--- /dev/null
+From ae541cb5ce5896be2f224b9ae45cfb9fa5cd9d20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jul 2019 12:00:33 +0200
+Subject: ACPI: video: Add new hw_changes_brightness quirk, set it on PB
+ Easynote MZ35
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 4f7f96453b462b3de0fa18d18fe983960bb5ee7f ]
+
+Some machines change the brightness themselves when a brightness hotkey
+gets pressed, despite us telling them not to. This causes the brightness to
+go two steps up / down when the hotkey is pressed. This is esp. a problem
+on older machines with only a few brightness levels.
+
+This commit adds a new hw_changes_brightness quirk which makes
+acpi_video_device_notify() only call backlight_force_update(...,
+BACKLIGHT_UPDATE_HOTKEY) and not do anything else, notifying userspace
+that the brightness was changed and leaving it at that fixing the dual
+step problem.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204077
+Reported-by: Kacper Piwiński <cosiekvfj@o2.pl>
+Tested-by: Kacper Piwiński <cosiekvfj@o2.pl>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_video.c | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
+index d73afb562ad95..1a23e7aa74df7 100644
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -73,6 +73,12 @@ module_param(report_key_events, int, 0644);
+ MODULE_PARM_DESC(report_key_events,
+ "0: none, 1: output changes, 2: brightness changes, 3: all");
+
++static int hw_changes_brightness = -1;
++module_param(hw_changes_brightness, int, 0644);
++MODULE_PARM_DESC(hw_changes_brightness,
++ "Set this to 1 on buggy hw which changes the brightness itself when "
++ "a hotkey is pressed: -1: auto, 0: normal 1: hw-changes-brightness");
++
+ /*
+ * Whether the struct acpi_video_device_attrib::device_id_scheme bit should be
+ * assumed even if not actually set.
+@@ -418,6 +424,14 @@ static int video_set_report_key_events(const struct dmi_system_id *id)
+ return 0;
+ }
+
++static int video_hw_changes_brightness(
++ const struct dmi_system_id *d)
++{
++ if (hw_changes_brightness == -1)
++ hw_changes_brightness = 1;
++ return 0;
++}
++
+ static const struct dmi_system_id video_dmi_table[] = {
+ /*
+ * Broken _BQC workaround http://bugzilla.kernel.org/show_bug.cgi?id=13121
+@@ -542,6 +556,21 @@ static const struct dmi_system_id video_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V131"),
+ },
+ },
++ /*
++ * Some machines change the brightness themselves when a brightness
++ * hotkey gets pressed, despite us telling them not to. In this case
++ * acpi_video_device_notify() should only call backlight_force_update(
++ * BACKLIGHT_UPDATE_HOTKEY) and not do anything else.
++ */
++ {
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=204077 */
++ .callback = video_hw_changes_brightness,
++ .ident = "Packard Bell EasyNote MZ35",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Packard Bell"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "EasyNote MZ35"),
++ },
++ },
+ {}
+ };
+
+@@ -1625,6 +1654,14 @@ static void acpi_video_device_notify(acpi_handle handle, u32 event, void *data)
+ bus = video_device->video;
+ input = bus->input;
+
++ if (hw_changes_brightness > 0) {
++ if (video_device->backlight)
++ backlight_force_update(video_device->backlight,
++ BACKLIGHT_UPDATE_HOTKEY);
++ acpi_notifier_call_chain(device, event, 0);
++ return;
++ }
++
+ switch (event) {
+ case ACPI_VIDEO_NOTIFY_CYCLE_BRIGHTNESS: /* Cycle brightness */
+ brightness_switch_event(video_device, event);
+--
+2.20.1
+
--- /dev/null
+From 4dc42a6a7650c4280b93e2f59fc750e9167b02f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2019 17:10:42 +0800
+Subject: Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices
+
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+
+[ Upstream commit 6d0762b19c5963ff9e178e8af3626532ee04d93d ]
+
+The ASUS X412FA laptop contains a Realtek RTL8822CE device with an
+associated BT chip using a USB ID of 04ca:4005. This ID is added to the
+driver.
+
+The /sys/kernel/debug/usb/devices portion for this device is:
+
+T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=04 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=04ca ProdID=4005 Rev= 0.00
+S: Manufacturer=Realtek
+S: Product=Bluetooth Radio
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=204707
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 96b8a00934c4a..08936bf696d33 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -391,6 +391,9 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3526), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8822CE Bluetooth devices */
++ { USB_DEVICE(0x04ca, 0x4005), .driver_info = BTUSB_REALTEK },
++
+ /* Silicon Wave based devices */
+ { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
+
+--
+2.20.1
+
--- /dev/null
+From cf2919280704460ab83cac431b07a927f7011bd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jun 2019 16:30:51 +0800
+Subject: Bluetooth: btrtl: HCI reset on close for Realtek BT chip
+
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+
+[ Upstream commit 7af3f558aca74f2ee47b173f1c27f6bb9a5b5561 ]
+
+Realtek RTL8822BE BT chip on ASUS X420FA cannot be turned on correctly
+after on-off several times. Bluetooth daemon sets BT mode failed when
+this issue happens. Scanning must be active while turning off for this
+bug to be hit.
+
+bluetoothd[1576]: Failed to set mode: Failed (0x03)
+
+If BT is turned off, then turned on again, it works correctly again.
+
+According to the vendor driver, the HCI_QUIRK_RESET_ON_CLOSE flag is set
+during probing. So, this patch makes Realtek's BT reset on close to fix
+this issue.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=203429
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Reviewed-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btrtl.c | 20 ++++++++++++++++++++
+ drivers/bluetooth/btrtl.h | 6 ++++++
+ drivers/bluetooth/btusb.c | 1 +
+ 3 files changed, 27 insertions(+)
+
+diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
+index 1342f8e6025cc..8d1cd2479e36f 100644
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -639,6 +639,26 @@ int btrtl_setup_realtek(struct hci_dev *hdev)
+ }
+ EXPORT_SYMBOL_GPL(btrtl_setup_realtek);
+
++int btrtl_shutdown_realtek(struct hci_dev *hdev)
++{
++ struct sk_buff *skb;
++ int ret;
++
++ /* According to the vendor driver, BT must be reset on close to avoid
++ * firmware crash.
++ */
++ skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
++ if (IS_ERR(skb)) {
++ ret = PTR_ERR(skb);
++ bt_dev_err(hdev, "HCI reset during shutdown failed");
++ return ret;
++ }
++ kfree_skb(skb);
++
++ return 0;
++}
++EXPORT_SYMBOL_GPL(btrtl_shutdown_realtek);
++
+ static unsigned int btrtl_convert_baudrate(u32 device_baudrate)
+ {
+ switch (device_baudrate) {
+diff --git a/drivers/bluetooth/btrtl.h b/drivers/bluetooth/btrtl.h
+index f5e36f3993a81..852f27d4ee289 100644
+--- a/drivers/bluetooth/btrtl.h
++++ b/drivers/bluetooth/btrtl.h
+@@ -65,6 +65,7 @@ void btrtl_free(struct btrtl_device_info *btrtl_dev);
+ int btrtl_download_firmware(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev);
+ int btrtl_setup_realtek(struct hci_dev *hdev);
++int btrtl_shutdown_realtek(struct hci_dev *hdev);
+ int btrtl_get_uart_settings(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev,
+ unsigned int *controller_baudrate,
+@@ -93,6 +94,11 @@ static inline int btrtl_setup_realtek(struct hci_dev *hdev)
+ return -EOPNOTSUPP;
+ }
+
++static inline int btrtl_shutdown_realtek(struct hci_dev *hdev)
++{
++ return -EOPNOTSUPP;
++}
++
+ static inline int btrtl_get_uart_settings(struct hci_dev *hdev,
+ struct btrtl_device_info *btrtl_dev,
+ unsigned int *controller_baudrate,
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 09c83dc2ef677..96b8a00934c4a 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3128,6 +3128,7 @@ static int btusb_probe(struct usb_interface *intf,
+ #ifdef CONFIG_BT_HCIBTUSB_RTL
+ if (id->driver_info & BTUSB_REALTEK) {
+ hdev->setup = btrtl_setup_realtek;
++ hdev->shutdown = btrtl_shutdown_realtek;
+
+ /* Realtek devices lose their updated firmware over suspend,
+ * but the USB hub doesn't notice any status change.
+--
+2.20.1
+
--- /dev/null
+From 8d8a838ead4791e9be7b08eea07ca476719c15cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jun 2019 14:58:57 +0100
+Subject: drm: Flush output polling on shutdown
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+[ Upstream commit 3b295cb1a411d9c82bbfaa66bc17a8508716ed07 ]
+
+We need to mark the output polling as disabled to prevent concurrent
+irqs from queuing new work as shutdown the probe -- causing that work to
+execute after we have freed the structs:
+
+<4> [341.846490] DEBUG_LOCKS_WARN_ON(mutex_is_locked(lock))
+<4> [341.846497] WARNING: CPU: 3 PID: 3300 at kernel/locking/mutex-debug.c:103 mutex_destroy+0x49/0x50
+<4> [341.846508] Modules linked in: i915(-) vgem thunderbolt snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic mei_hdcp x86_pkg_temp_thermal coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm mcs7830 btusb usbnet btrtl mii btbcm btintel bluetooth ecdh_generic ecc mei_me mei prime_numbers i2c_hid pinctrl_sunrisepoint pinctrl_intel [last unloaded: i915]
+<4> [341.846546] CPU: 3 PID: 3300 Comm: i915_module_loa Tainted: G U 5.2.0-rc2-CI-CI_DRM_6175+ #1
+<4> [341.846553] Hardware name: Dell Inc. XPS 13 9360/0823VW, BIOS 2.9.0 07/09/2018
+<4> [341.846560] RIP: 0010:mutex_destroy+0x49/0x50
+<4> [341.846565] Code: 00 00 5b c3 e8 a8 9f 3b 00 85 c0 74 ed 8b 05 3e 55 23 01 85 c0 75 e3 48 c7 c6 00 d0 08 82 48 c7 c7 a8 aa 07 82 e8 e7 08 fa ff <0f> 0b eb cc 0f 1f 00 48 b8 11 11 11 11 11 11 11 11 48 89 76 20 48
+<4> [341.846578] RSP: 0018:ffffc900006cfdb0 EFLAGS: 00010286
+<4> [341.846583] RAX: 0000000000000000 RBX: ffff88826759a168 RCX: 0000000000000000
+<4> [341.846589] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffffffff8112844c
+<4> [341.846595] RBP: ffff8882708fa548 R08: 0000000000000000 R09: 0000000000039600
+<4> [341.846601] R10: 0000000000000000 R11: 0000000000000ce4 R12: ffffffffa07de1e0
+<4> [341.846607] R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffa07de2d0
+<4> [341.846613] FS: 00007f62b5ae0e40(0000) GS:ffff888276380000(0000) knlGS:0000000000000000
+<4> [341.846620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4> [341.846626] CR2: 000055a4e064f4a0 CR3: 0000000266b16006 CR4: 00000000003606e0
+<4> [341.846632] Call Trace:
+<4> [341.846639] drm_fb_helper_fini.part.17+0xb3/0x100
+<4> [341.846682] intel_fbdev_fini+0x20/0x80 [i915]
+<4> [341.846722] intel_modeset_cleanup+0x9a/0x140 [i915]
+<4> [341.846750] i915_driver_unload+0xa3/0x100 [i915]
+<4> [341.846778] i915_pci_remove+0x19/0x30 [i915]
+<4> [341.846784] pci_device_remove+0x36/0xb0
+<4> [341.846790] device_release_driver_internal+0xd3/0x1b0
+<4> [341.846795] driver_detach+0x3f/0x80
+<4> [341.846800] bus_remove_driver+0x53/0xd0
+<4> [341.846805] pci_unregister_driver+0x25/0xa0
+<4> [341.846843] i915_exit+0x16/0x1c [i915]
+<4> [341.846849] __se_sys_delete_module+0x162/0x210
+<4> [341.846855] ? trace_hardirqs_off_thunk+0x1a/0x1c
+<4> [341.846859] ? do_syscall_64+0xd/0x1c0
+<4> [341.846864] do_syscall_64+0x55/0x1c0
+<4> [341.846869] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+<4> [341.846875] RIP: 0033:0x7f62b51871b7
+<4> [341.846881] Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
+<4> [341.846897] RSP: 002b:00007ffe7a227138 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+<4> [341.846904] RAX: ffffffffffffffda RBX: 00007ffe7a2272b0 RCX: 00007f62b51871b7
+<4> [341.846910] RDX: 0000000000000001 RSI: 0000000000000800 RDI: 0000557cd6b55948
+<4> [341.846916] RBP: 0000557cd6b558e0 R08: 0000557cd6b5594c R09: 00007ffe7a227160
+<4> [341.846922] R10: 00007ffe7a226134 R11: 0000000000000206 R12: 0000000000000000
+<4> [341.846927] R13: 00007ffe7a227820 R14: 0000000000000000 R15: 0000000000000000
+<4> [341.846936] irq event stamp: 3547847
+<4> [341.846940] hardirqs last enabled at (3547847): [<ffffffff819aad2c>] _raw_spin_unlock_irqrestore+0x4c/0x60
+<4> [341.846949] hardirqs last disabled at (3547846): [<ffffffff819aab9d>] _raw_spin_lock_irqsave+0xd/0x50
+<4> [341.846957] softirqs last enabled at (3547376): [<ffffffff81c0033a>] __do_softirq+0x33a/0x4b9
+<4> [341.846966] softirqs last disabled at (3547367): [<ffffffff810b6379>] irq_exit+0xa9/0xc0
+<4> [341.846973] WARNING: CPU: 3 PID: 3300 at kernel/locking/mutex-debug.c:103 mutex_destroy+0x49/0x50
+<4> [341.846980] ---[ end trace ba94ca8952ba970e ]---
+<7> [341.866547] [drm:intel_dp_detect [i915]] MST support? port A: no, sink: no, modparam: yes
+<7> [341.890480] [drm:drm_add_display_info] non_desktop set to 0
+<7> [341.890530] [drm:drm_add_edid_modes] ELD: no CEA Extension found
+<7> [341.890537] [drm:drm_add_display_info] non_desktop set to 0
+<7> [341.890578] [drm:drm_helper_probe_single_connector_modes] [CONNECTOR:86:eDP-1] probed modes :
+<7> [341.890589] [drm:drm_mode_debug_printmodeline] Modeline "3200x1800": 60 373250 3200 3248 3280 3360 1800 1803 1808 1852 0x48 0xa
+<7> [341.890602] [drm:drm_mode_debug_printmodeline] Modeline "3200x1800": 48 298600 3200 3248 3280 3360 1800 1803 1808 1852 0x40 0xa
+<4> [341.890628] general protection fault: 0000 [#1] PREEMPT SMP PTI
+<4> [341.890636] CPU: 0 PID: 508 Comm: kworker/0:4 Tainted: G U W 5.2.0-rc2-CI-CI_DRM_6175+ #1
+<4> [341.890646] Hardware name: Dell Inc. XPS 13 9360/0823VW, BIOS 2.9.0 07/09/2018
+<4> [341.890655] Workqueue: events output_poll_execute
+<4> [341.890663] RIP: 0010:drm_setup_crtcs+0x13e/0xbe0
+<4> [341.890669] Code: 00 41 8b 44 24 58 85 c0 0f 8e f9 01 00 00 44 8b 6c 24 20 44 8b 74 24 28 31 db 31 ed 49 8b 44 24 60 48 63 d5 44 89 ee 83 c5 01 <48> 8b 04 d0 44 89 f2 48 8b 38 48 8b 87 88 01 00 00 48 8b 40 20 e8
+<4> [341.890686] RSP: 0018:ffffc9000033fd40 EFLAGS: 00010202
+<4> [341.890692] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000002 RCX: 0000000000000000
+<4> [341.890700] RDX: 0000000000000001 RSI: 0000000000000c80 RDI: 00000000ffffffff
+<4> [341.890707] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+<4> [341.890715] R10: 0000000000000c80 R11: 0000000000000000 R12: ffff888267599fe8
+<4> [341.890722] R13: 0000000000000c80 R14: 0000000000000708 R15: 0000000000000007
+<4> [341.890730] FS: 0000000000000000(0000) GS:ffff888276200000(0000) knlGS:0000000000000000
+<4> [341.890739] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4> [341.890745] CR2: 000055a4e064f4a0 CR3: 000000026d234003 CR4: 00000000003606f0
+<4> [341.890752] Call Trace:
+<4> [341.890760] drm_fb_helper_hotplug_event.part.24+0x89/0xb0
+<4> [341.890768] drm_kms_helper_hotplug_event+0x21/0x30
+<4> [341.890774] output_poll_execute+0x9d/0x1a0
+<4> [341.890782] process_one_work+0x245/0x610
+<4> [341.890790] worker_thread+0x37/0x380
+<4> [341.890796] ? process_one_work+0x610/0x610
+<4> [341.890802] kthread+0x119/0x130
+<4> [341.890808] ? kthread_park+0x80/0x80
+<4> [341.890815] ret_from_fork+0x3a/0x50
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109964
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Imre Deak <imre.deak@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190603135910.15979-2-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_probe_helper.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_probe_helper.c b/drivers/gpu/drm/drm_probe_helper.c
+index d18b7e27ef64c..c0b26135dbd5b 100644
+--- a/drivers/gpu/drm/drm_probe_helper.c
++++ b/drivers/gpu/drm/drm_probe_helper.c
+@@ -581,6 +581,9 @@ static void output_poll_execute(struct work_struct *work)
+ enum drm_connector_status old_status;
+ bool repoll = false, changed;
+
++ if (!dev->mode_config.poll_enabled)
++ return;
++
+ /* Pick up any changes detected by the probe functions. */
+ changed = dev->mode_config.delayed_event;
+ dev->mode_config.delayed_event = false;
+@@ -735,7 +738,11 @@ EXPORT_SYMBOL(drm_kms_helper_poll_init);
+ */
+ void drm_kms_helper_poll_fini(struct drm_device *dev)
+ {
+- drm_kms_helper_poll_disable(dev);
++ if (!dev->mode_config.poll_enabled)
++ return;
++
++ dev->mode_config.poll_enabled = false;
++ cancel_delayed_work_sync(&dev->mode_config.output_poll_work);
+ }
+ EXPORT_SYMBOL(drm_kms_helper_poll_fini);
+
+--
+2.20.1
+
--- /dev/null
+From a54bb14122b13476305e518879a44a7338d066c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 May 2019 18:41:49 -0400
+Subject: drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling
+
+From: Ilia Mirkin <imirkin@alum.mit.edu>
+
+[ Upstream commit 533f4752407543f488a9118d817b8c504352b6fb ]
+
+Previously center scaling would get scaling applied to it (when it was
+only supposed to center the image), and aspect-corrected scaling did not
+always correctly pick whether to reduce width or height for a particular
+combination of inputs/outputs.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110660
+Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/dispnv50/head.c | 28 +++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/dispnv50/head.c b/drivers/gpu/drm/nouveau/dispnv50/head.c
+index d81a99bb2ac31..b041ffb3af270 100644
+--- a/drivers/gpu/drm/nouveau/dispnv50/head.c
++++ b/drivers/gpu/drm/nouveau/dispnv50/head.c
+@@ -169,14 +169,34 @@ nv50_head_atomic_check_view(struct nv50_head_atom *armh,
+ */
+ switch (mode) {
+ case DRM_MODE_SCALE_CENTER:
+- asyh->view.oW = min((u16)umode->hdisplay, asyh->view.oW);
+- asyh->view.oH = min((u16)umode_vdisplay, asyh->view.oH);
+- /* fall-through */
++ /* NOTE: This will cause scaling when the input is
++ * larger than the output.
++ */
++ asyh->view.oW = min(asyh->view.iW, asyh->view.oW);
++ asyh->view.oH = min(asyh->view.iH, asyh->view.oH);
++ break;
+ case DRM_MODE_SCALE_ASPECT:
+- if (asyh->view.oH < asyh->view.oW) {
++ /* Determine whether the scaling should be on width or on
++ * height. This is done by comparing the aspect ratios of the
++ * sizes. If the output AR is larger than input AR, that means
++ * we want to change the width (letterboxed on the
++ * left/right), otherwise on the height (letterboxed on the
++ * top/bottom).
++ *
++ * E.g. 4:3 (1.333) AR image displayed on a 16:10 (1.6) AR
++ * screen will have letterboxes on the left/right. However a
++ * 16:9 (1.777) AR image on that same screen will have
++ * letterboxes on the top/bottom.
++ *
++ * inputAR = iW / iH; outputAR = oW / oH
++ * outputAR > inputAR is equivalent to oW * iH > iW * oH
++ */
++ if (asyh->view.oW * asyh->view.iH > asyh->view.iW * asyh->view.oH) {
++ /* Recompute output width, i.e. left/right letterbox */
+ u32 r = (asyh->view.iW << 19) / asyh->view.iH;
+ asyh->view.oW = ((asyh->view.oH * r) + (r / 2)) >> 19;
+ } else {
++ /* Recompute output height, i.e. top/bottom letterbox */
+ u32 r = (asyh->view.iH << 19) / asyh->view.iW;
+ asyh->view.oH = ((asyh->view.oW * r) + (r / 2)) >> 19;
+ }
+--
+2.20.1
+
--- /dev/null
+From a8cbf5f2b3dbb95015a656145f6ba4727f3edd7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 May 2019 23:07:25 +0800
+Subject: f2fs: fix to do sanity check on segment bitmap of LFS curseg
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit c854f4d681365498f53ba07843a16423625aa7e9 ]
+
+As Jungyeon Reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=203233
+
+- Reproduces
+gcc poc_13.c
+./run.sh f2fs
+
+- Kernel messages
+ F2FS-fs (sdb): Bitmap was wrongly set, blk:4608
+ kernel BUG at fs/f2fs/segment.c:2133!
+ RIP: 0010:update_sit_entry+0x35d/0x3e0
+ Call Trace:
+ f2fs_allocate_data_block+0x16c/0x5a0
+ do_write_page+0x57/0x100
+ f2fs_do_write_node_page+0x33/0xa0
+ __write_node_page+0x270/0x4e0
+ f2fs_sync_node_pages+0x5df/0x670
+ f2fs_write_checkpoint+0x364/0x13a0
+ f2fs_sync_fs+0xa3/0x130
+ f2fs_do_sync_file+0x1a6/0x810
+ do_fsync+0x33/0x60
+ __x64_sys_fsync+0xb/0x10
+ do_syscall_64+0x43/0x110
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The testcase fails because that, in fuzzed image, current segment was
+allocated with LFS type, its .next_blkoff should point to an unused
+block address, but actually, its bitmap shows it's not. So during
+allocation, f2fs crash when setting bitmap.
+
+Introducing sanity_check_curseg() to check such inconsistence of
+current in-used segment.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 8fc3edb6760c2..da7af7822e595 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -4098,6 +4098,41 @@ static int build_dirty_segmap(struct f2fs_sb_info *sbi)
+ return init_victim_secmap(sbi);
+ }
+
++static int sanity_check_curseg(struct f2fs_sb_info *sbi)
++{
++ int i;
++
++ /*
++ * In LFS/SSR curseg, .next_blkoff should point to an unused blkaddr;
++ * In LFS curseg, all blkaddr after .next_blkoff should be unused.
++ */
++ for (i = 0; i < NO_CHECK_TYPE; i++) {
++ struct curseg_info *curseg = CURSEG_I(sbi, i);
++ struct seg_entry *se = get_seg_entry(sbi, curseg->segno);
++ unsigned int blkofs = curseg->next_blkoff;
++
++ if (f2fs_test_bit(blkofs, se->cur_valid_map))
++ goto out;
++
++ if (curseg->alloc_type == SSR)
++ continue;
++
++ for (blkofs += 1; blkofs < sbi->blocks_per_seg; blkofs++) {
++ if (!f2fs_test_bit(blkofs, se->cur_valid_map))
++ continue;
++out:
++ f2fs_msg(sbi->sb, KERN_ERR,
++ "Current segment's next free block offset is "
++ "inconsistent with bitmap, logtype:%u, "
++ "segno:%u, type:%u, next_blkoff:%u, blkofs:%u",
++ i, curseg->segno, curseg->alloc_type,
++ curseg->next_blkoff, blkofs);
++ return -EINVAL;
++ }
++ }
++ return 0;
++}
++
+ /*
+ * Update min, max modified time for cost-benefit GC algorithm
+ */
+@@ -4193,6 +4228,10 @@ int f2fs_build_segment_manager(struct f2fs_sb_info *sbi)
+ if (err)
+ return err;
+
++ err = sanity_check_curseg(sbi);
++ if (err)
++ return err;
++
+ init_min_max_mtime(sbi);
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 3301a16a3fece94c6c5e44bd7e9d49883288c2b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2019 15:20:21 -0700
+Subject: net: don't warn in inet diag when IPV6 is disabled
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit 1e64d7cbfdce4887008314d5b367209582223f27 ]
+
+If IPV6 was disabled, then ss command would cause a kernel warning
+because the command was attempting to dump IPV6 socket information.
+The fix is to just remove the warning.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202249
+Fixes: 432490f9d455 ("net: ip, diag -- Add diag interface for raw sockets")
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/raw_diag.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/ipv4/raw_diag.c b/net/ipv4/raw_diag.c
+index c200065ef9a5e..6367ecdf76c42 100644
+--- a/net/ipv4/raw_diag.c
++++ b/net/ipv4/raw_diag.c
+@@ -23,9 +23,6 @@ raw_get_hashinfo(const struct inet_diag_req_v2 *r)
+ return &raw_v6_hashinfo;
+ #endif
+ } else {
+- pr_warn_once("Unexpected inet family %d\n",
+- r->sdiag_family);
+- WARN_ON_ONCE(1);
+ return ERR_PTR(-EINVAL);
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From a97dc6a1b42438d8c5e9831347160b85a7c6a946 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2019 02:58:05 -0700
+Subject: net/rds: An rds_sock is added too early to the hash table
+
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+
+[ Upstream commit c5c1a030a7dbf8dd4e1fa4405ae9a89dc1d2a8db ]
+
+In rds_bind(), an rds_sock is added to the RDS bind hash table before
+rs_transport is set. This means that the socket can be found by the
+receive code path when rs_transport is NULL. And the receive code
+path de-references rs_transport for congestion update check. This can
+cause a panic. An rds_sock should not be added to the bind hash table
+before all the needed fields are set.
+
+Reported-by: syzbot+4b4f8163c2e246df3c4c@syzkaller.appspotmail.com
+Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/bind.c | 40 ++++++++++++++++++----------------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+diff --git a/net/rds/bind.c b/net/rds/bind.c
+index 0f4398e7f2a7a..05464fd7c17af 100644
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2006, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses. You may choose to be licensed under the terms of the GNU
+@@ -239,34 +239,30 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ goto out;
+ }
+
+- sock_set_flag(sk, SOCK_RCU_FREE);
+- ret = rds_add_bound(rs, binding_addr, &port, scope_id);
+- if (ret)
+- goto out;
+-
+- if (rs->rs_transport) { /* previously bound */
++ /* The transport can be set using SO_RDS_TRANSPORT option before the
++ * socket is bound.
++ */
++ if (rs->rs_transport) {
+ trans = rs->rs_transport;
+ if (trans->laddr_check(sock_net(sock->sk),
+ binding_addr, scope_id) != 0) {
+ ret = -ENOPROTOOPT;
+- rds_remove_bound(rs);
+- } else {
+- ret = 0;
++ goto out;
+ }
+- goto out;
+- }
+- trans = rds_trans_get_preferred(sock_net(sock->sk), binding_addr,
+- scope_id);
+- if (!trans) {
+- ret = -EADDRNOTAVAIL;
+- rds_remove_bound(rs);
+- pr_info_ratelimited("RDS: %s could not find a transport for %pI6c, load rds_tcp or rds_rdma?\n",
+- __func__, binding_addr);
+- goto out;
++ } else {
++ trans = rds_trans_get_preferred(sock_net(sock->sk),
++ binding_addr, scope_id);
++ if (!trans) {
++ ret = -EADDRNOTAVAIL;
++ pr_info_ratelimited("RDS: %s could not find a transport for %pI6c, load rds_tcp or rds_rdma?\n",
++ __func__, binding_addr);
++ goto out;
++ }
++ rs->rs_transport = trans;
+ }
+
+- rs->rs_transport = trans;
+- ret = 0;
++ sock_set_flag(sk, SOCK_RCU_FREE);
++ ret = rds_add_bound(rs, binding_addr, &port, scope_id);
+
+ out:
+ release_sock(sk);
+--
+2.20.1
+
--- /dev/null
+From 86bfc272f43478c44888b22c4e4e2b9b3f3a23b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Sep 2019 12:11:23 -0700
+Subject: net_sched: check cops->tcf_block in tc_bind_tclass()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 8b142a00edcf8422ca48b8de88d286efb500cb53 ]
+
+At least sch_red and sch_tbf don't implement ->tcf_block()
+while still have a non-zero tc "class".
+
+Instead of adding nop implementations to each of such qdisc's,
+we can just relax the check of cops->tcf_block() in
+tc_bind_tclass(). They don't support TC filter anyway.
+
+Reported-by: syzbot+21b29db13c065852f64b@syzkaller.appspotmail.com
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index be7cd140b2a38..b06cc5e504127 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1831,6 +1831,8 @@ static void tc_bind_tclass(struct Qdisc *q, u32 portid, u32 clid,
+ cl = cops->find(q, portid);
+ if (!cl)
+ return;
++ if (!cops->tcf_block)
++ return;
+ block = cops->tcf_block(q, cl, NULL);
+ if (!block)
+ return;
+--
+2.20.1
+
--- /dev/null
+From 09da868755decc5d12858741d4d48bba510505f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2019 11:48:08 +0200
+Subject: netfilter: nft_socket: fix erroneous socket assignment
+
+From: Fernando Fernandez Mancera <ffmancera@riseup.net>
+
+[ Upstream commit 039b1f4f24ecc8493b6bb9d70b4b78750d1b35c2 ]
+
+The socket assignment is wrong, see skb_orphan():
+When skb->destructor callback is not set, but skb->sk is set, this hits BUG().
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813
+Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
+Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
+index d7f3776dfd719..637ce3e8c575c 100644
+--- a/net/netfilter/nft_socket.c
++++ b/net/netfilter/nft_socket.c
+@@ -47,9 +47,6 @@ static void nft_socket_eval(const struct nft_expr *expr,
+ return;
+ }
+
+- /* So that subsequent socket matching not to require other lookups. */
+- skb->sk = sk;
+-
+ switch(priv->key) {
+ case NFT_SOCKET_TRANSPARENT:
+ nft_reg_store8(dest, inet_sk_transparent(sk));
+@@ -66,6 +63,9 @@ static void nft_socket_eval(const struct nft_expr *expr,
+ WARN_ON(1);
+ regs->verdict.code = NFT_BREAK;
+ }
++
++ if (sk != skb->sk)
++ sock_gen_put(sk);
+ }
+
+ static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
+--
+2.20.1
+
revert-f2fs-avoid-out-of-range-memory-access.patch
dm-zoned-fix-invalid-memory-access.patch
net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch
+f2fs-fix-to-do-sanity-check-on-segment-bitmap-of-lfs.patch
+drm-flush-output-polling-on-shutdown.patch
+net-don-t-warn-in-inet-diag-when-ipv6-is-disabled.patch
+bluetooth-btrtl-hci-reset-on-close-for-realtek-bt-ch.patch
+acpi-video-add-new-hw_changes_brightness-quirk-set-i.patch
+drm-nouveau-disp-nv50-fix-center-aspect-corrected-sc.patch
+xfs-don-t-crash-on-null-attr-fork-xfs_bmapi_read.patch
+netfilter-nft_socket-fix-erroneous-socket-assignment.patch
+bluetooth-btrtl-additional-realtek-8822ce-bluetooth-.patch
+net_sched-check-cops-tcf_block-in-tc_bind_tclass.patch
+net-rds-an-rds_sock-is-added-too-early-to-the-hash-t.patch
--- /dev/null
+From 2f25d72c9a5e1ba2befd9a74f796d89285c1cbc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Aug 2019 15:52:27 -0700
+Subject: xfs: don't crash on null attr fork xfs_bmapi_read
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 8612de3f7ba6e900465e340516b8313806d27b2d ]
+
+Zorro Lang reported a crash in generic/475 if we try to inactivate a
+corrupt inode with a NULL attr fork (stack trace shortened somewhat):
+
+RIP: 0010:xfs_bmapi_read+0x311/0xb00 [xfs]
+RSP: 0018:ffff888047f9ed68 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff888047f9f038 RCX: 1ffffffff5f99f51
+RDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000012
+RBP: ffff888002a41f00 R08: ffffed10005483f0 R09: ffffed10005483ef
+R10: ffffed10005483ef R11: ffff888002a41f7f R12: 0000000000000004
+R13: ffffe8fff53b5768 R14: 0000000000000005 R15: 0000000000000001
+FS: 00007f11d44b5b80(0000) GS:ffff888114200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000ef6000 CR3: 000000002e176003 CR4: 00000000001606e0
+Call Trace:
+ xfs_dabuf_map.constprop.18+0x696/0xe50 [xfs]
+ xfs_da_read_buf+0xf5/0x2c0 [xfs]
+ xfs_da3_node_read+0x1d/0x230 [xfs]
+ xfs_attr_inactive+0x3cc/0x5e0 [xfs]
+ xfs_inactive+0x4c8/0x5b0 [xfs]
+ xfs_fs_destroy_inode+0x31b/0x8e0 [xfs]
+ destroy_inode+0xbc/0x190
+ xfs_bulkstat_one_int+0xa8c/0x1200 [xfs]
+ xfs_bulkstat_one+0x16/0x20 [xfs]
+ xfs_bulkstat+0x6fa/0xf20 [xfs]
+ xfs_ioc_bulkstat+0x182/0x2b0 [xfs]
+ xfs_file_ioctl+0xee0/0x12a0 [xfs]
+ do_vfs_ioctl+0x193/0x1000
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x6f/0xb0
+ do_syscall_64+0x9f/0x4d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f11d39a3e5b
+
+The "obvious" cause is that the attr ifork is null despite the inode
+claiming an attr fork having at least one extent, but it's not so
+obvious why we ended up with an inode in that state.
+
+Reported-by: Zorro Lang <zlang@redhat.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204031
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Bill O'Donnell <billodo@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_bmap.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index 06a7da8dbda5c..38dc0b43c3665 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -3841,15 +3841,28 @@ xfs_bmapi_read(
+ XFS_STATS_INC(mp, xs_blk_mapr);
+
+ ifp = XFS_IFORK_PTR(ip, whichfork);
++ if (!ifp) {
++ /* No CoW fork? Return a hole. */
++ if (whichfork == XFS_COW_FORK) {
++ mval->br_startoff = bno;
++ mval->br_startblock = HOLESTARTBLOCK;
++ mval->br_blockcount = len;
++ mval->br_state = XFS_EXT_NORM;
++ *nmap = 1;
++ return 0;
++ }
+
+- /* No CoW fork? Return a hole. */
+- if (whichfork == XFS_COW_FORK && !ifp) {
+- mval->br_startoff = bno;
+- mval->br_startblock = HOLESTARTBLOCK;
+- mval->br_blockcount = len;
+- mval->br_state = XFS_EXT_NORM;
+- *nmap = 1;
+- return 0;
++ /*
++ * A missing attr ifork implies that the inode says we're in
++ * extents or btree format but failed to pass the inode fork
++ * verifier while trying to load it. Treat that as a file
++ * corruption too.
++ */
++#ifdef DEBUG
++ xfs_alert(mp, "%s: inode %llu missing fork %d",
++ __func__, ip->i_ino, whichfork);
++#endif /* DEBUG */
++ return -EFSCORRUPTED;
+ }
+
+ if (!(ifp->if_flags & XFS_IFEXTENTS)) {
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
