authorPixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com>2022-12-11 18:50:17 -0800
committerSecurityBot <android-nexus-securitybot@system.gserviceaccount.com>2022-12-11 18:50:17 -0800
commit9c5cf3293956e0181ac0d34cfc4497115b55d1c0 (patch)
tree2a1279f46e3607e8a8d218e9a9b567946daed705
parent7ca13b348653434fc1ac8da2bfc3139a4f52cc8e (diff)
parent3e200394469859e6354dda115cbf557229d82363 (diff)
downloaduwb-9c5cf3293956e0181ac0d34cfc4497115b55d1c0.tar.gz
SBMerger: 478053055 Change-Id: Ie6274f45c99e69274a0c7cc3f79b6aeed2c2ed2c Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
-rw-r--r--kernel/drivers/net/ieee802154/dw3000_debugfs.c8
-rw-r--r--kernel/drivers/net/ieee802154/dw3000_mcps.c3
-rw-r--r--kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c4
-rw-r--r--mac/fira_frame.c29
-rw-r--r--mac/fira_frame.h6
-rw-r--r--mac/fira_region_call.c3
-rw-r--r--mac/include/net/fira_region_params.h2
-rw-r--r--mac/nfcc_coex_region_call.c3
8 files changed, 44 insertions, 14 deletions
diff --git a/kernel/drivers/net/ieee802154/dw3000_debugfs.c b/kernel/drivers/net/ieee802154/dw3000_debugfs.c
index c2f6b2d..33b88c1 100644
--- a/kernel/drivers/net/ieee802154/dw3000_debugfs.c
+++ b/kernel/drivers/net/ieee802154/dw3000_debugfs.c
@@ -762,10 +762,12 @@ int dw3000_debugsfs_init(struct dw3000 *dw)
*/
void dw3000_debugfs_remove(struct dw3000 *dw)
{
- struct dw3000_debugfs_file *cur;
-
- list_for_each_entry (cur, &dw->debugfs.dbgfile_list, ll) {
+ while (!list_empty(&dw->debugfs.dbgfile_list)) {
+ struct dw3000_debugfs_file *cur =
+ list_first_entry(&dw->debugfs.dbgfile_list,
+ struct dw3000_debugfs_file, ll);
debugfs_remove(cur->file);
+ list_del(&cur->ll);
kfree(cur);
}
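Review bot: The rewritten loop in dw3000_debugfs_remove() has no comment saying why plain iteration was replaced, and the reason is a memory-safety one: `list_for_each_entry` reads `cur->ll.next` after the body has already called `kfree(cur)`. A one-line comment above the `while`, such as `/* Pop entries one by one: the iterator must not touch a node after kfree(). */`, would keep a later cleanup from restoring the old form. `list_for_each_entry_safe` would be the more familiar kernel idiom for the same job. The function body continues past the end of the hunk.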
diff --git a/kernel/drivers/net/ieee802154/dw3000_mcps.c b/kernel/drivers/net/ieee802154/dw3000_mcps.c
index 8c7c5c2..f1810a7 100644
--- a/kernel/drivers/net/ieee802154/dw3000_mcps.c
+++ b/kernel/drivers/net/ieee802154/dw3000_mcps.c
@@ -1488,8 +1488,9 @@ void dw3000_mcps_free(struct dw3000 *dw)
{
dev_dbg(dw->dev, "%s called\n", __func__);
if (dw->llhw) {
- mcps802154_free_llhw(dw->llhw);
+ struct mcps802154_llhw *llhw = dw->llhw;
dw->llhw = NULL;
+ mcps802154_free_llhw(llhw);
}
}
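Review bot: The new ordering in dw3000_mcps_free() has no comment explaining it, and nothing in the hunk shows what serialises other readers of `dw->llhw`. If `dw` lives inside the allocation released by mcps802154_free_llhw() (not visible here), the old order wrote to freed memory and the new order is the fix; a comment like `/* Clear the pointer first: dw must not be touched once llhw is freed. */` would record that. If the intent is instead to hide the pointer from concurrent users, the plain store gives no ordering guarantee, and the comment should name the lock that protects this path.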
diff --git a/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c b/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c
index db6f253..18b74be 100644
--- a/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c
+++ b/kernel/drivers/net/ieee802154/dw3000_nfcc_coex_msg.c
@@ -33,6 +33,7 @@
#define TLV_U32_LEN (4 + 1) /* u32 + ack/nack. */
#define TLV_SLOTS_LEN(nbslots) \
(1 + (8 * (nbslots)) + 1) /* nslots + slots + ack/nack. */
+#define TLV_SLOTS_LIST_SIZE_MAX (1 + (8 * (TLV_MAX_NB_SLOTS)))
#define MSG_NEXT_TLV(buffer, offset) \
(struct dw3000_nfcc_coex_tlv *)((buffer)->msg.tlvs + (offset))
@@ -272,6 +273,9 @@ dw3000_nfcc_coex_tlvs_check(struct dw3000 *dw,
/* Reject a new TLV with same type. Behavior not defined. */
if (slot_list)
return -EINVAL;
+ /* Check if the tlv size isn't exceeding the list max size */
+ if (tlv->len > TLV_SLOTS_LIST_SIZE_MAX)
+ return -EINVAL;
slot_list = (const struct dw3000_nfcc_coex_tlv_slot_list
*)&tlv->tlv;
/* Update rx_msg_info. */
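Review bot: The added bound on `tlv->len` only caps the declared length; it does not tie it to the slot count carried inside the list or to the bytes remaining in the received message. If neither is checked further down in dw3000_nfcc_coex_tlvs_check() (the function continues outside the hunk), a TLV whose declared length and embedded slot count disagree would still be accepted. It is also worth confirming that `TLV_SLOTS_LIST_SIZE_MAX` and `tlv->len` count the same bytes, since `TLV_SLOTS_LEN()` just above includes the ack/nack byte and the new macro does not.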
diff --git a/mac/fira_frame.c b/mac/fira_frame.c
index 7feabc1..6ebefbe 100644
--- a/mac/fira_frame.c
+++ b/mac/fira_frame.c
@@ -273,7 +273,7 @@ void fira_frame_result_report_payload_put(const struct fira_local *local,
const struct fira_ranging_info *ranging_info =
&local->ranging_info[slot->ranging_index];
bool tof_present, aoa_azimuth_present, aoa_elevation_present,
- aoa_fom_present;
+ aoa_fom_present, neg_tof_present;
u8 *p;
tof_present = ranging_info->tof_present && params->report_tof;
@@ -284,12 +284,13 @@ void fira_frame_result_report_payload_put(const struct fira_local *local,
aoa_fom_present = (ranging_info->local_aoa_azimuth.aoa_fom ||
ranging_info->local_aoa_elevation.aoa_fom) &&
params->report_aoa_fom;
+ neg_tof_present = tof_present && (ranging_info->tof_rctu < 0);
p = fira_frame_common_payload_put(
skb,
FIRA_IE_PAYLOAD_RESULT_REPORT_LEN(
tof_present, aoa_azimuth_present, aoa_elevation_present,
- aoa_fom_present),
+ aoa_fom_present, neg_tof_present),
FIRA_MESSAGE_ID_RESULT_REPORT);
*p++ = FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_TOF_PRESENT, tof_present) |
@@ -298,7 +299,9 @@ void fira_frame_result_report_payload_put(const struct fira_local *local,
FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_AOA_ELEVATION_PRESENT,
aoa_elevation_present) |
FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_AOA_FOM_PRESENT,
- aoa_fom_present);
+ aoa_fom_present) |
+ FIELD_PREP(FIRA_RESULT_REPORT_CONTROL_NEG_TOF_PRESENT,
+ neg_tof_present);
if (tof_present) {
put_unaligned_le32(
@@ -323,6 +326,10 @@ void fira_frame_result_report_payload_put(const struct fira_local *local,
p++;
}
}
+ if (neg_tof_present) {
+ put_unaligned_le32(-ranging_info->tof_rctu, p);
+ p += sizeof(u32);
+ }
}
void fira_frame_rframe_payload_put(struct fira_local *local,
@@ -660,7 +667,7 @@ fira_frame_measurement_report_fill_ranging_info(struct fira_local *local,
tof_rctu =
((s32)remote_round_trip_rctu - adjusted_reply_rctu) / 2;
}
- ranging_info->tof_rctu = tof_rctu > 0 ? tof_rctu : 0;
+ ranging_info->tof_rctu = (!slot->controller_tx) ? -tof_rctu : tof_rctu;
ranging_info->tof_present = true;
session->controlee.hopping_mode = hopping_mode;
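Review bot: Removing the `tof_rctu > 0 ? tof_rctu : 0` clamp means `ranging_info->tof_rctu` can now be negative, and the sign flip on `!slot->controller_tx` has no comment explaining the convention. Any reader of `tof_rctu` that relied on it being non-negative needs checking, including the existing ToF field write in fira_frame_result_report_payload_put(), whose argument is outside this diff. A comment on the assignment stating which side negates and why would help, for example `/* Sign is kept so a negative ToF can be reported in the NEG_TOF field. */`; that wording is a guess at the intent and should be confirmed.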
@@ -729,7 +736,7 @@ fira_frame_result_report_fill_ranging_info(struct fira_local *local,
struct fira_ranging_info *ranging_info =
&local->ranging_info[slot->ranging_index];
u8 control;
- bool tof_present, aoa_azimuth_present, aoa_elevation_present,
+ bool tof_present, neg_tof_present, aoa_azimuth_present, aoa_elevation_present,
aoa_fom_present;
control = *p++;
@@ -740,9 +747,10 @@ fira_frame_result_report_fill_ranging_info(struct fira_local *local,
!!(control & FIRA_RESULT_REPORT_CONTROL_AOA_ELEVATION_PRESENT);
aoa_fom_present =
!!(control & FIRA_RESULT_REPORT_CONTROL_AOA_FOM_PRESENT);
+ neg_tof_present = !!(control & FIRA_RESULT_REPORT_CONTROL_NEG_TOF_PRESENT);
if (ie_len < FIRA_IE_PAYLOAD_RESULT_REPORT_LEN(
tof_present, aoa_azimuth_present,
- aoa_elevation_present, aoa_fom_present))
+ aoa_elevation_present, aoa_fom_present, neg_tof_present))
return false;
if (tof_present) {
@@ -760,6 +768,13 @@ fira_frame_result_report_fill_ranging_info(struct fira_local *local,
ranging_info->remote_aoa_elevation_pi = get_unaligned_le16(p);
p += sizeof(s16);
}
+ if (neg_tof_present) {
+ /* When negative ToF is present at end of frame,
+ * ToF read ahead MUST be 0, so, is safe to overwrite */
+ ranging_info->tof_rctu = -get_unaligned_le32(p);
+ p += sizeof(u32);
+ }
+
if (aoa_fom_present) {
ranging_info->remote_aoa_fom_present = true;
if (aoa_azimuth_present)
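Review bot: The negative-ToF field is read here before the AoA FoM bytes, while the writer hunk in fira_frame_result_report_payload_put() appears to append it after the FoM block, and the added comment itself says it sits at the end of the frame. With both `aoa_fom_present` and `neg_tof_present` set, the receiver would then take FoM bytes as part of the ToF; moving this block below the `if (aoa_fom_present)` block would match the writer. The value also comes from the peer unchecked: the control bit is accepted without `tof_present`, the "ToF MUST be 0" rule in the comment is not enforced, and if `tof_rctu` is a signed 32-bit field then `-get_unaligned_le32(p)` turns inputs above 0x80000000 into positive results. A guard such as `if (neg_tof_present && !tof_present) return false;` next to the length check, plus a range check on the decoded value, would cover that. Both functions extend beyond their hunks, so the field order should be confirmed against the full file.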
@@ -795,7 +810,7 @@ bool fira_frame_result_report_payload_check(
continue;
if (ie_get->len < FIRA_IE_PAYLOAD_RESULT_REPORT_LEN(
- false, false, false, false))
+ false, false, false, false, false))
return false;
message_id = (*p++) & 0xf;
if (message_id != FIRA_MESSAGE_ID_RESULT_REPORT)
diff --git a/mac/fira_frame.h b/mac/fira_frame.h
index f37620f..7adf39c 100644
--- a/mac/fira_frame.h
+++ b/mac/fira_frame.h
@@ -53,11 +53,12 @@ struct fira_session_params;
4 * (reply_time_present) + 6 * (n_reply_time))
#define FIRA_IE_PAYLOAD_RESULT_REPORT_LEN(tof_present, aoa_azimuth_present, \
aoa_elevation_present, \
- aoa_fom_present) \
+ aoa_fom_present, neg_tof_present) \
(FIRA_IE_VENDOR_OUI_LEN + 2 + 4 * (tof_present) + \
2 * (aoa_azimuth_present) + 2 * (aoa_elevation_present) + \
(aoa_fom_present) * \
- (1 * (aoa_azimuth_present) + 1 * (aoa_elevation_present)))
+ (1 * (aoa_azimuth_present) + 1 * (aoa_elevation_present)) + \
+ 4 * (neg_tof_present))
#define FIRA_MIC_LEVEL 64
#define FIRA_MIC_LEN (FIRA_MIC_LEVEL / 8)
@@ -88,6 +89,7 @@ struct fira_session_params;
#define FIRA_RESULT_REPORT_CONTROL_AOA_AZIMUTH_PRESENT (1 << 1)
#define FIRA_RESULT_REPORT_CONTROL_AOA_ELEVATION_PRESENT (1 << 2)
#define FIRA_RESULT_REPORT_CONTROL_AOA_FOM_PRESENT (1 << 3)
+#define FIRA_RESULT_REPORT_CONTROL_NEG_TOF_PRESENT (1 << 4)
/**
* fira_frame_check_n_controlees() - Check the number of wanted
diff --git a/mac/fira_region_call.c b/mac/fira_region_call.c
index 8e324aa..1438d4b 100644
--- a/mac/fira_region_call.c
+++ b/mac/fira_region_call.c
@@ -306,6 +306,9 @@ static int fira_session_params_set_measurement_sequence_step(
GET_ANTENNA(step_attrs[STEP_ATTR(TX_ANT_SET_RANGING)],
step->tx_ant_set_ranging);
+ if (!step_attrs[STEP_ATTR(RX_ANT_SETS_RANGING)])
+ return -EINVAL;
+
r = nla_parse_nested(rx_ant_sets_attrs, ASR_ATTR(MAX),
step_attrs[STEP_ATTR(RX_ANT_SETS_RANGING)],
rx_ant_sets_ranging_policy, info->extack);
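Review bot: The new early return gives user space a bare -EINVAL with nothing in `info->extack` to say which attribute was missing. Adding `NL_SET_ERR_MSG(info->extack, "missing RX_ANT_SETS_RANGING attribute");` before the return would make the rejection diagnosable; the same applies to the `!params` check added in mac/nfcc_coex_region_call.c. Whether the other `step_attrs[]` entries used further down the function are guarded against NULL cannot be seen from this hunk and is worth checking.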
diff --git a/mac/include/net/fira_region_params.h b/mac/include/net/fira_region_params.h
index 9cade01..bd4f650 100644
--- a/mac/include/net/fira_region_params.h
+++ b/mac/include/net/fira_region_params.h
@@ -28,7 +28,7 @@
#define FIRA_VUPPER64_SIZE 8
#define FIRA_STS_VUPPER64_OFFSET 8
-#define FIRA_KEY_SIZE_MAX 32
+#define FIRA_KEY_SIZE_MAX 16
#define FIRA_KEY_SIZE_MIN 16
#define FIRA_CONTROLEES_MAX 8
#define FIRA_RX_ANTENNA_PAIR_INVALID 0xff
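Review bot: With `FIRA_KEY_SIZE_MAX` lowered to 16 it now equals `FIRA_KEY_SIZE_MIN`, so only 16-byte keys are valid, and nothing here records why. Every length check and netlink policy that feeds a buffer sized by this constant must use the constant rather than a literal 32, otherwise a 32-byte key that used to fit would overrun; those users are outside the diff. A comment such as `/* Only 128-bit keys are supported. */` on the define would state the intent, with the wording confirmed against the actual reason.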
diff --git a/mac/nfcc_coex_region_call.c b/mac/nfcc_coex_region_call.c
index 743b581..a7e63cd 100644
--- a/mac/nfcc_coex_region_call.c
+++ b/mac/nfcc_coex_region_call.c
@@ -68,6 +68,9 @@ static int nfcc_coex_session_set_parameters(struct nfcc_coex_local *local,
(S32_MAX * NS_PER_SECOND) / local->llhw->dtu_freq_hz;
int r;
+ if (!params)
+ return -EINVAL;
+
r = nla_parse_nested(attrs, NFCC_COEX_CCC_SESSION_PARAM_ATTR_MAX,
params, nfcc_coex_session_param_nla_policy,
info->extack);