Restrict printing of kernel virtual addresses in SPS driver.
In debug prints, handles to bam device structures may be printed
as integers. As these handles are obtained by casting pointer
to bam device structures to integer, they can reveal addresses
of the structures to attackers.
Cast the handles in debug prints to pointers, printed with %pK,
which hides these values if kptr_restrict is set (default on Android).
Change-Id: Idd28c7d11a06113605f7428a4cfc2505c1ae0073
Signed-off-by: Jishnu Prakash <jprakash@codeaurora.org>
Currently RT is deleted even if rt rule or header proc ctx
is invalid. Add check to prevent it.
Change-Id: Ic37ff9a33fab2b3c0d6393e43452e4b62a91d932
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Correctly free pointers allocated by kzalloc. Remove devm_kfree
in error handling as device associated memory is automatically
freed upon destruction of device. Always use put_device instead
of kfree on initialized device.
Change-Id: Icbd88e9ccd42fedb4fbce5eff69248c3fceffc02
Signed-off-by: David Dai <daidavid1@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
SSM driver is not enabled and hence needs deprecation.
Remove all the SSM driver references.
CRs-Fixed: 2268386
Change-Id: I02f82817023d2fcc6d05a2f0d7eb3aec8f60a7d5
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Protect ipa default routing table from
addition, deletion and modification once after
default rule added by ipa-driver.
Bug: 119052051
Change-Id: I045d9c29fed23edf796d826e440b81124e1f666a
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Adding code changes to validate user inputs.
Before allocating the NAT entry, verify whether the
NAT entry size is in range or not.
Bug: 109741776
Change-Id: I21147f20a12243af5d21aebdc206703964db2be4
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
SPS driver does not support manual bind/unbind operations
through sysfs. Suppress the bind/unbind nodes. Do not free
SPS struct in sps_device_de_init since it is being done in
sps_exit, and also to avoid use-after-free.
Bug: 114042002
Change-Id: If6da6c5fb9d1a44d0420c6151f7f9d0a33cb2d04
Signed-off-by: Siva Kumar Akkireddi <sivaa@codeaurora.org>
Header entry deleted but the same entry pointer used in the
routing table is not updated. Added checks to confirm whether
the header entry is present or not before using it to avoid
null pointer dereference.
Change-Id: Id1d844c60b2dcb0cc7cf18352b78d62fe5a89347
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Check for CAP_NET_ADMIN capability of the user
space application who tries to access rmnet driver IOCTL.
Bug: 36367253
Change-Id: If6bb4b54659306c5103b5e34bf02c7234c851e0a
CRs-Fixed: 2226355
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Clearing Non uC interrupts before processing will
result in clearing interrupt data.
Change-Id: I47ea7c22250264da206e1fb8691e77224c825ab0
CRs-Fixed: 1008549
Acked-by: Mohammed Javid <mjavid@qti.qualcomm.com>
Signed-off-by: sunil paidimarri <hisunil@codeaurora.org>
When stack memory is provided to HW as part of descriptor
it can lead to cache alignment issues. Make changes to
use heap memory wherever applicable.
Change-Id: I666f98cf2ec45a4743db0ab7bc6d2df821cce84a
Acked-by: Chaitanya Pratapa <cpratapa@qti.qualcomm.com>
Signed-off-by: Sridhar Ancha <sancha@codeaurora.org>
Currently value of MAX_NUM_OF_MUX_CHANNEL is 10
but number of valid interfaces is 8. So empty interface
is also getting mux id. Return mux id only for valid
interfaces.
Change-Id: I7852df0aa0ccee781c1bf6857a4183b99194f3ee
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Currently IPA sends common error -EFAULT to user space
in case IOCTL fails. Change error value for set quota
based on error received from modem.
Change-Id: Ib6ba487a186245ddf752cd08de12293af1ea1bb9
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Add ioctl for user space to get ipa hw version
Change-Id: Iba207623126f641324fbcf174bddd46552f489de
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Add support on wan-driver to query modem or
wlan-fw to get the total data usage for all
tethered clients.
Change-Id: I56f40f1c0f6b2ec4279e78b3aeb81c687d08bf2e
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
The first APPS default routing table rule is installed
at the IPA driver initialization. To prevent routing
exception, this rule cannot be deleted by user application.
This change prevents deleting this rule.
Change-Id: Ia27434fd24a15fea5956018a1271b11bbe227df7
CRs-fixed: 2165859
Signed-off-by: Ghanim Fodi <gfodi@codeaurora.org>
This is a fix for dynamic memory leak seen with incorrectly
allocating memory of a different size than the intended
size.
Change-Id: I821442ee6728ea90ceab7644e194f4e06369333a
Acked-by: Jyothi Jayanthi <jyothij@qti.qualcomm.com>
Signed-off-by: Michael Adisumarta <madisuma@codeaurora.org>
Default IPA header is added or deleted from the driver
directly and not by user space application. This change
prevents adding/deleting it from user application which
may cause inconsistencies in the driver. Also the change
fixes the header reset function to skip on the correct
default header.
Change-Id: Ic813433655411f1447db8b0c15efdf64038d8c26
CRs-fixed: 2151146
Signed-off-by: Ghanim Fodi <gfodi@codeaurora.org>
Floor vote data needs to be protected with mutex lock to
avoid double free of memory due to race condition.
Change-Id: Ifaa01a14d273ccba6b9463aff3a41c0038b05f06
Signed-off-by: Odelu Kukatla <okukatla@codeaurora.org>
Restrict printing of kernel virtual addresses in SPS driver.
In debug code, %p is used to print virtual addresses of
kernel objects, which can be exploited by attackers. It is
replaced with %pK, which hides these values if kptr_restrict
is set (default on Android).
Change-Id: I57585fa655abc01b2e8d694c8f31b7617bbf4ec7
Signed-off-by: Jishnu Prakash <jprakash@codeaurora.org>
Added code changes to avoid use after free
if header table already freed
during ipa ioctl test.
Change-Id: Idc5c57a5aa896d4af0c76cc49fd964f236229711
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Add null terminator at the end of string
extend_ioctl_data.u.rmnet_mux_val.vchannel_name
to avoid potential security issue.
Change-Id: I57fe3a9f7e3ad6a499b62a9cfc49bc6b2f3b42e0
Acked-by: Shihuan Liu <shihuanl@qti.qualcomm.com>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Added code changes so that ref_cnt variable will decrement only
when add_ref_hdr variable is true.
Change-Id: I0bcc3909669f4843c43135e5f047ac28fa62bb63
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
There is a race condition observed
on global variable num_q6_rule used in
ipa wan-driver. The fix is to add lock
to prevent different threads from accessing
it at the same time.
Change-Id: Ia9190c60361cb5605b61963309beca3acdeac89d
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Overflow of reference counter can lead to memory leak.
Before incrementing the reference count, check with
U32_MAX and return for error check.
Bug: 35467471
Change-Id: Ib96d36574ee086ec73c9836110cb2c98e8ae3d66
Acked-by: Mohammed Javid <mjavid@qti.qualcomm.com>
Signed-off-by: Utkarsh Saxena <usaxena@codeaurora.org>
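A user-space sketch of the bound check described in the commit message above, added here as an illustration and not taken from the driver. `struct entry`, the function names and the `-EINVAL` return value are assumptions, and `UINT32_MAX` stands in for the kernel's `U32_MAX`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a reference-counted driver object. */
struct entry {
    uint32_t ref_cnt;
};

/* Unchecked take: at UINT32_MAX the unsigned counter wraps to 0, so the
 * count no longer matches the number of holders. */
uint32_t take_unchecked(struct entry *e)
{
    return ++e->ref_cnt;
}

/* Checked take: refuse the new reference once the counter is at its
 * maximum. -EINVAL is an assumed error code. */
int take_checked(struct entry *e)
{
    if (e->ref_cnt == UINT32_MAX)
        return -EINVAL;
    e->ref_cnt++;
    return 0;
}

/* Take `n` references with the checked path; returns how many succeeded. */
uint32_t take_many(struct entry *e, uint32_t n)
{
    uint32_t ok = 0;

    while (n-- && take_checked(e) == 0)
        ok++;
    return ok;
}

int main(void)
{
    struct entry a = { UINT32_MAX - 2 };   /* constructed starting values */
    struct entry b = { UINT32_MAX - 2 };
    uint32_t i, granted;

    for (i = 0; i < 3; i++)
        take_unchecked(&a);
    granted = take_many(&b, 3);
    printf("unchecked count after 3 takes: %u\n", (unsigned)a.ref_cnt);
    printf("checked: %u granted, count %u\n", (unsigned)granted, (unsigned)b.ref_cnt);
    return 0;
}
```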
Accessing of incorrect structure pointer is causing
memory out of bound access, fixed issue by accessing
the correct structure pointer.
Change-Id: I3c2f5f7a97cac854093ef670184d06db4231f5e1
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Fix the security issue in handling add mux channel event
in ipa wan driver.
Change-Id: Ic2ffeafddad4954ec3ecba0d675646d0790eede7
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Acked-by: Shihuan Liu <shihuanl@qti.qualcomm.com>
On rmnet_ipa_set_data_quota() API, add the
string terminator to prevent vulnerability
of string buffer overflows on debug prints.
Change-Id: Ie669f6606f76b9006bce4edd0c6d04aef9cfb600
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Added mutex lock to query rt table function also to sync
with other ioctl calls in ipa.
Change-Id: I65d46c0ef28b5e6260c92473fd15e9763de20146
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
SPS debugfs APIs can be called concurrently which can result
in dangling pointer access. This change synchronizes access
to the SPS debugfs buffer.
Change-Id: I409b3f0618f760cb67eba47b43c81d166cdae4aa
Signed-off-by: Siva Kumar Akkireddi <sivaa@codeaurora.org>
Static variable node_list list needs to be protected with a mutex
to prevent race conditions and use after free cases.
Change-Id: I4790b06712b8a8b401f43418cfcc53b415fb0019
Signed-off-by: David Dai <daidavid1@codeaurora.org>
Cldata needed to be protected by lock since crash
happened when synchronous update and free.
CRs-Fixed: 2034222
Change-Id: Ied86461b784d69d9758dc3fc793a8a0de86e7f9c
Signed-off-by: Maria Yu <aiquny@codeaurora.org>
In some rare race condition during SSR, modem might
program commands to IPA to lock the pipe, and AP will
enable delay on this pipe which will prevent IPA from reading
unlock command. In this case IPA HW will be stalled as it
is locked forever on this pipe.
CRs-Fixed: 1040724
Change-Id: Ifc874c9e881eb1b3ccea321679bb272cd427fabb
Acked-by: Ady Abraham <adya@qti.qualcomm.com>
Acked-by: Mohammed Javid <mjavid@qti.qualcomm.com>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Signed-off-by: Utkarsh Saxena <usaxena@codeaurora.org>
Fix the security issue where mux channel name might
not be null-terminated causing memory access overflow
in ipa wan driver.
Change-Id: I3ef440b62cf3861464fb60c1e7f65f2be5e39ed0
Acked-by: Shihuan Liu <shihuanl@qti.qualcomm.com>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
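A user-space sketch of the null-terminator fix named in the commit messages above for `vchannel_name`, `rmnet_ipa_set_data_quota()` and the mux channel name, added here as an illustration and not taken from the driver. `struct mux_req`, `NAME_SIZE`, the function names and the input bytes are constructed assumptions, with `memcpy` standing in for the copy from user space.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 16 /* assumed size; the page does not state the real one */

/* Hypothetical ioctl payload: fixed-size name filled in by user space. */
struct mux_req {
    char vchannel_name[NAME_SIZE];
    unsigned int mux_id;
};

/* Stand-in for copy_from_user(): copies the caller's bytes as they are. */
void load_raw(struct mux_req *req, const unsigned char *user, size_t len)
{
    memset(req, 0, sizeof(*req));
    memcpy(req, user, len < sizeof(*req) ? len : sizeof(*req));
}

/* Same copy, then force a terminator into the last byte of the field. */
void load_terminated(struct mux_req *req, const unsigned char *user, size_t len)
{
    load_raw(req, user, len);
    req->vchannel_name[NAME_SIZE - 1] = '\0';
}

/* 1 if a NUL lies inside the field, so %s and strlen() stay in bounds. */
int name_in_bounds(const struct mux_req *req)
{
    return memchr(req->vchannel_name, '\0', NAME_SIZE) != NULL;
}

/* Constructed input: every name byte is 'A' and mux_id is 0x41414141. */
int demo(int terminate)
{
    unsigned char user[sizeof(struct mux_req)];
    struct mux_req req;

    memset(user, 'A', sizeof(user));
    if (terminate)
        load_terminated(&req, user, sizeof(user));
    else
        load_raw(&req, user, sizeof(user));
    return name_in_bounds(&req);
}

int main(void)
{
    printf("raw copy in bounds: %d\n", demo(0));
    printf("terminated copy in bounds: %d\n", demo(1));
    return 0;
}
```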