# Copyright 2020 syzkaller project authors. All rights reserved. # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Findings on qrtr rpmsg and mhi interface (with drivers implemented in 'smd.c' and 'mhi.c' under '$KERNEL_SRC/net/qrtr/') # The investigation is done using Linux 5.8-rc1 with following configs set: # - CONFIG_QRTR, CONFIG_QRTR_SMD, CONFIG_QRTR_TUN, CONFIG_QRTR_MHI, CONFIG_RPMSG, # CONFIG_RPMSG_CHAR, CONFIG_RPMSG_QCOM_GLINK_NATIVE, CONFIG_RPMSG_QCOM_GLINK_RPM, # CONFIG_RPMSG_VIRTIO # No additional device file was found in running kernel under '/dev/', and no device # was found under '/sys/bus/rpmsg/devices/'. # All examples found involve additional hardware assumptions. # The conclusion is that the testing of those subsystems relies on some hardware, # hence, not tested at this time. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # include include include include # QIPCRTR sockets resource sock_qrtr[sock] # 1 stands for qrtr_local_nid, -1 stands for QRTR_EP_NID_AUTO qrtr_nodes = QRTR_NODE_BCAST, -1, 0, 1, 2, 3, 4 # 0x4000 and 0x7fff stands for QRTR_MIN_EPH_SOCKET and QRTR_MAX_EPH_SOCKET, respectively qrtr_ports = QRTR_PORT_CTRL, 0x3fff, 0x4000, 0x4001, 0x7ffe, 0x7fff, 0x8000, 0, 1, 2 sockaddr_qrtr { sq_family const[AF_QIPCRTR, int16] sq_node flags[qrtr_nodes, int32] sq_port flags[qrtr_ports, int32] } socket$qrtr(domain const[AF_QIPCRTR], type const[SOCK_DGRAM], proto const[0]) sock_qrtr bind$qrtr(fd sock_qrtr, addr ptr[in, sockaddr_qrtr], addrlen len[addr]) connect$qrtr(fd sock_qrtr, addr ptr[in, sockaddr_qrtr], addrlen len[addr]) getsockname$qrtr(fd sock_qrtr, addr ptr[out, sockaddr_qrtr], addrlen ptr[inout, len[addr, int32]]) getpeername$qrtr(fd sock_qrtr, peer ptr[out, sockaddr_qrtr], peerlen ptr[inout, len[peer, int32]]) # ioctls ioctl$sock_qrtr_TIOCOUTQ(fd sock_qrtr, cmd const[TIOCOUTQ], arg ptr[out, int64]) ioctl$sock_qrtr_TIOCINQ(fd sock_qrtr, cmd const[TIOCINQ], arg ptr[out, int64]) ioctl$sock_qrtr_SIOCGIFADDR(fd sock_qrtr, cmd const[SIOCGIFADDR], arg ptr[out, ifreq_t[sockaddr_qrtr]]) # sendmsg, recvmsg, [send|recv]_msghdr sendmsg$qrtr(fd sock_qrtr, msg ptr[in, send_msghdr_qrtr], msglen len[msg]) recvmsg$qrtr(fd sock_qrtr, msg ptr[inout, recv_msghdr_qrtr], msglen len[msg], f flags[recv_flags]) send_msghdr_qrtr { addr ptr[in, sockaddr_qrtr, opt] addrlen len[addr, int32] vec ptr[in, array[iovec_in]] vlen len[vec, intptr] ctrl ptr[in, array[cmsghdr], opt] ctrllen bytesize[ctrl, intptr] f flags[send_flags, int32] } recv_msghdr_qrtr { addr ptr[out, sockaddr_qrtr, opt] addrlen len[addr, int32] vec ptr[in, array[iovec_out]] vlen len[vec, intptr] ctrl ptr[out, array[cmsghdr], opt] ctrllen bytesize[ctrl, intptr] f flags[recv_flags, int32] }