76 Commits

Author SHA1 Message Date
Deepak Kumar Singh 8290b69077 net: ipc_router: Do not allow change of default security rule
Default security rule is freed while it is being used to check
security permission in ipcrtr send api. This results in use
after free case.

Default security rule should not be changed, removing the code
to change default rule from user space.

CRs-Fixed: 2591650
Change-Id: I08788102a0748b6bc72cb3c77b46de2d65ede91d
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
2020-06-06 20:31:07 +02:00
Arun Kumar Neelakantam 87ff009934 net: ipc_router: Initialize the sockaddr in recvmsg() handler
sockaddr structure is filled with required information only which
results in few memory locations of structure with uninitialized data.

Memset complete structure before using it to remove uninitialized data.

CRs-Fixed: 2274853
Change-Id: I181710bde100fb1553b925d9fdf227af35ff38b5
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
2019-07-27 22:08:44 +02:00
Arun Kumar Neelakantam cb3673798b net: ipc_router: Fix buffer overflow during memcpy
The increment logic of u64 pointer in skb_copy_to_log_buf() leads to
buffer overflow.

Modify the prototype of skb_copy_to_log_buf() function to accept
only unsigned char pointer.

CRs-Fixed: 2212592
Change-Id: I8affff1316656c1060ec57f2fb10b46f85314358
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
2019-07-27 21:51:21 +02:00
syphyr 2b079975ca net: ipc_router: Remove duplicate client port check
Change-Id: Id48b0ab2ad7e3dbe5a060ad89c14191662445678
2017-04-22 23:02:47 +02:00
LuK1337 4e71469c73 Merge tag 'LA.BR.1.3.6-03510-8976.0' into HEAD
Change-Id: Ie506850703bf9550ede802c13ba5f8c2ce723fa3
2017-04-18 12:11:50 +02:00
LuK1337 fc9499e55a Import latest Samsung release
* Package version: T713XXU2BQCO

Change-Id: I293d9e7f2df458c512d59b7a06f8ca6add610c99
2017-04-18 03:43:52 +02:00
Arun Kumar Neelakantam 0db05bc8e2 net: ipc_router: fix NULL pointer de-reference issue
Fail cases of accept() system call on AF_MSM_IPC socket family cause
NULL pointer de-reference of sock structure variable in release operation.

Validate the sock structure pointer before using it in release operation.

CRs-Fixed: 1068888
Change-Id: I5637e52be59ea9504ea6ae317394bef0c28c7865
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
2016-09-28 22:10:45 -07:00
Linux Build Service Account 38a89f621c Merge "net: ipc_router: fix leak of kernel memory to userspace" 2016-03-04 06:15:31 -08:00
Karthikeyan Ramasubramanian d3befd2427 net: ipc_router: Bind only a client port as control port
IPC Router binds any port as a control port and moves it from the client
port list to control port list. Misbehaving clients can exploit this
incorrect behavior.

IPC Router to check if the port is a client port before binding it as a
control port.

CRs-Fixed: 974577
Change-Id: I9f189b76967d5f85750218a7cb6537d187a69663
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2016-03-02 21:17:03 -08:00
Arun Kumar Neelakantam 3b1f22ab26 net: ipc_router: fix leak of kernel memory to userspace
The service info structure is allocated with uninitialized memory for the
max number of services and returns the complete structure to the userspace
resulting in the information leak if lookup operation finds less number of
services than the requested number.

Check the minimum of requested and available services and copy the minimum
information to the user-space.

CRs-Fixed: 965934
Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
2016-02-23 22:34:46 -08:00
Karthikeyan Ramasubramanian 1d4f02d78e net: ipc_router: Disable using SMEM Logs by default
IPC Router logs the message summary into SMEM Logs, a centralized logging
framework by default. The usage of SMEM Logs from the context of SSR
framework is restricted, while some clients exchange messages in the
context of SSR framework.

Disable using SMEM logs from IPC Router by default and enable it only
when required.

CRs-Fixed: 906400
Change-Id: Id8612a4617793f3f896800c111f6b1402b1fae9e
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2015-09-24 08:40:44 -07:00
Linux Build Service Account ba9f01a4a7 Merge "Merge c9f748c828 on remote branch" 2015-07-29 05:11:23 -07:00
Arun Kumar Neelakantam cafd747a6d net: ipc_router: Flush xprt workqueue before removing routing table entry
During SSR removing the routing table entry before flushing the xprt
reader workqueue is allowing to add a duplicate routing table entry
again with removed xprt pointer and causing a xprt access after free.

Flush the xprt reader workqueue and free all pending packets from
the list before removing the routing table entry.

CRs-Fixed: 874846
Change-Id: I2f858252bb5f7a7b6382b42011ad524da3fffe87
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
2015-07-23 17:27:04 -07:00
Patrick Daly e5f04a7a62 net: ipc_router: Use optimized wakeup_source APIs
Improve port shutdown time by moving to APIs which use call_rcu() instead
of synchronize_rcu().

CRs-Fixed: 845110
Change-Id: Id762f2c4c296a2b1535c5b2a38f0f19ddad51ea4
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
2015-07-12 12:07:15 -07:00
Atish Kumar Patra 2c68ff0914 net: ipc_router: Add Optional header in IPC Router V2
Multicast Messaging from peripheral subsystems use optional header
to add additional information. Add support to handle optional
header in IPC Router V2 header.

Change-Id: I0fdeb63ddefa4f197c569fef70f9f6261760ec75
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>
2015-06-22 12:09:05 -06:00
Atish Kumar Patra baeaf0b61d net: ipc_router: Add write_space callback
Flow control events in IPC Router are posted through a resume_tx
message. For clients that prefer a callback approach, add support
for write_space callback to notify about the flow control events.
The resume_tx message is not posted for such clients.

Change-Id: Iae25fd78f190bc7aeb7311ece68b3be407a1f910
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>
2015-03-24 11:13:50 -06:00
Atish Kumar Patra 3da72c23d7 net: ipc_router: Fix socket reference in IPC Router
The socket associated with an IPC Router port can be released before
the port is released. This leads to a use after free bug in cases
where the socket is closed while a packet is in flight.

Fix the use after free scenario by holding a sock reference during
creation of the port and releasing that in release port function.

CRs-Fixed: 811335
Change-Id: I638cc59e3b4e2347107e5ac19f233b0f7b9dd7b0
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>
2015-03-23 13:04:20 -06:00
Atish Kumar Patra ae5f14f99f net: ipc_router: Modify IPC Router flow control algorithm
Currently IPC Router uses stop and wait flow control approach.

Update it to use a variant of sliding-window flow control. Send
the flow control request when the number of packets in flight
reaches the low watermark. Block the transmission when the number
of packets in flight reaches the high watermark.

Change-Id: Id52c02f6a9cd94e3a969f7bf65cba7a0d86a6841
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>
2015-03-11 14:16:22 -06:00
Linux Build Service Account 23b2376127 Merge "net: ipc_router: Add MSG_PEEK option to query packet size" 2015-03-03 08:50:57 -08:00
Linux Build Service Account fe72229496 Merge "net: ipc_router: Rectify the logging usage" 2015-02-28 17:17:03 -08:00
Atish Kumar Patra 85b3fa73a3 net: ipc_router: Add MSG_PEEK option to query packet size
Add MSG_PEEK flag handling support to enable clients to query
about an IPCRTR packet size through socket.

Change-Id: Ia8119ceeaba3a8b5a4ef6a0bdc9e6afacfc4a399
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>
2015-02-27 17:08:42 -07:00
Atish Kumar Patra 6e2fa211f8 net: ipc_router: Rectify the logging usage
Current ipc_logging usage by IPC Router violates the layering
and interprets the payload as QMI messages.

Fix this usage, by moving all the logging into IPC Router core and
log the first 8 bytes of payload without any interpretation.

Change-Id: Ie5b6e283728a9781797dcdbf793cdbc36aa889b6
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>
2015-02-24 19:22:32 -07:00
Atish Kumar Patra 3426c832bb net: ipc_router: Fix uninitialized variable warning
The data_ready function pointer is not initialized only if sk is NULL.
In that case, it is also not used. However, uninitialized-variable
checking may falsely cause a compiler warning.

Initialize the function pointer with NULL to avoid the compilation
issue.

Change-Id: I80500248acd769c77735273335ef8ad79c0ee0b6
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>
2015-02-02 17:31:50 -07:00
Atish Kumar Patra ff3f353bb9 net: ipc_router: Add data_ready callback support
Any client communicating over IPC Router via kernel sockets expects
a data_ready callback upon data reception.

Add data_ready callback to support data availability notification
for those clients.

Change-Id: Ie11e9da6179438020480ec5f6cbdbdf8836e587a
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>
2015-01-26 18:15:53 -07:00
Atish Kumar Patra f256c3914a net: ipc_router: Update debugfs to use seq_file
The debugfs module in ipc_router uses a buffer to dump the data.

Update the debugfs to use seq_files instead of buffers to dump the ipc
router related information.

Change-Id: I6b72c388a6e3ef330c97758f15d4d977fa8aabf7
Signed-off-by: Atish Kumar Patra <apatra@codeaurora.org>
2014-12-31 10:52:24 -07:00
Karthikeyan Ramasubramanian a8c42919a4 net: ipc_router: Create remote port before creating the server
During the server registration, remote port is created after the server.
This leads to a race condition where the client can resolve the server
address, but cannot send data to it because the remote port is not found.

Create the remote port before creating the server so that the resolved
server address is always found.

CRs-Fixed: 761229
Change-Id: I18e1e28b5bdef9dc3b17dfd23535587bb14f001c
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-11-21 17:36:50 -07:00
Karthikeyan Ramasubramanian 98d258fb57 net: ipc_router: Map the GIDs to user-namespace specific GIDs
If the namespaces are enabled, then userspace UID and GID can overlap while
they translate to different kernel UID and GID. Translate to the kernel
UID and GID by passing the calling process's namespace.

Also when the user-space process has root privileges, it will have
CAP_NET_RAW & CAP_NET_BIND_SERVICE capabilities by default. Hence remove
the redundant check for root privileges.

Change-Id: I4940193685bdfa518b7794e5980df186c5f3c2d4
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-10-29 11:47:58 -06:00
Karthikeyan Ramasubramanian 536cdf4fd0 net: ipc_router: Check for capabilities instead of group IDs
Permit the processes having CAP_NET_RAW or CAP_NET_BIND_SERVICE
capabilities to bind a service with IPC Router.

CRs-Fixed: 731805
Change-Id: Ie57d39d6c8252bc2238714558c4809aaa561494a
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-10-02 19:06:56 -06:00
Karthikeyan Ramasubramanian 68a165ecf3 net: ipc_router: Do not map server lookup mask
Mapping one lookup mask to another does not produce the client-expected
behavior during the server lookup operation. The existing clients of IPC
Router are specifying the lookup mask explicitly.

Do not map one server lookup mask to another.

Change-Id: I7e9190e8d0f93f0c4f92a45dd0d7f6ae1287b8b2
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-09-16 16:54:49 -06:00
Linux Build Service Account 4921fb2006 Merge "net: ipc_router: Add support for blocking send" 2014-09-15 21:04:09 -07:00
Linux Build Service Account d571647282 Merge "net: ipc_router: Update the receive operation to be blocking by default" 2014-09-15 21:04:07 -07:00
Linux Build Service Account 9a12539569 Merge "net: ipc_router: Add support for connect system call" 2014-09-15 21:04:06 -07:00
Linux Build Service Account 65f462d6a1 Merge "net: ipc_router: Create remote port information for local connection" 2014-09-15 21:04:04 -07:00
Karthikeyan Ramasubramanian e6b4403d6c net: ipc_router: Add support for blocking send
Add support for blocking sends that enables the sender to wait for
the resume transmit signal from a remote endpoint.

Change-Id: Id7a27ccda4d07b14a81e1a4ec4429785df3c31c6
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-09-11 16:02:28 -06:00
Karthikeyan Ramasubramanian 3b7149ac47 net: ipc_router: Update the receive operation to be blocking by default
Update the receive operation to be blocking by default and use MSG_DONTWAIT
flag to enable non-blocking receive operation.

Change-Id: I4d460ac3a57cbca4bd9756b42326805927d601ff
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-09-11 16:02:18 -06:00
Karthikeyan Ramasubramanian 225f4ea2c8 net: ipc_router: Add support for connect system call
Enable support for connect system call, so that the destination address is
stored as part of the port. Subsequently the clients of IPC Router can use
send and recv system calls in addition to sendto and recvfrom.

Reset any connection between the local port and remote port if the remote
port exits either voluntarily or due to subsystem restart.

Change-Id: Icf45934a1fc9d01ff96f2a7a47359b66ac22ccbd
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-09-11 16:02:12 -06:00
Karthikeyan Ramasubramanian 6708b21b10 net: ipc_router: Create remote port information for local connection
The intra-processor communication bypasses the flow control and access
control logic. Add remote port information for the endpoints in a fully
local connection, so that both flow control and access control can be
supported for such connections.

Change-Id: Id93ceea8907dd44acf41d0c6e960114c4d59024d
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-09-11 16:01:59 -06:00
Karthikeyan Ramasubramanian 6e2c6d23a1 net: ipc_router: Allocate platform device using platform_device_alloc
Currently platform_device for a service is part of the server structure and
is allocated when the concerned server structure is allocated. This leads
to a problem when the server structure is freed while a reference to the
platform device is held by another thread.

Do not embed the platform device as part of the server structure and
allocate it using platform_device_alloc helper function.

CRs-Fixed: 720408
Change-Id: Ibda50de5b0439417615e40c3f8a8b3a12f7215d6
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-09-05 17:17:04 -06:00
Karthikeyan Ramasubramanian 3cf40b0eda net: ipc_router: Reference count server
Every time a server is searched and then accessed, a global lock is
used to protect the access for its entire duration.

Define a reference element in the server. Get a reference to the server
every time it is searched and accessed. Put the reference back once the
access is complete. Release the server when the reference count is zero.

Change-Id: Ice11a6d3ef86c3c49b43d8c7b6c04df260dca28c
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-08-19 09:40:21 -06:00
Linux Build Service Account c0f0886148 Merge "net: ipc_router: Use kernel internal uid and gid" 2014-08-09 14:58:13 -07:00
Karthikeyan Ramasubramanian d6a2da9b70 net: ipc_router: Use kernel internal uid and gid
Kernel UID and GID types are converted from integer to a structure
containing a value. Currently this conversion is protected using
UIDGID_STRICT_TYPE_CHECKS kernel config item.

Start using kernel uid and gid types to avoid any potential compilation
issues.

Change-Id: Ic52c4a75fc7250ece2908add8a7fa88ec253d78a
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-08-07 17:45:54 -06:00
Karthikeyan Ramasubramanian 8f1eda0471 net: ipc_router: Reference count local port
Every time a port is searched and then accessed, a global lock is
used to protect the port for the entire duration of the access.

Define a reference element in the port. Get a reference to the port
every time it is searched and accessed. Put the reference back once the
access is complete. Release the port when the reference count is zero.

Update the lock hierarchies so that the changes do not cause out of order
locking.

Change-Id: Ie5ccb50d6f952ff94c8408b42d51e0d207b06b24
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-08-04 11:31:08 -06:00
Karthikeyan Ramasubramanian 6b7e004d0e net: ipc_router: Reference count routing table entries and remote ports
Every time a routing table entry or a remote port is searched and then
accessed, a global lock is used to protect the access for its entire
duration.

Define a reference element in the concerned structure. Get a reference
to the entry every time it is searched and accessed. Put the reference back
once the access is complete. Release the data structure when the reference
count is zero.

Change-Id: I95312e4903167dda50c83ecf2e2a409b9dcbf6bd
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-07-30 17:32:41 -06:00
Linux Build Service Account 9ad81504e1 Merge "net: ipc_router: Fix the race condition during SSR" 2014-07-24 21:52:55 -07:00
Karthikeyan Ramasubramanian 6912d7f006 net: ipc_router: Register the service with "SVC" prefix
Since IPC Router is used for non-QMI message communication purposes, add
"SVC" prefix to the service name instead of "QMI" prefix.

Change-Id: I5c97d6e4652df3c365e45d8b636bb63b798bdda8
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-07-21 16:58:51 -06:00
Karthikeyan Ramasubramanian 7de90e70c7 net: ipc_router: Fix the race condition during SSR
During subsystem restart, SMD XPRT state is checked after starting the
write operation on a SMD channel. The channel state is different from its
corresponding XPRT state. This causes a writer to start the write operation
and then abort it, since the channel is not in reset state and the XPRT is
in reset state. This in turn causes the channel to be busy.

Check the XPRT state first before performing the write operation on its
corresponding channel. Remove the XPRT from the XPRT list at the earliest
possible, so that any write operation on a reset XPRT is avoided.

Change-Id: Id97870d4d6dae2d778fe0b4f39fc5265ffcaa51b
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-07-21 16:56:38 -06:00
Linux Build Service Account 668164c6bd Merge "net: ipc_router: Initialize IPC Router on a first interface attempt" 2014-07-15 21:45:09 -07:00
Karthikeyan Ramasubramanian 3ae3cf658c net: ipc_router: Handle error condition
If a message buffer cannot be returned due to allocation failure, then
return appropriate error code.

Change-Id: I39bbf857c1aa6e302ea0af8c9a144002edb38d29
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-07-15 16:57:05 -06:00
Karthikeyan Ramasubramanian 13fd2e4ace net: ipc_router: Initialize IPC Router on a first interface attempt
The clients of IPC Router are initialized and they attempt to interface
with IPC Router before it is initialized. The clients are blocked until
the IPC Router is initialized. Instead initialize IPC Router on a first
interface attempt.

Change-Id: I7e4d4eb837e9d04df1ec9f1d0b03703d0ba5b061
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2014-07-15 16:16:58 -06:00
Linux Build Service Account e23a6878e0 Merge "net: ipc_router: Reorganize reader work item" 2014-06-23 20:15:57 -07:00