The core_ctl module takes input from userspace and CPU load information to
decide how many CPUs to keep online. User space has the following tunables:

- min_cpus: Minimum number of CPUs to keep online. This overrides other
  heuristics.
- max_cpus: Maximum number of CPUs to keep online. This overrides other
  heuristics.
- additional_cpus: Additional idle CPUs to keep ready for use.
- busy_up_thres: The normalized load% threshold that the CPU load should
  exceeded for the CPU to be go from not busy to busy.
  It could be a single threshold for all CPUs in a group, or num_cpus
  thresholds separated by spaces to specify different thresholds based on
  the current number of online CPUs.
- busy_down_thres: The normalized load% threshold that the CPU load should
  be lower than for the CPU to go from busy to not busy.
  It could be a single threshold for all CPUs in a group, or num_cpus
  thresholds separated by spaces to specify different thresholds based on
  the current number of online CPUs.
- offline_delay_ms: The time to wait for before offline cores when the
  number of needed CPUs goes down.

Mot-CRs-fixed: (CR)

Change-Id: Ied1d5bcbb8da5bbd5f3d1a3f042599babace6b65
Signed-off-by: Saravana Kannan <skannan@codeaurora.org>
Signed-off-by: Junjie Wu <junjiew@codeaurora.org>
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
Signed-off-by: Ravi Chebolu <arc095@motorola.com>
Reviewed-on: http://gerrit.mot.com/866560


SME-Granted: SME Approvals Granted
SLTApproved: Slta Waiver <sltawvr@motorola.com>
Tested-by: Jira Key <jirakey@motorola.com>
Reviewed-by: Lian-Wei Wang <lian-wei.wang@motorola.com>
Reviewed-by: Christopher Fries <cfries@motorola.com>
Submit-Approved: Jira Key <jirakey@motorola.com>

Extend sched_get_nr_running_avg() API to return average nr_big_tasks,
in addition to average nr_running and average nr_io_wait tasks. Also
add a new trace point to record values returned by
sched_get_nr_running_avg() API.

Change-Id: Id3591e6d04da8db484b4d1cb9d95dba075f5ab9a
Signed-off-by: Srivatsa Vaddagiri <vatsa@codeaurora.org>
[rameezmustafa@codeaurora.org: Resolve trivial merge conflicts]
Signed-off-by: Syed Rameez Mustafa <rameezmustafa@codeaurora.org>

sched_get_nr_running_avg() returns average nr_running and nr_iowait
task count since it was last invoked. Fix several bugs in their
calculation.

* sched_update_nr_prod() needs to consider that nr_running count can
  change by more than 1 when CFS_BANDWIDTH feature is used

* sched_get_nr_running_avg() needs to sum up nr_iowait count across
  all cpus, rather than just one

* sched_get_nr_running_avg() could race with sched_update_nr_prod(),
  as a result of which it could use curr_time which is behind a cpu's
  'last_time' value. That would lead to erroneous calculation of
  average nr_running or nr_iowait.

While at it, fix also a bug in BUG_ON() check in
sched_update_nr_prod() function and remove unnecessary nr_running
argument to sched_update_nr_prod() function.

Change-Id: I46737614737292fae0d7204c4648fb9b862f65b2
Signed-off-by: Srivatsa Vaddagiri <vatsa@codeaurora.org>

Based on TAG LA.BR.1.2.7-02610-8x16.0 from CAF.

When cluster enters a low power mode, the mode entered is stored
in last_level. During LPM driver probe last_level is initialized
to default level, if a core in that cluster is online.

If all the cores in the cluster are hotplugged after initializing
the last_level and before the per cluster data structures are
initialized, cluster enters low power mode but does not update
last_level as the data structures are not available. In this case
when a core in this cluster is coming online and last_level indicates
default level, assumes cluster did not enter any low power mode,
the update of flags to reflect the cores as active for this cluster
does not happen. This makes driver to select system level low power
mode as if this cluster is in low power mode eventhough it is out
of low power mode.

To avoid this race, prevent cores hotplug during lpm probe.

Change-Id: I1d0c51c52e54ab30239b2fca11040f134315fe61
Signed-off-by: Anil Kumar Mamidala <amami@codeaurora.org>

In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl
freed the entry for new TA, but didn't removed it from
qseecom_registered_app_list. Make change to remove it.

Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>

Add checks of the user input count to avoid possible heap overflow

Bug: 30799828
Change-Id: I896492b18c4ace6565fb9edd5cbf51f363ce157b
Signed-off-by: chengengjia <chengjia4574@gmail.com>
Signed-off-by: Andrew Chant <achant@google.com>
Git-repo: https://android.googlesource.com/kernel/msm.git


Git-commit: f549796fb9da58586c5cfc31d07b243c87dcfbd5
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>

Add checks of the user input count to avoid possible heap overflow

Signed-off-by: Min Chong <mchong@google.com>
Bug: 30937462
Git-repo: https://android.googlesource.com/kernel/msm.git


Git-commit: a6accafb252a76256f11c83e28c556c8ca4b8e1f
Change-Id: I6fc8323cbcf395a2c24e49e65cc7012709d031a2
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>

Make the digest length not larger than the size of the buffer
qcedev_areq.sha_op_req.digest; and use the checked variants of
the copy_from/to_user() APIs to avoid small race window of their
unchecked variants.

Change-Id: I3db0c20ac5fa47ed278f3d60368c406f472430c1
Signed-off-by: Zhen Kong <zkong@codeaurora.org>

Hardware does not handle pad bytes in egress packets when uplink
aggregation is not enabled. This is due to the translation support
added on hardware for MAPv4.

Change-Id: Ic246a4548561450035d5252221032d72eff44518
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>

Change-Id: I9c779a01a040fda0c55dcd49164302c5b1debd92

A malicious application can take advantage of the ION contig heap to
create a specific memory chunk size to exercise a rowhammer attack on the
physical hardware.
So remove support for the ION contig heap.

Change-Id: I9cb454cebb74df291479cecc3533d2c684363f77
Signed-off-by: Liam Mark <lmark@codeaurora.org>
Signed-off-by: Prakash Gupta <guptap@codeaurora.org>

Merge "ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and create_uaxx_quirk() functions allocate the audioformat object by themselves and free it upon error before returning. However, once the object is linked to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be double-freed, eventually resulting in a memory corruption."

scm_call2 is printing the input arguments if TZ ret value is  < 0
leading to information leak. Remove printing input arguments.

Change-Id: I21dd6d83fa979aed2c79ebb2c9c8de63a247dded
CRs-Fixed: 1076407
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

int main(int argc, char **argv)
{
	pid_t pid, child;
	long nproc, i;

	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
	syscall(SYS_ioprio_set, 1, 0, 0x6000);

	nproc = sysconf(_SC_NPROCESSORS_ONLN);

	for (i = 0; i < nproc; i++) {
		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				pid = fork();
				assert(pid != -1);
				if (pid == 0) {
					_exit(0);
				} else {
					child = wait(NULL);
					assert(child == pid);
				}
			}
		}

		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
				syscall(SYS_ioprio_get, 2, 0);
			}
		}
	}

	for (;;) {
		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
		syscall(SYS_ioprio_get, 2, 0);
	}

	return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009] 	___slab_alloc+0x55d/0x5a0
[   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
[   35.530009] 	kmem_cache_alloc_node+0x84/0x200
[   35.530009] 	create_task_io_context+0x2b/0x370
[   35.530009] 	get_task_io_context+0x92/0xb0
[   35.530009] 	copy_process.part.8+0x5029/0x5660
[   35.530009] 	_do_fork+0x155/0x7e0
[   35.530009] 	SyS_clone+0x19/0x20
[   35.530009] 	do_syscall_64+0x195/0x3a0
[   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009] 	__slab_free+0x27b/0x3d0
[   35.530009] 	kmem_cache_free+0x1fb/0x220
[   35.530009] 	put_io_context+0xe7/0x120
[   35.530009] 	put_io_context_active+0x238/0x380
[   35.530009] 	exit_io_context+0x66/0x80
[   35.530009] 	do_exit+0x158e/0x2b90
[   35.530009] 	do_group_exit+0xe5/0x2b0
[   35.530009] 	SyS_exit_group+0x1d/0x20
[   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Change-Id: Icacf9fc31e35e8914d0724dbdf0c76954bd5291e
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git


Git-commit: 8ba8682107ee2ca3347354e018865d8e1967c5f4
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>

Prevent using a binder_ref with only weak references where a strong
reference is required..

BUG: 30445380
Change-Id: I66c15b066808f28bd27bfe50fd0e03ff45a09fca
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Git-repo: https://android.googlesource.com/kernel/msm.git


Git-commit: 5e2a2bc89956ae1c739854403408059144b23c28
[d-cagle@codeaurora.org: Resolve trivial merge conflicts]
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>

Adds lock to ioctl and other external calls to driver.
Adds missing null check in __usf_set_stream_param.

Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad
Signed-off-by: Sudheer Papothi <spapothi@codeaurora.org>