1. 22 8月, 2013 2 次提交
  2. 21 8月, 2013 5 次提交
  3. 17 8月, 2013 1 次提交
    • G
      s390: Fix broken build · 215b28a5
      Guenter Roeck 提交于
      Fix this build error:
      
        In file included from fs/exec.c:61:0:
        arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
        arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
        arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
        arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
      
      Broken due to commit 2b047252 ("Fix TLB gather virtual address range
      invalidation corner cases").
      
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      [ Oh well. We had build testing for ppc amd um, but no s390  - Linus ]
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      215b28a5
  4. 16 8月, 2013 1 次提交
    • L
      Fix TLB gather virtual address range invalidation corner cases · 2b047252
      Linus Torvalds 提交于
      Ben Tebulin reported:
      
       "Since v3.7.2 on two independent machines a very specific Git
        repository fails in 9/10 cases on git-fsck due to an SHA1/memory
        failures.  This only occurs on a very specific repository and can be
        reproduced stably on two independent laptops.  Git mailing list ran
        out of ideas and for me this looks like some very exotic kernel issue"
      
      and bisected the failure to the backport of commit 53a59fc6 ("mm:
      limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
      
      That commit itself is not actually buggy, but what it does is to make it
      much more likely to hit the partial TLB invalidation case, since it
      introduces a new case in tlb_next_batch() that previously only ever
      happened when running out of memory.
      
      The real bug is that the TLB gather virtual memory range setup is subtly
      buggered.  It was introduced in commit 597e1c35 ("mm/mmu_gather:
      enable tlb flush range in generic mmu_gather"), and the range handling
      was already fixed at least once in commit e6c495a9 ("mm: fix the TLB
      range flushed when __tlb_remove_page() runs out of slots"), but that fix
      was not complete.
      
      The problem with the TLB gather virtual address range is that it isn't
      set up by the initial tlb_gather_mmu() initialization (which didn't get
      the TLB range information), but it is set up ad-hoc later by the
      functions that actually flush the TLB.  And so any such case that forgot
      to update the TLB range entries would potentially miss TLB invalidates.
      
      Rather than try to figure out exactly which particular ad-hoc range
      setup was missing (I personally suspect it's the hugetlb case in
      zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
      did), this patch just gets rid of the problem at the source: make the
      TLB range information available to tlb_gather_mmu(), and initialize it
      when initializing all the other tlb gather fields.
      
      This makes the patch larger, but conceptually much simpler.  And the end
      result is much more understandable; even if you want to play games with
      partial ranges when invalidating the TLB contents in chunks, now the
      range information is always there, and anybody who doesn't want to
      bother with it won't introduce subtle bugs.
      
      Ben verified that this fixes his problem.
      Reported-bisected-and-tested-by: NBen Tebulin <tebulin@googlemail.com>
      Build-testing-by: NStephen Rothwell <sfr@canb.auug.org.au>
      Build-testing-by: NRichard Weinberger <richard.weinberger@gmail.com>
      Reviewed-by: NMichal Hocko <mhocko@suse.cz>
      Acked-by: NPeter Zijlstra <peterz@infradead.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      2b047252
  5. 14 8月, 2013 13 次提交
    • A
      m68k: Truncate base in do_div() · ea077b1b
      Andreas Schwab 提交于
      Explicitly truncate the second operand of do_div() to 32 bits to guard
      against bogus code calling it with a 64-bit divisor.
      
      [Thorsten]
      
      After upgrading from 3.2 to 3.10, mounting a btrfs volume fails with:
      
      btrfs: setting nodatacow, compression disabled
      btrfs: enabling auto recovery
      btrfs: disk space caching is enabled
      *** ZERO DIVIDE ***   FORMAT=2
      Current process id is 722
      BAD KERNEL TRAP: 00000000
      Modules linked in: evdev mac_hid ext4 crc16 jbd2 mbcache btrfs xor lzo_compress zlib_deflate raid6_pq crc32c libcrc32c
      PC: [<319535b2>] __btrfs_map_block+0x11c/0x119a [btrfs]
      SR: 2000  SP: 30c1fab4  a2: 30f0faf0
      d0: 00000000    d1: 00001000    d2: 00000000    d3: 00000000
      d4: 00010000    d5: 00000000    a0: 3085c72c    a1: 3085c72c
      Process mount (pid: 722, task=30f0faf0)
      Frame format=2 instr addr=319535ae
      Stack from 30c1faec:
              00000000 00000020 00000000 00001000 00000000 01401000 30253928 300ffc00
              00a843ac 3026f640 00000000 00010000 0009e250 00d106c0 00011220 00000000
              00001000 301c6830 0009e32a 000000ff 00000009 3085c72c 00000000 00000000
              30c1fd14 00000000 00000020 00000000 30c1fd14 0009e26c 00000020 00000003
              00000000 0009dd8a 300b0b6c 30253928 00a843ac 00001000 00000000 00000000
              0000a008 3194e76a 30253928 00a843ac 00001000 00000000 00000000 00000002
      Call Trace: [<00001000>] kernel_pg_dir+0x0/0x1000
      
          [...]
      
      Code: 222e ff74 2a2e ff5c 2c2e ff60 4c45 1402 <2d40> ff64 2d41 ff68 2205 4c2e 1800 ff68 4c04 0800 2041 d1c0 2206 4c2e 1400 ff68
      
      [Geert]
      
      As diagnosed by Andreas, fs/btrfs/volumes.c:__btrfs_map_block()
      calls
      
          do_div(stripe_nr, stripe_len);
      
      with stripe_len u64, while do_div() assumes the divisor is a 32-bit number.
      
      Due to the lack of truncation in the m68k-specific implementation of
      do_div(), the division is performed using the upper 32-bit word of
      stripe_len, which is zero.
      
      This was introduced by commit 53b381b3
      ("Btrfs: RAID5 and RAID6"), which changed the divisor from
      map->stripe_len (struct map_lookup.stripe_len is int) to a 64-bit temporary.
      Reported-by: NThorsten Glaser <tg@debian.org>
      Signed-off-by: NAndreas Schwab <schwab@linux-m68k.org>
      Tested-by: NThorsten Glaser <tg@debian.org>
      Signed-off-by: NGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: stable@vger.kernel.org
      ea077b1b
    • G
      m68k/atari: ARAnyM - Fix NatFeat module support · e8184e10
      Geert Uytterhoeven 提交于
      As pointed out by Andreas Schwab, pointers passed to ARAnyM NatFeat calls
      should be physical addresses, not virtual addresses.
      
      Fortunately on Atari, physical and virtual kernel addresses are the same,
      as long as normal kernel memory is concerned, so this usually worked fine
      without conversion.
      
      But for modules, pointers to literal strings are located in vmalloc()ed
      memory. Depending on the version of ARAnyM, this causes the nf_get_id()
      call to just fail, or worse, crash ARAnyM itself with e.g.
      
          Gotcha! Illegal memory access. Atari PC = $968c
      
      This is a big issue for distro kernels, who want to have all drivers as
      loadable modules in an initrd.
      
      Add a wrapper for nf_get_id() that copies the literal to the stack to
      work around this issue.
      Reported-by: NThorsten Glaser <tg@debian.org>
      Signed-off-by: NGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: stable@vger.kernel.org
      e8184e10
    • C
      arch: *: Kconfig: add "kernel/Kconfig.freezer" to "arch/*/Kconfig" · 57a1a197
      Chen Gang 提交于
      All architectures include "kernel/Kconfig.freezer" except three left, so
      let them include it too, or 'allmodconfig' will report error.
      
      The related errors: (with allmodconfig for openrisc):
      
          CC      kernel/cgroup_freezer.o
        kernel/cgroup_freezer.c: In function 'freezer_css_online':
        kernel/cgroup_freezer.c:133:15: error: 'system_freezing_cnt' undeclared (first use in this function)
        kernel/cgroup_freezer.c:133:15: note: each undeclared identifier is reported only once for each function it appears in
        kernel/cgroup_freezer.c: In function 'freezer_css_offline':
        kernel/cgroup_freezer.c:157:15: error: 'system_freezing_cnt' undeclared (first use in this function)
        kernel/cgroup_freezer.c: In function 'freezer_attach':
        kernel/cgroup_freezer.c:200:4: error: implicit declaration of function 'freeze_task'
        kernel/cgroup_freezer.c: In function 'freezer_apply_state':
        kernel/cgroup_freezer.c:371:16: error: 'system_freezing_cnt' undeclared (first use in this function)
      Signed-off-by: NChen Gang <gang.chen@asianux.com>
      Cc: Richard Kuo <rkuo@codeaurora.org>
      Cc: Jonas Bonn <jonas@southpole.se>
      Cc: Chen Liqin <liqin.chen@sunplusct.com>
      Cc: Lennox Wu <lennox.wu@gmail.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      57a1a197
    • R
      x86 get_unmapped_area(): use proper mmap base for bottom-up direction · df54d6fa
      Radu Caragea 提交于
      When the stack is set to unlimited, the bottomup direction is used for
      mmap-ings but the mmap_base is not used and thus effectively renders
      ASLR for mmapings along with PIE useless.
      
      Cc: Michel Lespinasse <walken@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Reviewed-by: NRik van Riel <riel@redhat.com>
      Acked-by: NIngo Molnar <mingo@kernel.org>
      Cc: Adrian Sendroiu <molecula2788@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      df54d6fa
    • M
      microblaze: fix clone syscall · dfa9771a
      Michal Simek 提交于
      Fix inadvertent breakage in the clone syscall ABI for Microblaze that
      was introduced in commit f3268edb ("microblaze: switch to generic
      fork/vfork/clone").
      
      The Microblaze syscall ABI for clone takes the parent tid address in the
      4th argument; the third argument slot is used for the stack size.  The
      incorrectly-used CLONE_BACKWARDS type assigned parent tid to the 3rd
      slot.
      
      This commit restores the original ABI so that existing userspace libc
      code will work correctly.
      
      All kernel versions from v3.8-rc1 were affected.
      Signed-off-by: NMichal Simek <michal.simek@xilinx.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      dfa9771a
    • C
      mm: save soft-dirty bits on file pages · 41bb3476
      Cyrill Gorcunov 提交于
      Andy reported that if file page get reclaimed we lose the soft-dirty bit
      if it was there, so save _PAGE_BIT_SOFT_DIRTY bit when page address get
      encoded into pte entry.  Thus when #pf happens on such non-present pte
      we can restore it back.
      Reported-by: NAndy Lutomirski <luto@amacapital.net>
      Signed-off-by: NCyrill Gorcunov <gorcunov@openvz.org>
      Acked-by: NPavel Emelyanov <xemul@parallels.com>
      Cc: Matt Mackall <mpm@selenic.com>
      Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Minchan Kim <minchan@kernel.org>
      Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      41bb3476
    • C
      mm: save soft-dirty bits on swapped pages · 179ef71c
      Cyrill Gorcunov 提交于
      Andy Lutomirski reported that if a page with _PAGE_SOFT_DIRTY bit set
      get swapped out, the bit is getting lost and no longer available when
      pte read back.
      
      To resolve this we introduce _PTE_SWP_SOFT_DIRTY bit which is saved in
      pte entry for the page being swapped out.  When such page is to be read
      back from a swap cache we check for bit presence and if it's there we
      clear it and restore the former _PAGE_SOFT_DIRTY bit back.
      
      One of the problem was to find a place in pte entry where we can save
      the _PTE_SWP_SOFT_DIRTY bit while page is in swap.  The _PAGE_PSE was
      chosen for that, it doesn't intersect with swap entry format stored in
      pte.
      Reported-by: NAndy Lutomirski <luto@amacapital.net>
      Signed-off-by: NCyrill Gorcunov <gorcunov@openvz.org>
      Acked-by: NPavel Emelyanov <xemul@parallels.com>
      Cc: Matt Mackall <mpm@selenic.com>
      Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
      Reviewed-by: NMinchan Kim <minchan@kernel.org>
      Reviewed-by: NWanpeng Li <liwanp@linux.vnet.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      179ef71c
    • S
      perf/arm: Fix armpmu_map_hw_event() · b88a2595
      Stephen Boyd 提交于
      Fix constraint check in armpmu_map_hw_event().
      Reported-and-tested-by: NVince Weaver <vincent.weaver@maine.edu>
      Cc: <stable@kernel.org>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b88a2595
    • S
      ARM: 7807/1: kexec: validate CPU hotplug support · 2103f6cb
      Stephen Warren 提交于
      Architectures should fully validate whether kexec is possible as part of
      machine_kexec_prepare(), so that user-space's kexec_load() operation can
      report any problems. Performing validation in machine_kexec() itself is
      too late, since it is not allowed to return.
      
      Prior to this patch, ARM's machine_kexec() was testing after-the-fact
      whether machine_kexec_prepare() was able to disable all but one CPU.
      Instead, modify machine_kexec_prepare() to validate all conditions
      necessary for machine_kexec_prepare()'s to succeed. BUG if the validation
      succeeded, yet disabling the CPUs didn't actually work.
      Signed-off-by: NStephen Warren <swarren@nvidia.com>
      Acked-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>
      2103f6cb
    • W
      ARM: 7812/1: rwlocks: retry trylock operation if strex fails on free lock · 00efaa02
      Will Deacon 提交于
      Commit 15e7e5c1 ("ARM: 7749/1: spinlock: retry trylock operation if
      strex fails on free lock") modifying our arch_spin_trylock to retry the
      acquisition if the lock appeared uncontended, but the strex failed.
      
      This patch does the same for rwlocks, which were missed by the original
      patch.
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>
      00efaa02
    • W
      ARM: 7811/1: locks: use early clobber in arch_spin_trylock · afa31d8e
      Will Deacon 提交于
      The res variable is written before we've finished with the input
      operands (namely the lock address), so ensure that we mark it as `early
      clobber' to avoid unintended register sharing.
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>
      afa31d8e
    • S
      ARM: 7810/1: perf: Fix array out of bounds access in armpmu_map_hw_event() · d9f96635
      Stephen Boyd 提交于
      Vince Weaver reports an oops in the ARM perf event code while
      running his perf_fuzzer tool on a pandaboard running v3.11-rc4.
      
      Unable to handle kernel paging request at virtual address 73fd14cc
      pgd = eca6c000
      [73fd14cc] *pgd=00000000
      Internal error: Oops: 5 [#1] SMP ARM
      Modules linked in: snd_soc_omap_hdmi omapdss snd_soc_omap_abe_twl6040 snd_soc_twl6040 snd_soc_omap snd_soc_omap_hdmi_card snd_soc_omap_mcpdm snd_soc_omap_mcbsp snd_soc_core snd_compress regmap_spi snd_pcm snd_page_alloc snd_timer snd soundcore
      CPU: 1 PID: 2790 Comm: perf_fuzzer Not tainted 3.11.0-rc4 #6
      task: eddcab80 ti: ed892000 task.ti: ed892000
      PC is at armpmu_map_event+0x20/0x88
      LR is at armpmu_event_init+0x38/0x280
      pc : [<c001c3e4>]    lr : [<c001c17c>]    psr: 60000013
      sp : ed893e40  ip : ecececec  fp : edfaec00
      r10: 00000000  r9 : 00000000  r8 : ed8c3ac0
      r7 : ed8c3b5c  r6 : edfaec00  r5 : 00000000  r4 : 00000000
      r3 : 000000ff  r2 : c0496144  r1 : c049611c  r0 : edfaec00
      Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
      Control: 10c5387d  Table: aca6c04a  DAC: 00000015
      Process perf_fuzzer (pid: 2790, stack limit = 0xed892240)
      Stack: (0xed893e40 to 0xed894000)
      3e40: 00000800 c001c17c 00000002 c008a748 00000001 00000000 00000000 c00bf078
      3e60: 00000000 edfaee50 00000000 00000000 00000000 edfaec00 ed8c3ac0 edfaec00
      3e80: 00000000 c073ffac ed893f20 c00bf180 00000001 00000000 c00bf078 ed893f20
      3ea0: 00000000 ed8c3ac0 00000000 00000000 00000000 c0cb0818 eddcab80 c00bf440
      3ec0: ed893f20 00000000 eddcab80 eca76800 00000000 eca76800 00000000 00000000
      3ee0: 00000000 ec984c80 eddcab80 c00bfe68 00000000 00000000 00000000 00000080
      3f00: 00000000 ed892000 00000000 ed892030 00000004 ecc7e3c8 ecc7e3c8 00000000
      3f20: 00000000 00000048 ecececec 00000000 00000000 00000000 00000000 00000000
      3f40: 00000000 00000000 00297810 00000000 00000000 00000000 00000000 00000000
      3f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      3f80: 00000002 00000002 000103a4 00000002 0000016c c00128e8 ed892000 00000000
      3fa0: 00090998 c0012700 00000002 000103a4 00090ab8 00000000 00000000 0000000f
      3fc0: 00000002 000103a4 00000002 0000016c 00090ab0 00090ab8 000107a0 00090998
      3fe0: bed92be0 bed92bd0 0000b785 b6e8f6d0 40000010 00090ab8 00000000 00000000
      [<c001c3e4>] (armpmu_map_event+0x20/0x88) from [<c001c17c>] (armpmu_event_init+0x38/0x280)
      [<c001c17c>] (armpmu_event_init+0x38/0x280) from [<c00bf180>] (perf_init_event+0x108/0x180)
      [<c00bf180>] (perf_init_event+0x108/0x180) from [<c00bf440>] (perf_event_alloc+0x248/0x40c)
      [<c00bf440>] (perf_event_alloc+0x248/0x40c) from [<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc)
      [<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc) from [<c0012700>] (ret_fast_syscall+0x0/0x48)
      Code: 0a000005 e3540004 0a000016 e3540000 (0791010c)
      
      This is because event->attr.config in armpmu_event_init()
      contains a very large number copied directly from userspace and
      is never checked against the size of the array indexed in
      armpmu_map_hw_event(). Fix the problem by checking the value of
      config before indexing the array and rejecting invalid config
      values.
      Reported-by: NVince Weaver <vincent.weaver@maine.edu>
      Tested-by: NVince Weaver <vincent.weaver@maine.edu>
      Acked-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>
      d9f96635
    • W
      ARM: 7809/1: perf: fix event validation for software group leaders · c95eb318
      Will Deacon 提交于
      It is possible to construct an event group with a software event as a
      group leader and then subsequently add a hardware event to the group.
      This results in the event group being validated by adding all members
      of the group to a fake PMU and attempting to allocate each event on
      their respective PMU.
      
      Unfortunately, for software events wthout a corresponding arm_pmu, this
      results in a kernel crash attempting to dereference the ->get_event_idx
      function pointer.
      
      This patch fixes the problem by checking explicitly for software events
      and ignoring those in event validation (since they can always be
      scheduled). We will probably want to revisit this for 3.12, since the
      validation checks don't appear to work correctly when dealing with
      multiple hardware PMUs anyway.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: NVince Weaver <vincent.weaver@maine.edu>
      Tested-by: NVince Weaver <vincent.weaver@maine.edu>
      Tested-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>
      c95eb318
  6. 13 8月, 2013 1 次提交
    • O
      sched: fix the theoretical signal_wake_up() vs schedule() race · e0acd0a6
      Oleg Nesterov 提交于
      This is only theoretical, but after try_to_wake_up(p) was changed
      to check p->state under p->pi_lock the code like
      
      	__set_current_state(TASK_INTERRUPTIBLE);
      	schedule();
      
      can miss a signal. This is the special case of wait-for-condition,
      it relies on try_to_wake_up/schedule interaction and thus it does
      not need mb() between __set_current_state() and if(signal_pending).
      
      However, this __set_current_state() can move into the critical
      section protected by rq->lock, now that try_to_wake_up() takes
      another lock we need to ensure that it can't be reordered with
      "if (signal_pending(current))" check inside that section.
      
      The patch is actually one-liner, it simply adds smp_wmb() before
      spin_lock_irq(rq->lock). This is what try_to_wake_up() already
      does by the same reason.
      
      We turn this wmb() into the new helper, smp_mb__before_spinlock(),
      for better documentation and to allow the architectures to change
      the default implementation.
      
      While at it, kill smp_mb__after_lock(), it has no callers.
      
      Perhaps we can also add smp_mb__before/after_spinunlock() for
      prepare_to_wait().
      Signed-off-by: NOleg Nesterov <oleg@redhat.com>
      Acked-by: NPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e0acd0a6
  7. 12 8月, 2013 1 次提交
  8. 09 8月, 2013 11 次提交
  9. 08 8月, 2013 2 次提交
  10. 07 8月, 2013 2 次提交
  11. 05 8月, 2013 1 次提交