--- /dev/null
+From 0e3fb6995bfabb23c172e8b883bf5ac57102678e Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sat, 1 Jun 2019 12:08:01 +0900
+Subject: ALSA: firewire-motu: fix destruction of data for isochronous resources
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 0e3fb6995bfabb23c172e8b883bf5ac57102678e upstream.
+
+The data for isochronous resources is not destroyed in expected place.
+This commit fixes the bug.
+
+Cc: <stable@vger.kernel.org> # v4.12+
+Fixes: 9b2bb4f2f4a2 ("ALSA: firewire-motu: add stream management functionality")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/motu/motu-stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/motu/motu-stream.c
++++ b/sound/firewire/motu/motu-stream.c
+@@ -345,7 +345,7 @@ static void destroy_stream(struct snd_mo
+ }
+
+ amdtp_stream_destroy(stream);
+- fw_iso_resources_free(resources);
++ fw_iso_resources_destroy(resources);
+ }
+
+ int snd_motu_stream_init_duplex(struct snd_motu *motu)
--- /dev/null
+From 717f43d81afc1250300479075952a0e36d74ded3 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 31 May 2019 17:16:53 +0800
+Subject: ALSA: hda/realtek - Update headset mode for ALC256
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 717f43d81afc1250300479075952a0e36d74ded3 upstream.
+
+ALC255 and ALC256 were some difference for hidden register.
+This update was suitable for ALC256.
+
+Fixes: e69e7e03ed22 ("ALSA: hda/realtek - ALC256 speaker noise issue")
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 75 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 60 insertions(+), 15 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4084,18 +4084,19 @@ static struct coef_fw alc225_pre_hsmode[
+ static void alc_headset_mode_unplugged(struct hda_codec *codec)
+ {
+ static struct coef_fw coef0255[] = {
++ WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
+ WRITE_COEF(0x45, 0xd089), /* UAJ function set to menual mode */
+ UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), /* Direct Drive HP Amp control(Set to verb control)*/
+ WRITE_COEF(0x06, 0x6104), /* Set MIC2 Vref gate with HP */
+ WRITE_COEFEX(0x57, 0x03, 0x8aa6), /* Direct Drive HP Amp control */
+ {}
+ };
+- static struct coef_fw coef0255_1[] = {
+- WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
+- {}
+- };
+ static struct coef_fw coef0256[] = {
+ WRITE_COEF(0x1b, 0x0c4b), /* LDO and MISC control */
++ WRITE_COEF(0x45, 0xd089), /* UAJ function set to menual mode */
++ WRITE_COEF(0x06, 0x6104), /* Set MIC2 Vref gate with HP */
++ WRITE_COEFEX(0x57, 0x03, 0x09a3), /* Direct Drive HP Amp control */
++ UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), /* Direct Drive HP Amp control(Set to verb control)*/
+ {}
+ };
+ static struct coef_fw coef0233[] = {
+@@ -4158,13 +4159,11 @@ static void alc_headset_mode_unplugged(s
+
+ switch (codec->core.vendor_id) {
+ case 0x10ec0255:
+- alc_process_coef_fw(codec, coef0255_1);
+ alc_process_coef_fw(codec, coef0255);
+ break;
+ case 0x10ec0236:
+ case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0256);
+- alc_process_coef_fw(codec, coef0255);
+ break;
+ case 0x10ec0234:
+ case 0x10ec0274:
+@@ -4217,6 +4216,12 @@ static void alc_headset_mode_mic_in(stru
+ WRITE_COEF(0x06, 0x6100), /* Set MIC2 Vref gate to normal */
+ {}
+ };
++ static struct coef_fw coef0256[] = {
++ UPDATE_COEFEX(0x57, 0x05, 1<<14, 1<<14), /* Direct Drive HP Amp control(Set to verb control)*/
++ WRITE_COEFEX(0x57, 0x03, 0x09a3),
++ WRITE_COEF(0x06, 0x6100), /* Set MIC2 Vref gate to normal */
++ {}
++ };
+ static struct coef_fw coef0233[] = {
+ UPDATE_COEF(0x35, 0, 1<<14),
+ WRITE_COEF(0x06, 0x2100),
+@@ -4264,14 +4269,19 @@ static void alc_headset_mode_mic_in(stru
+ };
+
+ switch (codec->core.vendor_id) {
+- case 0x10ec0236:
+ case 0x10ec0255:
+- case 0x10ec0256:
+ alc_write_coef_idx(codec, 0x45, 0xc489);
+ snd_hda_set_pin_ctl_cache(codec, hp_pin, 0);
+ alc_process_coef_fw(codec, coef0255);
+ snd_hda_set_pin_ctl_cache(codec, mic_pin, PIN_VREF50);
+ break;
++ case 0x10ec0236:
++ case 0x10ec0256:
++ alc_write_coef_idx(codec, 0x45, 0xc489);
++ snd_hda_set_pin_ctl_cache(codec, hp_pin, 0);
++ alc_process_coef_fw(codec, coef0256);
++ snd_hda_set_pin_ctl_cache(codec, mic_pin, PIN_VREF50);
++ break;
+ case 0x10ec0234:
+ case 0x10ec0274:
+ case 0x10ec0294:
+@@ -4353,6 +4363,14 @@ static void alc_headset_mode_default(str
+ WRITE_COEF(0x49, 0x0049),
+ {}
+ };
++ static struct coef_fw coef0256[] = {
++ WRITE_COEF(0x45, 0xc489),
++ WRITE_COEFEX(0x57, 0x03, 0x0da3),
++ WRITE_COEF(0x49, 0x0049),
++ UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), /* Direct Drive HP Amp control(Set to verb control)*/
++ WRITE_COEF(0x06, 0x6100),
++ {}
++ };
+ static struct coef_fw coef0233[] = {
+ WRITE_COEF(0x06, 0x2100),
+ WRITE_COEF(0x32, 0x4ea3),
+@@ -4403,11 +4421,16 @@ static void alc_headset_mode_default(str
+ alc_process_coef_fw(codec, alc225_pre_hsmode);
+ alc_process_coef_fw(codec, coef0225);
+ break;
+- case 0x10ec0236:
+ case 0x10ec0255:
+- case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0236:
++ case 0x10ec0256:
++ alc_write_coef_idx(codec, 0x1b, 0x0e4b);
++ alc_write_coef_idx(codec, 0x45, 0xc089);
++ msleep(50);
++ alc_process_coef_fw(codec, coef0256);
++ break;
+ case 0x10ec0234:
+ case 0x10ec0274:
+ case 0x10ec0294:
+@@ -4451,8 +4474,7 @@ static void alc_headset_mode_ctia(struct
+ };
+ static struct coef_fw coef0256[] = {
+ WRITE_COEF(0x45, 0xd489), /* Set to CTIA type */
+- WRITE_COEF(0x1b, 0x0c6b),
+- WRITE_COEFEX(0x57, 0x03, 0x8ea6),
++ WRITE_COEF(0x1b, 0x0e6b),
+ {}
+ };
+ static struct coef_fw coef0233[] = {
+@@ -4570,8 +4592,7 @@ static void alc_headset_mode_omtp(struct
+ };
+ static struct coef_fw coef0256[] = {
+ WRITE_COEF(0x45, 0xe489), /* Set to OMTP Type */
+- WRITE_COEF(0x1b, 0x0c6b),
+- WRITE_COEFEX(0x57, 0x03, 0x8ea6),
++ WRITE_COEF(0x1b, 0x0e6b),
+ {}
+ };
+ static struct coef_fw coef0233[] = {
+@@ -4703,13 +4724,37 @@ static void alc_determine_headset_type(s
+ };
+
+ switch (codec->core.vendor_id) {
+- case 0x10ec0236:
+ case 0x10ec0255:
++ alc_process_coef_fw(codec, coef0255);
++ msleep(300);
++ val = alc_read_coef_idx(codec, 0x46);
++ is_ctia = (val & 0x0070) == 0x0070;
++ break;
++ case 0x10ec0236:
+ case 0x10ec0256:
++ alc_write_coef_idx(codec, 0x1b, 0x0e4b);
++ alc_write_coef_idx(codec, 0x06, 0x6104);
++ alc_write_coefex_idx(codec, 0x57, 0x3, 0x09a3);
++
++ snd_hda_codec_write(codec, 0x21, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
++ msleep(80);
++ snd_hda_codec_write(codec, 0x21, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
++
+ alc_process_coef_fw(codec, coef0255);
+ msleep(300);
+ val = alc_read_coef_idx(codec, 0x46);
+ is_ctia = (val & 0x0070) == 0x0070;
++
++ alc_write_coefex_idx(codec, 0x57, 0x3, 0x0da3);
++ alc_update_coefex_idx(codec, 0x57, 0x5, 1<<14, 0);
++
++ snd_hda_codec_write(codec, 0x21, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT);
++ msleep(80);
++ snd_hda_codec_write(codec, 0x21, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE);
+ break;
+ case 0x10ec0234:
+ case 0x10ec0274:
--- /dev/null
+From 352bcae97f9ba87801f497571cdec20af190efe1 Mon Sep 17 00:00:00 2001
+From: Rui Nuno Capela <rncbc@rncbc.org>
+Date: Fri, 7 Jun 2019 15:13:37 +0100
+Subject: ALSA: ice1712: Check correct return value to snd_i2c_sendbytes (EWS/DMX 6Fire)
+
+From: Rui Nuno Capela <rncbc@rncbc.org>
+
+commit 352bcae97f9ba87801f497571cdec20af190efe1 upstream.
+
+Check for exact and correct return value to snd_i2c_sendbytes
+call for EWS/DMX 6Fire (snd_ice1712).
+
+Fixes a systemic error on every boot starting from kernel 5.1
+onwards to snd_ice1712 driver ("cannot send pca") on Terratec
+EWS/DMX 6Fire PCI soundcards.
+
+Check for exact and correct return value to snd_i2c_sendbytes
+call for EWS/DMX 6Fire (snd_ice1712).
+
+Fixes a systemic error on every boot to snd_ice1712 driver
+("cannot send pca") on Terratec EWS/DMX 6Fire PCI soundcards.
+
+Fixes: c99776cc4018 ("ALSA: ice1712: fix a missing check of snd_i2c_sendbytes")
+Signed-off-by: Rui Nuno Capela <rncbc@rncbc.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/ice1712/ews.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/ice1712/ews.c
++++ b/sound/pci/ice1712/ews.c
+@@ -826,7 +826,7 @@ static int snd_ice1712_6fire_read_pca(st
+
+ snd_i2c_lock(ice->i2c);
+ byte = reg;
+- if (snd_i2c_sendbytes(spec->i2cdevs[EWS_I2C_6FIRE], &byte, 1)) {
++ if (snd_i2c_sendbytes(spec->i2cdevs[EWS_I2C_6FIRE], &byte, 1) != 1) {
+ snd_i2c_unlock(ice->i2c);
+ dev_err(ice->card->dev, "cannot send pca\n");
+ return -EIO;
--- /dev/null
+From d8fa87c368f5b4096c4746894fdcc195da285df1 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 9 Jun 2019 19:29:12 +0900
+Subject: ALSA: oxfw: allow PCM capture for Stanton SCS.1m
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit d8fa87c368f5b4096c4746894fdcc195da285df1 upstream.
+
+Stanton SCS.1m can transfer isochronous packet with Multi Bit Linear
+Audio data channels, therefore it allows software to capture PCM
+substream. However, ALSA oxfw driver doesn't.
+
+This commit changes the driver to add one PCM substream for capture
+direction.
+
+Fixes: de5126cc3c0b ("ALSA: oxfw: add stream format quirk for SCS.1 models")
+Cc: <stable@vger.kernel.org> # v4.5+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/oxfw/oxfw.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/sound/firewire/oxfw/oxfw.c
++++ b/sound/firewire/oxfw/oxfw.c
+@@ -148,9 +148,6 @@ static int detect_quirks(struct snd_oxfw
+ oxfw->midi_input_ports = 0;
+ oxfw->midi_output_ports = 0;
+
+- /* Output stream exists but no data channels are useful. */
+- oxfw->has_output = false;
+-
+ return snd_oxfw_scs1x_add(oxfw);
+ }
+
--- /dev/null
+From b30a43ac7132cdda833ac4b13dd1ebd35ace14b7 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Thu, 18 Apr 2019 16:45:15 +1000
+Subject: drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit b30a43ac7132cdda833ac4b13dd1ebd35ace14b7 upstream.
+
+There was a nouveau DDX that relied on legacy context ioctls to work,
+but we fixed it years ago, give distros that have a modern DDX the
+option to break the uAPI and close the mess of holes that legacy
+context support is.
+
+Full context of the story:
+
+commit 0e975980d435d58df2d430d688b8c18778b42218
+Author: Peter Antoine <peter.antoine@intel.com>
+Date: Tue Jun 23 08:18:49 2015 +0100
+
+ drm: Turn off Legacy Context Functions
+
+ The context functions are not used by the i915 driver and should not
+ be used by modeset drivers. These driver functions contain several bugs
+ and security holes. This change makes these functions optional can be
+ turned on by a setting, they are turned off by default for modeset
+ driver with the exception of the nouvea driver that may require them with
+ an old version of libdrm.
+
+ The previous attempt was
+
+ commit 7c510133d93dd6f15ca040733ba7b2891ed61fd1
+ Author: Daniel Vetter <daniel.vetter@ffwll.ch>
+ Date: Thu Aug 8 15:41:21 2013 +0200
+
+ drm: mark context support as a legacy subsystem
+
+ but this had to be reverted
+
+ commit c21eb21cb50d58e7cbdcb8b9e7ff68b85cfa5095
+ Author: Dave Airlie <airlied@redhat.com>
+ Date: Fri Sep 20 08:32:59 2013 +1000
+
+ Revert "drm: mark context support as a legacy subsystem"
+
+ v2: remove returns from void function, and formatting (Daniel Vetter)
+
+ v3:
+ - s/Nova/nouveau/ in the commit message, and add references to the
+ previous attempts
+ - drop the part touching the drm hw lock, that should be a separate
+ patch.
+
+ Signed-off-by: Peter Antoine <peter.antoine@intel.com> (v2)
+ Cc: Peter Antoine <peter.antoine@intel.com> (v2)
+ Reviewed-by: Peter Antoine <peter.antoine@intel.com>
+ Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+v2: move DRM_VM dependency into legacy config.
+v3: fix missing dep (kbuild robot)
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/Kconfig | 13 ++++++++++++-
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 7 +++++--
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/Kconfig
++++ b/drivers/gpu/drm/nouveau/Kconfig
+@@ -17,10 +17,21 @@ config DRM_NOUVEAU
+ select INPUT if ACPI && X86
+ select THERMAL if ACPI && X86
+ select ACPI_VIDEO if ACPI && X86
+- select DRM_VM
+ help
+ Choose this option for open-source NVIDIA support.
+
++config NOUVEAU_LEGACY_CTX_SUPPORT
++ bool "Nouveau legacy context support"
++ depends on DRM_NOUVEAU
++ select DRM_VM
++ default y
++ help
++ There was a version of the nouveau DDX that relied on legacy
++ ctx ioctls not erroring out. But that was back in time a long
++ ways, so offer a way to disable it now. For uapi compat with
++ old nouveau ddx this should be on by default, but modern distros
++ should consider turning it off.
++
+ config NOUVEAU_PLATFORM_DRIVER
+ bool "Nouveau (NVIDIA) SoC GPUs"
+ depends on DRM_NOUVEAU && ARCH_TEGRA
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -1094,8 +1094,11 @@ nouveau_driver_fops = {
+ static struct drm_driver
+ driver_stub = {
+ .driver_features =
+- DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER |
+- DRIVER_KMS_LEGACY_CONTEXT,
++ DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER
++#if defined(CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT)
++ | DRIVER_KMS_LEGACY_CONTEXT
++#endif
++ ,
+
+ .open = nouveau_drm_open,
+ .postclose = nouveau_drm_postclose,
--- /dev/null
+From 39b3c3a5fbc5d744114e497d35bf0c12f798c134 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Thu, 18 Apr 2019 09:47:41 +0200
+Subject: HID: input: fix assignment of .value
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 39b3c3a5fbc5d744114e497d35bf0c12f798c134 upstream.
+
+The value field is actually an array of .maxfield. We should assign the
+correct number to the correct usage.
+
+Not that we never encounter a device that requires this ATM, but better
+have the proper code path.
+
+Fixes: 2dc702c991e377 ("HID: input: use the Resolution Multiplier for
+ high-resolution scrolling")
+Cc: stable@vger.kernel.org # v5.0+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1595,7 +1595,7 @@ static bool __hidinput_change_resolution
+ if (usage->hid != HID_GD_RESOLUTION_MULTIPLIER)
+ continue;
+
+- *report->field[i]->value = value;
++ report->field[i]->value[j] = value;
+ update_needed = true;
+ }
+ }
--- /dev/null
+From d43c17ead879ba7c076dc2f5fd80cd76047c9ff4 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Wed, 3 Apr 2019 16:20:20 +0200
+Subject: HID: input: make sure the wheel high resolution multiplier is set
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit d43c17ead879ba7c076dc2f5fd80cd76047c9ff4 upstream.
+
+Some old mice have a tendency to not accept the high resolution multiplier.
+They reply with a -EPIPE which was previously ignored.
+
+Force the call to resolution multiplier to be synchronous and actually
+check for the answer. If this fails, consider the mouse like a normal one.
+
+Fixes: 2dc702c991e377 ("HID: input: use the Resolution Multiplier for
+ high-resolution scrolling")
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1700071
+Reported-and-tested-by: James Feeney <james@nurealm.net>
+Cc: stable@vger.kernel.org # v5.0+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 7 ++--
+ drivers/hid/hid-input.c | 81 +++++++++++++++++++++++++++++-------------------
+ include/linux/hid.h | 2 -
+ 3 files changed, 56 insertions(+), 34 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1636,7 +1636,7 @@ static struct hid_report *hid_get_report
+ * Implement a generic .request() callback, using .raw_request()
+ * DO NOT USE in hid drivers directly, but through hid_hw_request instead.
+ */
+-void __hid_request(struct hid_device *hid, struct hid_report *report,
++int __hid_request(struct hid_device *hid, struct hid_report *report,
+ int reqtype)
+ {
+ char *buf;
+@@ -1645,7 +1645,7 @@ void __hid_request(struct hid_device *hi
+
+ buf = hid_alloc_report_buf(report, GFP_KERNEL);
+ if (!buf)
+- return;
++ return -ENOMEM;
+
+ len = hid_report_len(report);
+
+@@ -1662,8 +1662,11 @@ void __hid_request(struct hid_device *hi
+ if (reqtype == HID_REQ_GET_REPORT)
+ hid_input_report(hid, report->type, buf, ret, 0);
+
++ ret = 0;
++
+ out:
+ kfree(buf);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(__hid_request);
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1557,52 +1557,71 @@ static void hidinput_close(struct input_
+ hid_hw_close(hid);
+ }
+
+-static void hidinput_change_resolution_multipliers(struct hid_device *hid)
++static bool __hidinput_change_resolution_multipliers(struct hid_device *hid,
++ struct hid_report *report, bool use_logical_max)
+ {
+- struct hid_report_enum *rep_enum;
+- struct hid_report *rep;
+ struct hid_usage *usage;
++ bool update_needed = false;
+ int i, j;
+
+- rep_enum = &hid->report_enum[HID_FEATURE_REPORT];
+- list_for_each_entry(rep, &rep_enum->report_list, list) {
+- bool update_needed = false;
++ if (report->maxfield == 0)
++ return false;
+
+- if (rep->maxfield == 0)
+- continue;
++ /*
++ * If we have more than one feature within this report we
++ * need to fill in the bits from the others before we can
++ * overwrite the ones for the Resolution Multiplier.
++ */
++ if (report->maxfield > 1) {
++ hid_hw_request(hid, report, HID_REQ_GET_REPORT);
++ hid_hw_wait(hid);
++ }
+
+- /*
+- * If we have more than one feature within this report we
+- * need to fill in the bits from the others before we can
+- * overwrite the ones for the Resolution Multiplier.
++ for (i = 0; i < report->maxfield; i++) {
++ __s32 value = use_logical_max ?
++ report->field[i]->logical_maximum :
++ report->field[i]->logical_minimum;
++
++ /* There is no good reason for a Resolution
++ * Multiplier to have a count other than 1.
++ * Ignore that case.
+ */
+- if (rep->maxfield > 1) {
+- hid_hw_request(hid, rep, HID_REQ_GET_REPORT);
+- hid_hw_wait(hid);
+- }
++ if (report->field[i]->report_count != 1)
++ continue;
+
+- for (i = 0; i < rep->maxfield; i++) {
+- __s32 logical_max = rep->field[i]->logical_maximum;
++ for (j = 0; j < report->field[i]->maxusage; j++) {
++ usage = &report->field[i]->usage[j];
+
+- /* There is no good reason for a Resolution
+- * Multiplier to have a count other than 1.
+- * Ignore that case.
+- */
+- if (rep->field[i]->report_count != 1)
++ if (usage->hid != HID_GD_RESOLUTION_MULTIPLIER)
+ continue;
+
+- for (j = 0; j < rep->field[i]->maxusage; j++) {
+- usage = &rep->field[i]->usage[j];
++ *report->field[i]->value = value;
++ update_needed = true;
++ }
++ }
++
++ return update_needed;
++}
++
++static void hidinput_change_resolution_multipliers(struct hid_device *hid)
++{
++ struct hid_report_enum *rep_enum;
++ struct hid_report *rep;
++ int ret;
+
+- if (usage->hid != HID_GD_RESOLUTION_MULTIPLIER)
+- continue;
++ rep_enum = &hid->report_enum[HID_FEATURE_REPORT];
++ list_for_each_entry(rep, &rep_enum->report_list, list) {
++ bool update_needed = __hidinput_change_resolution_multipliers(hid,
++ rep, true);
+
+- *rep->field[i]->value = logical_max;
+- update_needed = true;
++ if (update_needed) {
++ ret = __hid_request(hid, rep, HID_REQ_SET_REPORT);
++ if (ret) {
++ __hidinput_change_resolution_multipliers(hid,
++ rep, false);
++ return;
+ }
+ }
+- if (update_needed)
+- hid_hw_request(hid, rep, HID_REQ_SET_REPORT);
+ }
+
+ /* refresh our structs */
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -894,7 +894,7 @@ struct hid_field *hidinput_get_led_field
+ unsigned int hidinput_count_leds(struct hid_device *hid);
+ __s32 hidinput_calc_abs_res(const struct hid_field *field, __u16 code);
+ void hid_output_report(struct hid_report *report, __u8 *data);
+-void __hid_request(struct hid_device *hid, struct hid_report *rep, int reqtype);
++int __hid_request(struct hid_device *hid, struct hid_report *rep, int reqtype);
+ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags);
+ struct hid_device *hid_allocate_device(void);
+ struct hid_report *hid_register_report(struct hid_device *device,
--- /dev/null
+From 81bcbad53bab4bf9f200eda303d7a05cdb9bd73b Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Tue, 21 May 2019 15:38:31 +0200
+Subject: HID: multitouch: handle faulty Elo touch device
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 81bcbad53bab4bf9f200eda303d7a05cdb9bd73b upstream.
+
+Since kernel v5.0, one single win8 touchscreen device failed.
+And it turns out this is because it reports 2 InRange usage per touch.
+
+It's a first, and I *really* wonder how this was allowed by Microsoft in
+the first place. But IIRC, Breno told me this happened *after* a firmware
+upgrade...
+
+Anyway, better be safe for those crappy devices, and make sure we have
+a full slot before jumping to the next.
+This won't prevent all crappy devices to fail here, but at least we will
+have a safeguard as long as the contact ID and the X and Y coordinates
+are placed in the report after the grabage.
+
+Fixes: 01eaac7e5713 ("HID: multitouch: remove one copy of values")
+CC: stable@vger.kernel.org # v5.0+
+Reported-and-tested-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-multitouch.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -641,6 +641,13 @@ static void mt_store_field(struct hid_de
+ if (*target != DEFAULT_TRUE &&
+ *target != DEFAULT_FALSE &&
+ *target != DEFAULT_ZERO) {
++ if (usage->contactid == DEFAULT_ZERO ||
++ usage->x == DEFAULT_ZERO ||
++ usage->y == DEFAULT_ZERO) {
++ hid_dbg(hdev,
++ "ignoring duplicate usage on incomplete");
++ return;
++ }
+ usage = mt_allocate_usage(hdev, application);
+ if (!usage)
+ return;
--- /dev/null
+From 6441fc781c344df61402be1fde582c4491fa35fa Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <jason.gerecke@wacom.com>
+Date: Tue, 7 May 2019 11:53:21 -0700
+Subject: HID: wacom: Correct button numbering 2nd-gen Intuos Pro over Bluetooth
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+commit 6441fc781c344df61402be1fde582c4491fa35fa upstream.
+
+The button numbering of the 2nd-gen Intuos Pro is not consistent between
+the USB and Bluetooth interfaces. Over USB, the HID_GENERIC codepath
+enumerates the eight ExpressKeys first (BTN_0 - BTN_7) followed by the
+center modeswitch button (BTN_8). The Bluetooth codepath, however, has
+the center modeswitch button as BTN_0 and the the eight ExpressKeys as
+BTN_1 - BTN_8. To ensure userspace button mappings do not change
+depending on how the tablet is connected, modify the Bluetooth codepath
+to report buttons in the same order as USB.
+
+To ensure the mode switch LED continues to toggle in response to the
+mode switch button, the `wacom_is_led_toggled` function also requires
+a small update.
+
+Link: https://github.com/linuxwacom/input-wacom/pull/79
+Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
+Cc: <stable@vger.kernel.org> # 4.11+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Aaron Skomra <aaron.skomra@wacom.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1383,7 +1383,7 @@ static void wacom_intuos_pro2_bt_pad(str
+ struct input_dev *pad_input = wacom->pad_input;
+ unsigned char *data = wacom->data;
+
+- int buttons = (data[282] << 1) | ((data[281] >> 6) & 0x01);
++ int buttons = data[282] | ((data[281] & 0x40) << 2);
+ int ring = data[285] & 0x7F;
+ bool ringstatus = data[285] & 0x80;
+ bool prox = buttons || ringstatus;
+@@ -3832,7 +3832,7 @@ static void wacom_24hd_update_leds(struc
+ static bool wacom_is_led_toggled(struct wacom *wacom, int button_count,
+ int mask, int group)
+ {
+- int button_per_group;
++ int group_button;
+
+ /*
+ * 21UX2 has LED group 1 to the left and LED group 0
+@@ -3842,9 +3842,12 @@ static bool wacom_is_led_toggled(struct
+ if (wacom->wacom_wac.features.type == WACOM_21UX2)
+ group = 1 - group;
+
+- button_per_group = button_count/wacom->led.count;
++ group_button = group * (button_count/wacom->led.count);
+
+- return mask & (1 << (group * button_per_group));
++ if (wacom->wacom_wac.features.type == INTUOSP2_BT)
++ group_button = 8;
++
++ return mask & (1 << group_button);
+ }
+
+ static void wacom_update_led(struct wacom *wacom, int button_count, int mask,
--- /dev/null
+From e92a7be7fe5b2510fa60965eaf25f9e3dc08b8cc Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <jason.gerecke@wacom.com>
+Date: Wed, 24 Apr 2019 15:12:58 -0700
+Subject: HID: wacom: Don't report anything prior to the tool entering range
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+commit e92a7be7fe5b2510fa60965eaf25f9e3dc08b8cc upstream.
+
+If the tool spends some time in prox before entering range, a series of
+events (e.g. ABS_DISTANCE, MSC_SERIAL) can be sent before we or userspace
+have any clue about the pen whose data is being reported. We need to hold
+off on reporting anything until the pen has entered range. Since we still
+want to report events that occur "in prox" after the pen has *left* range
+we use 'wacom-tool[0]' as the indicator that the pen did at one point
+enter range and provide us/userspace with tool type and serial number
+information.
+
+Fixes: a48324de6d4d ("HID: wacom: Bluetooth IRQ for Intuos Pro should handle prox/range")
+Cc: <stable@vger.kernel.org> # 4.11+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Aaron Armstrong Skomra <aaron.skomra@wacom.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1290,23 +1290,26 @@ static void wacom_intuos_pro2_bt_pen(str
+ get_unaligned_le16(&frame[11]));
+ }
+ }
+- input_report_abs(pen_input, ABS_PRESSURE, get_unaligned_le16(&frame[5]));
+- if (wacom->features.type == INTUOSP2_BT) {
+- input_report_abs(pen_input, ABS_DISTANCE,
+- range ? frame[13] : wacom->features.distance_max);
+- } else {
+- input_report_abs(pen_input, ABS_DISTANCE,
+- range ? frame[7] : wacom->features.distance_max);
+- }
+
+- input_report_key(pen_input, BTN_TOUCH, frame[0] & 0x01);
+- input_report_key(pen_input, BTN_STYLUS, frame[0] & 0x02);
+- input_report_key(pen_input, BTN_STYLUS2, frame[0] & 0x04);
++ if (wacom->tool[0]) {
++ input_report_abs(pen_input, ABS_PRESSURE, get_unaligned_le16(&frame[5]));
++ if (wacom->features.type == INTUOSP2_BT) {
++ input_report_abs(pen_input, ABS_DISTANCE,
++ range ? frame[13] : wacom->features.distance_max);
++ } else {
++ input_report_abs(pen_input, ABS_DISTANCE,
++ range ? frame[7] : wacom->features.distance_max);
++ }
++
++ input_report_key(pen_input, BTN_TOUCH, frame[0] & 0x01);
++ input_report_key(pen_input, BTN_STYLUS, frame[0] & 0x02);
++ input_report_key(pen_input, BTN_STYLUS2, frame[0] & 0x04);
+
+- input_report_key(pen_input, wacom->tool[0], prox);
+- input_event(pen_input, EV_MSC, MSC_SERIAL, wacom->serial[0]);
+- input_report_abs(pen_input, ABS_MISC,
+- wacom_intuos_id_mangle(wacom->id[0])); /* report tool id */
++ input_report_key(pen_input, wacom->tool[0], prox);
++ input_event(pen_input, EV_MSC, MSC_SERIAL, wacom->serial[0]);
++ input_report_abs(pen_input, ABS_MISC,
++ wacom_intuos_id_mangle(wacom->id[0])); /* report tool id */
++ }
+
+ wacom->shared->stylus_in_proximity = prox;
+
--- /dev/null
+From 2cc08800a6b9fcda7c7afbcf2da1a6e8808da725 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <jason.gerecke@wacom.com>
+Date: Wed, 24 Apr 2019 15:12:57 -0700
+Subject: HID: wacom: Don't set tool type until we're in range
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+commit 2cc08800a6b9fcda7c7afbcf2da1a6e8808da725 upstream.
+
+The serial number and tool type information that is reported by the tablet
+while a pen is merely "in prox" instead of fully "in range" can be stale
+and cause us to report incorrect tool information. Serial number, tool
+type, and other information is only valid once the pen comes fully in range
+so we should be careful to not use this information until that point.
+
+In particular, this issue may cause the driver to incorectly report
+BTN_TOOL_RUBBER after switching from the eraser tool back to the pen.
+
+Fixes: a48324de6d4d ("HID: wacom: Bluetooth IRQ for Intuos Pro should handle prox/range")
+Cc: <stable@vger.kernel.org> # 4.11+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Aaron Armstrong Skomra <aaron.skomra@wacom.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1236,13 +1236,13 @@ static void wacom_intuos_pro2_bt_pen(str
+ /* Add back in missing bits of ID for non-USI pens */
+ wacom->id[0] |= (wacom->serial[0] >> 32) & 0xFFFFF;
+ }
+- wacom->tool[0] = wacom_intuos_get_tool_type(wacom_intuos_id_mangle(wacom->id[0]));
+
+ for (i = 0; i < pen_frames; i++) {
+ unsigned char *frame = &data[i*pen_frame_len + 1];
+ bool valid = frame[0] & 0x80;
+ bool prox = frame[0] & 0x40;
+ bool range = frame[0] & 0x20;
++ bool invert = frame[0] & 0x10;
+
+ if (!valid)
+ continue;
+@@ -1251,9 +1251,24 @@ static void wacom_intuos_pro2_bt_pen(str
+ wacom->shared->stylus_in_proximity = false;
+ wacom_exit_report(wacom);
+ input_sync(pen_input);
++
++ wacom->tool[0] = 0;
++ wacom->id[0] = 0;
++ wacom->serial[0] = 0;
+ return;
+ }
++
+ if (range) {
++ if (!wacom->tool[0]) { /* first in range */
++ /* Going into range select tool */
++ if (invert)
++ wacom->tool[0] = BTN_TOOL_RUBBER;
++ else if (wacom->id[0])
++ wacom->tool[0] = wacom_intuos_get_tool_type(wacom->id[0]);
++ else
++ wacom->tool[0] = BTN_TOOL_PEN;
++ }
++
+ input_report_abs(pen_input, ABS_X, get_unaligned_le16(&frame[1]));
+ input_report_abs(pen_input, ABS_Y, get_unaligned_le16(&frame[3]));
+
--- /dev/null
+From fe7f8d73d1af19b678171170e4e5384deb57833d Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <jason.gerecke@wacom.com>
+Date: Tue, 7 May 2019 11:53:20 -0700
+Subject: HID: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+commit fe7f8d73d1af19b678171170e4e5384deb57833d upstream.
+
+The Bluetooth reports from the 2nd-gen Intuos Pro have separate bits for
+indicating if the tip or eraser is in contact with the tablet. At the
+moment, only the tip contact bit controls the state of the BTN_TOUCH
+event. This prevents the eraser from working as expected. This commit
+changes the driver to send BTN_TOUCH whenever either the tip or eraser
+contact bit is set.
+
+Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
+Cc: <stable@vger.kernel.org> # 4.11+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Aaron Skomra <aaron.skomra@wacom.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1301,7 +1301,7 @@ static void wacom_intuos_pro2_bt_pen(str
+ range ? frame[7] : wacom->features.distance_max);
+ }
+
+- input_report_key(pen_input, BTN_TOUCH, frame[0] & 0x01);
++ input_report_key(pen_input, BTN_TOUCH, frame[0] & 0x09);
+ input_report_key(pen_input, BTN_STYLUS, frame[0] & 0x02);
+ input_report_key(pen_input, BTN_STYLUS2, frame[0] & 0x04);
+
--- /dev/null
+From 69dbdfffef20c715df9f381b2cee4e9e0a4efd93 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <jason.gerecke@wacom.com>
+Date: Tue, 7 May 2019 11:53:22 -0700
+Subject: HID: wacom: Sync INTUOSP2_BT touch state after each frame if necessary
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+commit 69dbdfffef20c715df9f381b2cee4e9e0a4efd93 upstream.
+
+The Bluetooth interface of the 2nd-gen Intuos Pro batches together four
+independent "frames" of finger data into a single report. Each frame
+is essentially equivalent to a single USB report, with the up-to-10
+fingers worth of information being spread across two frames. At the
+moment the driver only calls `input_sync` after processing all four
+frames have been processed, which can result in the driver sending
+multiple updates for a single slot within the same SYN_REPORT. This
+can confuse userspace, so modify the driver to sync more often if
+necessary (i.e., after reporting the state of all fingers).
+
+Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
+Cc: <stable@vger.kernel.org> # 4.11+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1371,11 +1371,17 @@ static void wacom_intuos_pro2_bt_touch(s
+ if (wacom->num_contacts_left <= 0) {
+ wacom->num_contacts_left = 0;
+ wacom->shared->touch_down = wacom_wac_finger_count_touches(wacom);
++ input_sync(touch_input);
+ }
+ }
+
+- input_report_switch(touch_input, SW_MUTE_DEVICE, !(data[281] >> 7));
+- input_sync(touch_input);
++ if (wacom->num_contacts_left == 0) {
++ // Be careful that we don't accidentally call input_sync with
++ // only a partial set of fingers of processed
++ input_report_switch(touch_input, SW_MUTE_DEVICE, !(data[281] >> 7));
++ input_sync(touch_input);
++ }
++
+ }
+
+ static void wacom_intuos_pro2_bt_pad(struct wacom_wac *wacom)
--- /dev/null
+From 355e8d26f719c207aa2e00e6f3cfab3acf21769b Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 12 Jun 2019 14:58:43 -0700
+Subject: io_uring: fix memory leak of UNIX domain socket inode
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 355e8d26f719c207aa2e00e6f3cfab3acf21769b upstream.
+
+Opening and closing an io_uring instance leaks a UNIX domain socket
+inode. This is because the ->file of the io_uring instance's internal
+UNIX domain socket is set to point to the io_uring file, but then
+sock_release() sees the non-NULL ->file and assumes the inode reference
+is held by the file so doesn't call iput(). That's not the case here,
+since the reference is still meant to be held by the socket; the actual
+inode of the io_uring file is different.
+
+Fix this leak by NULL-ing out ->file before releasing the socket.
+
+Reported-by: syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com
+Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
+Cc: <stable@vger.kernel.org> # v5.1+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/io_uring.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2633,8 +2633,10 @@ static void io_ring_ctx_free(struct io_r
+ io_sqe_files_unregister(ctx);
+
+ #if defined(CONFIG_UNIX)
+- if (ctx->ring_sock)
++ if (ctx->ring_sock) {
++ ctx->ring_sock->file = NULL; /* so that iput() is called */
+ sock_release(ctx->ring_sock);
++ }
+ #endif
+
+ io_mem_free(ctx->sq_ring);
--- /dev/null
+From 31f6264e225fb92cf6f4b63031424f20797c297d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 11 Jun 2019 16:32:59 +0200
+Subject: libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 31f6264e225fb92cf6f4b63031424f20797c297d upstream.
+
+We've received a bugreport that using LPM with ST1000LM024 drives leads
+to system lockups. So it seems that these models are buggy in more then
+1 way. Add NOLPM quirk to the existing quirks entry for BROKEN_FPDMA_AA.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1571330
+Cc: stable@vger.kernel.org
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4476,9 +4476,12 @@ static const struct ata_blacklist_entry
+ { "ST3320[68]13AS", "SD1[5-9]", ATA_HORKAGE_NONCQ |
+ ATA_HORKAGE_FIRMWARE_WARN },
+
+- /* drives which fail FPDMA_AA activation (some may freeze afterwards) */
+- { "ST1000LM024 HN-M101MBB", "2AR10001", ATA_HORKAGE_BROKEN_FPDMA_AA },
+- { "ST1000LM024 HN-M101MBB", "2BA30001", ATA_HORKAGE_BROKEN_FPDMA_AA },
++ /* drives which fail FPDMA_AA activation (some may freeze afterwards)
++ the ST disks also have LPM issues */
++ { "ST1000LM024 HN-M101MBB", "2AR10001", ATA_HORKAGE_BROKEN_FPDMA_AA |
++ ATA_HORKAGE_NOLPM, },
++ { "ST1000LM024 HN-M101MBB", "2BA30001", ATA_HORKAGE_BROKEN_FPDMA_AA |
++ ATA_HORKAGE_NOLPM, },
+ { "VB0250EAVER", "HPG7", ATA_HORKAGE_BROKEN_FPDMA_AA },
+
+ /* Blacklist entries taken from Silicon Image 3124/3132
--- /dev/null
+From 0d91b155a7f9c1f4a2b360bc2b79dc728aee8b48 Mon Sep 17 00:00:00 2001
+From: Thomas Backlund <tmb@mageia.org>
+Date: Sat, 15 Jun 2019 12:22:44 +0300
+Subject: nouveau: Fix build with CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT disabled
+
+From: Thomas Backlund <tmb@mageia.org>
+
+Not-entirely-upstream-sha1-but-equivalent: bed2dd8421
+("drm/ttm: Quick-test mmap offset in ttm_bo_mmap()")
+
+Setting CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=n (added by commit: b30a43ac7132)
+causes the build to fail with:
+
+ERROR: "drm_legacy_mmap" [drivers/gpu/drm/nouveau/nouveau.ko] undefined!
+
+This does not happend upstream as the offending code got removed in:
+bed2dd8421 ("drm/ttm: Quick-test mmap offset in ttm_bo_mmap()")
+
+Fix that by adding check for CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT around
+the drm_legacy_mmap() call.
+
+Also, as Sven Joachim pointed out, we need to make the check in
+CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=n case return -EINVAL as its done
+for basically all other gpu drivers, especially in upstream kernels
+drivers/gpu/drm/ttm/ttm_bo_vm.c as of the upstream commit bed2dd8421.
+
+NOTE. This is a minimal stable-only fix for trees where b30a43ac7132 is
+backported as the build error affects nouveau only.
+
+Fixes: b30a43ac7132 ("drm/nouveau: add kconfig option to turn off nouveau
+ legacy contexts. (v3)")
+Signed-off-by: Thomas Backlund <tmb@mageia.org>
+Cc: stable@vger.kernel.org
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Sven Joachim <svenjoac@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_ttm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_ttm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_ttm.c
+@@ -169,7 +169,11 @@ nouveau_ttm_mmap(struct file *filp, stru
+ struct nouveau_drm *drm = nouveau_drm(file_priv->minor->dev);
+
+ if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET))
++#if defined(CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT)
+ return drm_legacy_mmap(filp, vma);
++#else
++ return -EINVAL;
++#endif
+
+ return ttm_bo_mmap(filp, vma, &drm->ttm.bdev);
+ }
--- /dev/null
+From 17d304604a88cf20c8dfd2c95d3decb9c4f8bca4 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Fri, 14 Jun 2019 16:44:12 +0800
+Subject: Revert "ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops"
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 17d304604a88cf20c8dfd2c95d3decb9c4f8bca4 upstream.
+
+This reverts commit 9cb40eb184c4220d244a532bd940c6345ad9dbd9.
+
+This patch introduces noise and headphone playback issue after
+rebooting or suspending/resuming. Let us revert it.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=203831
+Fixes: 9cb40eb184c4 ("ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6166,15 +6166,13 @@ static const struct hda_fixup alc269_fix
+ .chain_id = ALC269_FIXUP_THINKPAD_ACPI,
+ },
+ [ALC255_FIXUP_ACER_MIC_NO_PRESENCE] = {
+- .type = HDA_FIXUP_VERBS,
+- .v.verbs = (const struct hda_verb[]) {
+- /* Enable the Mic */
+- { 0x20, AC_VERB_SET_COEF_INDEX, 0x45 },
+- { 0x20, AC_VERB_SET_PROC_COEF, 0x5089 },
+- {}
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x19, 0x01a1913c }, /* use as headset mic, without its own jack detect */
++ { }
+ },
+ .chained = true,
+- .chain_id = ALC269_FIXUP_LIFEBOOK_EXTMIC
++ .chain_id = ALC255_FIXUP_HEADSET_MODE
+ },
+ [ALC255_FIXUP_ASUS_MIC_NO_PRESENCE] = {
+ .type = HDA_FIXUP_PINS,
+@@ -7220,10 +7218,6 @@ static const struct snd_hda_pin_quirk al
+ {0x19, 0x0181303F},
+ {0x21, 0x0221102f}),
+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1025, "Acer", ALC255_FIXUP_ACER_MIC_NO_PRESENCE,
+- {0x12, 0x90a60140},
+- {0x14, 0x90170120},
+- {0x21, 0x02211030}),
+- SND_HDA_PIN_QUIRK(0x10ec0255, 0x1025, "Acer", ALC255_FIXUP_ACER_MIC_NO_PRESENCE,
+ {0x12, 0x90a601c0},
+ {0x14, 0x90171120},
+ {0x21, 0x02211030}),
--- /dev/null
+From 15fc1b5c86128f91c8c6699c3b0d9615740b13f1 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Wed, 5 Jun 2019 14:44:05 +0200
+Subject: Revert "HID: Increase maximum report size allowed by hid_field_extract()"
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 15fc1b5c86128f91c8c6699c3b0d9615740b13f1 upstream.
+
+This reverts commit 94a9992f7dbdfb28976b565af220e0c4a117144a.
+
+The commit allows for more than 32 bits in hid_field_extract(),
+but the return value is a 32 bits int.
+So basically what this commit is doing is just silencing those
+legitimate errors.
+
+Revert to a previous situation in the hope that a proper
+fix will be impletemented.
+
+Fixes: 94a9992f7dbd ("HID: Increase maximum report size allowed by hid_field_extract()")
+Cc: stable@vger.kernel.org # v5.1
+Acked-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1313,10 +1313,10 @@ static u32 __extract(u8 *report, unsigne
+ u32 hid_field_extract(const struct hid_device *hid, u8 *report,
+ unsigned offset, unsigned n)
+ {
+- if (n > 256) {
+- hid_warn(hid, "hid_field_extract() called with n (%d) > 256! (%s)\n",
++ if (n > 32) {
++ hid_warn(hid, "hid_field_extract() called with n (%d) > 32! (%s)\n",
+ n, current->comm);
+- n = 256;
++ n = 32;
+ }
+
+ return __extract(report, offset, n);
--- /dev/null
+From e2e0e09758a6f7597de0f9b819647addfb71b6bd Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Wed, 12 Jun 2019 21:28:21 +0800
+Subject: selinux: fix a missing-check bug in selinux_add_mnt_opt( )
+
+From: Gen Zhang <blackgod016574@gmail.com>
+
+commit e2e0e09758a6f7597de0f9b819647addfb71b6bd upstream.
+
+In selinux_add_mnt_opt(), 'val' is allocated by kmemdup_nul(). It returns
+NULL when fails. So 'val' should be checked. And 'mnt_opts' should be
+freed when error.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Fixes: 757cbe597fe8 ("LSM: new method: ->sb_add_mnt_opt()")
+Cc: <stable@vger.kernel.org>
+[PM: fixed some indenting problems]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1048,15 +1048,24 @@ static int selinux_add_mnt_opt(const cha
+ if (token == Opt_error)
+ return -EINVAL;
+
+- if (token != Opt_seclabel)
++ if (token != Opt_seclabel) {
+ val = kmemdup_nul(val, len, GFP_KERNEL);
++ if (!val) {
++ rc = -ENOMEM;
++ goto free_opt;
++ }
++ }
+ rc = selinux_add_opt(token, val, mnt_opts);
+ if (unlikely(rc)) {
+ kfree(val);
+- if (*mnt_opts) {
+- selinux_free_mnt_opts(*mnt_opts);
+- *mnt_opts = NULL;
+- }
++ goto free_opt;
++ }
++ return rc;
++
++free_opt:
++ if (*mnt_opts) {
++ selinux_free_mnt_opts(*mnt_opts);
++ *mnt_opts = NULL;
+ }
+ return rc;
+ }
--- /dev/null
+From fec6375320c6399c708fa9801f8cfbf950fee623 Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Wed, 12 Jun 2019 21:55:38 +0800
+Subject: selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts()
+
+From: Gen Zhang <blackgod016574@gmail.com>
+
+commit fec6375320c6399c708fa9801f8cfbf950fee623 upstream.
+
+In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It
+returns NULL when fails. So 'arg' should be checked. And 'mnt_opts'
+should be freed when error.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2612,10 +2612,11 @@ static int selinux_sb_eat_lsm_opts(char
+ char *from = options;
+ char *to = options;
+ bool first = true;
++ int rc;
+
+ while (1) {
+ int len = opt_len(from);
+- int token, rc;
++ int token;
+ char *arg = NULL;
+
+ token = match_opt_prefix(from, len, &arg);
+@@ -2631,15 +2632,15 @@ static int selinux_sb_eat_lsm_opts(char
+ *q++ = c;
+ }
+ arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
++ if (!arg) {
++ rc = -ENOMEM;
++ goto free_opt;
++ }
+ }
+ rc = selinux_add_opt(token, arg, mnt_opts);
+ if (unlikely(rc)) {
+ kfree(arg);
+- if (*mnt_opts) {
+- selinux_free_mnt_opts(*mnt_opts);
+- *mnt_opts = NULL;
+- }
+- return rc;
++ goto free_opt;
+ }
+ } else {
+ if (!first) { // copy with preceding comma
+@@ -2657,6 +2658,13 @@ static int selinux_sb_eat_lsm_opts(char
+ }
+ *to = '\0';
+ return 0;
++
++free_opt:
++ if (*mnt_opts) {
++ selinux_free_mnt_opts(*mnt_opts);
++ *mnt_opts = NULL;
++ }
++ return rc;
+ }
+
+ static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
--- /dev/null
+From aff7ed4851680d0d28ad9f52cd2f99213e1371b2 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 11 Jun 2019 10:07:19 +0200
+Subject: selinux: log raw contexts as untrusted strings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit aff7ed4851680d0d28ad9f52cd2f99213e1371b2 upstream.
+
+These strings may come from untrusted sources (e.g. file xattrs) so they
+need to be properly escaped.
+
+Reproducer:
+ # setenforce 0
+ # touch /tmp/test
+ # setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
+ # runcon system_u:system_r:sshd_t:s0 cat /tmp/test
+ (look at the generated AVCs)
+
+Actual result:
+ type=AVC [...] trawcon=kuřecí řízek
+
+Expected result:
+ type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
+
+Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
+Cc: stable@vger.kernel.org # v5.1+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Acked-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/avc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -739,14 +739,20 @@ static void avc_audit_post_callback(stru
+ rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
+ &scontext_len);
+ if (!rc && scontext) {
+- audit_log_format(ab, " srawcon=%s", scontext);
++ if (scontext_len && scontext[scontext_len - 1] == '\0')
++ scontext_len--;
++ audit_log_format(ab, " srawcon=");
++ audit_log_n_untrustedstring(ab, scontext, scontext_len);
+ kfree(scontext);
+ }
+
+ rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
+ &scontext_len);
+ if (!rc && scontext) {
+- audit_log_format(ab, " trawcon=%s", scontext);
++ if (scontext_len && scontext[scontext_len - 1] == '\0')
++ scontext_len--;
++ audit_log_format(ab, " trawcon=");
++ audit_log_n_untrustedstring(ab, scontext, scontext_len);
+ kfree(scontext);
+ }
+ }