.\n\nI think the bug was introduced with the original keyrings code.\n\nThis was discovered by a multithreaded test program generated by syzkaller\n(http://github.com/google/syzkaller).  Here\u0027s a cleaned up version:\n\n\t#include \u003csys/types.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\t#include \u003cpthread.h\u003e\n\tvoid *thr0(void *arg)\n\t{\n\t\tkey_serial_t key \u003d (unsigned long)arg;\n\t\tkeyctl_revoke(key);\n\t\treturn 0;\n\t}\n\tvoid *thr1(void *arg)\n\t{\n\t\tkey_serial_t key \u003d (unsigned long)arg;\n\t\tchar buffer[16];\n\t\tkeyctl_read(key, buffer, 16);\n\t\treturn 0;\n\t}\n\tint main()\n\t{\n\t\tkey_serial_t key \u003d add_key(\"user\", \"%\", \"foo\", 3, KEY_SPEC_USER_KEYRING);\n\t\tpthread_t th[5];\n\t\tpthread_create(\u0026th[0], 0, thr0, (void *)(unsigned long)key);\n\t\tpthread_create(\u0026th[1], 0, thr1, (void *)(unsigned long)key);\n\t\tpthread_create(\u0026th[2], 0, thr0, (void *)(unsigned long)key);\n\t\tpthread_create(\u0026th[3], 0, thr1, (void *)(unsigned long)key);\n\t\tpthread_join(th[0], 0);\n\t\tpthread_join(th[1], 0);\n\t\tpthread_join(th[2], 0);\n\t\tpthread_join(th[3], 0);\n\t\treturn 0;\n\t}\n\nBuild as:\n\n\tcc -o keyctl-race keyctl-race.c -lkeyutils -lpthread\n\nRun as:\n\n\twhile keyctl-race; do :; done\n\nas it may need several iterations to crash the kernel.  The crash can be\nsummarised as:\n\n\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000010\n\tIP: [\u003cffffffff81279b08\u003e] user_read+0x56/0xa3\n\t...\n\tCall Trace:\n\t [\u003cffffffff81276aa9\u003e] keyctl_read_key+0xb6/0xd7\n\t [\u003cffffffff81277815\u003e] SyS_keyctl+0x83/0xe0\n\t [\u003cffffffff815dbb97\u003e] entry_SYSCALL_64_fastpath+0x12/0x6f\n\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "7a42c72c2d222f7887074396d83a806d8c50176d",
      "tree": "2460350ac4b742cbfe1702bb360e2619700d2a36",
      "parents": [
        "681e285200c60969b3c45e9a4a9479d208a11631"
      ],
      "author": {
        "name": "Alan Stern",
        "email": "stern@rowland.harvard.edu",
        "time": "Wed Dec 16 13:32:38 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:41 2016 +0800"
      },
      "message": "USB: fix invalid memory access in hub_activate()\n\ncommit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream.\n\nCommit 8520f38099cc (\"USB: change hub initialization sleeps to\ndelayed_work\") changed the hub_activate() routine to make part of it\nrun in a workqueue.  However, the commit failed to take a reference to\nthe usb_hub structure or to lock the hub interface while doing so.  As\na result, if a hub is plugged in and quickly unplugged before the work\nroutine can run, the routine will try to access memory that has been\ndeallocated.  Or, if the hub is unplugged while the routine is\nrunning, the memory may be deallocated while it is in active use.\n\nThis patch fixes the problem by taking a reference to the usb_hub at\nthe start of hub_activate() and releasing it at the end (when the work\nis finished), and by locking the hub interface while the work routine\nis running.  It also adds a check at the start of the routine to see\nif the hub has already been disconnected, in which nothing should be\ndone.\n\nSigned-off-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nReported-by: Alexandru Cornea \u003calexandru.cornea@intel.com\u003e\nTested-by: Alexandru Cornea \u003calexandru.cornea@intel.com\u003e\nFixes: 8520f38099cc (\"USB: change hub initialization sleeps to delayed_work\")\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n[lizf: Backported to 3.4: add forward declaration of hub_release()]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "681e285200c60969b3c45e9a4a9479d208a11631",
      "tree": "7e8a94cc2bd4c93d975328ede1b0c997c7d09a6d",
      "parents": [
        "c053c997ce9d19dc079ad23c482233bf3614e662"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "dan.carpenter@oracle.com",
        "time": "Wed Dec 16 14:06:37 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:40 2016 +0800"
      },
      "message": "USB: ipaq.c: fix a timeout loop\n\ncommit abdc9a3b4bac97add99e1d77dc6d28623afe682b upstream.\n\nThe code expects the loop to end with \"retries\" set to zero but, because\nit is a post-op, it will end set to -1.  I have fixed this by moving the\ndecrement inside the loop.\n\nFixes: 014aa2a3c32e (\u0027USB: ipaq: minor ipaq_open() cleanup.\u0027)\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "c053c997ce9d19dc079ad23c482233bf3614e662",
      "tree": "4a9fce5730715f9a901e63b3f4413955e93058fe",
      "parents": [
        "7e8c20ac766e4403b9b5277403112b77f916c2cf"
      ],
      "author": {
        "name": "Konrad Rzeszutek Wilk",
        "email": "konrad.wilk@oracle.com",
        "time": "Mon Nov 02 18:13:27 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:40 2016 +0800"
      },
      "message": "xen/pciback: Don\u0027t allow MSI-X ops if PCI_COMMAND_MEMORY is not set.\n\ncommit 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 upstream.\n\ncommit f598282f51 (\"PCI: Fix the NIU MSI-X problem in a better way\")\nteaches us that dealing with MSI-X can be troublesome.\n\nFurther checks in the MSI-X architecture shows that if the\nPCI_COMMAND_MEMORY bit is turned of in the PCI_COMMAND we\nmay not be able to access the BAR (since they are memory regions).\n\nSince the MSI-X tables are located in there.. that can lead\nto us causing PCIe errors. Inhibit us performing any\noperation on the MSI-X unless the MEMORY bit is set.\n\nNote that Xen hypervisor with:\n\"x86/MSI-X: access MSI-X table only after having enabled MSI-X\"\nwill return:\nxen_pciback: 0000:0a:00.1: error -6 enabling MSI-X for guest 3!\n\nWhen the generic MSI code tries to setup the PIRQ without\nMEMORY bit set. Which means with later versions of Xen\n(4.6) this patch is not neccessary.\n\nThis is part of XSA-157\n\nReviewed-by: Jan Beulich \u003cjbeulich@suse.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "7e8c20ac766e4403b9b5277403112b77f916c2cf",
      "tree": "115df6acc66c4928d57c561e0de1ac194e25f9ec",
      "parents": [
        "073a5ac1cb93623e71cda2510929dcffd0b9554b"
      ],
      "author": {
        "name": "Konrad Rzeszutek Wilk",
        "email": "konrad.wilk@oracle.com",
        "time": "Wed Apr 01 10:49:47 2015 -0400"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:40 2016 +0800"
      },
      "message": "xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled.\n\ncommit 7cfb905b9638982862f0331b36ccaaca5d383b49 upstream.\n\nOtherwise just continue on, returning the same values as\npreviously (return of 0, and op-\u003eresult has the PIRQ value).\n\nThis does not change the behavior of XEN_PCI_OP_disable_msi[|x].\n\nThe pci_disable_msi or pci_disable_msix have the checks for\nmsi_enabled or msix_enabled so they will error out immediately.\n\nHowever the guest can still call these operations and cause\nus to disable the \u0027ack_intr\u0027. That means the backend IRQ handler\nfor the legacy interrupt will not respond to interrupts anymore.\n\nThis will lead to (if the device is causing an interrupt storm)\nfor the Linux generic code to disable the interrupt line.\n\nNaturally this will only happen if the device in question\nis plugged in on the motherboard on shared level interrupt GSI.\n\nThis is part of XSA-157\n\nReviewed-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "073a5ac1cb93623e71cda2510929dcffd0b9554b",
      "tree": "b3b6161104d67027ae0eca9be2576521abc5e0e6",
      "parents": [
        "8f805deca3407ad322f66fce2f5bc111e848879a"
      ],
      "author": {
        "name": "Konrad Rzeszutek Wilk",
        "email": "konrad.wilk@oracle.com",
        "time": "Mon Nov 02 17:24:08 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:40 2016 +0800"
      },
      "message": "xen/pciback: Do not install an IRQ handler for MSI interrupts.\n\ncommit a396f3a210c3a61e94d6b87ec05a75d0be2a60d0 upstream.\n\nOtherwise an guest can subvert the generic MSI code to trigger\nan BUG_ON condition during MSI interrupt freeing:\n\n for (i \u003d 0; i \u003c entry-\u003envec_used; i++)\n        BUG_ON(irq_has_action(entry-\u003eirq + i));\n\nXen PCI backed installs an IRQ handler (request_irq) for\nthe dev-\u003eirq whenever the guest writes PCI_COMMAND_MEMORY\n(or PCI_COMMAND_IO) to the PCI_COMMAND register. This is\ndone in case the device has legacy interrupts the GSI line\nis shared by the backend devices.\n\nTo subvert the backend the guest needs to make the backend\nto change the dev-\u003eirq from the GSI to the MSI interrupt line,\nmake the backend allocate an interrupt handler, and then command\nthe backend to free the MSI interrupt and hit the BUG_ON.\n\nSince the backend only calls \u0027request_irq\u0027 when the guest\nwrites to the PCI_COMMAND register the guest needs to call\nXEN_PCI_OP_enable_msi before any other operation. This will\ncause the generic MSI code to setup an MSI entry and\npopulate dev-\u003eirq with the new PIRQ value.\n\nThen the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY\nand cause the backend to setup an IRQ handler for dev-\u003eirq\n(which instead of the GSI value has the MSI pirq). See\n\u0027xen_pcibk_control_isr\u0027.\n\nThen the guest disables the MSI: XEN_PCI_OP_disable_msi\nwhich ends up triggering the BUG_ON condition in \u0027free_msi_irqs\u0027\nas there is an IRQ handler for the entry-\u003eirq (dev-\u003eirq).\n\nNote that this cannot be done using MSI-X as the generic\ncode does not over-write dev-\u003eirq with the MSI-X PIRQ values.\n\nThe patch inhibits setting up the IRQ handler if MSI or\nMSI-X (for symmetry reasons) code had been called successfully.\n\nP.S.\nXen PCIBack when it sets up the device for the guest consumption\nends up writting 0 to the PCI_COMMAND (see xen_pcibk_reset_device).\nXSA-120 addendum patch removed that - however when upstreaming said\naddendum we found that it caused issues with qemu upstream. That\nhas now been fixed in qemu upstream.\n\nThis is part of XSA-157\n\nReviewed-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "8f805deca3407ad322f66fce2f5bc111e848879a",
      "tree": "663cb77d0e921c76b85f5d7dcb568fd25128b144",
      "parents": [
        "d3ec88675e4e82f6b520e3d1ca974dc3418e0410"
      ],
      "author": {
        "name": "Konrad Rzeszutek Wilk",
        "email": "konrad.wilk@oracle.com",
        "time": "Mon Nov 02 18:07:44 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:40 2016 +0800"
      },
      "message": "xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled\n\ncommit 5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9 upstream.\n\nThe guest sequence of:\n\n  a) XEN_PCI_OP_enable_msix\n  b) XEN_PCI_OP_enable_msix\n\nresults in hitting an NULL pointer due to using freed pointers.\n\nThe device passed in the guest MUST have MSI-X capability.\n\nThe a) constructs and SysFS representation of MSI and MSI groups.\nThe b) adds a second set of them but adding in to SysFS fails (duplicate entry).\n\u0027populate_msi_sysfs\u0027 frees the newly allocated msi_irq_groups (note that\nin a) pdev-\u003emsi_irq_groups is still set) and also free\u0027s ALL of the\nMSI-X entries of the device (the ones allocated in step a) and b)).\n\nThe unwind code: \u0027free_msi_irqs\u0027 deletes all the entries and tries to\ndelete the pdev-\u003emsi_irq_groups (which hasn\u0027t been set to NULL).\nHowever the pointers in the SysFS are already freed and we hit an\nNULL pointer further on when \u0027strlen\u0027 is attempted on a freed pointer.\n\nThe patch adds a simple check in the XEN_PCI_OP_enable_msix to guard\nagainst that. The check for msi_enabled is not stricly neccessary.\n\nThis is part of XSA-157\n\nReviewed-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nReviewed-by: Jan Beulich \u003cjbeulich@suse.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "d3ec88675e4e82f6b520e3d1ca974dc3418e0410",
      "tree": "26748ef200e52c66590106b11b451d2ab101b93c",
      "parents": [
        "550fe2571866702ec3951ad67574175fcd0bf9e7"
      ],
      "author": {
        "name": "Konrad Rzeszutek Wilk",
        "email": "konrad.wilk@oracle.com",
        "time": "Fri Apr 03 11:08:22 2015 -0400"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:40 2016 +0800"
      },
      "message": "xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled\n\ncommit 56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d upstream.\n\nThe guest sequence of:\n\n a) XEN_PCI_OP_enable_msi\n b) XEN_PCI_OP_enable_msi\n c) XEN_PCI_OP_disable_msi\n\nresults in hitting an BUG_ON condition in the msi.c code.\n\nThe MSI code uses an dev-\u003emsi_list to which it adds MSI entries.\nUnder the above conditions an BUG_ON() can be hit. The device\npassed in the guest MUST have MSI capability.\n\nThe a) adds the entry to the dev-\u003emsi_list and sets msi_enabled.\nThe b) adds a second entry but adding in to SysFS fails (duplicate entry)\nand deletes all of the entries from msi_list and returns (with msi_enabled\nis still set).  c) pci_disable_msi passes the msi_enabled checks and hits:\n\nBUG_ON(list_empty(dev_to_msi_list(\u0026dev-\u003edev)));\n\nand blows up.\n\nThe patch adds a simple check in the XEN_PCI_OP_enable_msi to guard\nagainst that. The check for msix_enabled is not stricly neccessary.\n\nThis is part of XSA-157.\n\nReviewed-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nReviewed-by: Jan Beulich \u003cjbeulich@suse.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "550fe2571866702ec3951ad67574175fcd0bf9e7",
      "tree": "61afefe1c299719dadc726f0474b6df3a482a1fe",
      "parents": [
        "a7bc1af57e5a08e579b165df87ba446de0f7b476"
      ],
      "author": {
        "name": "Konrad Rzeszutek Wilk",
        "email": "konrad.wilk@oracle.com",
        "time": "Mon Nov 16 12:40:48 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:40 2016 +0800"
      },
      "message": "xen/pciback: Save xen_pci_op commands before processing it\n\ncommit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 upstream.\n\nDouble fetch vulnerabilities that happen when a variable is\nfetched twice from shared memory but a security check is only\nperformed the first time.\n\nThe xen_pcibk_do_op function performs a switch statements on the op-\u003ecmd\nvalue which is stored in shared memory. Interestingly this can result\nin a double fetch vulnerability depending on the performed compiler\noptimization.\n\nThis patch fixes it by saving the xen_pci_op command before\nprocessing it. We also use \u0027barrier\u0027 to make sure that the\ncompiler does not perform any optimization.\n\nThis is part of XSA155.\n\nReviewed-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nSigned-off-by: Jan Beulich \u003cJBeulich@suse.com\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a7bc1af57e5a08e579b165df87ba446de0f7b476",
      "tree": "d44da5adcbd3a4ad01cd6f92c0388004e9722ddd",
      "parents": [
        "f97ed0a98cd26a2fa7249e7bad44e84091e19b17"
      ],
      "author": {
        "name": "Roger Pau Monné",
        "email": "roger.pau@citrix.com",
        "time": "Tue Nov 03 16:34:09 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:39 2016 +0800"
      },
      "message": "xen-blkback: only read request operation from shared ring once\n\ncommit 1f13d75ccb806260079e0679d55d9253e370ec8a upstream.\n\nA compiler may load a switch statement value multiple times, which could\nbe bad when the value is in memory shared with the frontend.\n\nWhen converting a non-native request to a native one, ensure that\nsrc-\u003eoperation is only loaded once by using READ_ONCE().\n\nThis is part of XSA155.\n\nSigned-off-by: Roger Pau Monné \u003croger.pau@citrix.com\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\n[lizf: Backported to 3.4:\n - adjust context\n - call ACCESS_ONCE instead of READ_ONCE]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "f97ed0a98cd26a2fa7249e7bad44e84091e19b17",
      "tree": "c2560348120ce6f30c4fc14efb5d150e027ced24",
      "parents": [
        "ac2ce7ef843b5f2b1aec3116f5f55ccde179aa9e"
      ],
      "author": {
        "name": "David Vrabel",
        "email": "david.vrabel@citrix.com",
        "time": "Fri Oct 30 15:17:06 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:39 2016 +0800"
      },
      "message": "xen-netback: use RING_COPY_REQUEST() throughout\n\ncommit 68a33bfd8403e4e22847165d149823a2e0e67c9c upstream.\n\nInstead of open-coding memcpy()s and directly accessing Tx and Rx\nrequests, use the new RING_COPY_REQUEST() that ensures the local copy\nis correct.\n\nThis is more than is strictly necessary for guest Rx requests since\nonly the id and gref fields are used and it is harmless if the\nfrontend modifies these.\n\nThis is part of XSA155.\n\nReviewed-by: Wei Liu \u003cwei.liu2@citrix.com\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\n[lizf: Backported to 3.4:\n - adjust context\n - s/queue/vif/g]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "ac2ce7ef843b5f2b1aec3116f5f55ccde179aa9e",
      "tree": "4e898cf1369e14534552c0e68e4f372a0e0e3f58",
      "parents": [
        "ffac74669117c65a25fa0a9c5194ef70fb95ee70"
      ],
      "author": {
        "name": "David Vrabel",
        "email": "david.vrabel@citrix.com",
        "time": "Fri Oct 30 15:16:01 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:39 2016 +0800"
      },
      "message": "xen-netback: don\u0027t use last request to determine minimum Tx credit\n\ncommit 0f589967a73f1f30ab4ac4dd9ce0bb399b4d6357 upstream.\n\nThe last from guest transmitted request gives no indication about the\nminimum amount of credit that the guest might need to send a packet\nsince the last packet might have been a small one.\n\nInstead allow for the worst case 128 KiB packet.\n\nThis is part of XSA155.\n\nReviewed-by: Wei Liu \u003cwei.liu2@citrix.com\u003e\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\n[lizf: Backported to 3.4: s/queue/vif/g]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "ffac74669117c65a25fa0a9c5194ef70fb95ee70",
      "tree": "5b90f61c4141795aab375b4d9d5aebe45b780732",
      "parents": [
        "334e907923e9cab057020a9c7ec7d9f32ead6573"
      ],
      "author": {
        "name": "David Vrabel",
        "email": "david.vrabel@citrix.com",
        "time": "Fri Oct 30 14:58:08 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:39 2016 +0800"
      },
      "message": "xen: Add RING_COPY_REQUEST()\n\ncommit 454d5d882c7e412b840e3c99010fe81a9862f6fb upstream.\n\nUsing RING_GET_REQUEST() on a shared ring is easy to use incorrectly\n(i.e., by not considering that the other end may alter the data in the\nshared ring while it is being inspected).  Safe usage of a request\ngenerally requires taking a local copy.\n\nProvide a RING_COPY_REQUEST() macro to use instead of\nRING_GET_REQUEST() and an open-coded memcpy().  This takes care of\nensuring that the copy is done correctly regardless of any possible\ncompiler optimizations.\n\nUse a volatile source to prevent the compiler from reordering or\nomitting the copy.\n\nThis is part of XSA155.\n\nSigned-off-by: David Vrabel \u003cdavid.vrabel@citrix.com\u003e\nSigned-off-by: Konrad Rzeszutek Wilk \u003ckonrad.wilk@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "334e907923e9cab057020a9c7ec7d9f32ead6573",
      "tree": "062ede32682abe09bb2ff11bfa887a13d2170c76",
      "parents": [
        "38b8ae4f5e4e766b206950a978f9a9051d55318a"
      ],
      "author": {
        "name": "Steven Rostedt (Red Hat)",
        "email": "rostedt@goodmis.org",
        "time": "Tue Dec 15 16:06:10 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:39 2016 +0800"
      },
      "message": "ftrace/scripts: Have recordmcount copy the object file\n\ncommit a50bd43935586420fb75f4558369eb08566fac5e upstream.\n\nRussell King found that he had weird side effects when compiling the kernel\nwith hard linked ccache. The reason was that recordmcount modified the\nkernel in place via mmap, and when a file gets modified twice by\nrecordmcount, it will complain about it. To fix this issue, Russell wrote a\npatch that checked if the file was hard linked more than once and would\nunlink it if it was.\n\nLinus Torvalds was not happy with the fact that recordmcount does this in\nplace modification. Instead of doing the unlink only if the file has two or\nmore hard links, it does the unlink all the time. In otherwords, it always\ndoes a copy if it changed something. That is, it does the write out if a\nchange was made.\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "38b8ae4f5e4e766b206950a978f9a9051d55318a",
      "tree": "977f240207f0a005d50990346cd573e6cd2800d4",
      "parents": [
        "1b17302a80d89c84ea3bdf7205ae363b7c12e3b7"
      ],
      "author": {
        "name": "Russell King",
        "email": "rmk+kernel@arm.linux.org.uk",
        "time": "Fri Dec 11 12:09:03 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:38 2016 +0800"
      },
      "message": "scripts: recordmcount: break hardlinks\n\ncommit dd39a26538e37f6c6131e829a4a510787e43c783 upstream.\n\nrecordmcount edits the file in-place, which can cause problems when\nusing ccache in hardlink mode.  Arrange for recordmcount to break a\nhardlinked object.\n\nLink: http://lkml.kernel.org/r/E1a7MVT-0000et-62@rmk-PC.arm.linux.org.uk\n\nSigned-off-by: Russell King \u003crmk+kernel@arm.linux.org.uk\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "1b17302a80d89c84ea3bdf7205ae363b7c12e3b7",
      "tree": "039cc2d3ae2cfa8e87006beea24a245d495d91e4",
      "parents": [
        "325c0423cb71364f51ac9d6f33739378ee19001b"
      ],
      "author": {
        "name": "Johan Hovold",
        "email": "johan@kernel.org",
        "time": "Mon Dec 14 16:16:19 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:38 2016 +0800"
      },
      "message": "spi: fix parent-device reference leak\n\ncommit 157f38f993919b648187ba341bfb05d0e91ad2f6 upstream.\n\nFix parent-device reference leak due to SPI-core taking an unnecessary\nreference to the parent when allocating the master structure, a\nreference that was never released.\n\nNote that driver core takes its own reference to the parent when the\nmaster device is registered.\n\nFixes: 49dce689ad4e (\"spi doesn\u0027t need class_device\")\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "325c0423cb71364f51ac9d6f33739378ee19001b",
      "tree": "0f93f03c82843269ecbba5e9856fe849b7842a52",
      "parents": [
        "eeeeb9763a6d52eb1ccaf92fa7d8ff347957a57d"
      ],
      "author": {
        "name": "Tilman Schmidt",
        "email": "tilman@imap.cc",
        "time": "Tue Dec 15 18:11:30 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:38 2016 +0800"
      },
      "message": "ser_gigaset: fix deallocation of platform device structure\n\ncommit 4c5e354a974214dfb44cd23fa0429327693bc3ea upstream.\n\nWhen shutting down the device, the struct ser_cardstate must not be\nkfree()d immediately after the call to platform_device_unregister()\nsince the embedded struct platform_device is still in use.\nMove the kfree() call to the release method instead.\n\nSigned-off-by: Tilman Schmidt \u003ctilman@imap.cc\u003e\nFixes: 2869b23e4b95 (\"drivers/isdn/gigaset: new M101 driver (v2)\")\nReported-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\nSigned-off-by: Paul Bolle \u003cpebolle@tiscali.nl\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "eeeeb9763a6d52eb1ccaf92fa7d8ff347957a57d",
      "tree": "0887adfa9349834a9c1752bcc7a4fc4ad92d2765",
      "parents": [
        "0629784cfde7ab2adf0118c981271e48aeeb6dbd"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "dan.carpenter@oracle.com",
        "time": "Tue Dec 15 13:07:52 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:38 2016 +0800"
      },
      "message": "mISDN: fix a loop count\n\ncommit 40d24c4d8a7430aa4dfd7a665fa3faf3b05b673f upstream.\n\nThere are two issue here.\n1)  cnt starts as maxloop + 1 so all these loops iterate one more time\n    than intended.\n2)  At the end of the loop we test for \"if (maxloop \u0026\u0026 !cnt)\" but for\n    the first two loops, we end with cnt equal to -1.  Changing this to\n    a pre-op means we end with cnt set to 0.\n\nFixes: cae86d4a4e56 (\u0027mISDN: Add driver for Infineon ISDN chipset family\u0027)\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "0629784cfde7ab2adf0118c981271e48aeeb6dbd",
      "tree": "09dce8bc8aba8e17c141326e47275f8dd20bbe3d",
      "parents": [
        "efd171004345809f4f4ce7e147028d865ab78f68"
      ],
      "author": {
        "name": "Anson Huang",
        "email": "Anson.Huang@freescale.com",
        "time": "Mon Dec 07 10:09:19 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:38 2016 +0800"
      },
      "message": "ARM: 8471/1: need to save/restore arm register(r11) when it is corrupted\n\ncommit fa0708b320f6da4c1104fe56e01b7abf66fd16ad upstream.\n\nIn cpu_v7_do_suspend routine, r11 is used while it is NOT\nsaved/restored, different compiler may have different usage\nof ARM general registers, so it may cause issues during\ncalling cpu_v7_do_suspend.\n\nWe meet kernel fault occurs when using GCC 4.8.3, r11 contains\nvalid value before calling into cpu_v7_do_suspend, but when returned\nfrom this routine, r11 is corrupted and lead to kernel fault.\nDoing save/restore for those corrupted registers is a must in\nassemble code.\n\nSigned-off-by: Anson Huang \u003cAnson.Huang@freescale.com\u003e\nReviewed-by: Nicolas Pitre \u003cnico@linaro.org\u003e\nSigned-off-by: Russell King \u003crmk+kernel@arm.linux.org.uk\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "efd171004345809f4f4ce7e147028d865ab78f68",
      "tree": "50dd22be44bdbbceef2c2ae11377b140575dd8a4",
      "parents": [
        "7b4eaec6943f0b7c77e445407215f5730210ed84"
      ],
      "author": {
        "name": "Sergei Shtylyov",
        "email": "sergei.shtylyov@cogentembedded.com",
        "time": "Sun Dec 13 21:27:04 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:38 2016 +0800"
      },
      "message": "sh_eth: fix TX buffer byte-swapping\n\ncommit 3e2309937f1e5d538ff13da5fb8de41196927c61 upstream.\n\nFor the little-endian SH771x kernels the driver has to byte-swap the RX/TX\nbuffers,  however yet unset physcial address from the TX descriptor is used\nto call sh_eth_soft_swap(). Use \u0027skb-\u003edata\u0027 instead...\n\nFixes: 31fcb99d9958 (\"net: sh_eth: remove __flush_purge_region\")\nSigned-off-by: Sergei Shtylyov \u003csergei.shtylyov@cogentembedded.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "7b4eaec6943f0b7c77e445407215f5730210ed84",
      "tree": "0f819dfae4410513db15befb3279eb186292f78e",
      "parents": [
        "d6aefa8720b67e70e715d469ed8c1a5ecb49752a"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Sun Dec 13 18:12:30 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:37 2016 +0800"
      },
      "message": "genirq: Prevent chip buslock deadlock\n\ncommit abc7e40c81d113ef4bacb556f0a77ca63ac81d85 upstream.\n\nIf a interrupt chip utilizes chip-\u003ebuslock then free_irq() can\ndeadlock in the following way:\n\nCPU0\t\t\t\tCPU1\n\t\t\t\tinterrupt(X) (Shared or spurious)\nfree_irq(X)\t\t\tinterrupt_thread(X)\nchip_bus_lock(X)\n\t\t\t\t   irq_finalize_oneshot(X)\n\t\t\t\t     chip_bus_lock(X)\nsynchronize_irq(X)\n\nsynchronize_irq() waits for the interrupt thread to complete,\ni.e. forever.\n\nSolution is simple: Drop chip_bus_lock() before calling\nsynchronize_irq() as we do with the irq_desc lock. There is nothing to\nbe protected after the point where irq_desc lock has been released.\n\nThis adds chip_bus_lock/unlock() to the remove_irq() code path, but\nthat\u0027s actually correct in the case where remove_irq() is called on\nsuch an interrupt. The current users of remove_irq() are not affected\nas none of those interrupts is on a chip which requires buslock.\n\nReported-by: Fredrik Markström \u003cfredrik.markstrom@gmail.com\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "d6aefa8720b67e70e715d469ed8c1a5ecb49752a",
      "tree": "b446a6dffa9d9c0a475421e82953737466a43fad",
      "parents": [
        "c36340248874a0e7cb711da42699752e274ac564"
      ],
      "author": {
        "name": "Peter Hurley",
        "email": "peter@hurleysoftware.com",
        "time": "Fri Nov 27 14:25:08 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:37 2016 +0800"
      },
      "message": "tty: Fix GPF in flush_to_ldisc()\n\ncommit 9ce119f318ba1a07c29149301f1544b6c4bea52a upstream.\n\nA line discipline which does not define a receive_buf() method can\ncan cause a GPF if data is ever received [1]. Oddly, this was known\nto the author of n_tracesink in 2011, but never fixed.\n\n[1] GPF report\n    BUG: unable to handle kernel NULL pointer dereference at           (null)\n    IP: [\u003c          (null)\u003e]           (null)\n    PGD 3752d067 PUD 37a7b067 PMD 0\n    Oops: 0010 [#1] SMP KASAN\n    Modules linked in:\n    CPU: 2 PID: 148 Comm: kworker/u10:2 Not tainted 4.4.0-rc2+ #51\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n    Workqueue: events_unbound flush_to_ldisc\n    task: ffff88006da94440 ti: ffff88006db60000 task.ti: ffff88006db60000\n    RIP: 0010:[\u003c0000000000000000\u003e]  [\u003c          (null)\u003e]           (null)\n    RSP: 0018:ffff88006db67b50  EFLAGS: 00010246\n    RAX: 0000000000000102 RBX: ffff88003ab32f88 RCX: 0000000000000102\n    RDX: 0000000000000000 RSI: ffff88003ab330a6 RDI: ffff88003aabd388\n    RBP: ffff88006db67c48 R08: ffff88003ab32f9c R09: ffff88003ab31fb0\n    R10: ffff88003ab32fa8 R11: 0000000000000000 R12: dffffc0000000000\n    R13: ffff88006db67c20 R14: ffffffff863df820 R15: ffff88003ab31fb8\n    FS:  0000000000000000(0000) GS:ffff88006dc00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b\n    CR2: 0000000000000000 CR3: 0000000037938000 CR4: 00000000000006e0\n    Stack:\n     ffffffff829f46f1 ffff88006da94bf8 ffff88006da94bf8 0000000000000000\n     ffff88003ab31fb0 ffff88003aabd438 ffff88003ab31ff8 ffff88006430fd90\n     ffff88003ab32f9c ffffed0007557a87 1ffff1000db6cf78 ffff88003ab32078\n    Call Trace:\n     [\u003cffffffff8127cf91\u003e] process_one_work+0x8f1/0x17a0 kernel/workqueue.c:2030\n     [\u003cffffffff8127df14\u003e] worker_thread+0xd4/0x1180 kernel/workqueue.c:2162\n     [\u003cffffffff8128faaf\u003e] kthread+0x1cf/0x270 drivers/block/aoe/aoecmd.c:1302\n     [\u003cffffffff852a7c2f\u003e] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468\n    Code:  Bad RIP value.\n    RIP  [\u003c          (null)\u003e]           (null)\n     RSP \u003cffff88006db67b50\u003e\n    CR2: 0000000000000000\n    ---[ end trace a587f8947e54d6ea ]---\n\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nSigned-off-by: Peter Hurley \u003cpeter@hurleysoftware.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n[lizf: Backportd to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "c36340248874a0e7cb711da42699752e274ac564",
      "tree": "963c7c10c0c797990c087c038f13348f39ced2cc",
      "parents": [
        "80357219ed5f91e0ca33dd85c5d3b68661065def"
      ],
      "author": {
        "name": "Naoya Horiguchi",
        "email": "n-horiguchi@ah.jp.nec.com",
        "time": "Fri Dec 11 13:40:49 2015 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:37 2016 +0800"
      },
      "message": "mm: hugetlb: call huge_pte_alloc() only if ptep is null\n\ncommit 0d777df5d8953293be090d9ab5a355db893e8357 upstream.\n\nCurrently at the beginning of hugetlb_fault(), we call huge_pte_offset()\nand check whether the obtained *ptep is a migration/hwpoison entry or\nnot.  And if not, then we get to call huge_pte_alloc().  This is racy\nbecause the *ptep could turn into migration/hwpoison entry after the\nhuge_pte_offset() check.  This race results in BUG_ON in\nhuge_pte_alloc().\n\nWe don\u0027t have to call huge_pte_alloc() when the huge_pte_offset()\nreturns non-NULL, so let\u0027s fix this bug with moving the code into else\nblock.\n\nNote that the *ptep could turn into a migration/hwpoison entry after\nthis block, but that\u0027s not a problem because we have another\n!pte_present check later (we never go into hugetlb_no_page() in that\ncase.)\n\nFixes: 290408d4a250 (\"hugetlb: hugepage migration core\")\nSigned-off-by: Naoya Horiguchi \u003cn-horiguchi@ah.jp.nec.com\u003e\nAcked-by: Hillf Danton \u003chillf.zj@alibaba-inc.com\u003e\nAcked-by: David Rientjes \u003crientjes@google.com\u003e\nCc: Hugh Dickins \u003chughd@google.com\u003e\nCc: Dave Hansen \u003cdave.hansen@intel.com\u003e\nCc: Mel Gorman \u003cmgorman@suse.de\u003e\nCc: Joonsoo Kim \u003ciamjoonsoo.kim@lge.com\u003e\nCc: Mike Kravetz \u003cmike.kravetz@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "80357219ed5f91e0ca33dd85c5d3b68661065def",
      "tree": "ad3b1dc0559e8f23a9b13cbc4a78b6a20f34c1d4",
      "parents": [
        "1772ba8cfb6e51ff46feec983632c0877dd6eac6"
      ],
      "author": {
        "name": "Michal Hocko",
        "email": "mhocko@suse.com",
        "time": "Fri Dec 11 13:40:32 2015 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:37 2016 +0800"
      },
      "message": "mm, vmstat: allow WQ concurrency to discover memory reclaim doesn\u0027t make any progress\n\ncommit 373ccbe5927034b55bdc80b0f8b54d6e13fe8d12 upstream.\n\nTetsuo Handa has reported that the system might basically livelock in\nOOM condition without triggering the OOM killer.\n\nThe issue is caused by internal dependency of the direct reclaim on\nvmstat counter updates (via zone_reclaimable) which are performed from\nthe workqueue context.  If all the current workers get assigned to an\nallocation request, though, they will be looping inside the allocator\ntrying to reclaim memory but zone_reclaimable can see stalled numbers so\nit will consider a zone reclaimable even though it has been scanned way\ntoo much.  WQ concurrency logic will not consider this situation as a\ncongested workqueue because it relies that worker would have to sleep in\nsuch a situation.  This also means that it doesn\u0027t try to spawn new\nworkers or invoke the rescuer thread if the one is assigned to the\nqueue.\n\nIn order to fix this issue we need to do two things.  First we have to\nlet wq concurrency code know that we are in trouble so we have to do a\nshort sleep.  In order to prevent from issues handled by 0e093d99763e\n(\"writeback: do not sleep on the congestion queue if there are no\ncongested BDIs or if significant congestion is not being encountered in\nthe current zone\") we limit the sleep only to worker threads which are\nthe ones of the interest anyway.\n\nThe second thing to do is to create a dedicated workqueue for vmstat and\nmark it WQ_MEM_RECLAIM to note it participates in the reclaim and to\nhave a spare worker thread for it.\n\nSigned-off-by: Michal Hocko \u003cmhocko@suse.com\u003e\nReported-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nCc: Tejun Heo \u003ctj@kernel.org\u003e\nCc: Cristopher Lameter \u003cclameter@sgi.com\u003e\nCc: Joonsoo Kim \u003cjs1304@gmail.com\u003e\nCc: Arkadiusz Miskiewicz \u003carekm@maven.pl\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "1772ba8cfb6e51ff46feec983632c0877dd6eac6",
      "tree": "9b8b78b1b719dbbaba720acf4ab8701464c3db23",
      "parents": [
        "0dd69de3c4f45c6e3af43e9146ee4679dbc45a33"
      ],
      "author": {
        "name": "Mikulas Patocka",
        "email": "mpatocka@redhat.com",
        "time": "Mon Nov 30 14:47:46 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:37 2016 +0800"
      },
      "message": "parisc iommu: fix panic due to trying to allocate too large region\n\ncommit e46e31a3696ae2d66f32c207df3969613726e636 upstream.\n\nWhen using the Promise TX2+ SATA controller on PA-RISC, the system often\ncrashes with kernel panic, for example just writing data with the dd\nutility will make it crash.\n\nKernel panic - not syncing: drivers/parisc/sba_iommu.c: I/O MMU @ 000000000000a000 is out of mapping resources\n\nCPU: 0 PID: 18442 Comm: mkspadfs Not tainted 4.4.0-rc2 #2\nBacktrace:\n [\u003c000000004021497c\u003e] show_stack+0x14/0x20\n [\u003c0000000040410bf0\u003e] dump_stack+0x88/0x100\n [\u003c000000004023978c\u003e] panic+0x124/0x360\n [\u003c0000000040452c18\u003e] sba_alloc_range+0x698/0x6a0\n [\u003c0000000040453150\u003e] sba_map_sg+0x260/0x5b8\n [\u003c000000000c18dbb4\u003e] ata_qc_issue+0x264/0x4a8 [libata]\n [\u003c000000000c19535c\u003e] ata_scsi_translate+0xe4/0x220 [libata]\n [\u003c000000000c19a93c\u003e] ata_scsi_queuecmd+0xbc/0x320 [libata]\n [\u003c0000000040499bbc\u003e] scsi_dispatch_cmd+0xfc/0x130\n [\u003c000000004049da34\u003e] scsi_request_fn+0x6e4/0x970\n [\u003c00000000403e95a8\u003e] __blk_run_queue+0x40/0x60\n [\u003c00000000403e9d8c\u003e] blk_run_queue+0x3c/0x68\n [\u003c000000004049a534\u003e] scsi_run_queue+0x2a4/0x360\n [\u003c000000004049be68\u003e] scsi_end_request+0x1a8/0x238\n [\u003c000000004049de84\u003e] scsi_io_completion+0xfc/0x688\n [\u003c0000000040493c74\u003e] scsi_finish_command+0x17c/0x1d0\n\nThe cause of the crash is not exhaustion of the IOMMU space, there is\nplenty of free pages. The function sba_alloc_range is called with size\n0x11000, thus the pages_needed variable is 0x11. The function\nsba_search_bitmap is called with bits_wanted 0x11 and boundary size is\n0x10 (because dma_get_seg_boundary(dev) returns 0xffff).\n\nThe function sba_search_bitmap attempts to allocate 17 pages that must not\ncross 16-page boundary - it can\u0027t satisfy this requirement\n(iommu_is_span_boundary always returns true) and fails even if there are\nmany free entries in the IOMMU space.\n\nHow did it happen that we try to allocate 17 pages that don\u0027t cross\n16-page boundary? The cause is in the function iommu_coalesce_chunks. This\nfunction tries to coalesce adjacent entries in the scatterlist. The\nfunction does several checks if it may coalesce one entry with the next,\none of those checks is this:\n\n\tif (startsg-\u003elength + dma_len \u003e max_seg_size)\n\t\tbreak;\n\nWhen it finishes coalescing adjacent entries, it allocates the mapping:\n\nsg_dma_len(contig_sg) \u003d dma_len;\ndma_len \u003d ALIGN(dma_len + dma_offset, IOVP_SIZE);\nsg_dma_address(contig_sg) \u003d\n\tPIDE_FLAG\n\t| (iommu_alloc_range(ioc, dev, dma_len) \u003c\u003c IOVP_SHIFT)\n\t| dma_offset;\n\nIt is possible that (startsg-\u003elength + dma_len \u003e max_seg_size) is false\n(we are just near the 0x10000 max_seg_size boundary), so the funcion\ndecides to coalesce this entry with the next entry. When the coalescing\nsucceeds, the function performs\n\tdma_len \u003d ALIGN(dma_len + dma_offset, IOVP_SIZE);\nAnd now, because of non-zero dma_offset, dma_len is greater than 0x10000.\niommu_alloc_range (a pointer to sba_alloc_range) is called and it attempts\nto allocate 17 pages for a device that must not cross 16-page boundary.\n\nTo fix the bug, we must make sure that dma_len after addition of\ndma_offset and alignment doesn\u0027t cross the segment boundary. I.e. change\n\tif (startsg-\u003elength + dma_len \u003e max_seg_size)\n\t\tbreak;\nto\n\tif (ALIGN(dma_len + dma_offset + startsg-\u003elength, IOVP_SIZE) \u003e max_seg_size)\n\t\tbreak;\n\nThis patch makes this change (it precalculates max_seg_boundary at the\nbeginning of the function iommu_coalesce_chunks). I also added a check\nthat the mapping length doesn\u0027t exceed dma_get_seg_boundary(dev) (it is\nnot needed for Promise TX2+ SATA, but it may be needed for other devices\nthat have dma_get_seg_boundary lower than dma_get_max_seg_size).\n\nSigned-off-by: Mikulas Patocka \u003cmpatocka@redhat.com\u003e\nSigned-off-by: Helge Deller \u003cdeller@gmx.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "0dd69de3c4f45c6e3af43e9146ee4679dbc45a33",
      "tree": "e12fe94a12bb98f9030ff607c9ac6d9f1cc5d9d7",
      "parents": [
        "1405c2b764791b8b6328d1e39059fb6780beef9e"
      ],
      "author": {
        "name": "James Bottomley",
        "email": "James.Bottomley@HansenPartnership.com",
        "time": "Fri Dec 11 09:16:38 2015 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:37 2016 +0800"
      },
      "message": "ses: fix additional element traversal bug\n\ncommit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream.\n\nKASAN found that our additional element processing scripts drop off\nthe end of the VPD page into unallocated space.  The reason is that\nnot every element has additional information but our traversal\nroutines think they do, leading to them expecting far more additional\ninformation than is present.  Fix this by adding a gate to the\ntraversal routine so that it only processes elements that are expected\nto have additional information (list is in SES-2 section 6.1.13.1:\nAdditional Element Status diagnostic page overview)\n\nReported-by: Pavel Tikhomirov \u003cptikhomirov@virtuozzo.com\u003e\nTested-by: Pavel Tikhomirov \u003cptikhomirov@virtuozzo.com\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "1405c2b764791b8b6328d1e39059fb6780beef9e",
      "tree": "5efc8efc80a0920f88d12f1a99f6cfa94ac032c8",
      "parents": [
        "10c6ff6e59c741a94fc1cc819755f7b76e8db2c3"
      ],
      "author": {
        "name": "Kirill A. Shutemov",
        "email": "kirill@shutemov.name",
        "time": "Mon Nov 30 04:17:31 2015 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:36 2016 +0800"
      },
      "message": "vgaarb: fix signal handling in vga_get()\n\ncommit 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e upstream.\n\nThere are few defects in vga_get() related to signal hadning:\n\n  - we shouldn\u0027t check for pending signals for TASK_UNINTERRUPTIBLE\n    case;\n\n  - if we found pending signal we must remove ourself from wait queue\n    and change task state back to running;\n\n  - -ERESTARTSYS is more appropriate, I guess.\n\nSigned-off-by: Kirill A. Shutemov \u003ckirill@shutemov.name\u003e\nReviewed-by: David Herrmann \u003cdh.herrmann@gmail.com\u003e\nSigned-off-by: Dave Airlie \u003cairlied@redhat.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "10c6ff6e59c741a94fc1cc819755f7b76e8db2c3",
      "tree": "dd2eba1862808997b34e5afdfc4dadaa56c54ac6",
      "parents": [
        "d8e33a2789a888f62f1ee2a0289509947c77bc65"
      ],
      "author": {
        "name": "James Bottomley",
        "email": "James.Bottomley@HansenPartnership.com",
        "time": "Tue Dec 08 09:00:31 2015 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:36 2016 +0800"
      },
      "message": "ses: Fix problems with simple enclosures\n\ncommit 3417c1b5cb1fdc10261dbed42b05cc93166a78fd upstream.\n\nSimple enclosure implementations (mostly USB) are allowed to return only\npage 8 to every diagnostic query.  That really confuses our\nimplementation because we assume the return is the page we asked for and\nend up doing incorrect offsets based on bogus information leading to\naccesses outside of allocated ranges.  Fix that by checking the page\ncode of the return and giving an error if it isn\u0027t the one we asked for.\nThis should fix reported bugs with USB storage by simply refusing to\nattach to enclosures that behave like this.  It\u0027s also good defensive\npractise now that we\u0027re starting to see more USB enclosures.\n\nReported-by: Andrea Gelmini \u003candrea.gelmini@gelma.net\u003e\nReviewed-by: Ewan D. Milne \u003cemilne@redhat.com\u003e\nReviewed-by: Tomas Henzl \u003cthenzl@redhat.com\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "d8e33a2789a888f62f1ee2a0289509947c77bc65",
      "tree": "350307be57a6981e3d92d5d8d72b0c70be3cc7d7",
      "parents": [
        "322d37f032a4d06408af44919ad969b02543afd0"
      ],
      "author": {
        "name": "Joe Thornber",
        "email": "ejt@redhat.com",
        "time": "Thu Dec 10 14:37:53 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:36 2016 +0800"
      },
      "message": "dm btree: fix bufio buffer leaks in dm_btree_del() error path\n\ncommit ed8b45a3679eb49069b094c0711b30833f27c734 upstream.\n\nIf dm_btree_del()\u0027s call to push_frame() fails, e.g. due to\nbtree_node_validator finding invalid metadata, the dm_btree_del() error\npath must unlock all frames (which have active dm-bufio buffers) that\nwere pushed onto the del_stack.\n\nOtherwise, dm_bufio_client_destroy() will BUG_ON() because dm-bufio\nbuffers have leaked, e.g.:\n  device-mapper: bufio: leaked buffer 3, hold count 1, list 0\n\nSigned-off-by: Joe Thornber \u003cejt@redhat.com\u003e\nSigned-off-by: Mike Snitzer \u003csnitzer@redhat.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "322d37f032a4d06408af44919ad969b02543afd0",
      "tree": "4383bf94f524f99c6bee4a6f76127350a8275e8d",
      "parents": [
        "c5596fe183a9b36aae8c30334767014b6250350c"
      ],
      "author": {
        "name": "Johannes Berg",
        "email": "johannes.berg@intel.com",
        "time": "Thu Dec 10 10:37:51 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:36 2016 +0800"
      },
      "message": "rfkill: copy the name into the rfkill struct\n\ncommit b7bb110008607a915298bf0f47d25886ecb94477 upstream.\n\nSome users of rfkill, like NFC and cfg80211, use a dynamic name when\nallocating rfkill, in those cases dev_name(). Therefore, the pointer\npassed to rfkill_alloc() might not be valid forever, I specifically\nfound the case that the rfkill name was quite obviously an invalid\npointer (or at least garbage) when the wiphy had been renamed.\n\nFix this by making a copy of the rfkill name in rfkill_alloc().\n\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "c5596fe183a9b36aae8c30334767014b6250350c",
      "tree": "15879d409924b80d80792c8f6ba8de3b9da540bb",
      "parents": [
        "938188912dc13ff051362774f840721d86a9d7e3"
      ],
      "author": {
        "name": "Jason A. Donenfeld",
        "email": "Jason@zx2c4.com",
        "time": "Sun Dec 06 02:51:37 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:36 2016 +0800"
      },
      "message": "crypto: skcipher - Copy iv from desc even for 0-len walks\n\ncommit 70d906bc17500edfa9bdd8c8b7e59618c7911613 upstream.\n\nSome ciphers actually support encrypting zero length plaintexts. For\nexample, many AEAD modes support this. The resulting ciphertext for\nthose winds up being only the authentication tag, which is a result of\nthe key, the iv, the additional data, and the fact that the plaintext\nhad zero length. The blkcipher constructors won\u0027t copy the IV to the\nright place, however, when using a zero length input, resulting in\nsome significant problems when ciphers call their initialization\nroutines, only to find that the -\u003eiv parameter is uninitialized. One\nsuch example of this would be using chacha20poly1305 with a zero length\ninput, which then calls chacha20, which calls the key setup routine,\nwhich eventually OOPSes due to the uninitialized -\u003eiv member.\n\nSigned-off-by: Jason A. Donenfeld \u003cJason@zx2c4.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "938188912dc13ff051362774f840721d86a9d7e3",
      "tree": "7c15c73b07579520a7e7b5a368d1adc809459034",
      "parents": [
        "8a26248a33600fa61516fd190ec13279d1cdedf5"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Dec 08 03:07:22 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:35 2016 +0800"
      },
      "message": "9p: -\u003eevict_inode() should kick out -\u003ei_data, not -\u003ei_mapping\n\ncommit 4ad78628445d26e5e9487b2e8f23274ad7b0f5d3 upstream.\n\nFor block devices the pagecache is associated with the inode\non bdevfs, not with the aliasing ones on the mountable filesystems.\nThe latter have its own -\u003ei_data empty and -\u003ei_mapping pointing\nto the (unique per major/minor) bdevfs inode.  That guarantees\ncache coherence between all block device inodes with the same\ndevice number.\n\nEviction of an alias inode has no business trying to evict the\npages belonging to bdevfs one; moreover, -\u003ei_mapping is only\nsafe to access when the thing is opened.  At the time of\n-\u003eevict_inode() the victim is definitely *not* opened.  We are\nabout to kill the address space embedded into struct inode\n(inode-\u003ei_data) and that\u0027s what we need to empty of any pages.\n\n9p instance tries to empty inode-\u003ei_mapping instead, which is\nboth unsafe and bogus - if we have several device nodes with\nthe same device number in different places, closing one of them\nshould not try to empty the (shared) page cache.\n\nFortunately, other instances in the tree are OK; they are\nevicting from \u0026inode-\u003ei_data instead, as 9p one should.\n\nReported-by: \"Suzuki K. Poulose\" \u003cSuzuki.Poulose@arm.com\u003e\nTested-by: \"Suzuki K. Poulose\" \u003cSuzuki.Poulose@arm.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "8a26248a33600fa61516fd190ec13279d1cdedf5",
      "tree": "ca3c7fa3b80a21b3a24e7464fbcfb56779ad63b4",
      "parents": [
        "5a8fea111f5199a7c1923874ff50c76ddbcfe548"
      ],
      "author": {
        "name": "lucien",
        "email": "lucien.xin@gmail.com",
        "time": "Sat Dec 05 15:35:36 2015 +0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:35 2016 +0800"
      },
      "message": "sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING\n\ncommit 8a0d19c5ed417c78d03f4e0fa7215e58c40896d8 upstream.\n\nwhen A sends a data to B, then A close() and enter into SHUTDOWN_PENDING\nstate, if B neither claim his rwnd is 0 nor send SACK for this data, A\nwill keep retransmitting this data until t5 timeout, Max.Retrans times\ncan\u0027t work anymore, which is bad.\n\nif B\u0027s rwnd is not 0, it should send abort after Max.Retrans times, only\nwhen B\u0027s rwnd \u003d\u003d 0 and A\u0027s retransmitting beyonds Max.Retrans times, A\nwill start t5 timer, which is also commit f8d960524328 (\"sctp: Enforce\nretransmission limit during shutdown\") means, but it lacks the condition\npeer rwnd \u003d\u003d 0.\n\nso fix it by adding a bit (zero_window_announced) in peer to record if\nthe last rwnd is 0. If it was, zero_window_announced will be set. and use\nthis bit to decide if start t5 timer when local.state is SHUTDOWN_PENDING.\n\nFixes: commit f8d960524328 (\"sctp: Enforce retransmission limit during shutdown\")\nSigned-off-by: Xin Long \u003clucien.xin@gmail.com\u003e\nSigned-off-by: Marcelo Ricardo Leitner \u003cmarcelo.leitner@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[bwh: Backported to 3.2: change sack_needed to bitfield as done earlier upstream]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "5a8fea111f5199a7c1923874ff50c76ddbcfe548",
      "tree": "e99b3cd41df0664793ca0d3c11b955a5b4bd0fe1",
      "parents": [
        "9f2426cd762c421bde7dcba2f12c73ef034ec5a3"
      ],
      "author": {
        "name": "Takashi Iwai",
        "email": "tiwai@suse.de",
        "time": "Fri Dec 04 16:44:24 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:35 2016 +0800"
      },
      "message": "ALSA: rme96: Fix unexpected volume reset after rate changes\n\ncommit a74a821624c0c75388a193337babd17a8c02c740 upstream.\n\nrme96 driver needs to reset DAC depending on the sample rate, and this\nresults in resetting to the max volume suddenly.  It\u0027s because of the\nmissing call of snd_rme96_apply_dac_volume().\n\nHowever, calling this function right after the DAC reset still may not\nwork, and we need some delay before this call.  Since the DAC reset\nand the procedure after that are performed in the spinlock, we delay\nthe DAC volume restore at the end after the spinlock.\n\nReported-and-tested-by: Sylvain LABOISNE \u003cmaeda1@free.fr\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "9f2426cd762c421bde7dcba2f12c73ef034ec5a3",
      "tree": "00cc67051e25f36cac3b5534cf2cf8ec3ac45a62",
      "parents": [
        "86325076e9777158fa4bd3946c7907b78d69f1eb"
      ],
      "author": {
        "name": "Chunfeng Yun",
        "email": "chunfeng.yun@mediatek.com",
        "time": "Fri Dec 04 15:53:43 2015 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:35 2016 +0800"
      },
      "message": "usb: xhci: fix config fail of FS hub behind a HS hub with MTT\n\ncommit 096b110a3dd3c868e4610937c80d2e3f3357c1a9 upstream.\n\nif a full speed hub connects to a high speed hub which\nsupports MTT, the MTT field of its slot context will be set\nto 1 when xHCI driver setups an xHCI virtual device in\nxhci_setup_addressable_virt_dev(); once usb core fetch its\nhub descriptor, and need to update the xHC\u0027s internal data\nstructures for the device, the HUB field of its slot context\nwill be set to 1 too, meanwhile MTT is also set before,\nthis will cause configure endpoint command fail, so in the\ncase, we should clear MTT to 0 for full speed hub according\nto section 6.2.2\n\nSigned-off-by: Chunfeng Yun \u003cchunfeng.yun@mediatek.com\u003e\nSigned-off-by: Mathias Nyman \u003cmathias.nyman@linux.intel.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "86325076e9777158fa4bd3946c7907b78d69f1eb",
      "tree": "400d6917c14ce8cef9b3b4f811f85beb236c2c03",
      "parents": [
        "c4b5d77abb7e7c160d5d8c9976e35753caf5fc0b"
      ],
      "author": {
        "name": "Mike Snitzer",
        "email": "snitzer@redhat.com",
        "time": "Mon Nov 23 16:24:45 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:35 2016 +0800"
      },
      "message": "dm btree: fix leak of bufio-backed block in btree_split_sibling error path\n\ncommit 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd upstream.\n\nThe block allocated at the start of btree_split_sibling() is never\nreleased if later insert_at() fails.\n\nFix this by releasing the previously allocated bufio block using\nunlock_block().\n\nReported-by: Mikulas Patocka \u003cmpatocka@redhat.com\u003e\nSigned-off-by: Mike Snitzer \u003csnitzer@redhat.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "c4b5d77abb7e7c160d5d8c9976e35753caf5fc0b",
      "tree": "fbaa604de6c470b6de1837750754bb7123831b01",
      "parents": [
        "5b63a11b222ebc685d611ec0c47b60df0085261a"
      ],
      "author": {
        "name": "Alexey Khoroshilov",
        "email": "khoroshilov@ispras.ru",
        "time": "Sat Nov 21 00:36:44 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:35 2016 +0800"
      },
      "message": "USB: whci-hcd: add check for dma mapping error\n\ncommit f9fa1887dcf26bd346665a6ae3d3f53dec54cba1 upstream.\n\nqset_fill_page_list() do not check for dma mapping errors.\n\nFound by Linux Driver Verification project (linuxtesting.org).\n\nSigned-off-by: Alexey Khoroshilov \u003ckhoroshilov@ispras.ru\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "5b63a11b222ebc685d611ec0c47b60df0085261a",
      "tree": "03c010f884e7bd7284910357931cf458b4986cac",
      "parents": [
        "a8e989ab6494a5776c92ac6d428541fb747f816a"
      ],
      "author": {
        "name": "Mikulas Patocka",
        "email": "mpatocka@redhat.com",
        "time": "Thu Nov 26 12:00:59 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:34 2016 +0800"
      },
      "message": "sata_sil: disable trim\n\ncommit d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 upstream.\n\nWhen I connect an Intel SSD to SATA SIL controller (PCI ID 1095:3114), any\nTRIM command results in I/O errors being reported in the log. There is\nother similar error reported with TRIM and the SIL controller:\nhttps://bugs.centos.org/view.php?id\u003d5880\n\nApparently the controller doesn\u0027t support TRIM commands. This patch\ndisables TRIM support on the SATA SIL controller.\n\nata7.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0\nata7.00: BMDMA2 stat 0x50001\nata7.00: failed command: DATA SET MANAGEMENT\nata7.00: cmd 06/01:01:00:00:00/00:00:00:00:00/a0 tag 0 dma 512 out\n         res 51/04:01:00:00:00/00:00:00:00:00/a0 Emask 0x1 (device error)\nata7.00: status: { DRDY ERR }\nata7.00: error: { ABRT }\nata7.00: device reported invalid CHS sector 0\nsd 8:0:0:0: [sdb] tag#0 FAILED Result: hostbyte\u003dDID_OK driverbyte\u003dDRIVER_SENSE\nsd 8:0:0:0: [sdb] tag#0 Sense Key : Illegal Request [current] [descriptor]\nsd 8:0:0:0: [sdb] tag#0 Add. Sense: Unaligned write command\nsd 8:0:0:0: [sdb] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 21 95 88 00 20 00 00 00 00\nblk_update_request: I/O error, dev sdb, sector 2200968\n\nSigned-off-by: Mikulas Patocka \u003cmpatocka@redhat.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a8e989ab6494a5776c92ac6d428541fb747f816a",
      "tree": "69948a578303598cb73d2d5d12224acec19469f4",
      "parents": [
        "a164637644572e50547569cb05fe2d958c7061ec"
      ],
      "author": {
        "name": "Xiangliang Yu",
        "email": "Xiangliang.Yu@amd.com",
        "time": "Thu Nov 26 20:27:02 2015 +0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:34 2016 +0800"
      },
      "message": "AHCI: Fix softreset failed issue of Port Multiplier\n\ncommit 023113d24ef9e1d2b44cb2446872b17e2b01d8b1 upstream.\n\nCurrent code doesn\u0027t update port value of Port Multiplier(PM) when\nsending FIS of softreset to device, command will fail if FBS is\nenabled.\n\nThere are two ways to fix the issue: the first is to disable FBS\nbefore sending softreset command to PM device and the second is\nto update port value of PM when sending command.\n\nFor the first way, i can\u0027t find any related rule in AHCI Spec. The\nsecond way can avoid disabling FBS and has better performance.\n\nSigned-off-by: Xiangliang Yu \u003cXiangliang.Yu@amd.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a164637644572e50547569cb05fe2d958c7061ec",
      "tree": "b0fec1d9dd64071cbc45054afe9967ffbe60373f",
      "parents": [
        "0a36982a2abdaf4b20401bc0a0ba3881c7071f4a"
      ],
      "author": {
        "name": "Jan Kara",
        "email": "jack@suse.cz",
        "time": "Tue Nov 24 15:34:35 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:34 2016 +0800"
      },
      "message": "jbd2: Fix unreclaimed pages after truncate in data\u003djournal mode\n\ncommit bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 upstream.\n\nTed and Namjae have reported that truncated pages don\u0027t get timely\nreclaimed after being truncated in data\u003djournal mode. The following test\ntriggers the issue easily:\n\nfor (i \u003d 0; i \u003c 1000; i++) {\n\tpwrite(fd, buf, 1024*1024, 0);\n\tfsync(fd);\n\tfsync(fd);\n\tftruncate(fd, 0);\n}\n\nThe reason is that journal_unmap_buffer() finds that truncated buffers\nare not journalled (jh-\u003eb_transaction \u003d\u003d NULL), they are part of\ncheckpoint list of a transaction (jh-\u003eb_cp_transaction !\u003d NULL) and have\nbeen already written out (!buffer_dirty(bh)). We clean such buffers but\nwe leave them in the checkpoint list. Since checkpoint transaction holds\na reference to the journal head, these buffers cannot be released until\nthe checkpoint transaction is cleaned up. And at that point we don\u0027t\ncall release_buffer_page() anymore so pages detached from mapping are\nlingering in the system waiting for reclaim to find them and free them.\n\nFix the problem by removing buffers from transaction checkpoint lists\nwhen journal_unmap_buffer() finds out they don\u0027t have to be there\nanymore.\n\nReported-and-tested-by: Namjae Jeon \u003cnamjae.jeon@samsung.com\u003e\nFixes: de1b794130b130e77ffa975bb58cb843744f9ae5\nSigned-off-by: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "0a36982a2abdaf4b20401bc0a0ba3881c7071f4a",
      "tree": "a4b0efe47e42882e207975b14c11502bb41d196e",
      "parents": [
        "202ebb76fcbafd9748cf132ea99eb88bd2a218c0"
      ],
      "author": {
        "name": "David Turner",
        "email": "novalis@novalis.org",
        "time": "Tue Nov 24 14:34:37 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:34 2016 +0800"
      },
      "message": "ext4: Fix handling of extended tv_sec\n\ncommit a4dad1ae24f850410c4e60f22823cba1289b8d52 upstream.\n\nIn ext4, the bottom two bits of {a,c,m}time_extra are used to extend\nthe {a,c,m}time fields, deferring the year 2038 problem to the year\n2446.\n\nWhen decoding these extended fields, for times whose bottom 32 bits\nwould represent a negative number, sign extension causes the 64-bit\nextended timestamp to be negative as well, which is not what\u0027s\nintended.  This patch corrects that issue, so that the only negative\n{a,c,m}times are those between 1901 and 1970 (as per 32-bit signed\ntimestamps).\n\nSome older kernels might have written pre-1970 dates with 1,1 in the\nextra bits.  This patch treats those incorrectly-encoded dates as\npre-1970, instead of post-2311, until kernel 4.20 is released.\nHopefully by then e2fsck will have fixed up the bad data.\n\nAlso add a comment explaining the encoding of ext4\u0027s extra {a,c,m}time\nbits.\n\nSigned-off-by: David Turner \u003cnovalis@novalis.org\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nReported-by: Mark Harris \u003cmh8928@yahoo.com\u003e\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d23732\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "202ebb76fcbafd9748cf132ea99eb88bd2a218c0",
      "tree": "0031ff372fbd52b21ede13f4e3429b57f891602f",
      "parents": [
        "0dfa2ec52321e4d6fb0ef02a58e86b3fb734a284"
      ],
      "author": {
        "name": "Konstantin Shkolnyy",
        "email": "konstantin.shkolnyy@gmail.com",
        "time": "Tue Nov 10 16:40:13 2015 -0600"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:34 2016 +0800"
      },
      "message": "USB: cp210x: Remove CP2110 ID from compatibility list\n\ncommit 7c90e610b60cd1ed6abafd806acfaedccbbe52d1 upstream.\n\nCP2110 ID (0x10c4, 0xea80) doesn\u0027t belong here because it\u0027s a HID\nand completely different from CP210x devices.\n\nSigned-off-by: Konstantin Shkolnyy \u003ckonstantin.shkolnyy@gmail.com\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "0dfa2ec52321e4d6fb0ef02a58e86b3fb734a284",
      "tree": "6fa8634f622e50940e62ce094ed44839d0803a75",
      "parents": [
        "b411ae9afe4ddc0d7f31c023b09d50cd9559ffbd"
      ],
      "author": {
        "name": "Roman Gushchin",
        "email": "klamm@yandex-team.ru",
        "time": "Mon Oct 12 16:33:44 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:34 2016 +0800"
      },
      "message": "fuse: break infinite loop in fuse_fill_write_pages()\n\ncommit 3ca8138f014a913f98e6ef40e939868e1e9ea876 upstream.\n\nI got a report about unkillable task eating CPU. Further\ninvestigation shows, that the problem is in the fuse_fill_write_pages()\nfunction. If iov\u0027s first segment has zero length, we get an infinite\nloop, because we never reach iov_iter_advance() call.\n\nFix this by calling iov_iter_advance() before repeating an attempt to\ncopy data from userspace.\n\nA similar problem is described in 124d3b7041f (\"fix writev regression:\npan hanging unkillable and un-straceable\"). If zero-length segmend\nis followed by segment with invalid address,\niov_iter_fault_in_readable() checks only first segment (zero-length),\niov_iter_copy_from_user_atomic() skips it, fails at second and\nreturns zero -\u003e goto again without skipping zero-length segment.\n\nPatch calls iov_iter_advance() before goto again: we\u0027ll skip zero-length\nsegment at second iteraction and iov_iter_fault_in_readable() will detect\ninvalid address.\n\nSpecial thanks to Konstantin Khlebnikov, who helped a lot with the commit\ndescription.\n\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nCc: Maxim Patlasov \u003cmpatlasov@parallels.com\u003e\nCc: Konstantin Khlebnikov \u003ckhlebnikov@yandex-team.ru\u003e\nSigned-off-by: Roman Gushchin \u003cklamm@yandex-team.ru\u003e\nSigned-off-by: Miklos Szeredi \u003cmiklos@szeredi.hu\u003e\nFixes: ea9b9907b82a (\"fuse: implement perform_write\")\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "b411ae9afe4ddc0d7f31c023b09d50cd9559ffbd",
      "tree": "951b7de5f805bd72f77b4bfc833bcb79fd25c22c",
      "parents": [
        "e4d7eafcedc0e277421854577984009b51fb07ec"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Mon Nov 23 21:11:08 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:33 2016 +0800"
      },
      "message": "fix sysvfs symlinks\n\ncommit 0ebf7f10d67a70e120f365018f1c5fce9ddc567d upstream.\n\nThe thing got broken back in 2002 - sysvfs does *not* have inline\nsymlinks; even short ones have bodies stored in the first block\nof file.  sysv_symlink() handles that correctly; unfortunately,\nattempting to look an existing symlink up will end up confusing\nthem for inline symlinks, and interpret the block number containing\nthe body as the body itself.\n\nNobody has noticed until now, which says something about the level\nof testing sysvfs gets ;-/\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "e4d7eafcedc0e277421854577984009b51fb07ec",
      "tree": "ed40a9bff0bc9ed6e9cb55f3ea272b6e8957f278",
      "parents": [
        "55d4174137baddba6a0291a9abd6fbc6c13c3302"
      ],
      "author": {
        "name": "Dmitry V. Levin",
        "email": "ldv@altlinux.org",
        "time": "Tue Dec 01 00:54:36 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:33 2016 +0800"
      },
      "message": "x86/signal: Fix restart_syscall number for x32 tasks\n\ncommit 22eab1108781eff09961ae7001704f7bd8fb1dce upstream.\n\nWhen restarting a syscall with regs-\u003eax \u003d\u003d -ERESTART_RESTARTBLOCK,\nregs-\u003eax is assigned to a restart_syscall number.  For x32 tasks, this\nsyscall number must have __X32_SYSCALL_BIT set, otherwise it will be\nan x86_64 syscall number instead of a valid x32 syscall number. This\nissue has been there since the introduction of x32.\n\nReported-by: strace/tests/restart_syscall.test\nReported-and-tested-by: Elvira Khabirova \u003clineprinter0@gmail.com\u003e\nSigned-off-by: Dmitry V. Levin \u003cldv@altlinux.org\u003e\nCc: Elvira Khabirova \u003clineprinter0@gmail.com\u003e\nLink: http://lkml.kernel.org/r/20151130215436.GA25996@altlinux.org\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "55d4174137baddba6a0291a9abd6fbc6c13c3302",
      "tree": "8535e00782a7470adabeb3b5d56255d87b7ed82a",
      "parents": [
        "270c07a82df06074f75c70a5fc646fc1f4b4084f"
      ],
      "author": {
        "name": "Xunlei Pang",
        "email": "xlpang@redhat.com",
        "time": "Wed Dec 02 19:52:59 2015 +0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:33 2016 +0800"
      },
      "message": "sched/core: Clear the root_domain cpumasks in init_rootdomain()\n\ncommit 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 upstream.\n\nroot_domain::rto_mask allocated through alloc_cpumask_var()\ncontains garbage data, this may cause problems. For instance,\nWhen doing pull_rt_task(), it may do useless iterations if\nrto_mask retains some extra garbage bits. Worse still, this\nviolates the isolated domain rule for clustered scheduling\nusing cpuset, because the tasks(with all the cpus allowed)\nbelongs to one root domain can be pulled away into another\nroot domain.\n\nThe patch cleans the garbage by using zalloc_cpumask_var()\ninstead of alloc_cpumask_var() for root_domain::rto_mask\nallocation, thereby addressing the issues.\n\nDo the same thing for root_domain\u0027s other cpumask memembers:\ndlo_mask, span, and online.\n\nSigned-off-by: Xunlei Pang \u003cxlpang@redhat.com\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Mike Galbraith \u003cefault@gmx.de\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nLink: http://lkml.kernel.org/r/1449057179-29321-1-git-send-email-xlpang@redhat.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\n[lizf: there\u0027s no rd-\u003edlo_mask, so remove the change to it]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "270c07a82df06074f75c70a5fc646fc1f4b4084f",
      "tree": "8ec9c2e029fa2421a59e60b1f734e46ed4774114",
      "parents": [
        "5cd25ba84bd375bb62ff8a8de68d3788591ecb6b"
      ],
      "author": {
        "name": "Peter Hurley",
        "email": "peter@hurleysoftware.com",
        "time": "Fri Nov 27 14:18:39 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:33 2016 +0800"
      },
      "message": "wan/x25: Fix use-after-free in x25_asy_open_tty()\n\ncommit ee9159ddce14bc1dec9435ae4e3bd3153e783706 upstream.\n\nThe N_X25 line discipline may access the previous line discipline\u0027s closed\nand already-freed private data on open [1].\n\nThe tty-\u003edisc_data field _never_ refers to valid data on entry to the\nline discipline\u0027s open() method. Rather, the ldisc is expected to\ninitialize that field for its own use for the lifetime of the instance\n(ie. from open() to close() only).\n\n[1]\n    [  634.336761] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0\n    [  634.339558] Read of size 4 by task syzkaller_execu/8981\n    [  634.340359] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected\n    ...\n    [  634.405018] Call Trace:\n    [  634.405277] dump_stack (lib/dump_stack.c:52)\n    [  634.405775] print_trailer (mm/slub.c:655)\n    [  634.406361] object_err (mm/slub.c:662)\n    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)\n    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)\n    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))\n    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)\n    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)\n    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)\n    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)\n    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)\n    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)\n\nReported-and-tested-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\nSigned-off-by: Peter Hurley \u003cpeter@hurleysoftware.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "5cd25ba84bd375bb62ff8a8de68d3788591ecb6b",
      "tree": "9d151962deb5cf74b9119ceded7a1c03d85d97bd",
      "parents": [
        "a8d3a5b24da10c5d6b7c2bc2ee26def66f9f46ec"
      ],
      "author": {
        "name": "Jeff Layton",
        "email": "jlayton@poochiereds.net",
        "time": "Wed Nov 25 13:50:11 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:33 2016 +0800"
      },
      "message": "nfs: if we have no valid attrs, then don\u0027t declare the attribute cache valid\n\ncommit c812012f9ca7cf89c9e1a1cd512e6c3b5be04b85 upstream.\n\nIf we pass in an empty nfs_fattr struct to nfs_update_inode, it will\n(correctly) not update any of the attributes, but it then clears the\nNFS_INO_INVALID_ATTR flag, which indicates that the attributes are\nup to date. Don\u0027t clear the flag if the fattr struct has no valid\nattrs to apply.\n\nReviewed-by: Steve French \u003csteve.french@primarydata.com\u003e\nSigned-off-by: Jeff Layton \u003cjeff.layton@primarydata.com\u003e\nSigned-off-by: Trond Myklebust \u003ctrond.myklebust@primarydata.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a8d3a5b24da10c5d6b7c2bc2ee26def66f9f46ec",
      "tree": "542a077664ffb9a09cdc4a029fd408b30a78e5e9",
      "parents": [
        "9c6caab0351a09777714505db6a355a4479932b8"
      ],
      "author": {
        "name": "Jan Kara",
        "email": "jack@suse.cz",
        "time": "Mon Nov 23 13:09:51 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:32 2016 +0800"
      },
      "message": "vfs: Avoid softlockups with sendfile(2)\n\ncommit c2489e07c0a71a56fb2c84bc0ee66cddfca7d068 upstream.\n\nThe following test program from Dmitry can cause softlockups or RCU\nstalls as it copies 1GB from tmpfs into eventfd and we don\u0027t have any\nscheduling point at that path in sendfile(2) implementation:\n\n        int r1 \u003d eventfd(0, 0);\n        int r2 \u003d memfd_create(\"\", 0);\n        unsigned long n \u003d 1\u003c\u003c30;\n        fallocate(r2, 0, 0, n);\n        sendfile(r1, r2, 0, n);\n\nAdd cond_resched() into __splice_from_pipe() to fix the problem.\n\nCC: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nSigned-off-by: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "9c6caab0351a09777714505db6a355a4479932b8",
      "tree": "8f1bb02a107d2eb7d0ba9e46267e54ea9a560d44",
      "parents": [
        "cf030cb1542d200fc258f2efb1f118874a023d09"
      ],
      "author": {
        "name": "Jan Kara",
        "email": "jack@suse.cz",
        "time": "Mon Nov 23 13:09:50 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:32 2016 +0800"
      },
      "message": "vfs: Make sendfile(2) killable even better\n\ncommit c725bfce7968009756ed2836a8cd7ba4dc163011 upstream.\n\nCommit 296291cdd162 (mm: make sendfile(2) killable) fixed an issue where\nsendfile(2) was doing a lot of tiny writes into a filesystem and thus\nwas unkillable for a long time. However sendfile(2) can be (mis)used to\nissue lots of writes into arbitrary file descriptor such as evenfd or\nsimilar special file descriptors which never hit the standard filesystem\nwrite path and thus are still unkillable. E.g. the following example\nfrom Dmitry burns CPU for ~16s on my test system without possibility to\nbe killed:\n\n        int r1 \u003d eventfd(0, 0);\n        int r2 \u003d memfd_create(\"\", 0);\n        unsigned long n \u003d 1\u003c\u003c30;\n        fallocate(r2, 0, 0, n);\n        sendfile(r1, r2, 0, n);\n\nThere are actually quite a few tests for pending signals in sendfile\ncode however we data to write is always available none of them seems to\ntrigger. So fix the problem by adding a test for pending signal into\nsplice_from_pipe_next() also before the loop waiting for pipe buffers to\nbe available. This should fix all the lockup issues with sendfile of the\ndo-ton-of-tiny-writes nature.\n\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nSigned-off-by: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "cf030cb1542d200fc258f2efb1f118874a023d09",
      "tree": "d805e3a24dc7cc10c47ae9185330fd03df9e2778",
      "parents": [
        "34a906cd9f6445d9510841667eff0d980279ebf3"
      ],
      "author": {
        "name": "Mirza Krak",
        "email": "mirza.krak@hostmobility.com",
        "time": "Tue Nov 10 14:59:34 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:32 2016 +0800"
      },
      "message": "can: sja1000: clear interrupts on start\n\ncommit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.\n\nAccording to SJA1000 data sheet error-warning (EI) interrupt is not\ncleared by setting the controller in to reset-mode.\n\nThen if we have the following case:\n- system is suspended (echo mem \u003e /sys/power/state) and SJA1000 is left\n  in operating state\n- A bus error condition occurs which activates EI interrupt, system is\n  still suspended which means EI interrupt will be not be handled nor\n  cleared.\n\nIf the above two events occur, on resume there is no way to return the\nSJA1000 to operating state, except to cycle power to it.\n\nBy simply reading the IR register on start we will clear any previous\nconditions that could be present.\n\nSigned-off-by: Mirza Krak \u003cmirza.krak@hostmobility.com\u003e\nReported-by: Christian Magnusson \u003cChristian.Magnusson@semcon.com\u003e\nSigned-off-by: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\n[lizf: Backported to 3.4: s/SJA1000_IR/REG_IR/]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "34a906cd9f6445d9510841667eff0d980279ebf3",
      "tree": "0527a814c89b7d52ac90ad6b3516595d3e551b78",
      "parents": [
        "1483b3cca5278889bfe4e7bfced14f1c3978f8be"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Thu Nov 19 17:18:54 2015 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:32 2016 +0800"
      },
      "message": "mac: validate mac_partition is within sector\n\ncommit 02e2a5bfebe99edcf9d694575a75032d53fe1b73 upstream.\n\nIf md-\u003esignature \u003d\u003d MAC_DRIVER_MAGIC and md-\u003eblock_size \u003d\u003d 1023, a single\n512 byte sector would be read (secsize / 512). However the partition\nstructure would be located past the end of the buffer (secsize % 512).\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nSigned-off-by: Jens Axboe \u003caxboe@fb.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "1483b3cca5278889bfe4e7bfced14f1c3978f8be",
      "tree": "cd251c45f719cb56ee817d6c36013fb0e066a3b3",
      "parents": [
        "69eff2b3042d89429a0cfcc744551168c0fd3402"
      ],
      "author": {
        "name": "Bjørn Mork",
        "email": "bjorn@mork.no",
        "time": "Wed Nov 18 21:12:33 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:32 2016 +0800"
      },
      "message": "USB: option: add XS Stick W100-2 from 4G Systems\n\ncommit 638148e20c7f8f6e95017fdc13bce8549a6925e0 upstream.\n\nThomas reports\n\"\n4gsystems sells two total different LTE-surfsticks under the same name.\n..\nThe newer version of XS Stick W100 is from \"omega\"\n..\nUnder windows the driver switches to the same ID, and uses MI03\\6 for\nnetwork and MI01\\6 for modem.\n..\necho \"1c9e 9b01\" \u003e /sys/bus/usb/drivers/qmi_wwan/new_id\necho \"1c9e 9b01\" \u003e /sys/bus/usb-serial/drivers/option1/new_id\n\nT:  Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d03 Cnt\u003d01 Dev#\u003d  4 Spd\u003d480 MxCh\u003d 0\nD:  Ver\u003d 2.00 Cls\u003d00(\u003eifc ) Sub\u003d00 Prot\u003d00 MxPS\u003d64 #Cfgs\u003d  1\nP:  Vendor\u003d1c9e ProdID\u003d9b01 Rev\u003d02.32\nS:  Manufacturer\u003dUSB Modem\nS:  Product\u003dUSB Modem\nS:  SerialNumber\u003d\nC:  #Ifs\u003d 5 Cfg#\u003d 1 Atr\u003d80 MxPwr\u003d500mA\nI:  If#\u003d 0 Alt\u003d 0 #EPs\u003d 2 Cls\u003dff(vend.) Sub\u003dff Prot\u003dff Driver\u003doption\nI:  If#\u003d 1 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003dff Prot\u003dff Driver\u003doption\nI:  If#\u003d 2 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003dff Prot\u003dff Driver\u003doption\nI:  If#\u003d 3 Alt\u003d 0 #EPs\u003d 3 Cls\u003dff(vend.) Sub\u003dff Prot\u003dff Driver\u003dqmi_wwan\nI:  If#\u003d 4 Alt\u003d 0 #EPs\u003d 2 Cls\u003d08(stor.) Sub\u003d06 Prot\u003d50 Driver\u003dusb-storage\n\nNow all important things are there:\n\nwwp0s29f7u2i3 (net), ttyUSB2 (at), cdc-wdm0 (qmi), ttyUSB1 (at)\n\nThere is also ttyUSB0, but it is not usable, at least not for at.\n\nThe device works well with qmi and ModemManager-NetworkManager.\n\"\n\nReported-by: Thomas Schäfer \u003ctschaefer@t-online.de\u003e\nSigned-off-by: Bjørn Mork \u003cbjorn@mork.no\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "69eff2b3042d89429a0cfcc744551168c0fd3402",
      "tree": "0087e51704cfbb71c2b591840ef7423fbcb5b22d",
      "parents": [
        "eb1876f774b4421ad4fe1e7a3c465bc508fceb4d"
      ],
      "author": {
        "name": "Sachin Pandhare",
        "email": "sachinpandhare@gmail.com",
        "time": "Tue Nov 10 23:38:02 2015 +0530"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:31 2016 +0800"
      },
      "message": "ASoC: wm8962: correct addresses for HPF_C_0/1\n\ncommit e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 upstream.\n\nFrom datasheet:\nR17408 (4400h) HPF_C_1\nR17409 (4401h) HPF_C_0\n17048 -\u003e 17408 (0x4400)\n17049 -\u003e 17409 (0x4401)\n\nSigned-off-by: Sachin Pandhare \u003csachinpandhare@gmail.com\u003e\nAcked-by: Charles Keepax \u003cckeepax@opensource.wolfsonmicro.com\u003e\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "eb1876f774b4421ad4fe1e7a3c465bc508fceb4d",
      "tree": "3a2ca3a76d042c203870ce050de1a50673aa8052",
      "parents": [
        "38f4635ce63eec7484a74a0b27da8bd668745464"
      ],
      "author": {
        "name": "Aleksander Morgado",
        "email": "aleksander@aleksander.es",
        "time": "Wed Nov 11 19:51:40 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:31 2016 +0800"
      },
      "message": "USB: serial: option: add support for Novatel MiFi USB620L\n\ncommit e07af133c3e2716db25e3e1e1d9f10c2088e9c1a upstream.\n\nAlso known as Verizon U620L.\n\nThe device is modeswitched from 1410:9020 to 1410:9022 by selecting the\n4th USB configuration:\n\n $ sudo usb_modeswitch –v 0x1410 –p 0x9020 –u 4\n\nThis configuration provides a ECM interface as well as TTYs (\u0027Enterprise\nMode\u0027 according to the U620 Linux integration guide).\n\nSigned-off-by: Aleksander Morgado \u003caleksander@aleksander.es\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "38f4635ce63eec7484a74a0b27da8bd668745464",
      "tree": "045a87c4cdb94067142f70190eb89c058fcfa924",
      "parents": [
        "1139b9c3142a5970786acfd7f59ba66c5d212c12"
      ],
      "author": {
        "name": "Clemens Ladisch",
        "email": "clemens@ladisch.de",
        "time": "Sun Nov 15 22:39:08 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:31 2016 +0800"
      },
      "message": "ALSA: usb-audio: work around CH345 input SysEx corruption\n\ncommit a91e627e3f0ed820b11d86cdc04df38f65f33a70 upstream.\n\nOne of the many faults of the QinHeng CH345 USB MIDI interface chip is\nthat it does not handle received SysEx messages correctly -- every second\nevent packet has a wrong code index number, which is the one from the last\nseen message, instead of 4.  For example, the two messages \"FE F0 01 02 03\n04 05 06 07 08 09 0A 0B 0C 0D 0E F7\" result in the following event\npackets:\n\ncorrect:       CH345:\n0F FE 00 00    0F FE 00 00\n04 F0 01 02    04 F0 01 02\n04 03 04 05    0F 03 04 05\n04 06 07 08    04 06 07 08\n04 09 0A 0B    0F 09 0A 0B\n04 0C 0D 0E    04 0C 0D 0E\n05 F7 00 00    05 F7 00 00\n\nA class-compliant driver must interpret an event packet with CIN 15 as\nhaving a single data byte, so the other two bytes would be ignored.  The\nmessage received by the host would then be missing two bytes out of six;\nin this example, \"F0 01 02 03 06 07 08 09 0C 0D 0E F7\".\n\nThese corrupted SysEx event packages contain only data bytes, while the\nCH345 uses event packets with a correct CIN value only for messages with\na status byte, so it is possible to distinguish between these two cases by\nchecking for the presence of this status byte.\n\n(Other bugs in the CH345\u0027s input handling, such as the corruption resulting\nfrom running status, cannot be worked around.)\n\nSigned-off-by: Clemens Ladisch \u003cclemens@ladisch.de\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "1139b9c3142a5970786acfd7f59ba66c5d212c12",
      "tree": "e9734161aa39aa71940ffc9044bd2704fe58ace8",
      "parents": [
        "57d3b5d74b60c08d0a85a1d04d87351846e867ed"
      ],
      "author": {
        "name": "Clemens Ladisch",
        "email": "clemens@ladisch.de",
        "time": "Sun Nov 15 22:38:29 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:31 2016 +0800"
      },
      "message": "ALSA: usb-audio: prevent CH345 multiport output SysEx corruption\n\ncommit 1ca8b201309d842642f221db7f02f71c0af5be2d upstream.\n\nThe CH345 USB MIDI chip has two output ports.  However, they are\nmultiplexed through one pin, and the number of ports cannot be reduced\neven for hardware that implements only one connector, so for those\ndevices, data sent to either port ends up on the same hardware output.\nThis becomes a problem when both ports are used at the same time, as\nlonger MIDI commands (such as SysEx messages) are likely to be\ninterrupted by messages from the other port, and thus to get lost.\n\nIt would not be possible for the driver to detect how many ports the\ndevice actually has, except that in practice, _all_ devices built with\nthe CH345 have only one port.  So we can just ignore the device\u0027s\ndescriptors, and hardcode one output port.\n\nSigned-off-by: Clemens Ladisch \u003cclemens@ladisch.de\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "57d3b5d74b60c08d0a85a1d04d87351846e867ed",
      "tree": "3e64df5fb87ce77c448cd7a1dcfef1bd4321c1aa",
      "parents": [
        "a1977e3c98e9ce5a979b53c04bd8f722fc2b1200"
      ],
      "author": {
        "name": "Clemens Ladisch",
        "email": "clemens@ladisch.de",
        "time": "Sun Nov 15 22:37:44 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:31 2016 +0800"
      },
      "message": "ALSA: usb-audio: add packet size quirk for the Medeli DD305\n\ncommit 98d362becb6621bebdda7ed0eac7ad7ec6c37898 upstream.\n\nSigned-off-by: Clemens Ladisch \u003cclemens@ladisch.de\u003e\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a1977e3c98e9ce5a979b53c04bd8f722fc2b1200",
      "tree": "d46f3c0127db1ddd291966d808cd13f00f3bc05e",
      "parents": [
        "cb4a1131acf864b83c575478b16fc8485d4be1ae"
      ],
      "author": {
        "name": "Vladimir Zapolskiy",
        "email": "vz@mleia.com",
        "time": "Sat Oct 17 21:44:38 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:30 2016 +0800"
      },
      "message": "iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock\n\ncommit 01bb70ae0b98d266fa3e860482c7ce22fa482a6e upstream.\n\nIf common clock framework is configured, the driver generates a warning,\nwhich is fixed by this change:\n\n    root@devkit3250:~# cat /sys/bus/iio/devices/iio\\:device0/in_voltage0_raw\n    ------------[ cut here ]------------\n    WARNING: CPU: 0 PID: 724 at drivers/clk/clk.c:727 clk_core_enable+0x2c/0xa4()\n    Modules linked in: sc16is7xx snd_soc_uda1380\n    CPU: 0 PID: 724 Comm: cat Not tainted 4.3.0-rc2+ #198\n    Hardware name: LPC32XX SoC (Flattened Device Tree)\n    Backtrace:\n    [\u003c\u003e] (dump_backtrace) from [\u003c\u003e] (show_stack+0x18/0x1c)\n    [\u003c\u003e] (show_stack) from [\u003c\u003e] (dump_stack+0x20/0x28)\n    [\u003c\u003e] (dump_stack) from [\u003c\u003e] (warn_slowpath_common+0x90/0xb8)\n    [\u003c\u003e] (warn_slowpath_common) from [\u003c\u003e] (warn_slowpath_null+0x24/0x2c)\n    [\u003c\u003e] (warn_slowpath_null) from [\u003c\u003e] (clk_core_enable+0x2c/0xa4)\n    [\u003c\u003e] (clk_core_enable) from [\u003c\u003e] (clk_enable+0x24/0x38)\n    [\u003c\u003e] (clk_enable) from [\u003c\u003e] (lpc32xx_read_raw+0x38/0x80)\n    [\u003c\u003e] (lpc32xx_read_raw) from [\u003c\u003e] (iio_read_channel_info+0x70/0x94)\n    [\u003c\u003e] (iio_read_channel_info) from [\u003c\u003e] (dev_attr_show+0x28/0x4c)\n    [\u003c\u003e] (dev_attr_show) from [\u003c\u003e] (sysfs_kf_seq_show+0x8c/0xf0)\n    [\u003c\u003e] (sysfs_kf_seq_show) from [\u003c\u003e] (kernfs_seq_show+0x2c/0x30)\n    [\u003c\u003e] (kernfs_seq_show) from [\u003c\u003e] (seq_read+0x1c8/0x440)\n    [\u003c\u003e] (seq_read) from [\u003c\u003e] (kernfs_fop_read+0x38/0x170)\n    [\u003c\u003e] (kernfs_fop_read) from [\u003c\u003e] (do_readv_writev+0x16c/0x238)\n    [\u003c\u003e] (do_readv_writev) from [\u003c\u003e] (vfs_readv+0x50/0x58)\n    [\u003c\u003e] (vfs_readv) from [\u003c\u003e] (default_file_splice_read+0x1a4/0x308)\n    [\u003c\u003e] (default_file_splice_read) from [\u003c\u003e] (do_splice_to+0x78/0x84)\n    [\u003c\u003e] (do_splice_to) from [\u003c\u003e] (splice_direct_to_actor+0xc8/0x1cc)\n    [\u003c\u003e] (splice_direct_to_actor) from [\u003c\u003e] (do_splice_direct+0xa0/0xb8)\n    [\u003c\u003e] (do_splice_direct) from [\u003c\u003e] (do_sendfile+0x1a8/0x30c)\n    [\u003c\u003e] (do_sendfile) from [\u003c\u003e] (SyS_sendfile64+0x104/0x10c)\n    [\u003c\u003e] (SyS_sendfile64) from [\u003c\u003e] (ret_fast_syscall+0x0/0x38)\n\nSigned-off-by: Vladimir Zapolskiy \u003cvz@mleia.com\u003e\nSigned-off-by: Jonathan Cameron \u003cjic23@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "cb4a1131acf864b83c575478b16fc8485d4be1ae",
      "tree": "801d7fc3f6fb7ab9ed03a8a8763e7697c1aae959",
      "parents": [
        "468992e1e827feac0e1304b131a24679e7830958"
      ],
      "author": {
        "name": "Konstantin Khlebnikov",
        "email": "koct9i@gmail.com",
        "time": "Tue Dec 01 01:14:48 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:30 2016 +0800"
      },
      "message": "net/neighbour: fix crash at dumping device-agnostic proxy entries\n\ncommit 6adc5fd6a142c6e2c80574c1db0c7c17dedaa42e upstream.\n\nProxy entries could have null pointer to net-device.\n\nSigned-off-by: Konstantin Khlebnikov \u003ckoct9i@gmail.com\u003e\nFixes: 84920c1420e2 (\"net: Allow ipv6 proxies and arp proxies be shown with iproute2\")\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "468992e1e827feac0e1304b131a24679e7830958",
      "tree": "82e50c0049968be9d7d5db0167d3c9e82a2e0068",
      "parents": [
        "f134abb642c0fe8eb3f4ce8d5598ca8a251aa335"
      ],
      "author": {
        "name": "Steven Rostedt (Red Hat)",
        "email": "rostedt@goodmis.org",
        "time": "Mon Nov 23 10:35:36 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:30 2016 +0800"
      },
      "message": "ring-buffer: Update read stamp with first real commit on page\n\ncommit b81f472a208d3e2b4392faa6d17037a89442f4ce upstream.\n\nDo not update the read stamp after swapping out the reader page from the\nwrite buffer. If the reader page is swapped out of the buffer before an\nevent is written to it, then the read_stamp may get an out of date\ntimestamp, as the page timestamp is updated on the first commit to that\npage.\n\nrb_get_reader_page() only returns a page if it has an event on it, otherwise\nit will return NULL. At that point, check if the page being returned has\nevents and has not been read yet. Then at that point update the read_stamp\nto match the time stamp of the reader page.\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "f134abb642c0fe8eb3f4ce8d5598ca8a251aa335",
      "tree": "8a3bc4bdba19df17f89c98fffe2de41179a3677a",
      "parents": [
        "dc5fac08fa77a56769e4b095b9b4b248ffa1946f"
      ],
      "author": {
        "name": "Aaro Koskinen",
        "email": "aaro.koskinen@iki.fi",
        "time": "Sun Nov 22 01:08:54 2015 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:30 2016 +0800"
      },
      "message": "broadcom: fix PHY_ID_BCM5481 entry in the id table\n\ncommit 3c25a860d17b7378822f35d8c9141db9507e3beb upstream.\n\nCommit fcb26ec5b18d (\"broadcom: move all PHY_ID\u0027s to header\")\nupdated broadcom_tbl to use PHY_IDs, but incorrectly replaced 0x0143bca0\nwith PHY_ID_BCM5482 (making a duplicate entry, and completely omitting\nthe original). Fix that.\n\nFixes: fcb26ec5b18d (\"broadcom: move all PHY_ID\u0027s to header\")\nSigned-off-by: Aaro Koskinen \u003caaro.koskinen@iki.fi\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "dc5fac08fa77a56769e4b095b9b4b248ffa1946f",
      "tree": "df18b4d233d782f67bcd584a1abfe77a08bc9137",
      "parents": [
        "fdf9925838bfafe6dbbd3072b5596e69f5b9d90b"
      ],
      "author": {
        "name": "Nikolay Aleksandrov",
        "email": "nikolay@cumulusnetworks.com",
        "time": "Fri Nov 20 13:54:20 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:30 2016 +0800"
      },
      "message": "net: ip6mr: fix static mfc/dev leaks on table destruction\n\ncommit 4c6980462f32b4f282c5d8e5f7ea8070e2937725 upstream.\n\nSimilar to ipv4, when destroying an mrt table the static mfc entries and\nthe static devices are kept, which leads to devices that can never be\ndestroyed (because of refcnt taken) and leaked memory. Make sure that\neverything is cleaned up on netns destruction.\n\nFixes: 8229efdaef1e (\"netns: ip6mr: enable namespace support in ipv6 multicast forwarding code\")\nCC: Benjamin Thery \u003cbenjamin.thery@bull.net\u003e\nSigned-off-by: Nikolay Aleksandrov \u003cnikolay@cumulusnetworks.com\u003e\nReviewed-by: Cong Wang \u003ccwang@twopensource.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "fdf9925838bfafe6dbbd3072b5596e69f5b9d90b",
      "tree": "1e4fbeed45d3205f980c6362b69b97121b3cc164",
      "parents": [
        "d547bd0868278d21d4a872fe28532117a8edaff4"
      ],
      "author": {
        "name": "WANG Cong",
        "email": "xiyou.wangcong@gmail.com",
        "time": "Tue Mar 31 11:01:47 2015 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:29 2016 +0800"
      },
      "message": "ip6mr: call del_timer_sync() in ip6mr_free_table()\n\ncommit 7ba0c47c34a1ea5bc7a24ca67309996cce0569b5 upstream.\n\nWe need to wait for the flying timers, since we\nare going to free the mrtable right after it.\n\nCc: Hannes Frederic Sowa \u003channes@stressinduktion.org\u003e\nSigned-off-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "d547bd0868278d21d4a872fe28532117a8edaff4",
      "tree": "025725fb50f5a38c16f6f5046ffe715bb1856627",
      "parents": [
        "d1ed24e961d75e95b482523de73f78e93b128048"
      ],
      "author": {
        "name": "Jiri Slaby",
        "email": "jslaby@suse.cz",
        "time": "Mon Nov 02 10:27:00 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:29 2016 +0800"
      },
      "message": "usblp: do not set TASK_INTERRUPTIBLE before lock\n\ncommit 19cd80a214821f4b558560ebd76bfb2c38b4f3d8 upstream.\n\nIt is not permitted to set task state before lock. usblp_wwait sets\nthe state to TASK_INTERRUPTIBLE and calls mutex_lock_interruptible.\nUpon return from that function, the state will be TASK_RUNNING again.\n\nThis is clearly a bug and a warning is generated with LOCKDEP too:\nWARNING: CPU: 1 PID: 5109 at kernel/sched/core.c:7404 __might_sleep+0x7d/0x90()\ndo not call blocking ops when !TASK_RUNNING; state\u003d1 set at [\u003cffffffffa0c588d0\u003e] usblp_wwait+0xa0/0x310 [usblp]\nModules linked in: ...\nCPU: 1 PID: 5109 Comm: captmon Tainted: G        W       4.2.5-0.gef2823b-default #1\nHardware name: LENOVO 23252SG/23252SG, BIOS G2ET33WW (1.13 ) 07/24/2012\n ffffffff81a4edce ffff880236ec7ba8 ffffffff81716651 0000000000000000\n ffff880236ec7bf8 ffff880236ec7be8 ffffffff8106e146 0000000000000282\n ffffffff81a50119 000000000000028b 0000000000000000 ffff8802dab7c508\nCall Trace:\n...\n [\u003cffffffff8106e1c6\u003e] warn_slowpath_fmt+0x46/0x50\n [\u003cffffffff8109a8bd\u003e] __might_sleep+0x7d/0x90\n [\u003cffffffff8171b20f\u003e] mutex_lock_interruptible_nested+0x2f/0x4b0\n [\u003cffffffffa0c588fc\u003e] usblp_wwait+0xcc/0x310 [usblp]\n [\u003cffffffffa0c58bb2\u003e] usblp_write+0x72/0x350 [usblp]\n [\u003cffffffff8121ed98\u003e] __vfs_write+0x28/0xf0\n...\n\nCommit 7f477358e2384c54b190cc3b6ce28277050a041b (usblp: Implement the\nENOSPC convention) moved the set prior locking. So move it back after\nthe lock.\n\nSigned-off-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nFixes: 7f477358e2 (\"usblp: Implement the ENOSPC convention\")\nAcked-By: Pete Zaitcev \u003czaitcev@yahoo.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "d1ed24e961d75e95b482523de73f78e93b128048",
      "tree": "1598a7e9a3c8806ed9c960de34f2762f0c01b73d",
      "parents": [
        "97164eb83570f911e270436f5e4c286eb37ce831"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Wed Nov 18 12:40:13 2015 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:29 2016 +0800"
      },
      "message": "tcp: md5: fix lockdep annotation\n\ncommit 1b8e6a01e19f001e9f93b39c32387961c91ed3cc upstream.\n\nWhen a passive TCP is created, we eventually call tcp_md5_do_add()\nwith sk pointing to the child. It is not owner by the user yet (we\nwill add this socket into listener accept queue a bit later anyway)\n\nBut we do own the spinlock, so amend the lockdep annotation to avoid\nfollowing splat :\n\n[ 8451.090932] net/ipv4/tcp_ipv4.c:923 suspicious rcu_dereference_protected() usage!\n[ 8451.090932]\n[ 8451.090932] other info that might help us debug this:\n[ 8451.090932]\n[ 8451.090934]\n[ 8451.090934] rcu_scheduler_active \u003d 1, debug_locks \u003d 1\n[ 8451.090936] 3 locks held by socket_sockopt_/214795:\n[ 8451.090936]  #0:  (rcu_read_lock){.+.+..}, at: [\u003cffffffff855c6ac1\u003e] __netif_receive_skb_core+0x151/0xe90\n[ 8451.090947]  #1:  (rcu_read_lock){.+.+..}, at: [\u003cffffffff85618143\u003e] ip_local_deliver_finish+0x43/0x2b0\n[ 8451.090952]  #2:  (slock-AF_INET){+.-...}, at: [\u003cffffffff855acda5\u003e] sk_clone_lock+0x1c5/0x500\n[ 8451.090958]\n[ 8451.090958] stack backtrace:\n[ 8451.090960] CPU: 7 PID: 214795 Comm: socket_sockopt_\n\n[ 8451.091215] Call Trace:\n[ 8451.091216]  \u003cIRQ\u003e  [\u003cffffffff856fb29c\u003e] dump_stack+0x55/0x76\n[ 8451.091229]  [\u003cffffffff85123b5b\u003e] lockdep_rcu_suspicious+0xeb/0x110\n[ 8451.091235]  [\u003cffffffff8564544f\u003e] tcp_md5_do_add+0x1bf/0x1e0\n[ 8451.091239]  [\u003cffffffff85645751\u003e] tcp_v4_syn_recv_sock+0x1f1/0x4c0\n[ 8451.091242]  [\u003cffffffff85642b27\u003e] ? tcp_v4_md5_hash_skb+0x167/0x190\n[ 8451.091246]  [\u003cffffffff85647c78\u003e] tcp_check_req+0x3c8/0x500\n[ 8451.091249]  [\u003cffffffff856451ae\u003e] ? tcp_v4_inbound_md5_hash+0x11e/0x190\n[ 8451.091253]  [\u003cffffffff85647170\u003e] tcp_v4_rcv+0x3c0/0x9f0\n[ 8451.091256]  [\u003cffffffff85618143\u003e] ? ip_local_deliver_finish+0x43/0x2b0\n[ 8451.091260]  [\u003cffffffff856181b6\u003e] ip_local_deliver_finish+0xb6/0x2b0\n[ 8451.091263]  [\u003cffffffff85618143\u003e] ? ip_local_deliver_finish+0x43/0x2b0\n[ 8451.091267]  [\u003cffffffff85618d38\u003e] ip_local_deliver+0x48/0x80\n[ 8451.091270]  [\u003cffffffff85618510\u003e] ip_rcv_finish+0x160/0x700\n[ 8451.091273]  [\u003cffffffff8561900e\u003e] ip_rcv+0x29e/0x3d0\n[ 8451.091277]  [\u003cffffffff855c74b7\u003e] __netif_receive_skb_core+0xb47/0xe90\n\nFixes: a8afca0329988 (\"tcp: md5: protects md5sig_info with RCU\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReported-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "97164eb83570f911e270436f5e4c286eb37ce831",
      "tree": "0bafd6ba77c99cf67f589ef7e24e5ef54f4516b6",
      "parents": [
        "e37ecd53989e3a4a7ed4ccb8cd38a11ddb8b4eff"
      ],
      "author": {
        "name": "Sabrina Dubroca",
        "email": "sd@queasysnail.net",
        "time": "Mon Nov 16 22:54:20 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:29 2016 +0800"
      },
      "message": "macvlan: fix leak in macvlan_handle_frame\n\ncommit e639b8d8a7a728f0b05ef2df6cb6b45dc3d4e556 upstream.\n\nReset pskb in macvlan_handle_frame in case skb_share_check returned a\nclone.\n\nFixes: 8a4eb5734e8d (\"net: introduce rx_handler results and logic around that\")\nSigned-off-by: Sabrina Dubroca \u003csd@queasysnail.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "e37ecd53989e3a4a7ed4ccb8cd38a11ddb8b4eff",
      "tree": "ebbea9f1fa0614b6c52eac03c6e6539abb030437",
      "parents": [
        "a73cb24083e4068c8a7b7de4820e4906f78651b8"
      ],
      "author": {
        "name": "Johannes Berg",
        "email": "johannes.berg@intel.com",
        "time": "Tue Nov 17 14:25:21 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:29 2016 +0800"
      },
      "message": "mac80211: mesh: fix call_rcu() usage\n\ncommit c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 upstream.\n\nWhen using call_rcu(), the called function may be delayed quite\nsignificantly, and without a matching rcu_barrier() there\u0027s no\nway to be sure it has finished.\nTherefore, global state that could be gone/freed/reused should\nnever be touched in the callback.\n\nFix this in mesh by moving the atomic_dec() into the caller;\nthat\u0027s not really a problem since we already unlinked the path\nand it will be destroyed anyway.\n\nThis fixes a crash Jouni observed when running certain tests in\na certain order, in which the mesh interface was torn down, the\nmemory reused for a function pointer (work struct) and running\nthat then crashed since the pointer had been decremented by 1,\nresulting in an invalid instruction byte stream.\n\nFixes: eb2b9311fd00 (\"mac80211: mesh path table implementation\")\nReported-by: Jouni Malinen \u003cj@w1.fi\u003e\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "a73cb24083e4068c8a7b7de4820e4906f78651b8",
      "tree": "80362dd610676ba64ca43f040fbaebe478ffcad1",
      "parents": [
        "f4ea18fe5670fd16215344eaf3f7bfd7f19e0012"
      ],
      "author": {
        "name": "Nikolay Aleksandrov",
        "email": "nikolay@cumulusnetworks.com",
        "time": "Fri Nov 13 15:20:24 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:29 2016 +0800"
      },
      "message": "net: fix __netdev_update_features return on ndo_set_features failure\n\ncommit 00ee5927177792a6e139d50b6b7564d35705556a upstream.\n\nIf ndo_set_features fails __netdev_update_features() will return -1 but\nthis is wrong because it is expected to return 0 if no features were\nchanged (see netdev_update_features()), which will cause a netdev\nnotifier to be called without any actual changes. Fix this by returning\n0 if ndo_set_features fails.\n\nFixes: 6cb6a27c45ce (\"net: Call netdev_features_change() from netdev_update_features()\")\nCC: Michał Mirosław \u003cmirq-linux@rere.qmqm.pl\u003e\nSigned-off-by: Nikolay Aleksandrov \u003cnikolay@cumulusnetworks.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "f4ea18fe5670fd16215344eaf3f7bfd7f19e0012",
      "tree": "e8c6bdb75485daa179ffaf2c63c4026786f0ab37",
      "parents": [
        "6f67790b827dd495e7bf1bd874b8ad5ac6b3c0c4"
      ],
      "author": {
        "name": "Uwe Kleine-König",
        "email": "u.kleine-koenig@pengutronix.de",
        "time": "Fri Oct 23 09:53:50 2015 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:28 2016 +0800"
      },
      "message": "usb: musb: core: fix order of arguments to ulpi write callback\n\ncommit 705e63d2b29c8bbf091119084544d353bda70393 upstream.\n\nThere is a bit of a mess in the order of arguments to the ulpi write\ncallback. There is\n\n\tint ulpi_write(struct ulpi *ulpi, u8 addr, u8 val)\n\nin drivers/usb/common/ulpi.c;\n\n\tstruct usb_phy_io_ops {\n\t\t...\n\t\tint (*write)(struct usb_phy *x, u32 val, u32 reg);\n\t}\n\nin include/linux/usb/phy.h.\n\nThe callback registered by the musb driver has to comply to the latter,\nbut up to now had \"offset\" first which effectively made the function\nbroken for correct users. So flip the order and while at it also\nswitch to the parameter names of struct usb_phy_io_ops\u0027s write.\n\nFixes: ffb865b1e460 (\"usb: musb: add ulpi access operations\")\nSigned-off-by: Uwe Kleine-König \u003cu.kleine-koenig@pengutronix.de\u003e\nSigned-off-by: Felipe Balbi \u003cbalbi@ti.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "6f67790b827dd495e7bf1bd874b8ad5ac6b3c0c4",
      "tree": "1aea95a49b5091aa9510a2b0b8cffa77bb871187",
      "parents": [
        "bf4d43e3d2eb1a772e6ac915ffbb88e50f006cbf"
      ],
      "author": {
        "name": "lucien",
        "email": "lucien.xin@gmail.com",
        "time": "Thu Nov 12 13:07:07 2015 +0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:28 2016 +0800"
      },
      "message": "sctp: translate host order to network order when setting a hmacid\n\ncommit ed5a377d87dc4c87fb3e1f7f698cba38cd893103 upstream.\n\nnow sctp auth cannot work well when setting a hmacid manually, which\nis caused by that we didn\u0027t use the network order for hmacid, so fix\nit by adding the transformation in sctp_auth_ep_set_hmacs.\n\neven we set hmacid with the network order in userspace, it still\ncan\u0027t work, because of this condition in sctp_auth_ep_set_hmacs():\n\n\t\tif (id \u003e SCTP_AUTH_HMAC_ID_MAX)\n\t\t\treturn -EOPNOTSUPP;\n\nso this wasn\u0027t working before and thus it won\u0027t break compatibility.\n\nFixes: 65b07e5d0d09 (\"[SCTP]: API updates to suport SCTP-AUTH extensions.\")\nSigned-off-by: Xin Long \u003clucien.xin@gmail.com\u003e\nSigned-off-by: Marcelo Ricardo Leitner \u003cmarcelo.leitner@gmail.com\u003e\nAcked-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nAcked-by: Vlad Yasevich \u003cvyasevich@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "bf4d43e3d2eb1a772e6ac915ffbb88e50f006cbf",
      "tree": "f22f4b0819117fac0eaae5af95a1c1ade85b225e",
      "parents": [
        "ca466a669d9ef5c0c9dd512bbfb6ef2743ae04f8"
      ],
      "author": {
        "name": "Maciej W. Rozycki",
        "email": "macro@imgtec.com",
        "time": "Mon Oct 26 15:48:19 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:28 2016 +0800"
      },
      "message": "binfmt_elf: Don\u0027t clobber passed executable\u0027s file header\n\ncommit b582ef5c53040c5feef4c96a8f9585b6831e2441 upstream.\n\nDo not clobber the buffer space passed from `search_binary_handler\u0027 and\noriginally preloaded by `prepare_binprm\u0027 with the executable\u0027s file\nheader by overwriting it with its interpreter\u0027s file header.  Instead\nkeep the buffer space intact and directly use the data structure locally\nallocated for the interpreter\u0027s file header, fixing a bug introduced in\n2.1.14 with loadable module support (linux-mips.org commit beb11695\n[Import of Linux/MIPS 2.1.14], predating kernel.org repo\u0027s history).\nAdjust the amount of data read from the interpreter\u0027s file accordingly.\n\nThis was not an issue before loadable module support, because back then\n`load_elf_binary\u0027 was executed only once for a given ELF executable,\nwhether the function succeeded or failed.\n\nWith loadable module support supported and enabled, upon a failure of\n`load_elf_binary\u0027 -- which may for example be caused by architecture\ncode rejecting an executable due to a missing hardware feature requested\nin the file header -- a module load is attempted and then the function\nreexecuted by `search_binary_handler\u0027.  With the executable\u0027s file\nheader replaced with its interpreter\u0027s file header the executable can\nthen be erroneously accepted in this subsequent attempt.\n\nSigned-off-by: Maciej W. Rozycki \u003cmacro@imgtec.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "ca466a669d9ef5c0c9dd512bbfb6ef2743ae04f8",
      "tree": "b3d7c52fe7b4b9793897c876c9f3aa1754ce0da4",
      "parents": [
        "3d67710ac3f2660b786973ac89a74506e2584739"
      ],
      "author": {
        "name": "Peter Oberparleiter",
        "email": "oberpar@linux.vnet.ibm.com",
        "time": "Tue Oct 27 10:49:54 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:28 2016 +0800"
      },
      "message": "scsi_sysfs: Fix queue_ramp_up_period return code\n\ncommit 863e02d0e173bb9d8cea6861be22820b25c076cc upstream.\n\nWriting a number to /sys/bus/scsi/devices/\u003csdev\u003e/queue_ramp_up_period\nreturns the value of that number instead of the number of bytes written.\nThis behavior can confuse programs expecting POSIX write() semantics.\nFix this by returning the number of bytes written instead.\n\nSigned-off-by: Peter Oberparleiter \u003coberpar@linux.vnet.ibm.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@suse.de\u003e\nReviewed-by: Matthew R. Ochs \u003cmrochs@linux.vnet.ibm.com\u003e\nReviewed-by: Ewan D. Milne \u003cemilne@redhat.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "3d67710ac3f2660b786973ac89a74506e2584739",
      "tree": "c1626947f9febdf9c3daa28910da28c5a7e416e8",
      "parents": [
        "c9a5c53a3165129becc2f17d7abd5fc3f200dbc1"
      ],
      "author": {
        "name": "Peter Zijlstra",
        "email": "peterz@infradead.org",
        "time": "Mon Nov 02 10:50:51 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:28 2016 +0800"
      },
      "message": "perf: Fix inherited events vs. tracepoint filters\n\ncommit b71b437eedaed985062492565d9d421d975ae845 upstream.\n\nArnaldo reported that tracepoint filters seem to misbehave (ie. not\napply) on inherited events.\n\nThe fix is obvious; filters are only set on the actual (parent)\nevent, use the normal pattern of using this parent event for filters.\nThis is safe because each child event has a reference to it.\n\nReported-by: Arnaldo Carvalho de Melo \u003cacme@kernel.org\u003e\nTested-by: Arnaldo Carvalho de Melo \u003cacme@kernel.org\u003e\nSigned-off-by: Peter Zijlstra (Intel) \u003cpeterz@infradead.org\u003e\nCc: Adrian Hunter \u003cadrian.hunter@intel.com\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nCc: David Ahern \u003cdsahern@gmail.com\u003e\nCc: Frédéric Weisbecker \u003cfweisbec@gmail.com\u003e\nCc: Jiri Olsa \u003cjolsa@kernel.org\u003e\nCc: Jiri Olsa \u003cjolsa@redhat.com\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Steven Rostedt \u003crostedt@goodmis.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Wang Nan \u003cwangnan0@huawei.com\u003e\nLink: http://lkml.kernel.org/r/20151102095051.GN17308@twins.programming.kicks-ass.net\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "c9a5c53a3165129becc2f17d7abd5fc3f200dbc1",
      "tree": "4c4ab35e321236d1edb466dcdf58d9d9536a4ba1",
      "parents": [
        "3682517dcd2d0986a5eccde63885c070b9dc9a7f"
      ],
      "author": {
        "name": "Filipe Manana",
        "email": "fdmanana@suse.com",
        "time": "Mon Nov 09 00:33:58 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:28 2016 +0800"
      },
      "message": "Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow\n\ncommit 1d512cb77bdbda80f0dd0620a3b260d697fd581d upstream.\n\nIf we are using the NO_HOLES feature, we have a tiny time window when\nrunning delalloc for a nodatacow inode where we can race with a concurrent\nlink or xattr add operation leading to a BUG_ON.\n\nThis happens because at run_delalloc_nocow() we end up casting a leaf item\nof type BTRFS_INODE_[REF|EXTREF]_KEY or of type BTRFS_XATTR_ITEM_KEY to a\nfile extent item (struct btrfs_file_extent_item) and then analyse its\nextent type field, which won\u0027t match any of the expected extent types\n(values BTRFS_FILE_EXTENT_[REG|PREALLOC|INLINE]) and therefore trigger an\nexplicit BUG_ON(1).\n\nThe following sequence diagram shows how the race happens when running a\nno-cow dellaloc range [4K, 8K[ for inode 257 and we have the following\nneighbour leafs:\n\n             Leaf X (has N items)                    Leaf Y\n\n [ ... (257 INODE_ITEM 0) (257 INODE_REF 256) ]  [ (257 EXTENT_DATA 8192), ... ]\n              slot N - 2         slot N - 1              slot 0\n\n (Note the implicit hole for inode 257 regarding the [0, 8K[ range)\n\n       CPU 1                                         CPU 2\n\n run_dealloc_nocow()\n   btrfs_lookup_file_extent()\n     --\u003e searches for a key with value\n         (257 EXTENT_DATA 4096) in the\n         fs/subvol tree\n     --\u003e returns us a path with\n         path-\u003enodes[0] \u003d\u003d leaf X and\n         path-\u003eslots[0] \u003d\u003d N\n\n   because path-\u003eslots[0] is \u003e\u003d\n   btrfs_header_nritems(leaf X), it\n   calls btrfs_next_leaf()\n\n   btrfs_next_leaf()\n     --\u003e releases the path\n\n                                              hard link added to our inode,\n                                              with key (257 INODE_REF 500)\n                                              added to the end of leaf X,\n                                              so leaf X now has N + 1 keys\n\n     --\u003e searches for the key\n         (257 INODE_REF 256), because\n         it was the last key in leaf X\n         before it released the path,\n         with path-\u003ekeep_locks set to 1\n\n     --\u003e ends up at leaf X again and\n         it verifies that the key\n         (257 INODE_REF 256) is no longer\n         the last key in the leaf, so it\n         returns with path-\u003enodes[0] \u003d\u003d\n         leaf X and path-\u003eslots[0] \u003d\u003d N,\n         pointing to the new item with\n         key (257 INODE_REF 500)\n\n   the loop iteration of run_dealloc_nocow()\n   does not break out the loop and continues\n   because the key referenced in the path\n   at path-\u003enodes[0] and path-\u003eslots[0] is\n   for inode 257, its type is \u003c BTRFS_EXTENT_DATA_KEY\n   and its offset (500) is less then our delalloc\n   range\u0027s end (8192)\n\n   the item pointed by the path, an inode reference item,\n   is (incorrectly) interpreted as a file extent item and\n   we get an invalid extent type, leading to the BUG_ON(1):\n\n   if (extent_type \u003d\u003d BTRFS_FILE_EXTENT_REG ||\n      extent_type \u003d\u003d BTRFS_FILE_EXTENT_PREALLOC) {\n       (...)\n   } else if (extent_type \u003d\u003d BTRFS_FILE_EXTENT_INLINE) {\n       (...)\n   } else {\n       BUG_ON(1)\n   }\n\nThe same can happen if a xattr is added concurrently and ends up having\na key with an offset smaller then the delalloc\u0027s range end.\n\nSo fix this by skipping keys with a type smaller than\nBTRFS_EXTENT_DATA_KEY.\n\nSigned-off-by: Filipe Manana \u003cfdmanana@suse.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "3682517dcd2d0986a5eccde63885c070b9dc9a7f",
      "tree": "40d8fc16220c2b48f0adae58b4eec7a5b17276f6",
      "parents": [
        "51257521d239b972074c0cd0d8f50b2b631e3997"
      ],
      "author": {
        "name": "Borislav Petkov",
        "email": "bp@suse.de",
        "time": "Thu Nov 05 16:57:56 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:27 2016 +0800"
      },
      "message": "x86/cpu: Call verify_cpu() after having entered long mode too\n\ncommit 04633df0c43d710e5f696b06539c100898678235 upstream.\n\nWhen we get loaded by a 64-bit bootloader, kernel entry point is\nstartup_64 in head_64.S. We don\u0027t trust any and all bootloaders because\nsome will fiddle with CPU configuration so we go ahead and massage each\nCPU into sanity again.\n\nFor example, some dell BIOSes have this XD disable feature which set\nIA32_MISC_ENABLE[34] and disable NX. This might be some dumb workaround\nfor other OSes but Linux sure doesn\u0027t need it.\n\nA similar thing is present in the Surface 3 firmware - see\nhttps://bugzilla.kernel.org/show_bug.cgi?id\u003d106051 - which sets this bit\nonly on the BSP:\n\n  # rdmsr -a 0x1a0\n  400850089\n  850089\n  850089\n  850089\n\nI know, right?!\n\nThere\u0027s not even an off switch in there.\n\nSo fix all those cases by sanitizing the 64-bit entry point too. For\nthat, make verify_cpu() callable in 64-bit mode also.\n\nRequested-and-debugged-by: \"H. Peter Anvin\" \u003chpa@zytor.com\u003e\nReported-and-tested-by: Bastien Nocera \u003cbugzilla@hadess.net\u003e\nSigned-off-by: Borislav Petkov \u003cbp@suse.de\u003e\nCc: Matt Fleming \u003cmatt@codeblueprint.co.uk\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nLink: http://lkml.kernel.org/r/1446739076-21303-1-git-send-email-bp@alien8.de\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "51257521d239b972074c0cd0d8f50b2b631e3997",
      "tree": "357bd2661e1ef5a1288f30c97f6d6b035e87f39d",
      "parents": [
        "30832ee1fa1efe62fa1c4f2ebe4c335b77596e1f"
      ],
      "author": {
        "name": "Stefan Richter",
        "email": "stefanr@s5r6.in-berlin.de",
        "time": "Tue Nov 03 01:46:21 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:27 2016 +0800"
      },
      "message": "firewire: ohci: fix JMicron JMB38x IT context discovery\n\ncommit 100ceb66d5c40cc0c7018e06a9474302470be73c upstream.\n\nReported by Clifford and Craig for JMicron OHCI-1394 + SDHCI combo\ncontrollers:  Often or even most of the time, the controller is\ninitialized with the message \"added OHCI v1.10 device as card 0, 4 IR +\n0 IT contexts, quirks 0x10\".  With 0 isochronous transmit DMA contexts\n(IT contexts), applications like audio output are impossible.\n\nHowever, OHCI-1394 demands that at least 4 IT contexts are implemented\nby the link layer controller, and indeed JMicron JMB38x do implement\nfour of them.  Only their IsoXmitIntMask register is unreliable at early\naccess.\n\nWith my own JMB381 single function controller I found:\n  - I can reproduce the problem with a lower probability than Craig\u0027s.\n  - If I put a loop around the section which clears and reads\n    IsoXmitIntMask, then either the first or the second attempt will\n    return the correct initial mask of 0x0000000f.  I never encountered\n    a case of needing more than a second attempt.\n  - Consequently, if I put a dummy reg_read(...IsoXmitIntMaskSet)\n    before the first write, the subsequent read will return the correct\n    result.\n  - If I merely ignore a wrong read result and force the known real\n    result, later isochronous transmit DMA usage works just fine.\n\nSo let\u0027s just fix this chip bug up by the latter method.  Tested with\nJMB381 on kernel 3.13 and 4.3.\n\nSince OHCI-1394 generally requires 4 IT contexts at a minium, this\nworkaround is simply applied whenever the initial read of IsoXmitIntMask\nreturns 0, regardless whether it\u0027s a JMicron chip or not.  I never heard\nof this issue together with any other chip though.\n\nI am not 100% sure that this fix works on the OHCI-1394 part of JMB380\nand JMB388 combo controllers exactly the same as on the JMB381 single-\nfunction controller, but so far I haven\u0027t had a chance to let an owner\nof a combo chip run a patched kernel.\n\nStrangely enough, IsoRecvIntMask is always reported correctly, even\nthough it is probed right before IsoXmitIntMask.\n\nReported-by: Clifford Dunn\nReported-by: Craig Moore \u003ccraig.moore@qenos.com\u003e\nSigned-off-by: Stefan Richter \u003cstefanr@s5r6.in-berlin.de\u003e\n[lizf: Backported to 3.4: use dev_notice() instead of ohci_notice()]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "30832ee1fa1efe62fa1c4f2ebe4c335b77596e1f",
      "tree": "19dc7e529baa51a0dd086755a20a913df4a17530",
      "parents": [
        "41f3ded1a0e9198b41922bcf878273a7c1f8b1fd"
      ],
      "author": {
        "name": "Takashi Iwai",
        "email": "tiwai@suse.de",
        "time": "Wed Nov 04 22:39:16 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:27 2016 +0800"
      },
      "message": "ALSA: hda - Apply pin fixup for HP ProBook 6550b\n\ncommit c932b98c1e47312822d911c1bb76e81ef50e389c upstream.\n\nHP ProBook 6550b needs the same pin fixup applied to other HP B-series\nlaptops with docks for making its headphone and dock headphone jacks\nworking properly.  We just need to add the codec SSID to the list.\n\nBugzilla: https://bugzilla.kernel.org/attachment.cgi?id\u003d191971\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "41f3ded1a0e9198b41922bcf878273a7c1f8b1fd",
      "tree": "33a504887a7f2e3b46cf1009b979ab6af9acd64c",
      "parents": [
        "8b3e15b2088855b7fc6f4fb1891df6016640dbbd"
      ],
      "author": {
        "name": "sumit.saxena@avagotech.com",
        "email": "sumit.saxena@avagotech.com",
        "time": "Thu Oct 15 13:40:54 2015 +0530"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:27 2016 +0800"
      },
      "message": "megaraid_sas : SMAP restriction--do not access user memory from IOCTL code\n\ncommit 323c4a02c631d00851d8edc4213c4d184ef83647 upstream.\n\nThis is an issue on SMAP enabled CPUs and 32 bit apps running on 64 bit\nOS. Do not access user memory from kernel code. The SMAP bit restricts\naccessing user memory from kernel code.\n\nSigned-off-by: Sumit Saxena \u003csumit.saxena@avagotech.com\u003e\nSigned-off-by: Kashyap Desai \u003ckashyap.desai@avagotech.com\u003e\nReviewed-by: Tomas Henzl \u003cthenzl@redhat.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "8b3e15b2088855b7fc6f4fb1891df6016640dbbd",
      "tree": "6d60799a7bca7d5ffaf930ccc45a4857740bda21",
      "parents": [
        "022439379c5b03c99d8f60e0db40a0a67ea6c7c5"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Sun Nov 01 17:11:19 2015 +0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:26 2016 +0800"
      },
      "message": "crypto: algif_hash - Only export and import on sockets with data\n\ncommit 4afa5f9617927453ac04b24b584f6c718dfb4f45 upstream.\n\nThe hash_accept call fails to work on sockets that have not received\nany data.  For some algorithm implementations it may cause crashes.\n\nThis patch fixes this by ensuring that we only export and import on\nsockets that have received data.\n\nReported-by: Harsh Jain \u003charshjain.prof@gmail.com\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nTested-by: Stephan Mueller \u003csmueller@chronox.de\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "022439379c5b03c99d8f60e0db40a0a67ea6c7c5",
      "tree": "9f52fe6eb6225c00cf8bc7055ff33cc3c5f5f2c7",
      "parents": [
        "e4f365574df72caf5dbf0773adeee356275aa2ee"
      ],
      "author": {
        "name": "Mauricio Faria de Oliveira",
        "email": "mauricfo@linux.vnet.ibm.com",
        "time": "Thu Oct 29 10:24:23 2015 -0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:26 2016 +0800"
      },
      "message": "Revert \"dm mpath: fix stalls when handling invalid ioctls\"\n\ncommit 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 upstream.\n\nThis reverts commit a1989b330093578ea5470bea0a00f940c444c466.\n\nThat commit introduced a regression at least for the case of the SG_IO ioctl()\nrunning without CAP_SYS_RAWIO capability (e.g., unprivileged users) when there\nare no active paths: the ioctl() fails with the ENOTTY errno immediately rather\nthan blocking due to queue_if_no_path until a path becomes active, for example.\n\nThat case happens to be exercised by QEMU KVM guests with \u0027scsi-block\u0027 devices\n(qemu \"-device scsi-block\" [1], libvirt \"\u003cdisk type\u003d\u0027block\u0027 device\u003d\u0027lun\u0027\u003e\" [2])\nfrom multipath devices; which leads to SCSI/filesystem errors in such a guest.\n\nMore general scenarios can hit that regression too. The following demonstration\nemploys a SG_IO ioctl() with a standard SCSI INQUIRY command for this objective\n(some output \u0026 user changes omitted for brevity and comments added for clarity).\n\nReverting that commit restores normal operation (queueing) in failing scenarios;\ntested on linux-next (next-20151022).\n\n1) Test-case is based on sg_simple0 [3] (just SG_IO; remove SG_GET_VERSION_NUM)\n\n    $ cat sg_simple0.c\n    ... see [3] ...\n    $ sed \u0027/SG_GET_VERSION_NUM/,/}/d\u0027 sg_simple0.c \u003e sgio_inquiry.c\n    $ gcc sgio_inquiry.c -o sgio_inquiry\n\n2) The ioctl() works fine with active paths present.\n\n    # multipath -l 85ag56\n    85ag56 (...) dm-19 IBM     ,2145\n    size\u003d60G features\u003d\u00271 queue_if_no_path\u0027 hwhandler\u003d\u00270\u0027 wp\u003drw\n    |-+- policy\u003d\u0027service-time 0\u0027 prio\u003d0 status\u003dactive\n    | |- 8:0:11:0  sdz  65:144  active undef running\n    | `- 9:0:9:0   sdbf 67:144  active undef running\n    `-+- policy\u003d\u0027service-time 0\u0027 prio\u003d0 status\u003denabled\n      |- 8:0:12:0  sdae 65:224  active undef running\n      `- 9:0:12:0  sdbo 68:32   active undef running\n\n    $ ./sgio_inquiry /dev/mapper/85ag56\n    Some of the INQUIRY command\u0027s response:\n        IBM       2145              0000\n    INQUIRY duration\u003d0 millisecs, resid\u003d0\n\n3) The ioctl() fails with ENOTTY errno with _no_ active paths present,\n   for unprivileged users (rather than blocking due to queue_if_no_path).\n\n    # for path in $(multipath -l 85ag56 | grep -o \u0027sd[a-z]\\+\u0027); \\\n          do multipathd -k\"fail path $path\"; done\n\n    # multipath -l 85ag56\n    85ag56 (...) dm-19 IBM     ,2145\n    size\u003d60G features\u003d\u00271 queue_if_no_path\u0027 hwhandler\u003d\u00270\u0027 wp\u003drw\n    |-+- policy\u003d\u0027service-time 0\u0027 prio\u003d0 status\u003denabled\n    | |- 8:0:11:0  sdz  65:144  failed undef running\n    | `- 9:0:9:0   sdbf 67:144  failed undef running\n    `-+- policy\u003d\u0027service-time 0\u0027 prio\u003d0 status\u003denabled\n      |- 8:0:12:0  sdae 65:224  failed undef running\n      `- 9:0:12:0  sdbo 68:32   failed undef running\n\n    $ ./sgio_inquiry /dev/mapper/85ag56\n    sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device\n\n4) dmesg shows that scsi_verify_blk_ioctl() failed for SG_IO (0x2285);\n   it returns -ENOIOCTLCMD, later replaced with -ENOTTY in vfs_ioctl().\n\n    $ dmesg\n    \u003c...\u003e\n    [] device-mapper: multipath: Failing path 65:144.\n    [] device-mapper: multipath: Failing path 67:144.\n    [] device-mapper: multipath: Failing path 65:224.\n    [] device-mapper: multipath: Failing path 68:32.\n    [] sgio_inquiry: sending ioctl 2285 to a partition!\n\n5) The ioctl() only works if the SYS_CAP_RAWIO capability is present\n   (then queueing happens -- in this example, queue_if_no_path is set);\n   this is due to a conditional check in scsi_verify_blk_ioctl().\n\n    # capsh --drop\u003dcap_sys_rawio -- -c \u0027./sgio_inquiry /dev/mapper/85ag56\u0027\n    sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device\n\n    # ./sgio_inquiry /dev/mapper/85ag56 \u0026\n    [1] 72830\n\n    # cat /proc/72830/stack\n    [\u003cc00000171c0df700\u003e] 0xc00000171c0df700\n    [\u003cc000000000015934\u003e] __switch_to+0x204/0x350\n    [\u003cc000000000152d4c\u003e] msleep+0x5c/0x80\n    [\u003cc00000000077dfb0\u003e] dm_blk_ioctl+0x70/0x170\n    [\u003cc000000000487c40\u003e] blkdev_ioctl+0x2b0/0x9b0\n    [\u003cc0000000003128e4\u003e] block_ioctl+0x64/0xd0\n    [\u003cc0000000002dd3b0\u003e] do_vfs_ioctl+0x490/0x780\n    [\u003cc0000000002dd774\u003e] SyS_ioctl+0xd4/0xf0\n    [\u003cc000000000009358\u003e] system_call+0x38/0xd0\n\n6) This is the function call chain exercised in this analysis:\n\nSYSCALL_DEFINE3(ioctl, \u003c...\u003e) @ fs/ioctl.c\n    -\u003e do_vfs_ioctl()\n        -\u003e vfs_ioctl()\n            ...\n            error \u003d filp-\u003ef_op-\u003eunlocked_ioctl(filp, cmd, arg);\n            ...\n                -\u003e dm_blk_ioctl() @ drivers/md/dm.c\n                    -\u003e multipath_ioctl() @ drivers/md/dm-mpath.c\n                        ...\n                        (bdev \u003d NULL, due to no active paths)\n                        ...\n                        if (!bdev || \u003c...\u003e) {\n                            int err \u003d scsi_verify_blk_ioctl(NULL, cmd);\n                            if (err)\n                                r \u003d err;\n                        }\n                        ...\n                            -\u003e scsi_verify_blk_ioctl() @ block/scsi_ioctl.c\n                                ...\n                                if (bd \u0026\u0026 bd \u003d\u003d bd-\u003ebd_contains) // not taken (bd \u003d NULL)\n                                    return 0;\n                                ...\n                                if (capable(CAP_SYS_RAWIO)) // not taken (unprivileged user)\n                                    return 0;\n                                ...\n                                printk_ratelimited(KERN_WARNING\n                                           \"%s: sending ioctl %x to a partition!\\n\" \u003c...\u003e);\n\n                                return -ENOIOCTLCMD;\n                            \u003c-\n                        ...\n                        return r ? : \u003c...\u003e\n                    \u003c-\n            ...\n            if (error \u003d\u003d -ENOIOCTLCMD)\n                error \u003d -ENOTTY;\n             out:\n                return error;\n            ...\n\nLinks:\n[1] http://git.qemu.org/?p\u003dqemu.git;a\u003dcommit;h\u003d336a6915bc7089fb20fea4ba99972ad9a97c5f52\n[2] https://libvirt.org/formatdomain.html#elementsDisks (see \u0027disk\u0027 -\u003e \u0027device\u0027)\n[3] http://tldp.org/HOWTO/SCSI-Generic-HOWTO/pexample.html (Revision 1.2, 2002-05-03)\n\nSigned-off-by: Mauricio Faria de Oliveira \u003cmauricfo@linux.vnet.ibm.com\u003e\nSigned-off-by: Mike Snitzer \u003csnitzer@redhat.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "e4f365574df72caf5dbf0773adeee356275aa2ee",
      "tree": "e62f64707566140ae701bdc898ecba6b9a8ee013",
      "parents": [
        "1ce8fa16ce3b5e5d116f7a715c1fd82c4e2ae994"
      ],
      "author": {
        "name": "sumit.saxena@avagotech.com",
        "email": "sumit.saxena@avagotech.com",
        "time": "Thu Oct 15 13:40:04 2015 +0530"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:26 2016 +0800"
      },
      "message": "megaraid_sas: Do not use PAGE_SIZE for max_sectors\n\ncommit 357ae967ad66e357f78b5cfb5ab6ca07fb4a7758 upstream.\n\nDo not use PAGE_SIZE marco to calculate max_sectors per I/O\nrequest. Driver code assumes PAGE_SIZE will be always 4096 which can\nlead to wrongly calculated value if PAGE_SIZE is not 4096. This issue\nwas reported in Ubuntu Bugzilla Bug #1475166.\n\nSigned-off-by: Sumit Saxena \u003csumit.saxena@avagotech.com\u003e\nSigned-off-by: Kashyap Desai \u003ckashyap.desai@avagotech.com\u003e\nReviewed-by: Tomas Henzl \u003cthenzl@redhat.com\u003e\nReviewed-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "1ce8fa16ce3b5e5d116f7a715c1fd82c4e2ae994",
      "tree": "8ac65ee84e405a85f92a3b79a8e5eebaae06ac31",
      "parents": [
        "1be2ead7a8f779f2595afaa5523e7f83cd0dcf2b"
      ],
      "author": {
        "name": "Takashi Iwai",
        "email": "tiwai@suse.de",
        "time": "Tue Oct 27 14:21:51 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:26 2016 +0800"
      },
      "message": "ALSA: hda - Disable 64bit address for Creative HDA controllers\n\ncommit cadd16ea33a938d49aee99edd4758cc76048b399 upstream.\n\nWe\u0027ve had many reports that some Creative sound cards with CA0132\ndon\u0027t work well.  Some reported that it starts working after reloading\nthe module, while some reported it starts working when a 32bit kernel\nis used.  All these facts seem implying that the chip fails to\ncommunicate when the buffer is located in 64bit address.\n\nThis patch addresses these issues by just adding AZX_DCAPS_NO_64BIT\nflag to the corresponding PCI entries.  I casually had a chance to\ntest an SB Recon3D board, and indeed this seems helping.\n\nAlthough this hasn\u0027t been tested on all Creative devices, it\u0027s safer\nto assume that this restriction applies to the rest of them, too.  So\nthe flag is applied to all Creative entries.\n\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\n[lizf: Backported to 3.4: drop the change to macro AZX_DCAPS_PRESET_CTHDA]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "1be2ead7a8f779f2595afaa5523e7f83cd0dcf2b",
      "tree": "c6bf0497e9819a794611333d238f48c46f861f14",
      "parents": [
        "ff0dd8f8f68435374713feecdf74736953fd5196"
      ],
      "author": {
        "name": "Chen Yu",
        "email": "yu.c.chen@intel.com",
        "time": "Sun Oct 25 01:02:19 2015 +0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:26 2016 +0800"
      },
      "message": "ACPI: Use correct IRQ when uninstalling ACPI interrupt handler\n\ncommit 49e4b84333f338d4f183f28f1f3c1131b9fb2b5a upstream.\n\nCurrently when the system is trying to uninstall the ACPI interrupt\nhandler, it uses acpi_gbl_FADT.sci_interrupt as the IRQ number.\nHowever, the IRQ number that the ACPI interrupt handled is installed\nfor comes from acpi_gsi_to_irq() and that is the number that should\nbe used for the handler removal.\n\nFix this problem by using the mapped IRQ returned from acpi_gsi_to_irq()\nas appropriate.\n\nAcked-by: Lv Zheng \u003clv.zheng@intel.com\u003e\nSigned-off-by: Chen Yu \u003cyu.c.chen@intel.com\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "ff0dd8f8f68435374713feecdf74736953fd5196",
      "tree": "9801d56c39e433565386c03ccc80115816dbbfa8",
      "parents": [
        "da619cbf55dc44c8c2ef2d1b529d79db79932597"
      ],
      "author": {
        "name": "Larry Finger",
        "email": "Larry.Finger@lwfinger.net",
        "time": "Sun Oct 18 22:14:48 2015 -0500"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:26 2016 +0800"
      },
      "message": "staging: rtl8712: Add device ID for Sitecom WLA2100\n\ncommit 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 upstream.\n\nThis adds the USB ID for the Sitecom WLA2100. The Windows 10 inf file\nwas checked to verify that the addition is correct.\n\nReported-by: Frans van de Wiel \u003cfvdw@fvdw.eu\u003e\nSigned-off-by: Larry Finger \u003cLarry.Finger@lwfinger.net\u003e\nCc: Frans van de Wiel \u003cfvdw@fvdw.eu\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "da619cbf55dc44c8c2ef2d1b529d79db79932597",
      "tree": "2ff5df55c75073b3705a75b1bb7ab35b6837ea1e",
      "parents": [
        "8fb4b054c92925545e6e12b59f0c8b6b6f514984"
      ],
      "author": {
        "name": "Dmitry Tunin",
        "email": "hanipouspilot@gmail.com",
        "time": "Fri Oct 16 11:45:26 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:25 2016 +0800"
      },
      "message": "Bluetooth: ath3k: Add support of AR3012 0cf3:817b device\n\ncommit 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 upstream.\n\nT: Bus\u003d04 Lev\u003d02 Prnt\u003d02 Port\u003d04 Cnt\u003d01 Dev#\u003d 3 Spd\u003d12 MxCh\u003d 0\nD: Ver\u003d 1.10 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d0cf3 ProdID\u003d817b Rev\u003d00.02\nC: #Ifs\u003d 2 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nI: If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nI: If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\n\nBugLink: https://bugs.launchpad.net/bugs/1506615\n\nSigned-off-by: Dmitry Tunin \u003chanipouspilot@gmail.com\u003e\nSigned-off-by: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "8fb4b054c92925545e6e12b59f0c8b6b6f514984",
      "tree": "44361522917cf85e00136eb90fcc8c7e57d692c4",
      "parents": [
        "b7d44ef53eb257900c6f0183a39e4dee6fad6072"
      ],
      "author": {
        "name": "Daeho Jeong",
        "email": "daeho.jeong@samsung.com",
        "time": "Sun Oct 18 17:02:56 2015 -0400"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:25 2016 +0800"
      },
      "message": "ext4, jbd2: ensure entering into panic after recording an error in superblock\n\ncommit 4327ba52afd03fc4b5afa0ee1d774c9c5b0e85c5 upstream.\n\nIf a EXT4 filesystem utilizes JBD2 journaling and an error occurs, the\njournaling will be aborted first and the error number will be recorded\ninto JBD2 superblock and, finally, the system will enter into the\npanic state in \"errors\u003dpanic\" option.  But, in the rare case, this\nsequence is little twisted like the below figure and it will happen\nthat the system enters into panic state, which means the system reset\nin mobile environment, before completion of recording an error in the\njournal superblock. In this case, e2fsck cannot recognize that the\nfilesystem failure occurred in the previous run and the corruption\nwouldn\u0027t be fixed.\n\nTask A                        Task B\next4_handle_error()\n-\u003e jbd2_journal_abort()\n  -\u003e __journal_abort_soft()\n    -\u003e __jbd2_journal_abort_hard()\n    | -\u003e journal-\u003ej_flags |\u003d JBD2_ABORT;\n    |\n    |                         __ext4_abort()\n    |                         -\u003e jbd2_journal_abort()\n    |                         | -\u003e __journal_abort_soft()\n    |                         |   -\u003e if (journal-\u003ej_flags \u0026 JBD2_ABORT)\n    |                         |           return;\n    |                         -\u003e panic()\n    |\n    -\u003e jbd2_journal_update_sb_errno()\n\nTested-by: Hobin Woo \u003chobin.woo@samsung.com\u003e\nSigned-off-by: Daeho Jeong \u003cdaeho.jeong@samsung.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "b7d44ef53eb257900c6f0183a39e4dee6fad6072",
      "tree": "80113e4d7fcbe8114440d08861ff1095b2862fa1",
      "parents": [
        "b0daf15db552d07fb66375ca63fc89ff67db0e26"
      ],
      "author": {
        "name": "David Woodhouse",
        "email": "David.Woodhouse@intel.com",
        "time": "Thu Oct 15 09:28:06 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:25 2016 +0800"
      },
      "message": "iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints\n\ncommit d14053b3c714178525f22660e6aaf41263d00056 upstream.\n\nThe VT-d specification says that \"Software must enable ATS on endpoint\ndevices behind a Root Port only if the Root Port is reported as\nsupporting ATS transactions.\"\n\nWe walk up the tree to find a Root Port, but for integrated devices we\ndon\u0027t find one — we get to the host bridge. In that case we *should*\nallow ATS. Currently we don\u0027t, which means that we are incorrectly\nfailing to use ATS for the integrated graphics. Fix that.\n\nWe should never break out of this loop \"naturally\" with bus\u003d\u003dNULL,\nsince we\u0027ll always find bridge\u003d\u003dNULL in that case (and now return 1).\n\nSo remove the check for (!bridge) after the loop, since it can never\nhappen. If it did, it would be worthy of a BUG_ON(!bridge). But since\nit\u0027ll oops anyway in that case, that\u0027ll do just as well.\n\nSigned-off-by: David Woodhouse \u003cDavid.Woodhouse@intel.com\u003e\n[lizf: Backported to 3.4:\n - adjust context\n - drop the last part of the changes of the patch]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "b0daf15db552d07fb66375ca63fc89ff67db0e26",
      "tree": "ebb97142a0fe4cebf2063e5565f72af9d9d580c3",
      "parents": [
        "e9bceb03dc6bff6e7c513f777ce5d5aead709f3b"
      ],
      "author": {
        "name": "Boris BREZILLON",
        "email": "boris.brezillon@free-electrons.com",
        "time": "Thu Jul 30 12:18:03 2015 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:25 2016 +0800"
      },
      "message": "mtd: mtdpart: fix add_mtd_partitions error path\n\ncommit e5bae86797141e4a95e42d825f737cb36d7b8c37 upstream.\n\nIf we fail to allocate a partition structure in the middle of the partition\ncreation process, the already allocated partitions are never removed, which\nmeans they are still present in the partition list and their resources are\nnever freed.\n\nSigned-off-by: Boris Brezillon \u003cboris.brezillon@free-electrons.com\u003e\nSigned-off-by: Brian Norris \u003ccomputersforpeace@gmail.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "e9bceb03dc6bff6e7c513f777ce5d5aead709f3b",
      "tree": "59863c73cd4fc7a8320ffb898f333784baf50c11",
      "parents": [
        "26a4d4319f52f3e9a397b2006a95a682d9534e72"
      ],
      "author": {
        "name": "Richard Purdie",
        "email": "richard.purdie@linuxfoundation.org",
        "time": "Fri Sep 18 16:31:33 2015 -0700"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:25 2016 +0800"
      },
      "message": "HID: core: Avoid uninitialized buffer access\n\ncommit 79b568b9d0c7c5d81932f4486d50b38efdd6da6d upstream.\n\nhid_connect adds various strings to the buffer but they\u0027re all\nconditional. You can find circumstances where nothing would be written\nto it but the kernel will still print the supposedly empty buffer with\nprintk. This leads to corruption on the console/in the logs.\n\nEnsure buf is initialized to an empty string.\n\nSigned-off-by: Richard Purdie \u003crichard.purdie@linuxfoundation.org\u003e\n[dvhart: Initialize string to \"\" rather than assign buf[0] \u003d NULL;]\nCc: Jiri Kosina \u003cjikos@kernel.org\u003e\nCc: linux-input@vger.kernel.org\nSigned-off-by: Darren Hart \u003cdvhart@linux.intel.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "26a4d4319f52f3e9a397b2006a95a682d9534e72",
      "tree": "e2276b19e9d2544228b00664e5de8e6c59e03d8a",
      "parents": [
        "63698e052d6b5c03152644d7d7c80f2df00100dd"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Nov 04 15:20:42 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:25 2016 +0800"
      },
      "message": "FS-Cache: Handle a write to the page immediately beyond the EOF marker\n\ncommit 102f4d900c9c8f5ed89ae4746d493fe3ebd7ba64 upstream.\n\nHandle a write being requested to the page immediately beyond the EOF\nmarker on a cache object.  Currently this gets an assertion failure in\nCacheFiles because the EOF marker is used there to encode information about\na partial page at the EOF - which could lead to an unknown blank spot in\nthe file if we extend the file over it.\n\nThe problem is actually in fscache where we check the index of the page\nbeing written against store_limit.  store_limit is set to the number of\npages that we\u0027re allowed to store by fscache_set_store_limit() - which\nmeans it\u0027s one more than the index of the last page we\u0027re allowed to store.\nThe problem is that we permit writing to a page with an index _equal_ to\nthe store limit - when we should reject that case.\n\nWhilst we\u0027re at it, change the triggered assertion in CacheFiles to just\nreturn -ENOBUFS instead.\n\nThe assertion failure looks something like this:\n\nCacheFiles: Assertion failed\n1000 \u003c 7b1 is false\n------------[ cut here ]------------\nkernel BUG at fs/cachefiles/rdwr.c:962!\n...\nRIP: 0010:[\u003cffffffffa02c9e83\u003e]  [\u003cffffffffa02c9e83\u003e] cachefiles_write_page+0x273/0x2d0 [cachefiles]\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "63698e052d6b5c03152644d7d7c80f2df00100dd",
      "tree": "ad895f0d3c174e06ef53831f8fb709c57f12eb12",
      "parents": [
        "6100bd0a32642e6479c14a26da9e003da8641c0b"
      ],
      "author": {
        "name": "Kinglong Mee",
        "email": "kinglongmee@gmail.com",
        "time": "Wed Nov 04 15:20:24 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:24 2016 +0800"
      },
      "message": "FS-Cache: Don\u0027t override netfs\u0027s primary_index if registering failed\n\ncommit b130ed5998e62879a66bad08931a2b5e832da95c upstream.\n\nOnly override netfs-\u003eprimary_index when registering success.\n\nSigned-off-by: Kinglong Mee \u003ckinglongmee@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n[lizf: Backported to 3.4: there are no n_active and flags in primary_index]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "6100bd0a32642e6479c14a26da9e003da8641c0b",
      "tree": "b3786755bac1cc3bfd553d5f606917b930be6fd5",
      "parents": [
        "74c1a5ecfcf8cd6a6238578add2ce0aefd5e44ed"
      ],
      "author": {
        "name": "Kinglong Mee",
        "email": "kinglongmee@gmail.com",
        "time": "Wed Nov 04 15:20:15 2015 +0000"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:24 2016 +0800"
      },
      "message": "FS-Cache: Increase reference of parent after registering, netfs success\n\ncommit 86108c2e34a26e4bec3c6ddb23390bf8cedcf391 upstream.\n\nIf netfs exist, fscache should not increase the reference of parent\u0027s\nusage and n_children, otherwise, never be decreased.\n\nv2: thanks David\u0027s suggest,\n move increasing reference of parent if success\n use kmem_cache_free() freeing primary_index directly\n\nv3: don\u0027t move \"netfs-\u003eprimary_index-\u003eparent \u003d \u0026fscache_fsdef_index;\"\n\nSigned-off-by: Kinglong Mee \u003ckinglongmee@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "74c1a5ecfcf8cd6a6238578add2ce0aefd5e44ed",
      "tree": "6ea2608d0d8b5944499ba205b7cbc378b698a4e9",
      "parents": [
        "abc5526f35b4d1095db64b4dbc0671543fcad5f4"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Mon Nov 09 17:51:23 2015 -0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:24 2016 +0800"
      },
      "message": "net: fix a race in dst_release()\n\ncommit d69bbf88c8d0b367cf3e3a052f6daadf630ee566 upstream.\n\nOnly cpu seeing dst refcount going to 0 can safely\ndereference dst-\u003eflags.\n\nOtherwise an other cpu might already have freed the dst.\n\nFixes: 27b75c95f10d (\"net: avoid RCU for NOCACHE dst\")\nReported-by: Greg Thelen \u003cgthelen@google.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "abc5526f35b4d1095db64b4dbc0671543fcad5f4",
      "tree": "8a939baf357e044b8d5c4532bd8fcf2d6edd7a72",
      "parents": [
        "cd23f0e1d1847abc122500c622b8954425fea806"
      ],
      "author": {
        "name": "Christoph Hellwig",
        "email": "hch@lst.de",
        "time": "Mon Oct 19 16:35:46 2015 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:24 2016 +0800"
      },
      "message": "scsi: restart list search after unlock in scsi_remove_target\n\ncommit 40998193560dab6c3ce8d25f4fa58a23e252ef38 upstream.\n\nWhen dropping a lock while iterating a list we must restart the search\nas other threads could have manipulated the list under us.  Without this\nwe can get stuck in an endless loop.  This bug was introduced by\n\ncommit bc3f02a795d3b4faa99d37390174be2a75d091bd\nAuthor: Dan Williams \u003cdjbw@fb.com\u003e\nDate:   Tue Aug 28 22:12:10 2012 -0700\n\n    [SCSI] scsi_remove_target: fix softlockup regression on hot remove\n\nWhich was itself trying to fix a reported soft lockup issue\n\nhttp://thread.gmane.org/gmane.linux.kernel/1348679\n\nHowever, we believe even with this revert of the original patch, the soft\nlockup problem has been fixed by\n\ncommit f2495e228fce9f9cec84367547813cbb0d6db15a\nAuthor: James Bottomley \u003cJBottomley@Parallels.com\u003e\nDate:   Tue Jan 21 07:01:41 2014 -0800\n\n    [SCSI] dual scan thread bug fix\n\nThanks go to Dan Williams \u003cdan.j.williams@intel.com\u003e for tracking all this\nprior history down.\n\nReported-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nSigned-off-by: Christoph Hellwig \u003chch@lst.de\u003e\nTested-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nFixes: bc3f02a795d3b4faa99d37390174be2a75d091bd\nSigned-off-by: James Bottomley \u003cJBottomley@Odin.com\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "cd23f0e1d1847abc122500c622b8954425fea806",
      "tree": "a8b65c20866703bfec627f79a1aa985a85624dbd",
      "parents": [
        "0c760ac8778bbcac7e61e68465cf0258501d027d"
      ],
      "author": {
        "name": "Michal Kubeček",
        "email": "mkubecek@suse.cz",
        "time": "Tue Nov 03 08:51:07 2015 +0100"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:24 2016 +0800"
      },
      "message": "ipv6: fix tunnel error handling\n\ncommit ebac62fe3d24c0ce22dd83afa7b07d1a2aaef44d upstream.\n\nBoth tunnel6_protocol and tunnel46_protocol share the same error\nhandler, tunnel6_err(), which traverses through tunnel6_handlers list.\nFor ipip6 tunnels, we need to traverse tunnel46_handlers as we do e.g.\nin tunnel46_rcv(). Current code can generate an ICMPv6 error message\nwith an IPv4 packet embedded in it.\n\nFixes: 73d605d1abbd (\"[IPSEC]: changing API of xfrm6_tunnel_register\")\nSigned-off-by: Michal Kubecek \u003cmkubecek@suse.cz\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "0c760ac8778bbcac7e61e68465cf0258501d027d",
      "tree": "8e9ec67a9d41e6e093b978295e942ec68f942c85",
      "parents": [
        "2c2a597d9c5d204019bdfc63016e0c7b1fc67295"
      ],
      "author": {
        "name": "libin",
        "email": "huawei.libin@huawei.com",
        "time": "Tue Nov 03 08:58:47 2015 +0800"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:23 2016 +0800"
      },
      "message": "recordmcount: Fix endianness handling bug for nop_mcount\n\ncommit c84da8b9ad3761eef43811181c7e896e9834b26b upstream.\n\nIn nop_mcount, shdr-\u003esh_offset and welp-\u003er_offset should handle\nendianness properly, otherwise it will trigger Segmentation fault\nif the recordmcount main and file.o have different endianness.\n\nLink: http://lkml.kernel.org/r/563806C7.7070606@huawei.com\n\nSigned-off-by: Li Bin \u003chuawei.libin@huawei.com\u003e\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "2c2a597d9c5d204019bdfc63016e0c7b1fc67295",
      "tree": "404ad66f9bcfa91f29a1c3087c338d4c41702eed",
      "parents": [
        "27f443a7e6201f6c50a1d4bc54ff055663436c65"
      ],
      "author": {
        "name": "Ralf Baechle",
        "email": "ralf@linux-mips.org",
        "time": "Fri Oct 16 23:09:57 2015 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:23 2016 +0800"
      },
      "message": "MIPS: atomic: Fix comment describing atomic64_add_unless\u0027s return value.\n\ncommit f25319d2cb439249a6859f53ad42ffa332b0acba upstream.\n\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nFixes: f24219b4e90cf70ec4a211b17fbabc725a0ddf3c\n(cherry picked from commit f0a232cde7be18a207fd057dd79bbac8a0a45dec)\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "27f443a7e6201f6c50a1d4bc54ff055663436c65",
      "tree": "c0c1fd141441383519b69af5de7c062bc4e5c6c1",
      "parents": [
        "b8c196dd0a6ae60c6a687df2a81810706e64a091"
      ],
      "author": {
        "name": "Arnd Bergmann",
        "email": "arnd@arndb.de",
        "time": "Mon Oct 12 15:46:08 2015 +0200"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:23 2016 +0800"
      },
      "message": "ARM: pxa: remove incorrect __init annotation on pxa27x_set_pwrmode\n\ncommit 54c09889bff6d99c8733eed4a26c9391b177c88b upstream.\n\nThe z2 machine calls pxa27x_set_pwrmode() in order to power off\nthe machine, but this function gets discarded early at boot because\nit is marked __init, as pointed out by kbuild:\n\nWARNING: vmlinux.o(.text+0x145c4): Section mismatch in reference from the function z2_power_off() to the function .init.text:pxa27x_set_pwrmode()\nThe function z2_power_off() references\nthe function __init pxa27x_set_pwrmode().\nThis is often because z2_power_off lacks a __init\nannotation or the annotation of pxa27x_set_pwrmode is wrong.\n\nThis removes the __init section modifier to fix rebooting and the\nbuild error.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nFixes: ba4a90a6d86a (\"ARM: pxa/z2: fix building error of pxa27x_cpu_suspend() no longer available\")\nSigned-off-by: Robert Jarzmik \u003crobert.jarzmik@free.fr\u003e\n[lizf: Backported to 3.4: adjust context]\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "b8c196dd0a6ae60c6a687df2a81810706e64a091",
      "tree": "9275bee1d73d794a3bd7869ecb2622c6289b0419",
      "parents": [
        "355c6a10ace105674b8b0b9c0eacec89395ac0d5"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "dan.carpenter@oracle.com",
        "time": "Mon Sep 21 19:21:51 2015 +0300"
      },
      "committer": {
        "name": "Zefan Li",
        "email": "lizefan@huawei.com",
        "time": "Wed Oct 26 23:15:23 2016 +0800"
      },
      "message": "devres: fix a for loop bounds check\n\ncommit 1f35d04a02a652f14566f875aef3a6f2af4cb77b upstream.\n\nThe iomap[] array has PCIM_IOMAP_MAX (6) elements and not\nDEVICE_COUNT_RESOURCE (16).  This bug was found using a static checker.\nIt may be that the \"if (!(mask \u0026 (1 \u003c\u003c i)))\" check means we never\nactually go past the end of the array in real life.\n\nFixes: ec04b075843d (\u0027iomap: implement pcim_iounmap_regions()\u0027)\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nAcked-by: Tejun Heo \u003ctj@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    }
  ],
  "next": "355c6a10ace105674b8b0b9c0eacec89395ac0d5"
}
