Merge android13-gs-pixel-5.10-tm-qpr3 into android13-gs-pixel-5.10-udc

SBMerger: 478053055
Change-Id: Ie6274f45c99e69274a0c7cc3f79b6aeed2c2ed2c
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
diff --git a/kernel/drivers/net/ieee802154/dw3000_debugfs.c b/kernel/drivers/net/ieee802154/dw3000_debugfs.c
index c2f6b2d..33b88c1 100644
--- a/kernel/drivers/net/ieee802154/dw3000_debugfs.c
+++ b/kernel/drivers/net/ieee802154/dw3000_debugfs.c
@@ -762,10 +762,12 @@
  */
 void dw3000_debugfs_remove(struct dw3000 *dw)
 {
-	struct dw3000_debugfs_file *cur;
-
-	list_for_each_entry (cur, &dw->debugfs.dbgfile_list, ll) {
+	while (!list_empty(&dw->debugfs.dbgfile_list)) {
+		struct dw3000_debugfs_file *cur =
+			list_first_entry(&dw->debugfs.dbgfile_list,
+					struct dw3000_debugfs_file, ll);
 		debugfs_remove(cur->file);
+		list_del(&cur->ll);
 		kfree(cur);
 	}
 
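Review bot: The rewritten loop at the `while (!list_empty(&dw->debugfs.dbgfile_list))` line is correct, but the kernel idiom for freeing entries while walking a list is `list_for_each_entry_safe(cur, tmp, &dw->debugfs.dbgfile_list, ll)` with the same `debugfs_remove`/`list_del`/`kfree` body, which reads as the conventional pattern and avoids re-deriving the first entry on every iteration. Either form is fine; if the drain-the-list form is kept, a one-line comment such as `/* Pop entries one at a time: each iteration frees the node it unlinks. */` would explain why the list is drained rather than iterated. No lock is taken in the hunk, so whether the list can be modified concurrently with this teardown should be confirmed against the add path; that is not visible here. `dw3000_debugfs_remove` continues past the end of the hunk.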
diff --git a/kernel/drivers/net/ieee802154/dw3000_mcps.c b/kernel/drivers/net/ieee802154/dw3000_mcps.c
index 8c7c5c2..f1810a7 100644
--- a/kernel/drivers/net/ieee802154/dw3000_mcps.c
+++ b/kernel/drivers/net/ieee802154/dw3000_mcps.c
@@ -1488,8 +1488,9 @@
 {
 	dev_dbg(dw->dev, "%s called\n", __func__);
 	if (dw->llhw) {
-		mcps802154_free_llhw(dw->llhw);
+		struct mcps802154_llhw *llhw = dw->llhw;
 		dw->llhw = NULL;
+		mcps802154_free_llhw(llhw);
 	}
 }
 
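Review bot: Clearing `dw->llhw` before `mcps802154_free_llhw(llhw)` looks like it is meant to keep other code from dereferencing the pointer during teardown, but a plain store gives no ordering or exclusion against a concurrent reader, and nothing in the hunk shows a lock or barrier. If that is the intent, it should be stated and its precondition made explicit, e.g. `/* Publish NULL before freeing so late callers see no llhw rather than a freed one; callers are assumed to be quiesced by this point. */`, and the assumption confirmed against the paths that read `dw->llhw`. The enclosing function's signature is above the hunk.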
diff --git a/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c b/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c
index db6f253..18b74be 100644
--- a/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c
+++ b/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c
@@ -33,6 +33,7 @@
 #define TLV_U32_LEN (4 + 1) /* u32 + ack/nack. */
 #define TLV_SLOTS_LEN(nbslots) \
 	(1 + (8 * (nbslots)) + 1) /* nslots + slots + ack/nack. */
+#define TLV_SLOTS_LIST_SIZE_MAX (1 + (8 * (TLV_MAX_NB_SLOTS)))
 #define MSG_NEXT_TLV(buffer, offset) \
 	(struct dw3000_nfcc_coex_tlv *)((buffer)->msg.tlvs + (offset))
 
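Review bot: The new `TLV_SLOTS_LIST_SIZE_MAX` is the only macro in this group without a trailing comment, and its relationship to `TLV_SLOTS_LEN()` just above is easy to misread: it covers `nslots + slots` but, unlike `TLV_SLOTS_LEN`, not the ack/nack byte. Suggest `#define TLV_SLOTS_LIST_SIZE_MAX (1 + (8 * (TLV_MAX_NB_SLOTS))) /* nslots + slots, without ack/nack. */` so the two cannot be confused. `TLV_MAX_NB_SLOTS` is defined outside the hunk.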
@@ -272,6 +273,9 @@
 			/* Reject a new TLV with same type. Behavior not defined. */
 			if (slot_list)
 				return -EINVAL;
+			/* Check if the tlv size isn't exceeding the list max size */
+			if (tlv->len > TLV_SLOTS_LIST_SIZE_MAX)
+				return -EINVAL;
 			slot_list = (const struct dw3000_nfcc_coex_tlv_slot_list
 					     *)&tlv->tlv;
 			/* Update rx_msg_info. */
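Review bot: The new `tlv->len > TLV_SLOTS_LIST_SIZE_MAX` check bounds the upper size of the slot list, but it does not establish that `tlv->len` is at least 1 so that the count byte exists, nor that the count the parser later reads from `slot_list` is consistent with `tlv->len`; whether a later consumer cross-checks the count against the length is not visible here. If `tlv->len` includes the ack/nack byte that `TLV_SLOTS_LEN()` counts, a full-size list is one byte over the new limit and would be rejected, so the unit of `tlv->len` should be confirmed. Consider `if (tlv->len < 1 || tlv->len > TLV_SLOTS_LIST_SIZE_MAX) return -EINVAL;` here, and, where the list is consumed, a check that `1 + 8 *` the list's slot-count field (whatever it is named in `struct dw3000_nfcc_coex_tlv_slot_list`) does not exceed `tlv->len`. The enclosing function starts above the hunk.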
diff --git a/mac/fira_frame.c b/mac/fira_frame.c
index 7feabc1..6ebefbe 100644
--- a/mac/fira_frame.c
+++ b/mac/fira_frame.c
@@ -273,7 +273,7 @@
 	const struct fira_ranging_info *ranging_info =
 		&local->ranging_info[slot->ranging_index];
 	bool tof_present, aoa_azimuth_present, aoa_elevation_present,
-		aoa_fom_present;
+		aoa_fom_present, neg_tof_present;
 	u8 *p;
 
 	tof_present = ranging_info->tof_present && params->report_tof;
@@ -284,12 +284,13 @@
 	aoa_fom_present = (ranging_info->local_aoa_azimuth.aoa_fom ||
 			   ranging_info->local_aoa_elevation.aoa_fom) &&
 			  params->report_aoa_fom;
+	neg_tof_present = tof_present && (ranging_info->tof_rctu < 0);
 
 	p = fira_frame_common_payload_put(
 		skb,
 		FIRA_IE_PAYLOAD_RESULT_REPORT_LEN(
 			tof_present, aoa_azimuth_present, aoa_elevation_present,
-			aoa_fom_present),
+			aoa_fom_present, neg_tof_present),
 		FIRA_MESSAGE_ID_RESULT_REPORT);
 
 	*p++ = FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_TOF_PRESENT, tof_present) |
@@ -298,7 +299,9 @@
 	       FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_AOA_ELEVATION_PRESENT,
 			  aoa_elevation_present) |
 	       FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_AOA_FOM_PRESENT,
-			  aoa_fom_present);
+			  aoa_fom_present) |
+		   FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_NEG_TOF_PRESENT,
+			  neg_tof_present);
 
 	if (tof_present) {
 		put_unaligned_le32(
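Review bot: The two added `FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_NEG_TOF_PRESENT, ...)` lines are indented with a tab plus spaces, while the existing continuation operands above (`FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_AOA_FOM_PRESENT, ...)`) align with a tab plus a different run of spaces, so the new operand sits at a different column from its siblings. Align it to match the other `FIELD_PREP` operands in the expression. Style only; the encoded control byte is unaffected.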
@@ -323,6 +326,10 @@
 			p++;
 		}
 	}
+	if (neg_tof_present) {
+		put_unaligned_le32(-ranging_info->tof_rctu, p);
+		p += sizeof(u32);
+	}
 }
 
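Review bot: The new `if (neg_tof_present)` block writes `-ranging_info->tof_rctu` as a trailing u32, yet the `if (tof_present)` field a few lines above is still emitted (its `put_unaligned_le32` argument lies outside the hunk). The receiving side in this same patch comments that the regular ToF field "MUST be 0" when the negative field is present, so the sender should write 0 into the regular field in that case and the contract should be stated here, e.g. `/* Negative ToF: the regular ToF field carries 0, the magnitude goes in the trailing NEG_TOF field. */`; if the regular field still carries the raw negative value, the two fields disagree on the wire. Worth confirming which value the earlier `put_unaligned_le32` uses.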
 void fira_frame_rframe_payload_put(struct fira_local *local,
@@ -660,7 +667,7 @@
 		tof_rctu =
 			((s32)remote_round_trip_rctu - adjusted_reply_rctu) / 2;
 	}
-	ranging_info->tof_rctu = tof_rctu > 0 ? tof_rctu : 0;
+	ranging_info->tof_rctu = (!slot->controller_tx) ? -tof_rctu : tof_rctu;
 	ranging_info->tof_present = true;
 
 	session->controlee.hopping_mode = hopping_mode;
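Review bot: The changed line drops the old clamp `tof_rctu > 0 ? tof_rctu : 0`, so `ranging_info->tof_rctu` can now be negative and is additionally sign-flipped when `!slot->controller_tx`, and neither the role-dependent negation nor the change in value range is explained. Any consumer that treated `tof_rctu` as non-negative (distance computation, conversion to an unsigned wire field, reporting) needs checking, which is not visible from this hunk. Suggest a comment on the line such as `/* Sign depends on role (controller vs controlee): <reason>. Negative ToF is now reported via the NEG_TOF field instead of being clamped to 0. */`, with the placeholder replaced by the actual rationale. The enclosing function begins above the hunk.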
@@ -729,7 +736,7 @@
 	struct fira_ranging_info *ranging_info =
 		&local->ranging_info[slot->ranging_index];
 	u8 control;
-	bool tof_present, aoa_azimuth_present, aoa_elevation_present,
+	bool tof_present, neg_tof_present, aoa_azimuth_present, aoa_elevation_present,
 		aoa_fom_present;
 
 	control = *p++;
@@ -740,9 +747,10 @@
 		!!(control & FIRA_RESULT_REPORT_CONTROL_AOA_ELEVATION_PRESENT);
 	aoa_fom_present =
 		!!(control & FIRA_RESULT_REPORT_CONTROL_AOA_FOM_PRESENT);
+	neg_tof_present = !!(control & FIRA_RESULT_REPORT_CONTROL_NEG_TOF_PRESENT);
 	if (ie_len < FIRA_IE_PAYLOAD_RESULT_REPORT_LEN(
 			     tof_present, aoa_azimuth_present,
-			     aoa_elevation_present, aoa_fom_present))
+			     aoa_elevation_present, aoa_fom_present, neg_tof_present))
 		return false;
 
 	if (tof_present) {
@@ -760,6 +768,13 @@
 		ranging_info->remote_aoa_elevation_pi = get_unaligned_le16(p);
 		p += sizeof(s16);
 	}
+	if (neg_tof_present) {
+		/* When negative ToF is present at end of frame,
+		 * ToF read ahead MUST be 0, so, is safe to overwrite */
+		ranging_info->tof_rctu = -get_unaligned_le32(p);
+		p += sizeof(u32);
+	}
+
 	if (aoa_fom_present) {
 		ranging_info->remote_aoa_fom_present = true;
 		if (aoa_azimuth_present)
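Review bot: The new `if (neg_tof_present)` block trusts the peer's control byte: nothing rejects a frame that sets NEG_TOF_PRESENT without TOF_PRESENT, and the comment asserts the earlier ToF field "MUST be 0" but the parser never checks it, so a frame carrying both a non-zero ToF and a negative ToF is accepted with the second value silently winning. The sender in this patch only sets the flag together with `tof_present`, so the receiver can enforce the same invariant cheaply: `if (neg_tof_present && !tof_present) return false;` before the length check, and optionally `if (neg_tof_present && ranging_info->tof_rctu != 0) return false;` before the overwrite. The comment should then describe what the parser guarantees rather than what the peer is expected to do, e.g. `/* A negative ToF is carried as a trailing magnitude; it replaces the regular ToF field read above. */`. The enclosing function starts above the hunk.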
@@ -795,7 +810,7 @@
 				continue;
 
 			if (ie_get->len < FIRA_IE_PAYLOAD_RESULT_REPORT_LEN(
-						  false, false, false, false))
+						  false, false, false, false, false))
 				return false;
 			message_id = (*p++) & 0xf;
 			if (message_id != FIRA_MESSAGE_ID_RESULT_REPORT)
diff --git a/mac/fira_frame.h b/mac/fira_frame.h
index f37620f..7adf39c 100644
--- a/mac/fira_frame.h
+++ b/mac/fira_frame.h
@@ -53,11 +53,12 @@
 	 4 * (reply_time_present) + 6 * (n_reply_time))
 #define FIRA_IE_PAYLOAD_RESULT_REPORT_LEN(tof_present, aoa_azimuth_present, \
 					  aoa_elevation_present,            \
-					  aoa_fom_present)                  \
+					  aoa_fom_present, neg_tof_present)                  \
 	(FIRA_IE_VENDOR_OUI_LEN + 2 + 4 * (tof_present) +                   \
 	 2 * (aoa_azimuth_present) + 2 * (aoa_elevation_present) +          \
 	 (aoa_fom_present) *                                                \
-		 (1 * (aoa_azimuth_present) + 1 * (aoa_elevation_present)))
+		 (1 * (aoa_azimuth_present) + 1 * (aoa_elevation_present)) +		\
+	4 * (neg_tof_present))
 
 #define FIRA_MIC_LEVEL 64
 #define FIRA_MIC_LEN (FIRA_MIC_LEVEL / 8)
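Review bot: The continuation lines added to `FIRA_IE_PAYLOAD_RESULT_REPORT_LEN` break the column alignment of the `\` terminators that the rest of the macro keeps: the `aoa_fom_present, neg_tof_present)` line carries trailing spaces past the column, and the `+ 4 * (neg_tof_present))` lines use tabs. Re-align the backslashes to the existing column so the macro reads as one block. Style only; the extra `4 * (neg_tof_present)` matches the single u32 the sender appends when the flag is set.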
@@ -88,6 +89,7 @@
 #define FIRA_RESULT_REPORT_CONTROL_AOA_AZIMUTH_PRESENT (1 << 1)
 #define FIRA_RESULT_REPORT_CONTROL_AOA_ELEVATION_PRESENT (1 << 2)
 #define FIRA_RESULT_REPORT_CONTROL_AOA_FOM_PRESENT (1 << 3)
+#define FIRA_RESULT_REPORT_CONTROL_NEG_TOF_PRESENT (1 << 4)
 
 /**
  * fira_frame_check_n_controlees() - Check the number of wanted
diff --git a/mac/fira_region_call.c b/mac/fira_region_call.c
index 8e324aa..1438d4b 100644
--- a/mac/fira_region_call.c
+++ b/mac/fira_region_call.c
@@ -306,6 +306,9 @@
 	GET_ANTENNA(step_attrs[STEP_ATTR(TX_ANT_SET_RANGING)],
 		    step->tx_ant_set_ranging);
 
+	if (!step_attrs[STEP_ATTR(RX_ANT_SETS_RANGING)])
+		return -EINVAL;
+
 	r = nla_parse_nested(rx_ant_sets_attrs, ASR_ATTR(MAX),
 			     step_attrs[STEP_ATTR(RX_ANT_SETS_RANGING)],
 			     rx_ant_sets_ranging_policy, info->extack);
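Review bot: The new `if (!step_attrs[STEP_ATTR(RX_ANT_SETS_RANGING)]) return -EINVAL;` correctly stops a NULL attribute from reaching `nla_parse_nested`, but it returns without an extack message even though the parse call just below already receives `info->extack`, so user space gets a bare EINVAL with no indication of which attribute is missing. Consider `NL_SET_ERR_MSG(info->extack, "rx_ant_sets_ranging attribute is missing");` before the return. The same applies to the `if (!params)` check added in mac/nfcc_coex_region_call.c. The enclosing function starts above the hunk.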
diff --git a/mac/include/net/fira_region_params.h b/mac/include/net/fira_region_params.h
index 9cade01..bd4f650 100644
--- a/mac/include/net/fira_region_params.h
+++ b/mac/include/net/fira_region_params.h
@@ -28,7 +28,7 @@
 
 #define FIRA_VUPPER64_SIZE 8
 #define FIRA_STS_VUPPER64_OFFSET 8
-#define FIRA_KEY_SIZE_MAX 32
+#define FIRA_KEY_SIZE_MAX 16
 #define FIRA_KEY_SIZE_MIN 16
 #define FIRA_CONTROLEES_MAX 8
 #define FIRA_RX_ANTENNA_PAIR_INVALID 0xff
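Review bot: Lowering `FIRA_KEY_SIZE_MAX` from 32 to 16 makes it equal to `FIRA_KEY_SIZE_MIN`, so any buffer declared with `FIRA_KEY_SIZE_MAX` shrinks to 16 bytes; every copy into such a buffer must be bounded by the same macro (or by a length already validated against it), otherwise a 32-byte key that the old range accepted would now overrun the array. Which validations and buffers depend on this constant is not visible in the hunk and should be checked across the tree. If the intent is that only 128-bit keys are supported, say so next to the define: `#define FIRA_KEY_SIZE_MAX 16 /* Only 128-bit keys are supported. */`.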
diff --git a/mac/nfcc_coex_region_call.c b/mac/nfcc_coex_region_call.c
index 743b581..a7e63cd 100644
--- a/mac/nfcc_coex_region_call.c
+++ b/mac/nfcc_coex_region_call.c
@@ -68,6 +68,9 @@
 		(S32_MAX * NS_PER_SECOND) / local->llhw->dtu_freq_hz;
 	int r;
 
+	if (!params)
+		return -EINVAL;
+
 	r = nla_parse_nested(attrs, NFCC_COEX_CCC_SESSION_PARAM_ATTR_MAX,
 			     params, nfcc_coex_session_param_nla_policy,
 			     info->extack);