rmnet_data netlink handler currently does not check for the
incoming process pid and instead just loops back the pid.
A malicious root user could potentially send a message with
source pid 0 and this could cause rmnet_data to loop the message
back till an out of memory situation occurs.
rmnet_data also does not check for the message length of the
incoming netlink messages and instead casts the netlink message
without checking for the boundary.
Fix these two scenarios by adding the pid and message length checks
respectively.
Bug: 31252965
CRs-Fixed: 1098801
Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Whenever handling a force-unassociate, make sure the device is closed
before freeing the logical endoint configuration. Whenever the endpoint
config is cleared, the egress device is set to null. This can cause null
pointer dereference if the endpoint config is cleared at the same time a
packet is being transmitted.
[ 479.906025] [RMNET:HI] rmnet_config_notify_cb(): Kernel is trying to un
register rmnet_ipa0
[ 479.913428] Unable to handle kernel NULL pointer dereference at virtual
address 000002c0
[ 480.068123] [<ffffffc000c73608>] rmnet_egress_handler+0x30/0x2bc
[ 480.074109] [<ffffffc000c728e8>] rmnet_vnd_start_xmit+0x108/0x13c
[ 480.080192] [<ffffffc000ae42ec>] dev_hard_start_xmit+0x260/0x484
[ 480.086178] [<ffffffc000afd390>] sch_direct_xmit+0x68/0x198
[ 480.091732] [<ffffffc000afd5b0>] __qdisc_run+0xf0/0x140
[ 480.096938] [<ffffffc000ae4794>] dev_queue_xmit+0x284/0x400
Change-Id: Ib87b123dc565b087374dfde6d3c40ddccf2a257d
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Add a call to unregister_netdevice_notifier in rmnet_config_exit,
and fix some compilation warnings.
CRs-Fixed: 633585
Change-Id: I0e61c5460b927c3348f4e9815bbd9f842488f14d
Acked-by: Sivan Reinstein <sivanr@qti.qualcomm.com>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Added support for RMNET_NETLINK_GET_LOGICAL_EP_CONFIG
and RMNET_NETLINK_GET_NETWORK_DEVICE_ASSOCIATED in the
rmnet_data configuration module.
CRs-fixed: 599231
Change-Id: Ib5eeb4a37f80a4df19cb3c1ef02ec477f5445740
Acked-by: David Arinzon <darinzon@qti.qualcomm.com>
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Clear out VNDs which have their egress device pointing to an interface
which is trying to unregister from the network stack. Required to prevent
systems hangs on unexpected shutdown/reboot of the device.
CRs-Fixed: 638324
Change-Id: I406270fee9feb1f9673b3391ce51c11e8e6c9d81
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Logging macros now enforce that function names are printed, and
newlines are inserted at the end. The start of log messages are
now standardize.
CRs-Fixed: 600629
Change-Id: I91dae00c331af80954b93eba1f7be2889c569276
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Added new parameter tail_spacing to
RMNET_NETLINK_SET_LINK_INGRESS_DATA_FORMAT in order to support
an additional fixed padding on packets. Required to support RNDIS
tethering.
CRs-Fixed: 579184
Change-Id: I58bbbfbaa68a28b25a96f52b04165285de9c24ef
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Gracefully handle device unregister notifications. Cleans
up any logical endpoints configured on a physical devices
and then unassociates it. Required to prevent crash if
references are held too long.
CRs-Fixed: 596227
Change-Id: I02d08e07e74510b7a8dffbefa99e651e0100db23
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Cleaned up refcount on get_dev_by_name.
Added new APIs to support cleanup of configuration and virtual devices.
Added explicit reference managment in association/un-association
and when setting/unsetting logical EP.
CRs-Fixed: 596227
Change-Id: Ic67bb649b0f0420d9a1e4bf5664ed63c0ff7d8bf
Signed-off-by: Harout Hadeshian <harouth@codeaurora.org>
Implement MAP based in-band flow control. Added 2 new configuration
messages to allow adding and deleting flow handles. Added handlers
in VND for flow control events. Added flow control command handler
in rmnet_map_commands.
CRs-fixed: 568534
Change-Id: Ica52e4ad89430c9fa5e2b38e389ee6bc91de2e9b
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Run-time user space components can now specify virtual network device
name prefix at device creation. This will be used to support legacy
data services.
CRs-Fixed: 555507
Change-Id: Id34c2761f2060e66b05c521304d5151620ba5665
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
RmNet Data driver provides a transport agnostic MAP (multiplexing and
aggregation protocol) support in embedded and bridge modes. Module
provides virtual network devices which can be attached to any IP-mode
physical device. This will be used to provide all MAP functionality
on future hardware in a single consistent location.
CRs-Fixed: 525675
Change-Id: I739947c9c3de008974dd485a74e9953ba2cbb75e
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Subash Abhinov Kasiviswanathan