--- /dev/null
+From 789bba82f63c3e81dce426ba457fc7905b30ac6e Mon Sep 17 00:00:00 2001
+From: Russ Weight <russell.h.weight@intel.com>
+Date: Tue, 30 Aug 2022 17:25:18 -0700
+Subject: firmware_loader: Fix memory leak in firmware upload
+
+From: Russ Weight <russell.h.weight@intel.com>
+
+commit 789bba82f63c3e81dce426ba457fc7905b30ac6e upstream.
+
+In the case of firmware-upload, an instance of struct fw_upload is
+allocated in firmware_upload_register(). This data needs to be freed
+in fw_dev_release(). Create a new fw_upload_free() function in
+sysfs_upload.c to handle the firmware-upload specific memory frees
+and incorporate the missing kfree call for the fw_upload structure.
+
+Fixes: 97730bbb242c ("firmware_loader: Add firmware-upload support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Russ Weight <russell.h.weight@intel.com>
+Link: https://lore.kernel.org/r/20220831002518.465274-1-russell.h.weight@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/firmware_loader/sysfs.c | 7 +++----
+ drivers/base/firmware_loader/sysfs.h | 5 +++++
+ drivers/base/firmware_loader/sysfs_upload.c | 9 +++++++++
+ 3 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/base/firmware_loader/sysfs.c b/drivers/base/firmware_loader/sysfs.c
+index 77bad32c481a..5b66b3d1fa16 100644
+--- a/drivers/base/firmware_loader/sysfs.c
++++ b/drivers/base/firmware_loader/sysfs.c
+@@ -93,10 +93,9 @@ static void fw_dev_release(struct device *dev)
+ {
+ struct fw_sysfs *fw_sysfs = to_fw_sysfs(dev);
+
+- if (fw_sysfs->fw_upload_priv) {
+- free_fw_priv(fw_sysfs->fw_priv);
+- kfree(fw_sysfs->fw_upload_priv);
+- }
++ if (fw_sysfs->fw_upload_priv)
++ fw_upload_free(fw_sysfs);
++
+ kfree(fw_sysfs);
+ }
+
+diff --git a/drivers/base/firmware_loader/sysfs.h b/drivers/base/firmware_loader/sysfs.h
+index 5d8ff1675c79..df1d5add698f 100644
+--- a/drivers/base/firmware_loader/sysfs.h
++++ b/drivers/base/firmware_loader/sysfs.h
+@@ -106,12 +106,17 @@ extern struct device_attribute dev_attr_cancel;
+ extern struct device_attribute dev_attr_remaining_size;
+
+ int fw_upload_start(struct fw_sysfs *fw_sysfs);
++void fw_upload_free(struct fw_sysfs *fw_sysfs);
+ umode_t fw_upload_is_visible(struct kobject *kobj, struct attribute *attr, int n);
+ #else
+ static inline int fw_upload_start(struct fw_sysfs *fw_sysfs)
+ {
+ return 0;
+ }
++
++static inline void fw_upload_free(struct fw_sysfs *fw_sysfs)
++{
++}
+ #endif
+
+ #endif /* __FIRMWARE_SYSFS_H */
+diff --git a/drivers/base/firmware_loader/sysfs_upload.c b/drivers/base/firmware_loader/sysfs_upload.c
+index 63e15bddd80c..a0af8f5f13d8 100644
+--- a/drivers/base/firmware_loader/sysfs_upload.c
++++ b/drivers/base/firmware_loader/sysfs_upload.c
+@@ -264,6 +264,15 @@ int fw_upload_start(struct fw_sysfs *fw_sysfs)
+ return 0;
+ }
+
++void fw_upload_free(struct fw_sysfs *fw_sysfs)
++{
++ struct fw_upload_priv *fw_upload_priv = fw_sysfs->fw_upload_priv;
++
++ free_fw_priv(fw_sysfs->fw_priv);
++ kfree(fw_upload_priv->fw_upload);
++ kfree(fw_upload_priv);
++}
++
+ /**
+ * firmware_upload_register() - register for the firmware upload sysfs API
+ * @module: kernel module of this device
+--
+2.37.3
+
--- /dev/null
+From 8b40c38e37492b5bdf8e95b46b5cca9517a9957a Mon Sep 17 00:00:00 2001
+From: Russ Weight <russell.h.weight@intel.com>
+Date: Mon, 29 Aug 2022 10:45:57 -0700
+Subject: firmware_loader: Fix use-after-free during unregister
+
+From: Russ Weight <russell.h.weight@intel.com>
+
+commit 8b40c38e37492b5bdf8e95b46b5cca9517a9957a upstream.
+
+In the following code within firmware_upload_unregister(), the call to
+device_unregister() could result in the dev_release function freeing the
+fw_upload_priv structure before it is dereferenced for the call to
+module_put(). This bug was found by the kernel test robot using
+CONFIG_KASAN while running the firmware selftests.
+
+ device_unregister(&fw_sysfs->dev);
+ module_put(fw_upload_priv->module);
+
+The problem is fixed by copying fw_upload_priv->module to a local variable
+for use when calling device_unregister().
+
+Fixes: 97730bbb242c ("firmware_loader: Add firmware-upload support")
+Cc: stable <stable@kernel.org>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Reviewed-by: Matthew Gerlach <matthew.gerlach@linux.intel.com>
+Signed-off-by: Russ Weight <russell.h.weight@intel.com>
+Link: https://lore.kernel.org/r/20220829174557.437047-1-russell.h.weight@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/firmware_loader/sysfs_upload.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/firmware_loader/sysfs_upload.c
++++ b/drivers/base/firmware_loader/sysfs_upload.c
+@@ -377,6 +377,7 @@ void firmware_upload_unregister(struct f
+ {
+ struct fw_sysfs *fw_sysfs = fw_upload->priv;
+ struct fw_upload_priv *fw_upload_priv = fw_sysfs->fw_upload_priv;
++ struct module *module = fw_upload_priv->module;
+
+ mutex_lock(&fw_upload_priv->lock);
+ if (fw_upload_priv->progress == FW_UPLOAD_PROG_IDLE) {
+@@ -392,6 +393,6 @@ void firmware_upload_unregister(struct f
+
+ unregister:
+ device_unregister(&fw_sysfs->dev);
+- module_put(fw_upload_priv->module);
++ module_put(module);
+ }
+ EXPORT_SYMBOL_GPL(firmware_upload_unregister);
--- /dev/null
+From 22b4277641c6823ec03d5b1cd82628e5e53e75b7 Mon Sep 17 00:00:00 2001
+From: Matti Vaittinen <mazziesaccount@gmail.com>
+Date: Fri, 19 Aug 2022 11:51:07 +0300
+Subject: iio: ad7292: Prevent regulator double disable
+
+From: Matti Vaittinen <mazziesaccount@gmail.com>
+
+commit 22b4277641c6823ec03d5b1cd82628e5e53e75b7 upstream.
+
+The ad7292 tries to add an devm_action for disabling a regulator at
+device detach using devm_add_action_or_reset(). The
+devm_add_action_or_reset() does call the release function should adding
+action fail. The driver inspects the value returned by
+devm_add_action_or_reset() and manually calls regulator_disable() if
+adding the action has failed. This leads to double disable and messes
+the enable count for regulator.
+
+Do not manually call disable if devm_add_action_or_reset() fails.
+
+Fixes: 506d2e317a0a ("iio: adc: Add driver support for AD7292")
+Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com>
+Tested-by: Marcelo Schmitt <marcelo.schmitt1@gmail.com>
+Link: https://lore.kernel.org/r/Yv9O+9sxU7gAv3vM@fedora
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7292.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/iio/adc/ad7292.c
++++ b/drivers/iio/adc/ad7292.c
+@@ -287,10 +287,8 @@ static int ad7292_probe(struct spi_devic
+
+ ret = devm_add_action_or_reset(&spi->dev,
+ ad7292_regulator_disable, st);
+- if (ret) {
+- regulator_disable(st->reg);
++ if (ret)
+ return ret;
+- }
+
+ ret = regulator_get_voltage(st->reg);
+ if (ret < 0)
--- /dev/null
+From cfbd76d5c9c449739bb74288d982bccf9ff822f4 Mon Sep 17 00:00:00 2001
+From: Marcus Folkesson <marcus.folkesson@gmail.com>
+Date: Fri, 22 Jul 2022 15:07:19 +0200
+Subject: iio: adc: mcp3911: correct "microchip,device-addr" property
+
+From: Marcus Folkesson <marcus.folkesson@gmail.com>
+
+commit cfbd76d5c9c449739bb74288d982bccf9ff822f4 upstream.
+
+Go for the right property name that is documented in the bindings.
+
+Fixes: 3a89b289df5d ("iio: adc: add support for mcp3911")
+Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20220722130726.7627-3-marcus.folkesson@gmail.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/mcp3911.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/mcp3911.c
++++ b/drivers/iio/adc/mcp3911.c
+@@ -210,7 +210,14 @@ static int mcp3911_config(struct mcp3911
+ u32 configreg;
+ int ret;
+
+- device_property_read_u32(dev, "device-addr", &adc->dev_addr);
++ ret = device_property_read_u32(dev, "microchip,device-addr", &adc->dev_addr);
++
++ /*
++ * Fallback to "device-addr" due to historical mismatch between
++ * dt-bindings and implementation
++ */
++ if (ret)
++ device_property_read_u32(dev, "device-addr", &adc->dev_addr);
+ if (adc->dev_addr > 3) {
+ dev_err(&adc->spi->dev,
+ "invalid device address (%i). Must be in range 0-3.\n",
--- /dev/null
+From 9e2238e3ae40d371a1130226e0e740aa1601efa6 Mon Sep 17 00:00:00 2001
+From: Marcus Folkesson <marcus.folkesson@gmail.com>
+Date: Fri, 22 Jul 2022 15:07:20 +0200
+Subject: iio: adc: mcp3911: use correct formula for AD conversion
+
+From: Marcus Folkesson <marcus.folkesson@gmail.com>
+
+commit 9e2238e3ae40d371a1130226e0e740aa1601efa6 upstream.
+
+The ADC conversion is actually not rail-to-rail but with a factor 1.5.
+Make use of this factor when calculating actual voltage.
+
+Fixes: 3a89b289df5d ("iio: adc: add support for mcp3911")
+Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20220722130726.7627-4-marcus.folkesson@gmail.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/mcp3911.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/adc/mcp3911.c
++++ b/drivers/iio/adc/mcp3911.c
+@@ -40,8 +40,8 @@
+ #define MCP3911_CHANNEL(x) (MCP3911_REG_CHANNEL0 + x * 3)
+ #define MCP3911_OFFCAL(x) (MCP3911_REG_OFFCAL_CH0 + x * 6)
+
+-/* Internal voltage reference in uV */
+-#define MCP3911_INT_VREF_UV 1200000
++/* Internal voltage reference in mV */
++#define MCP3911_INT_VREF_MV 1200
+
+ #define MCP3911_REG_READ(reg, id) ((((reg) << 1) | ((id) << 5) | (1 << 0)) & 0xff)
+ #define MCP3911_REG_WRITE(reg, id) ((((reg) << 1) | ((id) << 5) | (0 << 0)) & 0xff)
+@@ -139,11 +139,18 @@ static int mcp3911_read_raw(struct iio_d
+
+ *val = ret / 1000;
+ } else {
+- *val = MCP3911_INT_VREF_UV;
++ *val = MCP3911_INT_VREF_MV;
+ }
+
+- *val2 = 24;
+- ret = IIO_VAL_FRACTIONAL_LOG2;
++ /*
++ * For 24bit Conversion
++ * Raw = ((Voltage)/(Vref) * 2^23 * Gain * 1.5
++ * Voltage = Raw * (Vref)/(2^23 * Gain * 1.5)
++ */
++
++ /* val2 = (2^23 * 1.5) */
++ *val2 = 12582912;
++ ret = IIO_VAL_FRACTIONAL;
+ break;
+ }
+
--- /dev/null
+From 160905549e663019e26395ed9d66c24ee2cf5187 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 7 Aug 2022 08:37:43 +0200
+Subject: iio: light: cm3605: Fix an error handling path in cm3605_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 160905549e663019e26395ed9d66c24ee2cf5187 upstream.
+
+The commit in Fixes also introduced a new error handling path which should
+goto the existing error handling path.
+Otherwise some resources leak.
+
+Fixes: 0d31d91e6145 ("iio: light: cm3605: Make use of the helper function dev_err_probe()")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/0e186de2c125b3e17476ebf9c54eae4a5d66f994.1659854238.git.christophe.jaillet@wanadoo.fr
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/cm3605.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/light/cm3605.c b/drivers/iio/light/cm3605.c
+index c721b69d5095..0b30db77f78b 100644
+--- a/drivers/iio/light/cm3605.c
++++ b/drivers/iio/light/cm3605.c
+@@ -226,8 +226,10 @@ static int cm3605_probe(struct platform_device *pdev)
+ }
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq < 0)
+- return dev_err_probe(dev, irq, "failed to get irq\n");
++ if (irq < 0) {
++ ret = dev_err_probe(dev, irq, "failed to get irq\n");
++ goto out_disable_aset;
++ }
+
+ ret = devm_request_threaded_irq(dev, irq, cm3605_prox_irq,
+ NULL, 0, "cm3605", indio_dev);
+--
+2.37.3
+
--- /dev/null
+From 98e01215708b6d416345465c09dce2bd4868c67a Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sat, 27 Aug 2022 20:36:27 -0700
+Subject: Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 98e01215708b6d416345465c09dce2bd4868c67a upstream.
+
+syzbot is reporting hung task at __input_unregister_device() [1], for
+iforce_close() waiting at wait_event_interruptible() with dev->mutex held
+is blocking input_disconnect_device() from __input_unregister_device().
+
+It seems that the cause is simply that commit c2b27ef672992a20 ("Input:
+iforce - wait for command completion when closing the device") forgot to
+call wake_up() after clear_bit().
+
+Fix this problem by introducing a helper that calls clear_bit() followed
+by wake_up_all().
+
+Reported-by: syzbot <syzbot+deb6abc36aad4008f407@syzkaller.appspotmail.com>
+Fixes: c2b27ef672992a20 ("Input: iforce - wait for command completion when closing the device")
+Tested-by: syzbot <syzbot+deb6abc36aad4008f407@syzkaller.appspotmail.com>
+Suggested-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
+Co-developed-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Link: https://lore.kernel.org/r/887021c3-4f13-40ce-c8b9-aa6e09faa3a7@I-love.SAKURA.ne.jp
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/iforce/iforce-serio.c | 6 +++---
+ drivers/input/joystick/iforce/iforce-usb.c | 8 ++++----
+ drivers/input/joystick/iforce/iforce.h | 6 ++++++
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/drivers/input/joystick/iforce/iforce-serio.c
++++ b/drivers/input/joystick/iforce/iforce-serio.c
+@@ -39,7 +39,7 @@ static void iforce_serio_xmit(struct ifo
+
+ again:
+ if (iforce->xmit.head == iforce->xmit.tail) {
+- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags);
++ iforce_clear_xmit_and_wake(iforce);
+ spin_unlock_irqrestore(&iforce->xmit_lock, flags);
+ return;
+ }
+@@ -64,7 +64,7 @@ again:
+ if (test_and_clear_bit(IFORCE_XMIT_AGAIN, iforce->xmit_flags))
+ goto again;
+
+- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags);
++ iforce_clear_xmit_and_wake(iforce);
+
+ spin_unlock_irqrestore(&iforce->xmit_lock, flags);
+ }
+@@ -169,7 +169,7 @@ static irqreturn_t iforce_serio_irq(stru
+ iforce_serio->cmd_response_len = iforce_serio->len;
+
+ /* Signal that command is done */
+- wake_up(&iforce->wait);
++ wake_up_all(&iforce->wait);
+ } else if (likely(iforce->type)) {
+ iforce_process_packet(iforce, iforce_serio->id,
+ iforce_serio->data_in,
+--- a/drivers/input/joystick/iforce/iforce-usb.c
++++ b/drivers/input/joystick/iforce/iforce-usb.c
+@@ -30,7 +30,7 @@ static void __iforce_usb_xmit(struct ifo
+ spin_lock_irqsave(&iforce->xmit_lock, flags);
+
+ if (iforce->xmit.head == iforce->xmit.tail) {
+- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags);
++ iforce_clear_xmit_and_wake(iforce);
+ spin_unlock_irqrestore(&iforce->xmit_lock, flags);
+ return;
+ }
+@@ -58,9 +58,9 @@ static void __iforce_usb_xmit(struct ifo
+ XMIT_INC(iforce->xmit.tail, n);
+
+ if ( (n=usb_submit_urb(iforce_usb->out, GFP_ATOMIC)) ) {
+- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags);
+ dev_warn(&iforce_usb->intf->dev,
+ "usb_submit_urb failed %d\n", n);
++ iforce_clear_xmit_and_wake(iforce);
+ }
+
+ /* The IFORCE_XMIT_RUNNING bit is not cleared here. That's intended.
+@@ -175,15 +175,15 @@ static void iforce_usb_out(struct urb *u
+ struct iforce *iforce = &iforce_usb->iforce;
+
+ if (urb->status) {
+- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags);
+ dev_dbg(&iforce_usb->intf->dev, "urb->status %d, exiting\n",
+ urb->status);
++ iforce_clear_xmit_and_wake(iforce);
+ return;
+ }
+
+ __iforce_usb_xmit(iforce);
+
+- wake_up(&iforce->wait);
++ wake_up_all(&iforce->wait);
+ }
+
+ static int iforce_usb_probe(struct usb_interface *intf,
+--- a/drivers/input/joystick/iforce/iforce.h
++++ b/drivers/input/joystick/iforce/iforce.h
+@@ -119,6 +119,12 @@ static inline int iforce_get_id_packet(s
+ response_data, response_len);
+ }
+
++static inline void iforce_clear_xmit_and_wake(struct iforce *iforce)
++{
++ clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags);
++ wake_up_all(&iforce->wait);
++}
++
+ /* Public functions */
+ /* iforce-main.c */
+ int iforce_init_device(struct device *parent, u16 bustype,
--- /dev/null
+From 55e55920bbe3ccf516022c51f5527e7d026b8f1d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Wed, 31 Aug 2022 22:38:40 +0200
+Subject: landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 55e55920bbe3ccf516022c51f5527e7d026b8f1d upstream.
+
+This change fixes a mis-handling of the LANDLOCK_ACCESS_FS_REFER right
+when multiple rulesets/domains are stacked. The expected behaviour was
+that an additional ruleset can only restrict the set of permitted
+operations, but in this particular case, it was potentially possible to
+re-gain the LANDLOCK_ACCESS_FS_REFER right.
+
+With the introduction of LANDLOCK_ACCESS_FS_REFER, we added the first
+globally denied-by-default access right. Indeed, this lifted an initial
+Landlock limitation to rename and link files, which was initially always
+denied when the source or the destination were different directories.
+
+This led to an inconsistent backward compatibility behavior which was
+only taken into account if no domain layer were using the new
+LANDLOCK_ACCESS_FS_REFER right. However, when restricting a thread with
+a new ruleset handling LANDLOCK_ACCESS_FS_REFER, all inherited parent
+rulesets/layers not explicitly handling LANDLOCK_ACCESS_FS_REFER would
+behave as if they were handling this access right and with all their
+rules allowing it. This means that renaming and linking files could
+became allowed by these parent layers, but all the other required
+accesses must also be granted: all layers must allow file removal or
+creation, and renaming and linking operations cannot lead to privilege
+escalation according to the Landlock policy. See detailed explanation
+in commit b91c3e4ea756 ("landlock: Add support for file reparenting with
+LANDLOCK_ACCESS_FS_REFER").
+
+To say it another way, this bug may lift the renaming and linking
+limitations of the initial Landlock version, and a same ruleset can
+enforce different restrictions depending on previous or next enforced
+ruleset (i.e. inconsistent behavior). The LANDLOCK_ACCESS_FS_REFER right
+cannot give access to data not already allowed, but this doesn't follow
+the contract of the first Landlock ABI. This fix puts back the
+limitation for sandboxes that didn't opt-in for this additional right.
+
+For instance, if a first ruleset allows LANDLOCK_ACCESS_FS_MAKE_REG on
+/dst and LANDLOCK_ACCESS_FS_REMOVE_FILE on /src, renaming /src/file to
+/dst/file is denied. However, without this fix, stacking a new ruleset
+which allows LANDLOCK_ACCESS_FS_REFER on / would now permit the
+sandboxed thread to rename /src/file to /dst/file .
+
+This change fixes the (absolute) rule access rights, which now always
+forbid LANDLOCK_ACCESS_FS_REFER except when it is explicitly allowed
+when creating a rule.
+
+Making all domain handle LANDLOCK_ACCESS_FS_REFER was an initial
+approach but there is two downsides:
+* it makes the code more complex because we still want to check that a
+ rule allowing LANDLOCK_ACCESS_FS_REFER is legitimate according to the
+ ruleset's handled access rights (i.e. ABI v1 != ABI v2);
+* it would not allow to identify if the user created a ruleset
+ explicitly handling LANDLOCK_ACCESS_FS_REFER or not, which will be an
+ issue to audit Landlock.
+
+Instead, this change adds an ACCESS_INITIALLY_DENIED list of
+denied-by-default rights, which (only) contains
+LANDLOCK_ACCESS_FS_REFER. All domains are treated as if they are also
+handling this list, but without modifying their fs_access_masks field.
+
+A side effect is that the errno code returned by rename(2) or link(2)
+*may* be changed from EXDEV to EACCES according to the enforced
+restrictions. Indeed, we now have the mechanic to identify if an access
+is denied because of a required right (e.g. LANDLOCK_ACCESS_FS_MAKE_REG,
+LANDLOCK_ACCESS_FS_REMOVE_FILE) or if it is denied because of missing
+LANDLOCK_ACCESS_FS_REFER rights. This may result in different errno
+codes than for the initial Landlock version, but this approach is more
+consistent and better for rename/link compatibility reasons, and it
+wasn't possible before (hence no backport to ABI v1). The
+layout1.rename_file test reflects this change.
+
+Add 4 layout1.refer_denied_by_default* test suites to check that the
+behavior of a ruleset not handling LANDLOCK_ACCESS_FS_REFER (ABI v1) is
+unchanged even if another layer handles LANDLOCK_ACCESS_FS_REFER (i.e.
+ABI v1 precedence). Make sure rule's absolute access rights are correct
+by testing with and without a matching path. Add test_rename() and
+test_exchange() helpers.
+
+Extend layout1.inval tests to check that a denied-by-default access
+right is not necessarily part of a domain's handled access rights.
+
+Test coverage for security/landlock is 95.3% of 599 lines according to
+gcc/gcov-11.
+
+Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER")
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Reviewed-by: Günther Noack <gnoack3000@gmail.com>
+Link: https://lore.kernel.org/r/20220831203840.1370732-1-mic@digikod.net
+Cc: stable@vger.kernel.org
+[mic: Constify and slightly simplify test helpers]
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/landlock/fs.c | 48 ++++---
+ tools/testing/selftests/landlock/fs_test.c | 155 +++++++++++++++++++--
+ 2 files changed, 170 insertions(+), 33 deletions(-)
+
+diff --git a/security/landlock/fs.c b/security/landlock/fs.c
+index ec5a6247cd3e..a9dbd99d9ee7 100644
+--- a/security/landlock/fs.c
++++ b/security/landlock/fs.c
+@@ -149,6 +149,16 @@ retry:
+ LANDLOCK_ACCESS_FS_READ_FILE)
+ /* clang-format on */
+
++/*
++ * All access rights that are denied by default whether they are handled or not
++ * by a ruleset/layer. This must be ORed with all ruleset->fs_access_masks[]
++ * entries when we need to get the absolute handled access masks.
++ */
++/* clang-format off */
++#define ACCESS_INITIALLY_DENIED ( \
++ LANDLOCK_ACCESS_FS_REFER)
++/* clang-format on */
++
+ /*
+ * @path: Should have been checked by get_path_from_fd().
+ */
+@@ -167,7 +177,9 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
+ return -EINVAL;
+
+ /* Transforms relative access rights to absolute ones. */
+- access_rights |= LANDLOCK_MASK_ACCESS_FS & ~ruleset->fs_access_masks[0];
++ access_rights |=
++ LANDLOCK_MASK_ACCESS_FS &
++ ~(ruleset->fs_access_masks[0] | ACCESS_INITIALLY_DENIED);
+ object = get_inode_object(d_backing_inode(path->dentry));
+ if (IS_ERR(object))
+ return PTR_ERR(object);
+@@ -277,23 +289,12 @@ static inline bool is_nouser_or_private(const struct dentry *dentry)
+ static inline access_mask_t
+ get_handled_accesses(const struct landlock_ruleset *const domain)
+ {
+- access_mask_t access_dom = 0;
+- unsigned long access_bit;
+-
+- for (access_bit = 0; access_bit < LANDLOCK_NUM_ACCESS_FS;
+- access_bit++) {
+- size_t layer_level;
++ access_mask_t access_dom = ACCESS_INITIALLY_DENIED;
++ size_t layer_level;
+
+- for (layer_level = 0; layer_level < domain->num_layers;
+- layer_level++) {
+- if (domain->fs_access_masks[layer_level] &
+- BIT_ULL(access_bit)) {
+- access_dom |= BIT_ULL(access_bit);
+- break;
+- }
+- }
+- }
+- return access_dom;
++ for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
++ access_dom |= domain->fs_access_masks[layer_level];
++ return access_dom & LANDLOCK_MASK_ACCESS_FS;
+ }
+
+ static inline access_mask_t
+@@ -316,8 +317,13 @@ init_layer_masks(const struct landlock_ruleset *const domain,
+
+ for_each_set_bit(access_bit, &access_req,
+ ARRAY_SIZE(*layer_masks)) {
+- if (domain->fs_access_masks[layer_level] &
+- BIT_ULL(access_bit)) {
++ /*
++ * Artificially handles all initially denied by default
++ * access rights.
++ */
++ if (BIT_ULL(access_bit) &
++ (domain->fs_access_masks[layer_level] |
++ ACCESS_INITIALLY_DENIED)) {
+ (*layer_masks)[access_bit] |=
+ BIT_ULL(layer_level);
+ handled_accesses |= BIT_ULL(access_bit);
+@@ -857,10 +863,6 @@ static int current_check_refer_path(struct dentry *const old_dentry,
+ NULL, NULL);
+ }
+
+- /* Backward compatibility: no reparenting support. */
+- if (!(get_handled_accesses(dom) & LANDLOCK_ACCESS_FS_REFER))
+- return -EXDEV;
+-
+ access_request_parent1 |= LANDLOCK_ACCESS_FS_REFER;
+ access_request_parent2 |= LANDLOCK_ACCESS_FS_REFER;
+
+diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
+index 21a2ce8fa739..45de42a027c5 100644
+--- a/tools/testing/selftests/landlock/fs_test.c
++++ b/tools/testing/selftests/landlock/fs_test.c
+@@ -4,7 +4,7 @@
+ *
+ * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
+ * Copyright © 2020 ANSSI
+- * Copyright © 2020-2021 Microsoft Corporation
++ * Copyright © 2020-2022 Microsoft Corporation
+ */
+
+ #define _GNU_SOURCE
+@@ -371,6 +371,13 @@ TEST_F_FORK(layout1, inval)
+ ASSERT_EQ(EINVAL, errno);
+ path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE;
+
++ /* Tests with denied-by-default access right. */
++ path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_REFER;
++ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
++ &path_beneath, 0));
++ ASSERT_EQ(EINVAL, errno);
++ path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;
++
+ /* Test with unknown (64-bits) value. */
+ path_beneath.allowed_access |= (1ULL << 60);
+ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
+@@ -1826,6 +1833,20 @@ TEST_F_FORK(layout1, link)
+ ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
+ }
+
++static int test_rename(const char *const oldpath, const char *const newpath)
++{
++ if (rename(oldpath, newpath))
++ return errno;
++ return 0;
++}
++
++static int test_exchange(const char *const oldpath, const char *const newpath)
++{
++ if (renameat2(AT_FDCWD, oldpath, AT_FDCWD, newpath, RENAME_EXCHANGE))
++ return errno;
++ return 0;
++}
++
+ TEST_F_FORK(layout1, rename_file)
+ {
+ const struct rule rules[] = {
+@@ -1867,10 +1888,10 @@ TEST_F_FORK(layout1, rename_file)
+ * to a different directory (which allows file removal).
+ */
+ ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
+- ASSERT_EQ(EXDEV, errno);
++ ASSERT_EQ(EACCES, errno);
+ ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3,
+ RENAME_EXCHANGE));
+- ASSERT_EQ(EXDEV, errno);
++ ASSERT_EQ(EACCES, errno);
+ ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3,
+ RENAME_EXCHANGE));
+ ASSERT_EQ(EXDEV, errno);
+@@ -1894,7 +1915,7 @@ TEST_F_FORK(layout1, rename_file)
+ ASSERT_EQ(EXDEV, errno);
+ ASSERT_EQ(0, unlink(file1_s1d3));
+ ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
+- ASSERT_EQ(EXDEV, errno);
++ ASSERT_EQ(EACCES, errno);
+
+ /* Exchanges and renames files with same parent. */
+ ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s2d3,
+@@ -2014,6 +2035,115 @@ TEST_F_FORK(layout1, reparent_refer)
+ ASSERT_EQ(0, rename(dir_s1d3, dir_s2d3));
+ }
+
++/* Checks renames beneath dir_s1d1. */
++static void refer_denied_by_default(struct __test_metadata *const _metadata,
++ const struct rule layer1[],
++ const int layer1_err,
++ const struct rule layer2[])
++{
++ int ruleset_fd;
++
++ ASSERT_EQ(0, unlink(file1_s1d2));
++
++ ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
++ ASSERT_LE(0, ruleset_fd);
++ enforce_ruleset(_metadata, ruleset_fd);
++ ASSERT_EQ(0, close(ruleset_fd));
++
++ /*
++ * If the first layer handles LANDLOCK_ACCESS_FS_REFER (according to
++ * layer1_err), then it allows some different-parent renames and links.
++ */
++ ASSERT_EQ(layer1_err, test_rename(file1_s1d1, file1_s1d2));
++ if (layer1_err == 0)
++ ASSERT_EQ(layer1_err, test_rename(file1_s1d2, file1_s1d1));
++ ASSERT_EQ(layer1_err, test_exchange(file2_s1d1, file2_s1d2));
++ ASSERT_EQ(layer1_err, test_exchange(file2_s1d2, file2_s1d1));
++
++ ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
++ ASSERT_LE(0, ruleset_fd);
++ enforce_ruleset(_metadata, ruleset_fd);
++ ASSERT_EQ(0, close(ruleset_fd));
++
++ /*
++ * Now, either the first or the second layer does not handle
++ * LANDLOCK_ACCESS_FS_REFER, which means that any different-parent
++ * renames and links are denied, thus making the layer handling
++ * LANDLOCK_ACCESS_FS_REFER null and void.
++ */
++ ASSERT_EQ(EXDEV, test_rename(file1_s1d1, file1_s1d2));
++ ASSERT_EQ(EXDEV, test_exchange(file2_s1d1, file2_s1d2));
++ ASSERT_EQ(EXDEV, test_exchange(file2_s1d2, file2_s1d1));
++}
++
++const struct rule layer_dir_s1d1_refer[] = {
++ {
++ .path = dir_s1d1,
++ .access = LANDLOCK_ACCESS_FS_REFER,
++ },
++ {},
++};
++
++const struct rule layer_dir_s1d1_execute[] = {
++ {
++ /* Matches a parent directory. */
++ .path = dir_s1d1,
++ .access = LANDLOCK_ACCESS_FS_EXECUTE,
++ },
++ {},
++};
++
++const struct rule layer_dir_s2d1_execute[] = {
++ {
++ /* Does not match a parent directory. */
++ .path = dir_s2d1,
++ .access = LANDLOCK_ACCESS_FS_EXECUTE,
++ },
++ {},
++};
++
++/*
++ * Tests precedence over renames: denied by default for different parent
++ * directories, *with* a rule matching a parent directory, but not directly
++ * denying access (with MAKE_REG nor REMOVE).
++ */
++TEST_F_FORK(layout1, refer_denied_by_default1)
++{
++ refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
++ layer_dir_s1d1_execute);
++}
++
++/*
++ * Same test but this time turning around the ABI version order: the first
++ * layer does not handle LANDLOCK_ACCESS_FS_REFER.
++ */
++TEST_F_FORK(layout1, refer_denied_by_default2)
++{
++ refer_denied_by_default(_metadata, layer_dir_s1d1_execute, EXDEV,
++ layer_dir_s1d1_refer);
++}
++
++/*
++ * Tests precedence over renames: denied by default for different parent
++ * directories, *without* a rule matching a parent directory, but not directly
++ * denying access (with MAKE_REG nor REMOVE).
++ */
++TEST_F_FORK(layout1, refer_denied_by_default3)
++{
++ refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
++ layer_dir_s2d1_execute);
++}
++
++/*
++ * Same test but this time turning around the ABI version order: the first
++ * layer does not handle LANDLOCK_ACCESS_FS_REFER.
++ */
++TEST_F_FORK(layout1, refer_denied_by_default4)
++{
++ refer_denied_by_default(_metadata, layer_dir_s2d1_execute, EXDEV,
++ layer_dir_s1d1_refer);
++}
++
+ TEST_F_FORK(layout1, reparent_link)
+ {
+ const struct rule layer1[] = {
+@@ -2336,11 +2466,12 @@ TEST_F_FORK(layout1, reparent_exdev_layers_rename1)
+ ASSERT_EQ(EXDEV, errno);
+
+ /*
+- * However, moving the file2_s1d3 file below dir_s2d3 is allowed
+- * because it cannot inherit MAKE_REG nor MAKE_DIR rights (which are
+- * dedicated to directories).
++ * Moving the file2_s1d3 file below dir_s2d3 is denied because the
++ * second layer does not handle REFER, which is always denied by
++ * default.
+ */
+- ASSERT_EQ(0, rename(file2_s1d3, file1_s2d3));
++ ASSERT_EQ(-1, rename(file2_s1d3, file1_s2d3));
++ ASSERT_EQ(EXDEV, errno);
+ }
+
+ TEST_F_FORK(layout1, reparent_exdev_layers_rename2)
+@@ -2373,8 +2504,12 @@ TEST_F_FORK(layout1, reparent_exdev_layers_rename2)
+ ASSERT_EQ(EACCES, errno);
+ ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
+ ASSERT_EQ(EXDEV, errno);
+- /* Modify layout! */
+- ASSERT_EQ(0, rename(file2_s1d2, file1_s2d3));
++ /*
++ * Modifying the layout is now denied because the second layer does not
++ * handle REFER, which is always denied by default.
++ */
++ ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3));
++ ASSERT_EQ(EXDEV, errno);
+
+ /* Without REFER source, EACCES wins over EXDEV. */
+ ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
+--
+2.37.3
+
--- /dev/null
+From d245f43aab2b61195d8ebb64cef7b5a08c590ab4 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 29 Aug 2022 10:05:30 +0200
+Subject: misc: fastrpc: fix memory corruption on open
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit d245f43aab2b61195d8ebb64cef7b5a08c590ab4 upstream.
+
+The probe session-duplication overflow check incremented the session
+count also when there were no more available sessions so that memory
+beyond the fixed-size slab-allocated session array could be corrupted in
+fastrpc_session_alloc() on open().
+
+Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
+Cc: stable@vger.kernel.org # 5.1
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220829080531.29681-3-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1948,7 +1948,7 @@ static int fastrpc_cb_probe(struct platf
+ spin_unlock_irqrestore(&cctx->lock, flags);
+ return -ENOSPC;
+ }
+- sess = &cctx->session[cctx->sesscount];
++ sess = &cctx->session[cctx->sesscount++];
+ sess->used = false;
+ sess->valid = true;
+ sess->dev = dev;
+@@ -1961,13 +1961,12 @@ static int fastrpc_cb_probe(struct platf
+ struct fastrpc_session_ctx *dup_sess;
+
+ for (i = 1; i < sessions; i++) {
+- if (cctx->sesscount++ >= FASTRPC_MAX_SESSIONS)
++ if (cctx->sesscount >= FASTRPC_MAX_SESSIONS)
+ break;
+- dup_sess = &cctx->session[cctx->sesscount];
++ dup_sess = &cctx->session[cctx->sesscount++];
+ memcpy(dup_sess, sess, sizeof(*dup_sess));
+ }
+ }
+- cctx->sesscount++;
+ spin_unlock_irqrestore(&cctx->lock, flags);
+ rc = dma_set_mask(dev, DMA_BIT_MASK(32));
+ if (rc) {
--- /dev/null
+From 9baa1415d9abdd1e08362ea2dcfadfacee8690b5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 29 Aug 2022 10:05:29 +0200
+Subject: misc: fastrpc: fix memory corruption on probe
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 9baa1415d9abdd1e08362ea2dcfadfacee8690b5 upstream.
+
+Add the missing sanity check on the probed-session count to avoid
+corrupting memory beyond the fixed-size slab-allocated session array
+when there are more than FASTRPC_MAX_SESSIONS sessions defined in the
+devicetree.
+
+Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
+Cc: stable@vger.kernel.org # 5.1
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220829080531.29681-2-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1943,6 +1943,11 @@ static int fastrpc_cb_probe(struct platf
+ of_property_read_u32(dev->of_node, "qcom,nsessions", &sessions);
+
+ spin_lock_irqsave(&cctx->lock, flags);
++ if (cctx->sesscount >= FASTRPC_MAX_SESSIONS) {
++ dev_err(&pdev->dev, "too many sessions\n");
++ spin_unlock_irqrestore(&cctx->lock, flags);
++ return -ENOSPC;
++ }
+ sess = &cctx->session[cctx->sesscount];
+ sess->used = false;
+ sess->valid = true;
--- /dev/null
+From 63f1560930e4e1c4f6279b8ae715c9841fe1a6d3 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 15 Aug 2022 10:33:21 +0300
+Subject: mmc: core: Fix inconsistent sd3_bus_mode at UHS-I SD voltage switch failure
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 63f1560930e4e1c4f6279b8ae715c9841fe1a6d3 upstream.
+
+If re-initialization results is a different signal voltage, because the
+voltage switch failed previously, but not this time (or vice versa), then
+sd3_bus_mode will be inconsistent with the card because the SD_SWITCH
+command is done only upon first initialization.
+
+Fix by always reading SD_SWITCH information during re-initialization, which
+also means it does not need to be re-read later for the 1.8V fixup
+workaround.
+
+Note, brief testing showed SD_SWITCH took about 1.8ms to 2ms which added
+about 1% to 1.5% to the re-initialization time, so it's not particularly
+significant.
+
+Reported-by: Seunghui Lee <sh043.lee@samsung.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Seunghui Lee <sh043.lee@samsung.com>
+Tested-by: Seunghui Lee <sh043.lee@samsung.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220815073321.63382-3-adrian.hunter@intel.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sd.c | 42 ++++++++++++++++--------------------------
+ 1 file changed, 16 insertions(+), 26 deletions(-)
+
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -949,16 +949,17 @@ int mmc_sd_setup_card(struct mmc_host *h
+
+ /* Erase init depends on CSD and SSR */
+ mmc_init_erase(card);
+-
+- /*
+- * Fetch switch information from card.
+- */
+- err = mmc_read_switch(card);
+- if (err)
+- return err;
+ }
+
+ /*
++ * Fetch switch information from card. Note, sd3_bus_mode can change if
++ * voltage switch outcome changes, so do this always.
++ */
++ err = mmc_read_switch(card);
++ if (err)
++ return err;
++
++ /*
+ * For SPI, enable CRC as appropriate.
+ * This CRC enable is located AFTER the reading of the
+ * card registers because some SDHC cards are not able
+@@ -1480,26 +1481,15 @@ retry:
+ if (!v18_fixup_failed && !mmc_host_is_spi(host) && mmc_host_uhs(host) &&
+ mmc_sd_card_using_v18(card) &&
+ host->ios.signal_voltage != MMC_SIGNAL_VOLTAGE_180) {
+- /*
+- * Re-read switch information in case it has changed since
+- * oldcard was initialized.
+- */
+- if (oldcard) {
+- err = mmc_read_switch(card);
+- if (err)
+- goto free_card;
+- }
+- if (mmc_sd_card_using_v18(card)) {
+- if (mmc_host_set_uhs_voltage(host) ||
+- mmc_sd_init_uhs_card(card)) {
+- v18_fixup_failed = true;
+- mmc_power_cycle(host, ocr);
+- if (!oldcard)
+- mmc_remove_card(card);
+- goto retry;
+- }
+- goto cont;
++ if (mmc_host_set_uhs_voltage(host) ||
++ mmc_sd_init_uhs_card(card)) {
++ v18_fixup_failed = true;
++ mmc_power_cycle(host, ocr);
++ if (!oldcard)
++ mmc_remove_card(card);
++ goto retry;
+ }
++ goto cont;
+ }
+
+ /* Initialization sequence for UHS-I cards */
--- /dev/null
+From 15c56208c79c340686869c31595c209d1431c5e8 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 15 Aug 2022 10:33:20 +0300
+Subject: mmc: core: Fix UHS-I SD 1.8V workaround branch
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 15c56208c79c340686869c31595c209d1431c5e8 upstream.
+
+When introduced, upon success, the 1.8V fixup workaround in
+mmc_sd_init_card() would branch to practically the end of the function, to
+a label named "done". Unfortunately, perhaps due to the label name, over
+time new code has been added that really should have come after "done" not
+before it. Let's fix the problem by moving the label to the correct place
+and rename it "cont".
+
+Fixes: 045d705dc1fb ("mmc: core: Enable the MMC host software queue for the SD card")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Seunghui Lee <sh043.lee@samsung.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220815073321.63382-2-adrian.hunter@intel.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -1498,7 +1498,7 @@ retry:
+ mmc_remove_card(card);
+ goto retry;
+ }
+- goto done;
++ goto cont;
+ }
+ }
+
+@@ -1534,7 +1534,7 @@ retry:
+ mmc_set_bus_width(host, MMC_BUS_WIDTH_4);
+ }
+ }
+-
++cont:
+ if (!oldcard) {
+ /* Read/parse the extension registers. */
+ err = sd_read_ext_regs(card);
+@@ -1566,7 +1566,7 @@ retry:
+ err = -EINVAL;
+ goto free_card;
+ }
+-done:
++
+ host->card = card;
+ return 0;
+
powerpc-rtas-fix-rtas-msr-handling-for-cell.patch
vt-clear-selection-before-changing-the-font.patch
musb-fix-usb_musb_tusb6010-dependency.patch
+tty-serial-lpuart-disable-flow-control-while-waiting-for-the-transmit-engine-to-complete.patch
+input-iforce-wake-up-after-clearing-iforce_xmit_running-flag.patch
+iio-light-cm3605-fix-an-error-handling-path-in-cm3605_probe.patch
+iio-ad7292-prevent-regulator-double-disable.patch
+iio-adc-mcp3911-correct-microchip-device-addr-property.patch
+iio-adc-mcp3911-use-correct-formula-for-ad-conversion.patch
+misc-fastrpc-fix-memory-corruption-on-probe.patch
+misc-fastrpc-fix-memory-corruption-on-open.patch
+firmware_loader-fix-use-after-free-during-unregister.patch
+firmware_loader-fix-memory-leak-in-firmware-upload.patch
+usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch
+landlock-fix-file-reparenting-without-explicit-landlock_access_fs_refer.patch
+mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch
+mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch
--- /dev/null
+From d5a2e0834364377a5d5a2fff1890a0b3f0bafd1f Mon Sep 17 00:00:00 2001
+From: Sherry Sun <sherry.sun@nxp.com>
+Date: Sun, 21 Aug 2022 18:15:27 +0800
+Subject: tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+commit d5a2e0834364377a5d5a2fff1890a0b3f0bafd1f upstream.
+
+When the user initializes the uart port, and waits for the transmit
+engine to complete in lpuart32_set_termios(), if the UART TX fifo has
+dirty data and the UARTMODIR enable the flow control, the TX fifo may
+never be empty. So here we should disable the flow control first to make
+sure the transmit engin can complete.
+
+Fixes: 380c966c093e ("tty: serial: fsl_lpuart: add 32-bit register interface support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Link: https://lore.kernel.org/r/20220821101527.10066-1-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -2182,6 +2182,7 @@ lpuart32_set_termios(struct uart_port *p
+ uart_update_timeout(port, termios->c_cflag, baud);
+
+ /* wait transmit engin complete */
++ lpuart32_write(&sport->port, 0, UARTMODIR);
+ lpuart32_wait_bit_set(&sport->port, UARTSTAT, UARTSTAT_TC);
+
+ /* disable transmit and receive */
--- /dev/null
+From 001047ea241a9646010b2744451dfbc7289542f3 Mon Sep 17 00:00:00 2001
+From: Niek Nooijens <niek.nooijens@omron.com>
+Date: Mon, 1 Aug 2022 10:39:25 +0200
+Subject: USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id
+
+From: Niek Nooijens <niek.nooijens@omron.com>
+
+commit 001047ea241a9646010b2744451dfbc7289542f3 upstream.
+
+works perfectly with:
+modprobe ftdi_sio
+echo "0590 00b2" | tee
+/sys/module/ftdi_sio/drivers/usb-serial\:ftdi_sio/new_id > /dev/null
+
+but doing this every reboot is a pain in the ass.
+
+Signed-off-by: Niek Nooijens <niek.nooijens@omron.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 2 ++
+ drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1045,6 +1045,8 @@ static const struct usb_device_id id_tab
+ /* IDS GmbH devices */
+ { USB_DEVICE(IDS_VID, IDS_SI31A_PID) },
+ { USB_DEVICE(IDS_VID, IDS_CM31A_PID) },
++ /* Omron devices */
++ { USB_DEVICE(OMRON_VID, OMRON_CS1W_CIF31_PID) },
+ /* U-Blox devices */
+ { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) },
+ { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -662,6 +662,12 @@
+ #define INFINEON_TRIBOARD_TC2X7_PID 0x0043 /* DAS JTAG TriBoard TC2X7 V1.0 */
+
+ /*
++ * Omron corporation (https://www.omron.com)
++ */
++ #define OMRON_VID 0x0590
++ #define OMRON_CS1W_CIF31_PID 0x00b2
++
++/*
+ * Acton Research Corp.
+ */
+ #define ACTON_VID 0x0647 /* Vendor ID */