36 files changed, 4505 insertions, 1425 deletions
diff --git a/fs/jffs2/Makefile b/fs/jffs2/Makefile
index 77dc5561a04e..7f28ee0bd132 100644
--- a/fs/jffs2/Makefile
+++ b/fs/jffs2/Makefile
@@ -12,6 +12,9 @@ jffs2-y	+= symlink.o build.o erase.o background.o fs.o writev.o
 jffs2-y += super.o debug.o
 jffs2-$(CONFIG_JFFS2_FS_WRITEBUFFER)    += wbuf.o
+jffs2-$(CONFIG_JFFS2_FS_XATTR)          += xattr.o xattr_trusted.o xattr_user.o
+jffs2-$(CONFIG_JFFS2_FS_SECURITY)       += security.o
+jffs2-$(CONFIG_JFFS2_FS_POSIX_ACL)      += acl.o
 jffs2-$(CONFIG_JFFS2_RUBIN)     += compr_rubin.o
 jffs2-$(CONFIG_JFFS2_RTIME)     += compr_rtime.o
 jffs2-$(CONFIG_JFFS2_ZLIB)      += compr_zlib.o
diff --git a/fs/jffs2/README.Locking b/fs/jffs2/README.Locking
index b7943439b6ec..c8f0bd64e53e 100644
--- a/fs/jffs2/README.Locking
+++ b/fs/jffs2/README.Locking
@@ -150,3 +150,24 @@ the buffer.
 Ordering constraints:
        Lock wbuf_sem last, after the alloc_sem or and f->sem.
+        c->xattr_sem
+        ------------
+This read/write semaphore protects against concurrent access to the
+xattr related objects which include stuff in superblock and ic->xref.
+In read-only path, write-semaphore is too much exclusion. It's enough
+by read-semaphore. But you must hold write-semaphore when updating,
+creating or deleting any xattr related object.
+Once xattr_sem released, there would be no assurance for the existence
+of those objects. Thus, a series of processes is often required to retry,
+when updating such a object is necessary under holding read semaphore.
+For example, do_jffs2_getxattr() holds read-semaphore to scan xref and
+xdatum at first. But it retries this process with holding write-semaphore
+after release read-semaphore, if it's necessary to load name/value pair
+from medium.
+Ordering constraints:
+        Lock xattr_sem last, after the alloc_sem.
diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
new file mode 100644
index 000000000000..9c2077e7e081
--- /dev/null
+++ b/fs/jffs2/acl.c
@@ -0,0 +1,487 @@
+/*
+ * JFFS2 -- Journalling Flash File System, Version 2.
+ *
+ * Copyright (C) 2006  NEC Corporation
+ *
+ * Created by KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ * For licensing information, see the file 'LICENCE' in this directory.
+ *
+ */
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/fs.h>
+#include <linux/time.h>
+#include <linux/crc32.h>
+#include <linux/jffs2.h>
+#include <linux/xattr.h>
+#include <linux/posix_acl_xattr.h>
+#include <linux/mtd/mtd.h>
+#include "nodelist.h"
+static size_t jffs2_acl_size(int count)
+{
+        if (count <= 4) {
+                return sizeof(struct jffs2_acl_header)
+                       + count * sizeof(struct jffs2_acl_entry_short);
+        } else {
+                return sizeof(struct jffs2_acl_header)
+                       + 4 * sizeof(struct jffs2_acl_entry_short)
+                       + (count - 4) * sizeof(struct jffs2_acl_entry);
+        }
+}
+static int jffs2_acl_count(size_t size)
+{
+        size_t s;
+        size -= sizeof(struct jffs2_acl_header);
+        s = size - 4 * sizeof(struct jffs2_acl_entry_short);
+        if (s < 0) {
+                if (size % sizeof(struct jffs2_acl_entry_short))
+                        return -1;
+                return size / sizeof(struct jffs2_acl_entry_short);
+        } else {
+                if (s % sizeof(struct jffs2_acl_entry))
+                        return -1;
+                return s / sizeof(struct jffs2_acl_entry) + 4;
+        }
+}
+static struct posix_acl *jffs2_acl_from_medium(void *value, size_t size)
+{
+        void *end = value + size;
+        struct jffs2_acl_header *header = value;
+        struct jffs2_acl_entry *entry;
+        struct posix_acl *acl;
+        uint32_t ver;
+        int i, count;
+        if (!value)
+                return NULL;
+        if (size < sizeof(struct jffs2_acl_header))
+                return ERR_PTR(-EINVAL);
+        ver = je32_to_cpu(header->a_version);
+        if (ver != JFFS2_ACL_VERSION) {
+                JFFS2_WARNING("Invalid ACL version. (=%u)\n", ver);
+                return ERR_PTR(-EINVAL);
+        }
+        value += sizeof(struct jffs2_acl_header);
+        count = jffs2_acl_count(size);
+        if (count < 0)
+                return ERR_PTR(-EINVAL);
+        if (count == 0)
+                return NULL;
+        acl = posix_acl_alloc(count, GFP_KERNEL);
+        if (!acl)
+                return ERR_PTR(-ENOMEM);
+        for (i=0; i < count; i++) {
+                entry = value;
+                if (value + sizeof(struct jffs2_acl_entry_short) > end)
+                        goto fail;
+                acl->a_entries[i].e_tag = je16_to_cpu(entry->e_tag);
+                acl->a_entries[i].e_perm = je16_to_cpu(entry->e_perm);
+                switch (acl->a_entries[i].e_tag) {
+                        case ACL_USER_OBJ:
+                        case ACL_GROUP_OBJ:
+                        case ACL_MASK:
+                        case ACL_OTHER:
+                                value += sizeof(struct jffs2_acl_entry_short);
+                                acl->a_entries[i].e_id = ACL_UNDEFINED_ID;
+                                break;
+                        case ACL_USER:
+                        case ACL_GROUP:
+                                value += sizeof(struct jffs2_acl_entry);
+                                if (value > end)
+                                        goto fail;
+                                acl->a_entries[i].e_id = je32_to_cpu(entry->e_id);
+                                break;
+                        default:
+                                goto fail;
+                }
+        }
+        if (value != end)
+                goto fail;
+        return acl;
+ fail:
+        posix_acl_release(acl);
+        return ERR_PTR(-EINVAL);
+}
+static void *jffs2_acl_to_medium(const struct posix_acl *acl, size_t *size)
+{
+        struct jffs2_acl_header *header;
+        struct jffs2_acl_entry *entry;
+        void *e;
+        size_t i;
+        *size = jffs2_acl_size(acl->a_count);
+        header = kmalloc(sizeof(*header) + acl->a_count * sizeof(*entry), GFP_KERNEL);
+        if (!header)
+                return ERR_PTR(-ENOMEM);
+        header->a_version = cpu_to_je32(JFFS2_ACL_VERSION);
+        e = header + 1;
+        for (i=0; i < acl->a_count; i++) {
+                entry = e;
+                entry->e_tag = cpu_to_je16(acl->a_entries[i].e_tag);
+                entry->e_perm = cpu_to_je16(acl->a_entries[i].e_perm);
+                switch(acl->a_entries[i].e_tag) {
+                        case ACL_USER:
+                        case ACL_GROUP:
+                                entry->e_id = cpu_to_je32(acl->a_entries[i].e_id);
+                                e += sizeof(struct jffs2_acl_entry);
+                                break;
+                        case ACL_USER_OBJ:
+                        case ACL_GROUP_OBJ:
+                        case ACL_MASK:
+                        case ACL_OTHER:
+                                e += sizeof(struct jffs2_acl_entry_short);
+                                break;
+                        default:
+                                goto fail;
+                }
+        }
+        return header;
+ fail:
+        kfree(header);
+        return ERR_PTR(-EINVAL);
+}
+static struct posix_acl *jffs2_iget_acl(struct inode *inode, struct posix_acl **i_acl)
+{
+        struct posix_acl *acl = JFFS2_ACL_NOT_CACHED;
+        spin_lock(&inode->i_lock);
+        if (*i_acl != JFFS2_ACL_NOT_CACHED)
+                acl = posix_acl_dup(*i_acl);
+        spin_unlock(&inode->i_lock);
+        return acl;
+}
+static void jffs2_iset_acl(struct inode *inode, struct posix_acl **i_acl, struct posix_acl *acl)
+{
+        spin_lock(&inode->i_lock);
+        if (*i_acl != JFFS2_ACL_NOT_CACHED)
+                posix_acl_release(*i_acl);
+        *i_acl = posix_acl_dup(acl);
+        spin_unlock(&inode->i_lock);
+}
+static struct posix_acl *jffs2_get_acl(struct inode *inode, int type)
+{
+        struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+        struct posix_acl *acl;
+        char *value = NULL;
+        int rc, xprefix;
+        switch (type) {
+        case ACL_TYPE_ACCESS:
+                acl = jffs2_iget_acl(inode, &f->i_acl_access);
+                if (acl != JFFS2_ACL_NOT_CACHED)
+                        return acl;
+                xprefix = JFFS2_XPREFIX_ACL_ACCESS;
+                break;
+        case ACL_TYPE_DEFAULT:
+                acl = jffs2_iget_acl(inode, &f->i_acl_default);
+                if (acl != JFFS2_ACL_NOT_CACHED)
+                        return acl;
+                xprefix = JFFS2_XPREFIX_ACL_DEFAULT;
+                break;
+        default:
+                return ERR_PTR(-EINVAL);
+        }
+        rc = do_jffs2_getxattr(inode, xprefix, "", NULL, 0);
+        if (rc > 0) {
+                value = kmalloc(rc, GFP_KERNEL);
+                if (!value)
+                        return ERR_PTR(-ENOMEM);
+                rc = do_jffs2_getxattr(inode, xprefix, "", value, rc);
+        }
+        if (rc > 0) {
+                acl = jffs2_acl_from_medium(value, rc);
+        } else if (rc == -ENODATA || rc == -ENOSYS) {
+                acl = NULL;
+        } else {
+                acl = ERR_PTR(rc);
+        }
+        if (value)
+                kfree(value);
+        if (!IS_ERR(acl)) {
+                switch (type) {
+                case ACL_TYPE_ACCESS:
+                        jffs2_iset_acl(inode, &f->i_acl_access, acl);
+                        break;
+                case ACL_TYPE_DEFAULT:
+                        jffs2_iset_acl(inode, &f->i_acl_default, acl);
+                        break;
+                }
+        }
+        return acl;
+}
+static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
+{
+        struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+        size_t size = 0;
+        char *value = NULL;
+        int rc, xprefix;
+        if (S_ISLNK(inode->i_mode))
+                return -EOPNOTSUPP;
+        switch (type) {
+        case ACL_TYPE_ACCESS:
+                xprefix = JFFS2_XPREFIX_ACL_ACCESS;
+                if (acl) {
+                        mode_t mode = inode->i_mode;
+                        rc = posix_acl_equiv_mode(acl, &mode);
+                        if (rc < 0)
+                                return rc;
+                        if (inode->i_mode != mode) {
+                                inode->i_mode = mode;
+                                jffs2_dirty_inode(inode);
+                        }
+                        if (rc == 0)
+                                acl = NULL;
+                }
+                break;
+        case ACL_TYPE_DEFAULT:
+                xprefix = JFFS2_XPREFIX_ACL_DEFAULT;
+                if (!S_ISDIR(inode->i_mode))
+                        return acl ? -EACCES : 0;
+                break;
+        default:
+                return -EINVAL;
+        }
+        if (acl) {
+                value = jffs2_acl_to_medium(acl, &size);
+                if (IS_ERR(value))
+                        return PTR_ERR(value);
+        }
+        rc = do_jffs2_setxattr(inode, xprefix, "", value, size, 0);
+        if (!value && rc == -ENODATA)
+                rc = 0;
+        if (value)
+                kfree(value);
+        if (!rc) {
+                switch(type) {
+                case ACL_TYPE_ACCESS:
+                        jffs2_iset_acl(inode, &f->i_acl_access, acl);
+                        break;
+                case ACL_TYPE_DEFAULT:
+                        jffs2_iset_acl(inode, &f->i_acl_default, acl);
+                        break;
+                }
+        }
+        return rc;
+}
+static int jffs2_check_acl(struct inode *inode, int mask)
+{
+        struct posix_acl *acl;
+        int rc;
+        acl = jffs2_get_acl(inode, ACL_TYPE_ACCESS);
+        if (IS_ERR(acl))
+                return PTR_ERR(acl);
+        if (acl) {
+                rc = posix_acl_permission(inode, acl, mask);
+                posix_acl_release(acl);
+                return rc;
+        }
+        return -EAGAIN;
+}
+int jffs2_permission(struct inode *inode, int mask, struct nameidata *nd)
+{
+        return generic_permission(inode, mask, jffs2_check_acl);
+}
+int jffs2_init_acl(struct inode *inode, struct inode *dir)
+{
+        struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+        struct posix_acl *acl = NULL, *clone;
+        mode_t mode;
+        int rc = 0;
+        f->i_acl_access = JFFS2_ACL_NOT_CACHED;
+        f->i_acl_default = JFFS2_ACL_NOT_CACHED;
+        if (!S_ISLNK(inode->i_mode)) {
+                acl = jffs2_get_acl(dir, ACL_TYPE_DEFAULT);
+                if (IS_ERR(acl))
+                        return PTR_ERR(acl);
+                if (!acl)
+                        inode->i_mode &= ~current->fs->umask;
+        }
+        if (acl) {
+                if (S_ISDIR(inode->i_mode)) {
+                        rc = jffs2_set_acl(inode, ACL_TYPE_DEFAULT, acl);
+                        if (rc)
+                                goto cleanup;
+                }
+                clone = posix_acl_clone(acl, GFP_KERNEL);
+                rc = -ENOMEM;
+                if (!clone)
+                        goto cleanup;
+                mode = inode->i_mode;
+                rc = posix_acl_create_masq(clone, &mode);
+                if (rc >= 0) {
+                        inode->i_mode = mode;
+                        if (rc > 0)
+                                rc = jffs2_set_acl(inode, ACL_TYPE_ACCESS, clone);
+                }
+                posix_acl_release(clone);
+        }
+ cleanup:
+        posix_acl_release(acl);
+        return rc;
+}
+void jffs2_clear_acl(struct inode *inode)
+{
+        struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+        if (f->i_acl_access && f->i_acl_access != JFFS2_ACL_NOT_CACHED) {
+                posix_acl_release(f->i_acl_access);
+                f->i_acl_access = JFFS2_ACL_NOT_CACHED;
+        }
+        if (f->i_acl_default && f->i_acl_default != JFFS2_ACL_NOT_CACHED) {
+                posix_acl_release(f->i_acl_default);
+                f->i_acl_default = JFFS2_ACL_NOT_CACHED;
+        }
+}
+int jffs2_acl_chmod(struct inode *inode)
+{
+        struct posix_acl *acl, *clone;
+        int rc;
+        if (S_ISLNK(inode->i_mode))
+                return -EOPNOTSUPP;
+        acl = jffs2_get_acl(inode, ACL_TYPE_ACCESS);
+        if (IS_ERR(acl) || !acl)
+                return PTR_ERR(acl);
+        clone = posix_acl_clone(acl, GFP_KERNEL);
+        posix_acl_release(acl);
+        if (!clone)
+                return -ENOMEM;
+        rc = posix_acl_chmod_masq(clone, inode->i_mode);
+        if (!rc)
+                rc = jffs2_set_acl(inode, ACL_TYPE_ACCESS, clone);
+        posix_acl_release(clone);
+        return rc;
+}
+static size_t jffs2_acl_access_listxattr(struct inode *inode, char *list, size_t list_size,
+                                         const char *name, size_t name_len)
+{
+        const int retlen = sizeof(POSIX_ACL_XATTR_ACCESS);
+        if (list && retlen <= list_size)
+                strcpy(list, POSIX_ACL_XATTR_ACCESS);
+        return retlen;
+}
+static size_t jffs2_acl_default_listxattr(struct inode *inode, char *list, size_t list_size,
+                                          const char *name, size_t name_len)
+{
+        const int retlen = sizeof(POSIX_ACL_XATTR_DEFAULT);
+        if (list && retlen <= list_size)
+                strcpy(list, POSIX_ACL_XATTR_DEFAULT);
+        return retlen;
+}
+static int jffs2_acl_getxattr(struct inode *inode, int type, void *buffer, size_t size)
+{
+        struct posix_acl *acl;
+        int rc;
+        acl = jffs2_get_acl(inode, type);
+        if (IS_ERR(acl))
+                return PTR_ERR(acl);
+        if (!acl)
+                return -ENODATA;
+        rc = posix_acl_to_xattr(acl, buffer, size);
+        posix_acl_release(acl);
+        return rc;
+}
+static int jffs2_acl_access_getxattr(struct inode *inode, const char *name, void *buffer, size_t size)
+{
+        if (name[0] != '\0')
+                return -EINVAL;
+        return jffs2_acl_getxattr(inode, ACL_TYPE_ACCESS, buffer, size);
+}
+static int jffs2_acl_default_getxattr(struct inode *inode, const char *name, void *buffer, size_t size)
+{
+        if (name[0] != '\0')
+                return -EINVAL;
+        return jffs2_acl_getxattr(inode, ACL_TYPE_DEFAULT, buffer, size);
+}
+static int jffs2_acl_setxattr(struct inode *inode, int type, const void *value, size_t size)
+{
+        struct posix_acl *acl;
+        int rc;
+        if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
+                return -EPERM;
+        if (value) {
+                acl = posix_acl_from_xattr(value, size);
+                if (IS_ERR(acl))
+                        return PTR_ERR(acl);
+                if (acl) {
+                        rc = posix_acl_valid(acl);
+                        if (rc)
+                                goto out;
+                }
+        } else {
+                acl = NULL;
+        }
+        rc = jffs2_set_acl(inode, type, acl);
+ out:
+        posix_acl_release(acl);
+        return rc;
+}
+static int jffs2_acl_access_setxattr(struct inode *inode, const char *name,
+                                     const void *buffer, size_t size, int flags)
+{
+        if (name[0] != '\0')
+                return -EINVAL;
+        return jffs2_acl_setxattr(inode, ACL_TYPE_ACCESS, buffer, size);
+}
+static int jffs2_acl_default_setxattr(struct inode *inode, const char *name,
+                                      const void *buffer, size_t size, int flags)
+{
+        if (name[0] != '\0')
+                return -EINVAL;
+        return jffs2_acl_setxattr(inode, ACL_TYPE_DEFAULT, buffer, size);
+}
+struct xattr_handler jffs2_acl_access_xattr_handler = {
+        .prefix = POSIX_ACL_XATTR_ACCESS,
+        .list   = jffs2_acl_access_listxattr,
+        .get    = jffs2_acl_access_getxattr,
+        .set    = jffs2_acl_access_setxattr,
+};
+struct xattr_handler jffs2_acl_default_xattr_handler = {
+        .prefix = POSIX_ACL_XATTR_DEFAULT,
+        .list   = jffs2_acl_default_listxattr,
+        .get    = jffs2_acl_default_getxattr,
+        .set    = jffs2_acl_default_setxattr,
+};
diff --git a/fs/jffs2/acl.h b/fs/jffs2/acl.h
new file mode 100644
index 000000000000..8893bd1a6ba7
--- /dev/null
+++ b/fs/jffs2/acl.h
@@ -0,0 +1,45 @@
+/*
+ * JFFS2 -- Journalling Flash File System, Version 2.
+ *
+ * Copyright (C) 2006  NEC Corporation
+ *
+ * Created by KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ * For licensing information, see the file 'LICENCE' in this directory.
+ *
+ */
+struct jffs2_acl_entry {
+        jint16_t        e_tag;
+        jint16_t        e_perm;
+        jint32_t        e_id;
+};
+struct jffs2_acl_entry_short {
+        jint16_t        e_tag;
+        jint16_t        e_perm;
+};
+struct jffs2_acl_header {
+        jint32_t        a_version;
+};
+#ifdef CONFIG_JFFS2_FS_POSIX_ACL
+#define JFFS2_ACL_NOT_CACHED ((void *)-1)
+extern int jffs2_permission(struct inode *, int, struct nameidata *);
+extern int jffs2_acl_chmod(struct inode *);
+extern int jffs2_init_acl(struct inode *, struct inode *);
+extern void jffs2_clear_acl(struct inode *);
+extern struct xattr_handler jffs2_acl_access_xattr_handler;
+extern struct xattr_handler jffs2_acl_default_xattr_handler;
+#else
+#define jffs2_permission NULL
+#define jffs2_acl_chmod(inode)          (0)
+#define jffs2_init_acl(inode,dir)       (0)
+#define jffs2_clear_acl(inode)
+#endif  /* CONFIG_JFFS2_FS_POSIX_ACL */
diff --git a/fs/jffs2/build.c b/fs/jffs2/build.c
index 70f7a896c04a..02826967ab58 100644
--- a/fs/jffs2/build.c
+++ b/fs/jffs2/build.c
@@ -160,6 +160,7 @@ static int jffs2_build_filesystem(struct jffs2_sb_info *c)
                ic->scan_dents = NULL;
                cond_resched();
        }
+        jffs2_build_xattr_subsystem(c);
        c->flags &= ~JFFS2_SB_FLAG_BUILDING;
        dbg_fsbuild("FS build complete\n");
@@ -178,6 +179,7 @@ exit:
                                jffs2_free_full_dirent(fd);
                        }
                }
+                jffs2_clear_xattr_subsystem(c);
        }
        return ret;
diff --git a/fs/jffs2/compr.c b/fs/jffs2/compr.c
index e7944e665b9f..7001ba26c067 100644
--- a/fs/jffs2/compr.c
+++ b/fs/jffs2/compr.c
@@ -412,7 +412,7 @@ void jffs2_free_comprbuf(unsigned char *comprbuf, unsigned char *orig)
                kfree(comprbuf);
 }
-int jffs2_compressors_init(void)
+int __init jffs2_compressors_init(void)
 {
 /* Registering compressors */
 #ifdef CONFIG_JFFS2_ZLIB
diff --git a/fs/jffs2/compr.h b/fs/jffs2/compr.h
index a77e830d85c5..509b8b1c0811 100644
--- a/fs/jffs2/compr.h
+++ b/fs/jffs2/compr.h
@@ -23,8 +23,8 @@
 #include <linux/errno.h>
 #include <linux/fs.h>
 #include <linux/jffs2.h>
-#include <linux/jffs2_fs_i.h>
+#include "jffs2_fs_i.h"
-#include <linux/jffs2_fs_sb.h>
+#include "jffs2_fs_sb.h"
 #include "nodelist.h"
 #define JFFS2_RUBINMIPS_PRIORITY 10
diff --git a/fs/jffs2/compr_zlib.c b/fs/jffs2/compr_zlib.c
index 5c63e0cdcf4c..3681d0728ac7 100644
--- a/fs/jffs2/compr_zlib.c
+++ b/fs/jffs2/compr_zlib.c
@@ -15,7 +15,6 @@
 #error "The userspace support got too messy and was removed. Update your mkfs.jffs2"
 #endif
-#include <linux/config.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
diff --git a/fs/jffs2/debug.c b/fs/jffs2/debug.c
index 1fe17de713e8..72b4fc13a106 100644
--- a/fs/jffs2/debug.c
+++ b/fs/jffs2/debug.c
@@ -192,13 +192,13 @@ __jffs2_dbg_acct_paranoia_check_nolock(struct jffs2_sb_info *c,
                else
                        my_dirty_size += totlen;
-                if ((!ref2->next_phys) != (ref2 == jeb->last_node)) {
+                if ((!ref_next(ref2)) != (ref2 == jeb->last_node)) {
-                        JFFS2_ERROR("node_ref for node at %#08x (mem %p) has next_phys at %#08x (mem %p), last_node is at %#08x (mem %p).\n",
+                        JFFS2_ERROR("node_ref for node at %#08x (mem %p) has next at %#08x (mem %p), last_node is at %#08x (mem %p).\n",
-                                ref_offset(ref2), ref2, ref_offset(ref2->next_phys), ref2->next_phys,
+                                    ref_offset(ref2), ref2, ref_offset(ref_next(ref2)), ref_next(ref2),
-                                ref_offset(jeb->last_node), jeb->last_node);
+                                    ref_offset(jeb->last_node), jeb->last_node);
                        goto error;
                }
-                ref2 = ref2->next_phys;
+                ref2 = ref_next(ref2);
        }
        if (my_used_size != jeb->used_size) {
@@ -268,9 +268,9 @@ __jffs2_dbg_dump_node_refs_nolock(struct jffs2_sb_info *c,
        }
        printk(JFFS2_DBG);
-        for (ref = jeb->first_node; ; ref = ref->next_phys) {
+        for (ref = jeb->first_node; ; ref = ref_next(ref)) {
                printk("%#08x(%#x)", ref_offset(ref), ref->__totlen);
-                if (ref->next_phys)
+                if (ref_next(ref))
                        printk("->");
                else
                        break;
diff --git a/fs/jffs2/debug.h b/fs/jffs2/debug.h
index 162af6dfe292..3daf3bca0376 100644
--- a/fs/jffs2/debug.h
+++ b/fs/jffs2/debug.h
@@ -13,7 +13,6 @@
 #ifndef _JFFS2_DEBUG_H_
 #define _JFFS2_DEBUG_H_
-#include <linux/config.h>
 #ifndef CONFIG_JFFS2_FS_DEBUG
 #define CONFIG_JFFS2_FS_DEBUG 0
@@ -171,6 +170,12 @@
 #define dbg_memalloc(fmt, ...)
 #endif
+/* Watch the XATTR subsystem */
+#ifdef JFFS2_DBG_XATTR_MESSAGES
+#define dbg_xattr(fmt, ...)  JFFS2_DEBUG(fmt, ##__VA_ARGS__)
+#else
+#define dbg_xattr(fmt, ...)
+#endif 
 /* "Sanity" checks */
 void
diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c
index 8bc7a5018e40..edd8371fc6a5 100644
--- a/fs/jffs2/dir.c
+++ b/fs/jffs2/dir.c
@@ -17,8 +17,8 @@
 #include <linux/fs.h>
 #include <linux/crc32.h>
 #include <linux/jffs2.h>
-#include <linux/jffs2_fs_i.h>
+#include "jffs2_fs_i.h"
-#include <linux/jffs2_fs_sb.h>
+#include "jffs2_fs_sb.h"
 #include <linux/time.h>
 #include "nodelist.h"
@@ -57,7 +57,12 @@ struct inode_operations jffs2_dir_inode_operations =
        .rmdir =        jffs2_rmdir,
        .mknod =        jffs2_mknod,
        .rename =       jffs2_rename,
+        .permission =   jffs2_permission,
        .setattr =      jffs2_setattr,
+        .setxattr =     jffs2_setxattr,
+        .getxattr =     jffs2_getxattr,
+        .listxattr =    jffs2_listxattr,
+        .removexattr =  jffs2_removexattr
 };
 /***********************************************************************/
@@ -78,6 +83,9 @@ static struct dentry *jffs2_lookup(struct inode *dir_i, struct dentry *target,
        D1(printk(KERN_DEBUG "jffs2_lookup()\n"));
+        if (target->d_name.len > JFFS2_MAX_NAME_LEN)
+                return ERR_PTR(-ENAMETOOLONG);
        dir_f = JFFS2_INODE_INFO(dir_i);
        c = JFFS2_SB_INFO(dir_i->i_sb);
@@ -206,12 +214,15 @@ static int jffs2_create(struct inode *dir_i, struct dentry *dentry, int mode,
        ret = jffs2_do_create(c, dir_f, f, ri,
                              dentry->d_name.name, dentry->d_name.len);
-        if (ret) {
+        if (ret)
-                make_bad_inode(inode);
+                goto fail;
-                iput(inode);
-                jffs2_free_raw_inode(ri);
+        ret = jffs2_init_security(inode, dir_i);
-                return ret;
+        if (ret)
-        }
+                goto fail;
+        ret = jffs2_init_acl(inode, dir_i);
+        if (ret)
+                goto fail;
        dir_i->i_mtime = dir_i->i_ctime = ITIME(je32_to_cpu(ri->ctime));
@@ -221,6 +232,12 @@ static int jffs2_create(struct inode *dir_i, struct dentry *dentry, int mode,
        D1(printk(KERN_DEBUG "jffs2_create: Created ino #%lu with mode %o, nlink %d(%d). nrpages %ld\n",
                  inode->i_ino, inode->i_mode, inode->i_nlink, f->inocache->nlink, inode->i_mapping->nrpages));
        return 0;
+ fail:
+        make_bad_inode(inode);
+        iput(inode);
+        jffs2_free_raw_inode(ri);
+        return ret;
 }
 /***********************************************************************/
@@ -291,7 +308,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
        struct jffs2_full_dnode *fn;
        struct jffs2_full_dirent *fd;
        int namelen;
-        uint32_t alloclen, phys_ofs;
+        uint32_t alloclen;
        int ret, targetlen = strlen(target);
        /* FIXME: If you care. We'd need to use frags for the target
@@ -310,8 +327,8 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
         * Just the node will do for now, though
         */
        namelen = dentry->d_name.len;
-        ret = jffs2_reserve_space(c, sizeof(*ri) + targetlen, &phys_ofs, &alloclen,
+        ret = jffs2_reserve_space(c, sizeof(*ri) + targetlen, &alloclen,
-                                ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
+                                  ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
        if (ret) {
                jffs2_free_raw_inode(ri);
@@ -339,7 +356,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
        ri->data_crc = cpu_to_je32(crc32(0, target, targetlen));
        ri->node_crc = cpu_to_je32(crc32(0, ri, sizeof(*ri)-8));
-        fn = jffs2_write_dnode(c, f, ri, target, targetlen, phys_ofs, ALLOC_NORMAL);
+        fn = jffs2_write_dnode(c, f, ri, target, targetlen, ALLOC_NORMAL);
        jffs2_free_raw_inode(ri);
@@ -371,8 +388,20 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
        up(&f->sem);
        jffs2_complete_reservation(c);
-        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &phys_ofs, &alloclen,
-                                ALLOC_NORMAL, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
+        ret = jffs2_init_security(inode, dir_i);
+        if (ret) {
+                jffs2_clear_inode(inode);
+                return ret;
+        }
+        ret = jffs2_init_acl(inode, dir_i);
+        if (ret) {
+                jffs2_clear_inode(inode);
+                return ret;
+        }
+        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &alloclen,
+                                  ALLOC_NORMAL, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
        if (ret) {
                /* Eep. */
                jffs2_clear_inode(inode);
@@ -404,7 +433,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
        rd->node_crc = cpu_to_je32(crc32(0, rd, sizeof(*rd)-8));
        rd->name_crc = cpu_to_je32(crc32(0, dentry->d_name.name, namelen));
-        fd = jffs2_write_dirent(c, dir_f, rd, dentry->d_name.name, namelen, phys_ofs, ALLOC_NORMAL);
+        fd = jffs2_write_dirent(c, dir_f, rd, dentry->d_name.name, namelen, ALLOC_NORMAL);
        if (IS_ERR(fd)) {
                /* dirent failed to write. Delete the inode normally
@@ -442,7 +471,7 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, int mode)
        struct jffs2_full_dnode *fn;
        struct jffs2_full_dirent *fd;
        int namelen;
-        uint32_t alloclen, phys_ofs;
+        uint32_t alloclen;
        int ret;
        mode |= S_IFDIR;
@@ -457,8 +486,8 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, int mode)
         * Just the node will do for now, though
         */
        namelen = dentry->d_name.len;
-        ret = jffs2_reserve_space(c, sizeof(*ri), &phys_ofs, &alloclen, ALLOC_NORMAL,
+        ret = jffs2_reserve_space(c, sizeof(*ri), &alloclen, ALLOC_NORMAL,
-                                JFFS2_SUMMARY_INODE_SIZE);
+                                  JFFS2_SUMMARY_INODE_SIZE);
        if (ret) {
                jffs2_free_raw_inode(ri);
@@ -483,7 +512,7 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, int mode)
        ri->data_crc = cpu_to_je32(0);
        ri->node_crc = cpu_to_je32(crc32(0, ri, sizeof(*ri)-8));
-        fn = jffs2_write_dnode(c, f, ri, NULL, 0, phys_ofs, ALLOC_NORMAL);
+        fn = jffs2_write_dnode(c, f, ri, NULL, 0, ALLOC_NORMAL);
        jffs2_free_raw_inode(ri);
@@ -501,8 +530,20 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, int mode)
        up(&f->sem);
        jffs2_complete_reservation(c);
-        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &phys_ofs, &alloclen,
-                                ALLOC_NORMAL, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
+        ret = jffs2_init_security(inode, dir_i);
+        if (ret) {
+                jffs2_clear_inode(inode);
+                return ret;
+        }
+        ret = jffs2_init_acl(inode, dir_i);
+        if (ret) {
+                jffs2_clear_inode(inode);
+                return ret;
+        }
+        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &alloclen,
+                                  ALLOC_NORMAL, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
        if (ret) {
                /* Eep. */
                jffs2_clear_inode(inode);
@@ -534,7 +575,7 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, int mode)
        rd->node_crc = cpu_to_je32(crc32(0, rd, sizeof(*rd)-8));
        rd->name_crc = cpu_to_je32(crc32(0, dentry->d_name.name, namelen));
-        fd = jffs2_write_dirent(c, dir_f, rd, dentry->d_name.name, namelen, phys_ofs, ALLOC_NORMAL);
+        fd = jffs2_write_dirent(c, dir_f, rd, dentry->d_name.name, namelen, ALLOC_NORMAL);
        if (IS_ERR(fd)) {
                /* dirent failed to write. Delete the inode normally
@@ -588,12 +629,12 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, int mode, de
        struct jffs2_full_dnode *fn;
        struct jffs2_full_dirent *fd;
        int namelen;
-        jint16_t dev;
+        union jffs2_device_node dev;
        int devlen = 0;
-        uint32_t alloclen, phys_ofs;
+        uint32_t alloclen;
        int ret;
-        if (!old_valid_dev(rdev))
+        if (!new_valid_dev(rdev))
                return -EINVAL;
        ri = jffs2_alloc_raw_inode();
@@ -602,17 +643,15 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, int mode, de
        c = JFFS2_SB_INFO(dir_i->i_sb);
-        if (S_ISBLK(mode) || S_ISCHR(mode)) {
+        if (S_ISBLK(mode) || S_ISCHR(mode))
-                dev = cpu_to_je16(old_encode_dev(rdev));
+                devlen = jffs2_encode_dev(&dev, rdev);
-                devlen = sizeof(dev);
-        }
        /* Try to reserve enough space for both node and dirent.
         * Just the node will do for now, though
         */
        namelen = dentry->d_name.len;
-        ret = jffs2_reserve_space(c, sizeof(*ri) + devlen, &phys_ofs, &alloclen,
+        ret = jffs2_reserve_space(c, sizeof(*ri) + devlen, &alloclen,
-                                ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
+                                  ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
        if (ret) {
                jffs2_free_raw_inode(ri);
@@ -639,7 +678,7 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, int mode, de
        ri->data_crc = cpu_to_je32(crc32(0, &dev, devlen));
        ri->node_crc = cpu_to_je32(crc32(0, ri, sizeof(*ri)-8));
-        fn = jffs2_write_dnode(c, f, ri, (char *)&dev, devlen, phys_ofs, ALLOC_NORMAL);
+        fn = jffs2_write_dnode(c, f, ri, (char *)&dev, devlen, ALLOC_NORMAL);
        jffs2_free_raw_inode(ri);
@@ -657,8 +696,20 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, int mode, de
        up(&f->sem);
        jffs2_complete_reservation(c);
-        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &phys_ofs, &alloclen,
-                                ALLOC_NORMAL, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
+        ret = jffs2_init_security(inode, dir_i);
+        if (ret) {
+                jffs2_clear_inode(inode);
+                return ret;
+        }
+        ret = jffs2_init_acl(inode, dir_i);
+        if (ret) {
+                jffs2_clear_inode(inode);
+                return ret;
+        }
+        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &alloclen,
+                                  ALLOC_NORMAL, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
        if (ret) {
                /* Eep. */
                jffs2_clear_inode(inode);
@@ -693,7 +744,7 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, int mode, de
        rd->node_crc = cpu_to_je32(crc32(0, rd, sizeof(*rd)-8));
        rd->name_crc = cpu_to_je32(crc32(0, dentry->d_name.name, namelen));
-        fd = jffs2_write_dirent(c, dir_f, rd, dentry->d_name.name, namelen, phys_ofs, ALLOC_NORMAL);
+        fd = jffs2_write_dirent(c, dir_f, rd, dentry->d_name.name, namelen, ALLOC_NORMAL);
        if (IS_ERR(fd)) {
                /* dirent failed to write. Delete the inode normally
diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
index dad68fdffe9e..ad0121088dde 100644
--- a/fs/jffs2/erase.c
+++ b/fs/jffs2/erase.c
@@ -30,7 +30,6 @@ static void jffs2_erase_callback(struct erase_info *);
 #endif
 static void jffs2_erase_failed(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb, uint32_t bad_offset);
 static void jffs2_erase_succeeded(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb);
-static void jffs2_free_all_node_refs(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb);
 static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb);
 static void jffs2_erase_block(struct jffs2_sb_info *c,
@@ -54,8 +53,7 @@ static void jffs2_erase_block(struct jffs2_sb_info *c,
        if (!instr) {
                printk(KERN_WARNING "kmalloc for struct erase_info in jffs2_erase_block failed. Refiling block for later\n");
                spin_lock(&c->erase_completion_lock);
-                list_del(&jeb->list);
+                list_move(&jeb->list, &c->erase_pending_list);
-                list_add(&jeb->list, &c->erase_pending_list);
                c->erasing_size -= c->sector_size;
                c->dirty_size += c->sector_size;
                jeb->dirty_size = c->sector_size;
@@ -87,8 +85,7 @@ static void jffs2_erase_block(struct jffs2_sb_info *c,
                /* Erase failed immediately. Refile it on the list */
                D1(printk(KERN_DEBUG "Erase at 0x%08x failed: %d. Refiling on erase_pending_list\n", jeb->offset, ret));
                spin_lock(&c->erase_completion_lock);
-                list_del(&jeb->list);
+                list_move(&jeb->list, &c->erase_pending_list);
-                list_add(&jeb->list, &c->erase_pending_list);
                c->erasing_size -= c->sector_size;
                c->dirty_size += c->sector_size;
                jeb->dirty_size = c->sector_size;
@@ -136,7 +133,7 @@ void jffs2_erase_pending_blocks(struct jffs2_sb_info *c, int count)
                        c->used_size -= jeb->used_size;
                        c->dirty_size -= jeb->dirty_size;
                        jeb->wasted_size = jeb->used_size = jeb->dirty_size = jeb->free_size = 0;
-                        jffs2_free_all_node_refs(c, jeb);
+                        jffs2_free_jeb_node_refs(c, jeb);
                        list_add(&jeb->list, &c->erasing_list);
                        spin_unlock(&c->erase_completion_lock);
@@ -162,8 +159,7 @@ static void jffs2_erase_succeeded(struct jffs2_sb_info *c, struct jffs2_eraseblo
 {
        D1(printk(KERN_DEBUG "Erase completed successfully at 0x%08x\n", jeb->offset));
        spin_lock(&c->erase_completion_lock);
-        list_del(&jeb->list);
+        list_move_tail(&jeb->list, &c->erase_complete_list);
-        list_add_tail(&jeb->list, &c->erase_complete_list);
        spin_unlock(&c->erase_completion_lock);
        /* Ensure that kupdated calls us again to mark them clean */
        jffs2_erase_pending_trigger(c);
@@ -179,8 +175,7 @@ static void jffs2_erase_failed(struct jffs2_sb_info *c, struct jffs2_eraseblock
                if (!jffs2_write_nand_badblock(c, jeb, bad_offset)) {
                        /* We'd like to give this block another try. */
                        spin_lock(&c->erase_completion_lock);
-                        list_del(&jeb->list);
+                        list_move(&jeb->list, &c->erase_pending_list);
-                        list_add(&jeb->list, &c->erase_pending_list);
                        c->erasing_size -= c->sector_size;
                        c->dirty_size += c->sector_size;
                        jeb->dirty_size = c->sector_size;
@@ -192,8 +187,7 @@ static void jffs2_erase_failed(struct jffs2_sb_info *c, struct jffs2_eraseblock
        spin_lock(&c->erase_completion_lock);
        c->erasing_size -= c->sector_size;
        c->bad_size += c->sector_size;
-        list_del(&jeb->list);
+        list_move(&jeb->list, &c->bad_list);
-        list_add(&jeb->list, &c->bad_list);
        c->nr_erasing_blocks--;
        spin_unlock(&c->erase_completion_lock);
        wake_up(&c->erase_wait);
@@ -254,7 +248,8 @@ static inline void jffs2_remove_node_refs_from_ino_list(struct jffs2_sb_info *c,
        /* PARANOIA */
        if (!ic) {
-                printk(KERN_WARNING "inode_cache not found in remove_node_refs()!!\n");
+                JFFS2_WARNING("inode_cache/xattr_datum/xattr_ref"
+                              " not found in remove_node_refs()!!\n");
                return;
        }
@@ -279,26 +274,42 @@ static inline void jffs2_remove_node_refs_from_ino_list(struct jffs2_sb_info *c,
                printk("\n");
        });
-        if (ic->nodes == (void *)ic && ic->nlink == 0)
+        switch (ic->class) {
-                jffs2_del_ino_cache(c, ic);
+#ifdef CONFIG_JFFS2_FS_XATTR
+                case RAWNODE_CLASS_XATTR_DATUM:
+                        jffs2_release_xattr_datum(c, (struct jffs2_xattr_datum *)ic);
+                        break;
+                case RAWNODE_CLASS_XATTR_REF:
+                        jffs2_release_xattr_ref(c, (struct jffs2_xattr_ref *)ic);
+                        break;
+#endif
+                default:
+                        if (ic->nodes == (void *)ic && ic->nlink == 0)
+                                jffs2_del_ino_cache(c, ic);
+        }
 }
-static void jffs2_free_all_node_refs(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb)
+void jffs2_free_jeb_node_refs(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb)
 {
-        struct jffs2_raw_node_ref *ref;
+        struct jffs2_raw_node_ref *block, *ref;
        D1(printk(KERN_DEBUG "Freeing all node refs for eraseblock offset 0x%08x\n", jeb->offset));
-        while(jeb->first_node) {
-                ref = jeb->first_node;
-                jeb->first_node = ref->next_phys;
-                /* Remove from the inode-list */
+        block = ref = jeb->first_node;
-                if (ref->next_in_ino)
+        while (ref) {
+                if (ref->flash_offset == REF_LINK_NODE) {
+                        ref = ref->next_in_ino;
+                        jffs2_free_refblock(block);
+                        block = ref;
+                        continue;
+                }
+                if (ref->flash_offset != REF_EMPTY_NODE && ref->next_in_ino)
                        jffs2_remove_node_refs_from_ino_list(c, ref, jeb);
                /* else it was a non-inode node or already removed, so don't bother */
-                jffs2_free_raw_node_ref(ref);
+                ref++;
        }
-        jeb->last_node = NULL;
+        jeb->first_node = jeb->last_node = NULL;
 }
 static int jffs2_block_check_erase(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb, uint32_t *bad_offset)
@@ -351,7 +362,6 @@ fail:
 static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb)
 {
-        struct jffs2_raw_node_ref *marker_ref = NULL;
        size_t retlen;
        int ret;
        uint32_t bad_offset;
@@ -373,12 +383,8 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb
                                goto filebad;
                }
-                jeb->first_node = jeb->last_node = NULL;
+                /* Everything else got zeroed before the erase */
                jeb->free_size = c->sector_size;
-                jeb->used_size = 0;
-                jeb->dirty_size = 0;
-                jeb->wasted_size = 0;
        } else {
                struct kvec vecs[1];
@@ -388,11 +394,7 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb
                        .totlen =       cpu_to_je32(c->cleanmarker_size)
                };
-                marker_ref = jffs2_alloc_raw_node_ref();
+                jffs2_prealloc_raw_node_refs(c, jeb, 1);
-                if (!marker_ref) {
-                        printk(KERN_WARNING "Failed to allocate raw node ref for clean marker. Refiling\n");
-                        goto refile;
-                }
                marker.hdr_crc = cpu_to_je32(crc32(0, &marker, sizeof(struct jffs2_unknown_node)-4));
@@ -408,21 +410,13 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb
                                printk(KERN_WARNING "Short write to newly-erased block at 0x%08x: Wanted %zd, got %zd\n",
                                       jeb->offset, sizeof(marker), retlen);
-                        jffs2_free_raw_node_ref(marker_ref);
                        goto filebad;
                }
-                marker_ref->next_in_ino = NULL;
+                /* Everything else got zeroed before the erase */
-                marker_ref->next_phys = NULL;
+                jeb->free_size = c->sector_size;
-                marker_ref->flash_offset = jeb->offset | REF_NORMAL;
+                /* FIXME Special case for cleanmarker in empty block */
-                marker_ref->__totlen = c->cleanmarker_size;
+                jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL);
-                jeb->first_node = jeb->last_node = marker_ref;
-                jeb->free_size = c->sector_size - c->cleanmarker_size;
-                jeb->used_size = c->cleanmarker_size;
-                jeb->dirty_size = 0;
-                jeb->wasted_size = 0;
        }
        spin_lock(&c->erase_completion_lock);
diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c
index 9f4171213e58..3ed6e3e120b6 100644
--- a/fs/jffs2/file.c
+++ b/fs/jffs2/file.c
@@ -54,10 +54,15 @@ const struct file_operations jffs2_file_operations =
 struct inode_operations jffs2_file_inode_operations =
 {
-        .setattr =      jffs2_setattr
+        .permission =   jffs2_permission,
+        .setattr =      jffs2_setattr,
+        .setxattr =     jffs2_setxattr,
+        .getxattr =     jffs2_getxattr,
+        .listxattr =    jffs2_listxattr,
+        .removexattr =  jffs2_removexattr
 };
-struct address_space_operations jffs2_file_address_operations =
+const struct address_space_operations jffs2_file_address_operations =
 {
        .readpage =     jffs2_readpage,
        .prepare_write =jffs2_prepare_write,
@@ -129,13 +134,13 @@ static int jffs2_prepare_write (struct file *filp, struct page *pg,
                struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
                struct jffs2_raw_inode ri;
                struct jffs2_full_dnode *fn;
-                uint32_t phys_ofs, alloc_len;
+                uint32_t alloc_len;
                D1(printk(KERN_DEBUG "Writing new hole frag 0x%x-0x%x between current EOF and new page\n",
                          (unsigned int)inode->i_size, pageofs));
-                ret = jffs2_reserve_space(c, sizeof(ri), &phys_ofs, &alloc_len,
+                ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
-                                        ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
+                                          ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
                if (ret)
                        return ret;
@@ -161,7 +166,7 @@ static int jffs2_prepare_write (struct file *filp, struct page *pg,
                ri.node_crc = cpu_to_je32(crc32(0, &ri, sizeof(ri)-8));
                ri.data_crc = cpu_to_je32(0);
-                fn = jffs2_write_dnode(c, f, &ri, NULL, 0, phys_ofs, ALLOC_NORMAL);
+                fn = jffs2_write_dnode(c, f, &ri, NULL, 0, ALLOC_NORMAL);
                if (IS_ERR(fn)) {
                        ret = PTR_ERR(fn);
@@ -215,12 +220,20 @@ static int jffs2_commit_write (struct file *filp, struct page *pg,
        D1(printk(KERN_DEBUG "jffs2_commit_write(): ino #%lu, page at 0x%lx, range %d-%d, flags %lx\n",
                  inode->i_ino, pg->index << PAGE_CACHE_SHIFT, start, end, pg->flags));
-        if (!start && end == PAGE_CACHE_SIZE) {
+        if (end == PAGE_CACHE_SIZE) {
-                /* We need to avoid deadlock with page_cache_read() in
+                if (!start) {
-                   jffs2_garbage_collect_pass(). So we have to mark the
+                        /* We need to avoid deadlock with page_cache_read() in
-                   page up to date, to prevent page_cache_read() from
+                           jffs2_garbage_collect_pass(). So we have to mark the
-                   trying to re-lock it. */
+                           page up to date, to prevent page_cache_read() from
-                SetPageUptodate(pg);
+                           trying to re-lock it. */
+                        SetPageUptodate(pg);
+                } else {
+                        /* When writing out the end of a page, write out the 
+                           _whole_ page. This helps to reduce the number of
+                           nodes in files which have many short writes, like
+                           syslog files. */
+                        start = aligned_start = 0;
+                }
        }
        ri = jffs2_alloc_raw_inode();
diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
index 09e5d10b8840..4780f82825d6 100644
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -12,7 +12,6 @@
 */
 #include <linux/capability.h>
-#include <linux/config.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/fs.h>
@@ -33,11 +32,11 @@ static int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
        struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
        struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
        struct jffs2_raw_inode *ri;
-        unsigned short dev;
+        union jffs2_device_node dev;
        unsigned char *mdata = NULL;
        int mdatalen = 0;
        unsigned int ivalid;
-        uint32_t phys_ofs, alloclen;
+        uint32_t alloclen;
        int ret;
        D1(printk(KERN_DEBUG "jffs2_setattr(): ino #%lu\n", inode->i_ino));
        ret = inode_change_ok(inode, iattr);
@@ -51,20 +50,24 @@ static int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
           it out again with the appropriate data attached */
        if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) {
                /* For these, we don't actually need to read the old node */
-                dev = old_encode_dev(inode->i_rdev);
+                mdatalen = jffs2_encode_dev(&dev, inode->i_rdev);
                mdata = (char *)&dev;
-                mdatalen = sizeof(dev);
                D1(printk(KERN_DEBUG "jffs2_setattr(): Writing %d bytes of kdev_t\n", mdatalen));
        } else if (S_ISLNK(inode->i_mode)) {
+                down(&f->sem);
                mdatalen = f->metadata->size;
                mdata = kmalloc(f->metadata->size, GFP_USER);
-                if (!mdata)
+                if (!mdata) {
+                        up(&f->sem);
                        return -ENOMEM;
+                }
                ret = jffs2_read_dnode(c, f, f->metadata, mdata, 0, mdatalen);
                if (ret) {
+                        up(&f->sem);
                        kfree(mdata);
                        return ret;
                }
+                up(&f->sem);
                D1(printk(KERN_DEBUG "jffs2_setattr(): Writing %d bytes of symlink target\n", mdatalen));
        }
@@ -75,8 +78,8 @@ static int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
                return -ENOMEM;
        }
-        ret = jffs2_reserve_space(c, sizeof(*ri) + mdatalen, &phys_ofs, &alloclen,
+        ret = jffs2_reserve_space(c, sizeof(*ri) + mdatalen, &alloclen,
-                                ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
+                                  ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
        if (ret) {
                jffs2_free_raw_inode(ri);
                if (S_ISLNK(inode->i_mode & S_IFMT))
@@ -127,7 +130,7 @@ static int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
        else
                ri->data_crc = cpu_to_je32(0);
-        new_metadata = jffs2_write_dnode(c, f, ri, mdata, mdatalen, phys_ofs, ALLOC_NORMAL);
+        new_metadata = jffs2_write_dnode(c, f, ri, mdata, mdatalen, ALLOC_NORMAL);
        if (S_ISLNK(inode->i_mode))
                kfree(mdata);
@@ -180,12 +183,17 @@ static int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
 int jffs2_setattr(struct dentry *dentry, struct iattr *iattr)
 {
-        return jffs2_do_setattr(dentry->d_inode, iattr);
+        int rc;
+        rc = jffs2_do_setattr(dentry->d_inode, iattr);
+        if (!rc && (iattr->ia_valid & ATTR_MODE))
+                rc = jffs2_acl_chmod(dentry->d_inode);
+        return rc;
 }
-int jffs2_statfs(struct super_block *sb, struct kstatfs *buf)
+int jffs2_statfs(struct dentry *dentry, struct kstatfs *buf)
 {
-        struct jffs2_sb_info *c = JFFS2_SB_INFO(sb);
+        struct jffs2_sb_info *c = JFFS2_SB_INFO(dentry->d_sb);
        unsigned long avail;
        buf->f_type = JFFS2_SUPER_MAGIC;
@@ -218,7 +226,6 @@ void jffs2_clear_inode (struct inode *inode)
        struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
        D1(printk(KERN_DEBUG "jffs2_clear_inode(): ino #%lu mode %o\n", inode->i_ino, inode->i_mode));
        jffs2_do_clear_inode(c, f);
 }
@@ -227,6 +234,8 @@ void jffs2_read_inode (struct inode *inode)
        struct jffs2_inode_info *f;
        struct jffs2_sb_info *c;
        struct jffs2_raw_inode latest_node;
+        union jffs2_device_node jdev;
+        dev_t rdev = 0;
        int ret;
        D1(printk(KERN_DEBUG "jffs2_read_inode(): inode->i_ino == %lu\n", inode->i_ino));
@@ -258,7 +267,6 @@ void jffs2_read_inode (struct inode *inode)
        inode->i_blocks = (inode->i_size + 511) >> 9;
        switch (inode->i_mode & S_IFMT) {
-                jint16_t rdev;
        case S_IFLNK:
                inode->i_op = &jffs2_symlink_inode_operations;
@@ -292,8 +300,16 @@ void jffs2_read_inode (struct inode *inode)
        case S_IFBLK:
        case S_IFCHR:
                /* Read the device numbers from the media */
+                if (f->metadata->size != sizeof(jdev.old) &&
+                    f->metadata->size != sizeof(jdev.new)) {
+                        printk(KERN_NOTICE "Device node has strange size %d\n", f->metadata->size);
+                        up(&f->sem);
+                        jffs2_do_clear_inode(c, f);
+                        make_bad_inode(inode);
+                        return;
+                }
                D1(printk(KERN_DEBUG "Reading device numbers from flash\n"));
-                if (jffs2_read_dnode(c, f, f->metadata, (char *)&rdev, 0, sizeof(rdev)) < 0) {
+                if (jffs2_read_dnode(c, f, f->metadata, (char *)&jdev, 0, f->metadata->size) < 0) {
                        /* Eep */
                        printk(KERN_NOTICE "Read device numbers for inode %lu failed\n", (unsigned long)inode->i_ino);
                        up(&f->sem);
@@ -301,12 +317,15 @@ void jffs2_read_inode (struct inode *inode)
                        make_bad_inode(inode);
                        return;
                }
+                if (f->metadata->size == sizeof(jdev.old))
+                        rdev = old_decode_dev(je16_to_cpu(jdev.old));
+                else
+                        rdev = new_decode_dev(je32_to_cpu(jdev.new));
        case S_IFSOCK:
        case S_IFIFO:
                inode->i_op = &jffs2_file_inode_operations;
-                init_special_inode(inode, inode->i_mode,
+                init_special_inode(inode, inode->i_mode, rdev);
-                                   old_decode_dev((je16_to_cpu(rdev))));
                break;
        default:
@@ -492,6 +511,8 @@ int jffs2_do_fill_super(struct super_block *sb, void *data, int silent)
        }
        memset(c->inocache_list, 0, INOCACHE_HASHSIZE * sizeof(struct jffs2_inode_cache *));
+        jffs2_init_xattr_subsystem(c);
        if ((ret = jffs2_do_mount_fs(c)))
                goto out_inohash;
@@ -526,6 +547,7 @@ int jffs2_do_fill_super(struct super_block *sb, void *data, int silent)
        else
                kfree(c->blocks);
 out_inohash:
+        jffs2_clear_xattr_subsystem(c);
        kfree(c->inocache_list);
 out_wbuf:
        jffs2_flash_cleanup(c);
@@ -639,13 +661,6 @@ static int jffs2_flash_setup(struct jffs2_sb_info *c) {
                        return ret;
        }
-        /* add setups for other bizarre flashes here... */
-        if (jffs2_nor_ecc(c)) {
-                ret = jffs2_nor_ecc_flash_setup(c);
-                if (ret)
-                        return ret;
-        }
        /* and Dataflash */
        if (jffs2_dataflash(c)) {
                ret = jffs2_dataflash_setup(c);
@@ -669,11 +684,6 @@ void jffs2_flash_cleanup(struct jffs2_sb_info *c) {
                jffs2_nand_flash_cleanup(c);
        }
-        /* add cleanups for other bizarre flashes here... */
-        if (jffs2_nor_ecc(c)) {
-                jffs2_nor_ecc_flash_cleanup(c);
-        }
        /* and DataFlash */
        if (jffs2_dataflash(c)) {
                jffs2_dataflash_cleanup(c);
diff --git a/fs/jffs2/gc.c b/fs/jffs2/gc.c
index f9ffece453a3..daff3341ff92 100644
--- a/fs/jffs2/gc.c
+++ b/fs/jffs2/gc.c
@@ -125,6 +125,7 @@ int jffs2_garbage_collect_pass(struct jffs2_sb_info *c)
        struct jffs2_eraseblock *jeb;
        struct jffs2_raw_node_ref *raw;
        int ret = 0, inum, nlink;
+        int xattr = 0;
        if (down_interruptible(&c->alloc_sem))
                return -EINTR;
@@ -138,7 +139,7 @@ int jffs2_garbage_collect_pass(struct jffs2_sb_info *c)
                   the node CRCs etc. Do it now. */
                /* checked_ino is protected by the alloc_sem */
-                if (c->checked_ino > c->highest_ino) {
+                if (c->checked_ino > c->highest_ino && xattr) {
                        printk(KERN_CRIT "Checked all inodes but still 0x%x bytes of unchecked space?\n",
                               c->unchecked_size);
                        jffs2_dbg_dump_block_lists_nolock(c);
@@ -148,6 +149,9 @@ int jffs2_garbage_collect_pass(struct jffs2_sb_info *c)
                spin_unlock(&c->erase_completion_lock);
+                if (!xattr)
+                        xattr = jffs2_verify_xattr(c);
                spin_lock(&c->inocache_lock);
                ic = jffs2_get_ino_cache(c, c->checked_ino++);
@@ -161,6 +165,7 @@ int jffs2_garbage_collect_pass(struct jffs2_sb_info *c)
                        D1(printk(KERN_DEBUG "Skipping check of ino #%d with nlink zero\n",
                                  ic->ino));
                        spin_unlock(&c->inocache_lock);
+                        jffs2_xattr_delete_inode(c, ic);
                        continue;
                }
                switch(ic->state) {
@@ -181,6 +186,10 @@ int jffs2_garbage_collect_pass(struct jffs2_sb_info *c)
                           and trigger the BUG() above while we haven't yet
                           finished checking all its nodes */
                        D1(printk(KERN_DEBUG "Waiting for ino #%u to finish reading\n", ic->ino));
+                        /* We need to come back again for the _same_ inode. We've
+                         made no progress in this case, but that should be OK */
+                        c->checked_ino--;
                        up(&c->alloc_sem);
                        sleep_on_spinunlock(&c->inocache_wq, &c->inocache_lock);
                        return 0;
@@ -231,7 +240,7 @@ int jffs2_garbage_collect_pass(struct jffs2_sb_info *c)
        while(ref_obsolete(raw)) {
                D1(printk(KERN_DEBUG "Node at 0x%08x is obsolete... skipping\n", ref_offset(raw)));
-                raw = raw->next_phys;
+                raw = ref_next(raw);
                if (unlikely(!raw)) {
                        printk(KERN_WARNING "eep. End of raw list while still supposedly nodes to GC\n");
                        printk(KERN_WARNING "erase block at 0x%08x. free_size 0x%08x, dirty_size 0x%08x, used_size 0x%08x\n",
@@ -248,16 +257,36 @@ int jffs2_garbage_collect_pass(struct jffs2_sb_info *c)
        if (!raw->next_in_ino) {
                /* Inode-less node. Clean marker, snapshot or something like that */
-                /* FIXME: If it's something that needs to be copied, including something
-                   we don't grok that has JFFS2_NODETYPE_RWCOMPAT_COPY, we should do so */
                spin_unlock(&c->erase_completion_lock);
-                jffs2_mark_node_obsolete(c, raw);
+                if (ref_flags(raw) == REF_PRISTINE) {
+                        /* It's an unknown node with JFFS2_FEATURE_RWCOMPAT_COPY */
+                        jffs2_garbage_collect_pristine(c, NULL, raw);
+                } else {
+                        /* Just mark it obsolete */
+                        jffs2_mark_node_obsolete(c, raw);
+                }
                up(&c->alloc_sem);
                goto eraseit_lock;
        }
        ic = jffs2_raw_ref_to_ic(raw);
+#ifdef CONFIG_JFFS2_FS_XATTR
+        /* When 'ic' refers xattr_datum/xattr_ref, this node is GCed as xattr.
+         * We can decide whether this node is inode or xattr by ic->class.     */
+        if (ic->class == RAWNODE_CLASS_XATTR_DATUM
+            || ic->class == RAWNODE_CLASS_XATTR_REF) {
+                spin_unlock(&c->erase_completion_lock);
+                if (ic->class == RAWNODE_CLASS_XATTR_DATUM) {
+                        ret = jffs2_garbage_collect_xattr_datum(c, (struct jffs2_xattr_datum *)ic, raw);
+                } else {
+                        ret = jffs2_garbage_collect_xattr_ref(c, (struct jffs2_xattr_ref *)ic, raw);
+                }
+                goto release_sem;
+        }
+#endif
        /* We need to hold the inocache. Either the erase_completion_lock or
           the inocache_lock are sufficient; we trade down since the inocache_lock
           causes less contention. */
@@ -499,7 +528,6 @@ static int jffs2_garbage_collect_pristine(struct jffs2_sb_info *c,
                                          struct jffs2_raw_node_ref *raw)
 {
        union jffs2_node_union *node;
-        struct jffs2_raw_node_ref *nraw;
        size_t retlen;
        int ret;
        uint32_t phys_ofs, alloclen;
@@ -508,15 +536,16 @@ static int jffs2_garbage_collect_pristine(struct jffs2_sb_info *c,
        D1(printk(KERN_DEBUG "Going to GC REF_PRISTINE node at 0x%08x\n", ref_offset(raw)));
-        rawlen = ref_totlen(c, c->gcblock, raw);
+        alloclen = rawlen = ref_totlen(c, c->gcblock, raw);
        /* Ask for a small amount of space (or the totlen if smaller) because we
           don't want to force wastage of the end of a block if splitting would
           work. */
-        ret = jffs2_reserve_space_gc(c, min_t(uint32_t, sizeof(struct jffs2_raw_inode) +
+        if (ic && alloclen > sizeof(struct jffs2_raw_inode) + JFFS2_MIN_DATA_LEN)
-                                JFFS2_MIN_DATA_LEN, rawlen), &phys_ofs, &alloclen, rawlen);
+                alloclen = sizeof(struct jffs2_raw_inode) + JFFS2_MIN_DATA_LEN;
-                                /* this is not the exact summary size of it,
-                                        it is only an upper estimation */
+        ret = jffs2_reserve_space_gc(c, alloclen, &alloclen, rawlen);
+        /* 'rawlen' is not the exact summary size; it is only an upper estimation */
        if (ret)
                return ret;
@@ -580,22 +609,17 @@ static int jffs2_garbage_collect_pristine(struct jffs2_sb_info *c,
                }
                break;
        default:
-                printk(KERN_WARNING "Unknown node type for REF_PRISTINE node at 0x%08x: 0x%04x\n",
+                /* If it's inode-less, we don't _know_ what it is. Just copy it intact */
-                       ref_offset(raw), je16_to_cpu(node->u.nodetype));
+                if (ic) {
-                goto bail;
+                        printk(KERN_WARNING "Unknown node type for REF_PRISTINE node at 0x%08x: 0x%04x\n",
-        }
+                               ref_offset(raw), je16_to_cpu(node->u.nodetype));
+                        goto bail;
-        nraw = jffs2_alloc_raw_node_ref();
+                }
-        if (!nraw) {
-                ret = -ENOMEM;
-                goto out_node;
        }
        /* OK, all the CRCs are good; this node can just be copied as-is. */
 retry:
-        nraw->flash_offset = phys_ofs;
+        phys_ofs = write_ofs(c);
-        nraw->__totlen = rawlen;
-        nraw->next_phys = NULL;
        ret = jffs2_flash_write(c, phys_ofs, rawlen, &retlen, (char *)node);
@@ -603,17 +627,11 @@ static int jffs2_garbage_collect_pristine(struct jffs2_sb_info *c,
                printk(KERN_NOTICE "Write of %d bytes at 0x%08x failed. returned %d, retlen %zd\n",
                       rawlen, phys_ofs, ret, retlen);
                if (retlen) {
-                        /* Doesn't belong to any inode */
+                        jffs2_add_physical_node_ref(c, phys_ofs | REF_OBSOLETE, rawlen, NULL);
-                        nraw->next_in_ino = NULL;
-                        nraw->flash_offset |= REF_OBSOLETE;
-                        jffs2_add_physical_node_ref(c, nraw);
-                        jffs2_mark_node_obsolete(c, nraw);
                } else {
-                        printk(KERN_NOTICE "Not marking the space at 0x%08x as dirty because the flash driver returned retlen zero\n", nraw->flash_offset);
+                        printk(KERN_NOTICE "Not marking the space at 0x%08x as dirty because the flash driver returned retlen zero\n", phys_ofs);
-                        jffs2_free_raw_node_ref(nraw);
                }
-                if (!retried && (nraw = jffs2_alloc_raw_node_ref())) {
+                if (!retried) {
                        /* Try to reallocate space and retry */
                        uint32_t dummy;
                        struct jffs2_eraseblock *jeb = &c->blocks[phys_ofs / c->sector_size];
@@ -625,7 +643,7 @@ static int jffs2_garbage_collect_pristine(struct jffs2_sb_info *c,
                        jffs2_dbg_acct_sanity_check(c,jeb);
                        jffs2_dbg_acct_paranoia_check(c, jeb);
-                        ret = jffs2_reserve_space_gc(c, rawlen, &phys_ofs, &dummy, rawlen);
+                        ret = jffs2_reserve_space_gc(c, rawlen, &dummy, rawlen);
                                                /* this is not the exact summary size of it,
                                                        it is only an upper estimation */
@@ -638,25 +656,13 @@ static int jffs2_garbage_collect_pristine(struct jffs2_sb_info *c,
                                goto retry;
                        }
                        D1(printk(KERN_DEBUG "Failed to allocate space to retry failed write: %d!\n", ret));
-                        jffs2_free_raw_node_ref(nraw);
                }
-                jffs2_free_raw_node_ref(nraw);
                if (!ret)
                        ret = -EIO;
                goto out_node;
        }
-        nraw->flash_offset |= REF_PRISTINE;
+        jffs2_add_physical_node_ref(c, phys_ofs | REF_PRISTINE, rawlen, ic);
-        jffs2_add_physical_node_ref(c, nraw);
-        /* Link into per-inode list. This is safe because of the ic
-           state being INO_STATE_GC. Note that if we're doing this
-           for an inode which is in-core, the 'nraw' pointer is then
-           going to be fetched from ic->nodes by our caller. */
-        spin_lock(&c->erase_completion_lock);
-        nraw->next_in_ino = ic->nodes;
-        ic->nodes = nraw;
-        spin_unlock(&c->erase_completion_lock);
        jffs2_mark_node_obsolete(c, raw);
        D1(printk(KERN_DEBUG "WHEEE! GC REF_PRISTINE node at 0x%08x succeeded\n", ref_offset(raw)));
@@ -675,19 +681,16 @@ static int jffs2_garbage_collect_metadata(struct jffs2_sb_info *c, struct jffs2_
        struct jffs2_full_dnode *new_fn;
        struct jffs2_raw_inode ri;
        struct jffs2_node_frag *last_frag;
-        jint16_t dev;
+        union jffs2_device_node dev;
        char *mdata = NULL, mdatalen = 0;
-        uint32_t alloclen, phys_ofs, ilen;
+        uint32_t alloclen, ilen;
        int ret;
        if (S_ISBLK(JFFS2_F_I_MODE(f)) ||
            S_ISCHR(JFFS2_F_I_MODE(f)) ) {
                /* For these, we don't actually need to read the old node */
-                /* FIXME: for minor or major > 255. */
+                mdatalen = jffs2_encode_dev(&dev, JFFS2_F_I_RDEV(f));
-                dev = cpu_to_je16(((JFFS2_F_I_RDEV_MAJ(f) << 8) |
-                        JFFS2_F_I_RDEV_MIN(f)));
                mdata = (char *)&dev;
-                mdatalen = sizeof(dev);
                D1(printk(KERN_DEBUG "jffs2_garbage_collect_metadata(): Writing %d bytes of kdev_t\n", mdatalen));
        } else if (S_ISLNK(JFFS2_F_I_MODE(f))) {
                mdatalen = fn->size;
@@ -706,7 +709,7 @@ static int jffs2_garbage_collect_metadata(struct jffs2_sb_info *c, struct jffs2_
        }
-        ret = jffs2_reserve_space_gc(c, sizeof(ri) + mdatalen, &phys_ofs, &alloclen,
+        ret = jffs2_reserve_space_gc(c, sizeof(ri) + mdatalen, &alloclen,
                                JFFS2_SUMMARY_INODE_SIZE);
        if (ret) {
                printk(KERN_WARNING "jffs2_reserve_space_gc of %zd bytes for garbage_collect_metadata failed: %d\n",
@@ -744,7 +747,7 @@ static int jffs2_garbage_collect_metadata(struct jffs2_sb_info *c, struct jffs2_
        ri.node_crc = cpu_to_je32(crc32(0, &ri, sizeof(ri)-8));
        ri.data_crc = cpu_to_je32(crc32(0, mdata, mdatalen));
-        new_fn = jffs2_write_dnode(c, f, &ri, mdata, mdatalen, phys_ofs, ALLOC_GC);
+        new_fn = jffs2_write_dnode(c, f, &ri, mdata, mdatalen, ALLOC_GC);
        if (IS_ERR(new_fn)) {
                printk(KERN_WARNING "Error writing new dnode: %ld\n", PTR_ERR(new_fn));
@@ -765,7 +768,7 @@ static int jffs2_garbage_collect_dirent(struct jffs2_sb_info *c, struct jffs2_er
 {
        struct jffs2_full_dirent *new_fd;
        struct jffs2_raw_dirent rd;
-        uint32_t alloclen, phys_ofs;
+        uint32_t alloclen;
        int ret;
        rd.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK);
@@ -787,14 +790,14 @@ static int jffs2_garbage_collect_dirent(struct jffs2_sb_info *c, struct jffs2_er
        rd.node_crc = cpu_to_je32(crc32(0, &rd, sizeof(rd)-8));
        rd.name_crc = cpu_to_je32(crc32(0, fd->name, rd.nsize));
-        ret = jffs2_reserve_space_gc(c, sizeof(rd)+rd.nsize, &phys_ofs, &alloclen,
+        ret = jffs2_reserve_space_gc(c, sizeof(rd)+rd.nsize, &alloclen,
                                JFFS2_SUMMARY_DIRENT_SIZE(rd.nsize));
        if (ret) {
                printk(KERN_WARNING "jffs2_reserve_space_gc of %zd bytes for garbage_collect_dirent failed: %d\n",
                       sizeof(rd)+rd.nsize, ret);
                return ret;
        }
-        new_fd = jffs2_write_dirent(c, f, &rd, fd->name, rd.nsize, phys_ofs, ALLOC_GC);
+        new_fd = jffs2_write_dirent(c, f, &rd, fd->name, rd.nsize, ALLOC_GC);
        if (IS_ERR(new_fd)) {
                printk(KERN_WARNING "jffs2_write_dirent in garbage_collect_dirent failed: %ld\n", PTR_ERR(new_fd));
@@ -922,7 +925,7 @@ static int jffs2_garbage_collect_hole(struct jffs2_sb_info *c, struct jffs2_eras
        struct jffs2_raw_inode ri;
        struct jffs2_node_frag *frag;
        struct jffs2_full_dnode *new_fn;
-        uint32_t alloclen, phys_ofs, ilen;
+        uint32_t alloclen, ilen;
        int ret;
        D1(printk(KERN_DEBUG "Writing replacement hole node for ino #%u from offset 0x%x to 0x%x\n",
@@ -1001,14 +1004,14 @@ static int jffs2_garbage_collect_hole(struct jffs2_sb_info *c, struct jffs2_eras
        ri.data_crc = cpu_to_je32(0);
        ri.node_crc = cpu_to_je32(crc32(0, &ri, sizeof(ri)-8));
-        ret = jffs2_reserve_space_gc(c, sizeof(ri), &phys_ofs, &alloclen,
+        ret = jffs2_reserve_space_gc(c, sizeof(ri), &alloclen,
-                                JFFS2_SUMMARY_INODE_SIZE);
+                                     JFFS2_SUMMARY_INODE_SIZE);
        if (ret) {
                printk(KERN_WARNING "jffs2_reserve_space_gc of %zd bytes for garbage_collect_hole failed: %d\n",
                       sizeof(ri), ret);
                return ret;
        }
-        new_fn = jffs2_write_dnode(c, f, &ri, NULL, 0, phys_ofs, ALLOC_GC);
+        new_fn = jffs2_write_dnode(c, f, &ri, NULL, 0, ALLOC_GC);
        if (IS_ERR(new_fn)) {
                printk(KERN_WARNING "Error writing new hole node: %ld\n", PTR_ERR(new_fn));
@@ -1070,7 +1073,7 @@ static int jffs2_garbage_collect_dnode(struct jffs2_sb_info *c, struct jffs2_era
 {
        struct jffs2_full_dnode *new_fn;
        struct jffs2_raw_inode ri;
-        uint32_t alloclen, phys_ofs, offset, orig_end, orig_start;
+        uint32_t alloclen, offset, orig_end, orig_start;
        int ret = 0;
        unsigned char *comprbuf = NULL, *writebuf;
        unsigned long pg;
@@ -1227,7 +1230,7 @@ static int jffs2_garbage_collect_dnode(struct jffs2_sb_info *c, struct jffs2_era
                uint32_t cdatalen;
                uint16_t comprtype = JFFS2_COMPR_NONE;
-                ret = jffs2_reserve_space_gc(c, sizeof(ri) + JFFS2_MIN_DATA_LEN, &phys_ofs,
+                ret = jffs2_reserve_space_gc(c, sizeof(ri) + JFFS2_MIN_DATA_LEN,
                                        &alloclen, JFFS2_SUMMARY_INODE_SIZE);
                if (ret) {
@@ -1264,7 +1267,7 @@ static int jffs2_garbage_collect_dnode(struct jffs2_sb_info *c, struct jffs2_era
                ri.node_crc = cpu_to_je32(crc32(0, &ri, sizeof(ri)-8));
                ri.data_crc = cpu_to_je32(crc32(0, comprbuf, cdatalen));
-                new_fn = jffs2_write_dnode(c, f, &ri, comprbuf, cdatalen, phys_ofs, ALLOC_GC);
+                new_fn = jffs2_write_dnode(c, f, &ri, comprbuf, cdatalen, ALLOC_GC);
                jffs2_free_comprbuf(comprbuf, writebuf);
diff --git a/fs/jffs2/histo.h b/fs/jffs2/histo.h
deleted file mode 100644
index 22a93a08210c..000000000000
--- a/fs/jffs2/histo.h
+++ /dev/null
@@ -1,3 +0,0 @@
-/* This file provides the bit-probabilities for the input file */
-#define BIT_DIVIDER 629
-static int bits[9] = { 179,167,183,165,159,198,178,119,}; /* ia32 .so files */
diff --git a/fs/jffs2/jffs2_fs_i.h b/fs/jffs2/jffs2_fs_i.h
new file mode 100644
index 000000000000..2e0cc8e00b85
--- /dev/null
+++ b/fs/jffs2/jffs2_fs_i.h
@@ -0,0 +1,55 @@
+/* $Id: jffs2_fs_i.h,v 1.19 2005/11/07 11:14:52 gleixner Exp $ */
+#ifndef _JFFS2_FS_I
+#define _JFFS2_FS_I
+#include <linux/version.h>
+#include <linux/rbtree.h>
+#include <linux/posix_acl.h>
+#include <asm/semaphore.h>
+struct jffs2_inode_info {
+        /* We need an internal mutex similar to inode->i_mutex.
+           Unfortunately, we can't used the existing one, because
+           either the GC would deadlock, or we'd have to release it
+           before letting GC proceed. Or we'd have to put ugliness
+           into the GC code so it didn't attempt to obtain the i_mutex
+           for the inode(s) which are already locked */
+        struct semaphore sem;
+        /* The highest (datanode) version number used for this ino */
+        uint32_t highest_version;
+        /* List of data fragments which make up the file */
+        struct rb_root fragtree;
+        /* There may be one datanode which isn't referenced by any of the
+           above fragments, if it contains a metadata update but no actual
+           data - or if this is a directory inode */
+        /* This also holds the _only_ dnode for symlinks/device nodes,
+           etc. */
+        struct jffs2_full_dnode *metadata;
+        /* Directory entries */
+        struct jffs2_full_dirent *dents;
+        /* The target path if this is the inode of a symlink */
+        unsigned char *target;
+        /* Some stuff we just have to keep in-core at all times, for each inode. */
+        struct jffs2_inode_cache *inocache;
+        uint16_t flags;
+        uint8_t usercompr;
+#if !defined (__ECOS)
+#if LINUX_VERSION_CODE > KERNEL_VERSION(2,5,2)
+        struct inode vfs_inode;
+#endif
+#endif
+#ifdef CONFIG_JFFS2_FS_POSIX_ACL
+        struct posix_acl *i_acl_access;
+        struct posix_acl *i_acl_default;
+#endif
+};
+#endif /* _JFFS2_FS_I */
diff --git a/fs/jffs2/jffs2_fs_sb.h b/fs/jffs2/jffs2_fs_sb.h
new file mode 100644
index 000000000000..b98594992eed
--- /dev/null
+++ b/fs/jffs2/jffs2_fs_sb.h
@@ -0,0 +1,136 @@
+/* $Id: jffs2_fs_sb.h,v 1.54 2005/09/21 13:37:34 dedekind Exp $ */
+#ifndef _JFFS2_FS_SB
+#define _JFFS2_FS_SB
+#include <linux/types.h>
+#include <linux/spinlock.h>
+#include <linux/workqueue.h>
+#include <linux/completion.h>
+#include <asm/semaphore.h>
+#include <linux/timer.h>
+#include <linux/wait.h>
+#include <linux/list.h>
+#include <linux/rwsem.h>
+#define JFFS2_SB_FLAG_RO 1
+#define JFFS2_SB_FLAG_SCANNING 2 /* Flash scanning is in progress */
+#define JFFS2_SB_FLAG_BUILDING 4 /* File system building is in progress */
+struct jffs2_inodirty;
+/* A struct for the overall file system control.  Pointers to
+   jffs2_sb_info structs are named `c' in the source code.
+   Nee jffs_control
+*/
+struct jffs2_sb_info {
+        struct mtd_info *mtd;
+        uint32_t highest_ino;
+        uint32_t checked_ino;
+        unsigned int flags;
+        struct task_struct *gc_task;    /* GC task struct */
+        struct completion gc_thread_start; /* GC thread start completion */
+        struct completion gc_thread_exit; /* GC thread exit completion port */
+        struct semaphore alloc_sem;     /* Used to protect all the following
+                                           fields, and also to protect against
+                                           out-of-order writing of nodes. And GC. */
+        uint32_t cleanmarker_size;      /* Size of an _inline_ CLEANMARKER
+                                         (i.e. zero for OOB CLEANMARKER */
+        uint32_t flash_size;
+        uint32_t used_size;
+        uint32_t dirty_size;
+        uint32_t wasted_size;
+        uint32_t free_size;
+        uint32_t erasing_size;
+        uint32_t bad_size;
+        uint32_t sector_size;
+        uint32_t unchecked_size;
+        uint32_t nr_free_blocks;
+        uint32_t nr_erasing_blocks;
+        /* Number of free blocks there must be before we... */
+        uint8_t resv_blocks_write;      /* ... allow a normal filesystem write */
+        uint8_t resv_blocks_deletion;   /* ... allow a normal filesystem deletion */
+        uint8_t resv_blocks_gctrigger;  /* ... wake up the GC thread */
+        uint8_t resv_blocks_gcbad;      /* ... pick a block from the bad_list to GC */
+        uint8_t resv_blocks_gcmerge;    /* ... merge pages when garbage collecting */
+        uint32_t nospc_dirty_size;
+        uint32_t nr_blocks;
+        struct jffs2_eraseblock *blocks;        /* The whole array of blocks. Used for getting blocks
+                                                 * from the offset (blocks[ofs / sector_size]) */
+        struct jffs2_eraseblock *nextblock;     /* The block we're currently filling */
+        struct jffs2_eraseblock *gcblock;       /* The block we're currently garbage-collecting */
+        struct list_head clean_list;            /* Blocks 100% full of clean data */
+        struct list_head very_dirty_list;       /* Blocks with lots of dirty space */
+        struct list_head dirty_list;            /* Blocks with some dirty space */
+        struct list_head erasable_list;         /* Blocks which are completely dirty, and need erasing */
+        struct list_head erasable_pending_wbuf_list;    /* Blocks which need erasing but only after the current wbuf is flushed */
+        struct list_head erasing_list;          /* Blocks which are currently erasing */
+        struct list_head erase_pending_list;    /* Blocks which need erasing now */
+        struct list_head erase_complete_list;   /* Blocks which are erased and need the clean marker written to them */
+        struct list_head free_list;             /* Blocks which are free and ready to be used */
+        struct list_head bad_list;              /* Bad blocks. */
+        struct list_head bad_used_list;         /* Bad blocks with valid data in. */
+        spinlock_t erase_completion_lock;       /* Protect free_list and erasing_list
+                                                   against erase completion handler */
+        wait_queue_head_t erase_wait;           /* For waiting for erases to complete */
+        wait_queue_head_t inocache_wq;
+        struct jffs2_inode_cache **inocache_list;
+        spinlock_t inocache_lock;
+        /* Sem to allow jffs2_garbage_collect_deletion_dirent to
+           drop the erase_completion_lock while it's holding a pointer
+           to an obsoleted node. I don't like this. Alternatives welcomed. */
+        struct semaphore erase_free_sem;
+        uint32_t wbuf_pagesize; /* 0 for NOR and other flashes with no wbuf */
+#ifdef CONFIG_JFFS2_FS_WRITEBUFFER
+        /* Write-behind buffer for NAND flash */
+        unsigned char *wbuf;
+        unsigned char *oobbuf;
+        uint32_t wbuf_ofs;
+        uint32_t wbuf_len;
+        struct jffs2_inodirty *wbuf_inodes;
+        struct rw_semaphore wbuf_sem;   /* Protects the write buffer */
+        /* Information about out-of-band area usage... */
+        struct nand_ecclayout *ecclayout;
+        uint32_t badblock_pos;
+        uint32_t fsdata_pos;
+        uint32_t fsdata_len;
+#endif
+        struct jffs2_summary *summary;          /* Summary information */
+#ifdef CONFIG_JFFS2_FS_XATTR
+#define XATTRINDEX_HASHSIZE     (57)
+        uint32_t highest_xid;
+        uint32_t highest_xseqno;
+        struct list_head xattrindex[XATTRINDEX_HASHSIZE];
+        struct list_head xattr_unchecked;
+        struct list_head xattr_dead_list;
+        struct jffs2_xattr_ref *xref_dead_list;
+        struct jffs2_xattr_ref *xref_temp;
+        struct rw_semaphore xattr_sem;
+        uint32_t xdatum_mem_usage;
+        uint32_t xdatum_mem_threshold;
+#endif
+        /* OS-private pointer for getting back to master superblock info */
+        void *os_priv;
+};
+#endif /* _JFFS2_FB_SB */
diff --git a/fs/jffs2/malloc.c b/fs/jffs2/malloc.c
index 036cbd11c004..8310c95478e9 100644
--- a/fs/jffs2/malloc.c
+++ b/fs/jffs2/malloc.c
@@ -26,6 +26,10 @@ static kmem_cache_t *tmp_dnode_info_slab;
 static kmem_cache_t *raw_node_ref_slab;
 static kmem_cache_t *node_frag_slab;
 static kmem_cache_t *inode_cache_slab;
+#ifdef CONFIG_JFFS2_FS_XATTR
+static kmem_cache_t *xattr_datum_cache;
+static kmem_cache_t *xattr_ref_cache;
+#endif
 int __init jffs2_create_slab_caches(void)
 {
@@ -53,8 +57,8 @@ int __init jffs2_create_slab_caches(void)
        if (!tmp_dnode_info_slab)
                goto err;
-        raw_node_ref_slab = kmem_cache_create("jffs2_raw_node_ref",
+        raw_node_ref_slab = kmem_cache_create("jffs2_refblock",
-                                              sizeof(struct jffs2_raw_node_ref),
+                                              sizeof(struct jffs2_raw_node_ref) * (REFS_PER_BLOCK + 1),
                                              0, 0, NULL, NULL);
        if (!raw_node_ref_slab)
                goto err;
@@ -68,8 +72,24 @@ int __init jffs2_create_slab_caches(void)
        inode_cache_slab = kmem_cache_create("jffs2_inode_cache",
                                             sizeof(struct jffs2_inode_cache),
                                             0, 0, NULL, NULL);
-        if (inode_cache_slab)
+        if (!inode_cache_slab)
-                return 0;
+                goto err;
+#ifdef CONFIG_JFFS2_FS_XATTR
+        xattr_datum_cache = kmem_cache_create("jffs2_xattr_datum",
+                                             sizeof(struct jffs2_xattr_datum),
+                                             0, 0, NULL, NULL);
+        if (!xattr_datum_cache)
+                goto err;
+        xattr_ref_cache = kmem_cache_create("jffs2_xattr_ref",
+                                           sizeof(struct jffs2_xattr_ref),
+                                           0, 0, NULL, NULL);
+        if (!xattr_ref_cache)
+                goto err;
+#endif
+        return 0;
 err:
        jffs2_destroy_slab_caches();
        return -ENOMEM;
@@ -91,6 +111,12 @@ void jffs2_destroy_slab_caches(void)
                kmem_cache_destroy(node_frag_slab);
        if(inode_cache_slab)
                kmem_cache_destroy(inode_cache_slab);
+#ifdef CONFIG_JFFS2_FS_XATTR
+        if (xattr_datum_cache)
+                kmem_cache_destroy(xattr_datum_cache);
+        if (xattr_ref_cache)
+                kmem_cache_destroy(xattr_ref_cache);
+#endif
 }
 struct jffs2_full_dirent *jffs2_alloc_full_dirent(int namesize)
@@ -164,15 +190,65 @@ void jffs2_free_tmp_dnode_info(struct jffs2_tmp_dnode_info *x)
        kmem_cache_free(tmp_dnode_info_slab, x);
 }
-struct jffs2_raw_node_ref *jffs2_alloc_raw_node_ref(void)
+struct jffs2_raw_node_ref *jffs2_alloc_refblock(void)
 {
        struct jffs2_raw_node_ref *ret;
        ret = kmem_cache_alloc(raw_node_ref_slab, GFP_KERNEL);
-        dbg_memalloc("%p\n", ret);
+        if (ret) {
+                int i = 0;
+                for (i=0; i < REFS_PER_BLOCK; i++) {
+                        ret[i].flash_offset = REF_EMPTY_NODE;
+                        ret[i].next_in_ino = NULL;
+                }
+                ret[i].flash_offset = REF_LINK_NODE;
+                ret[i].next_in_ino = NULL;
+        }
        return ret;
 }
-void jffs2_free_raw_node_ref(struct jffs2_raw_node_ref *x)
+int jffs2_prealloc_raw_node_refs(struct jffs2_sb_info *c,
+                                 struct jffs2_eraseblock *jeb, int nr)
+{
+        struct jffs2_raw_node_ref **p, *ref;
+        int i = nr;
+        dbg_memalloc("%d\n", nr);
+        p = &jeb->last_node;
+        ref = *p;
+        dbg_memalloc("Reserving %d refs for block @0x%08x\n", nr, jeb->offset);
+        /* If jeb->last_node is really a valid node then skip over it */
+        if (ref && ref->flash_offset != REF_EMPTY_NODE)
+                ref++;
+        while (i) {
+                if (!ref) {
+                        dbg_memalloc("Allocating new refblock linked from %p\n", p);
+                        ref = *p = jffs2_alloc_refblock();
+                        if (!ref)
+                                return -ENOMEM;
+                }
+                if (ref->flash_offset == REF_LINK_NODE) {
+                        p = &ref->next_in_ino;
+                        ref = *p;
+                        continue;
+                }
+                i--;
+                ref++;
+        }
+        jeb->allocated_refs = nr;
+        dbg_memalloc("Reserved %d refs for block @0x%08x, last_node is %p (%08x,%p)\n",
+                  nr, jeb->offset, jeb->last_node, jeb->last_node->flash_offset,
+                  jeb->last_node->next_in_ino);
+        return 0;
+}
+void jffs2_free_refblock(struct jffs2_raw_node_ref *x)
 {
        dbg_memalloc("%p\n", x);
        kmem_cache_free(raw_node_ref_slab, x);
@@ -205,3 +281,42 @@ void jffs2_free_inode_cache(struct jffs2_inode_cache *x)
        dbg_memalloc("%p\n", x);
        kmem_cache_free(inode_cache_slab, x);
 }
+#ifdef CONFIG_JFFS2_FS_XATTR
+struct jffs2_xattr_datum *jffs2_alloc_xattr_datum(void)
+{
+        struct jffs2_xattr_datum *xd;
+        xd = kmem_cache_alloc(xattr_datum_cache, GFP_KERNEL);
+        dbg_memalloc("%p\n", xd);
+        memset(xd, 0, sizeof(struct jffs2_xattr_datum));
+        xd->class = RAWNODE_CLASS_XATTR_DATUM;
+        xd->node = (void *)xd;
+        INIT_LIST_HEAD(&xd->xindex);
+        return xd;
+}
+void jffs2_free_xattr_datum(struct jffs2_xattr_datum *xd)
+{
+        dbg_memalloc("%p\n", xd);
+        kmem_cache_free(xattr_datum_cache, xd);
+}
+struct jffs2_xattr_ref *jffs2_alloc_xattr_ref(void)
+{
+        struct jffs2_xattr_ref *ref;
+        ref = kmem_cache_alloc(xattr_ref_cache, GFP_KERNEL);
+        dbg_memalloc("%p\n", ref);
+        memset(ref, 0, sizeof(struct jffs2_xattr_ref));
+        ref->class = RAWNODE_CLASS_XATTR_REF;
+        ref->node = (void *)ref;
+        return ref;
+}
+void jffs2_free_xattr_ref(struct jffs2_xattr_ref *ref)
+{
+        dbg_memalloc("%p\n", ref);
+        kmem_cache_free(xattr_ref_cache, ref);
+}
+#endif
diff --git a/fs/jffs2/nodelist.c b/fs/jffs2/nodelist.c
index 1d46677afd17..7675b33396c7 100644
--- a/fs/jffs2/nodelist.c
+++ b/fs/jffs2/nodelist.c
@@ -438,8 +438,7 @@ static int check_node_data(struct jffs2_sb_info *c, struct jffs2_tmp_dnode_info
        if (c->mtd->point) {
                err = c->mtd->point(c->mtd, ofs, len, &retlen, &buffer);
                if (!err && retlen < tn->csize) {
-                        JFFS2_WARNING("MTD point returned len too short: %zu "
+                        JFFS2_WARNING("MTD point returned len too short: %zu instead of %u.\n", retlen, tn->csize);
-                                        "instead of %u.\n", retlen, tn->csize);
                        c->mtd->unpoint(c->mtd, buffer, ofs, len);
                } else if (err)
                        JFFS2_WARNING("MTD point failed: error code %d.\n", err);
@@ -462,8 +461,7 @@ static int check_node_data(struct jffs2_sb_info *c, struct jffs2_tmp_dnode_info
                }
                if (retlen != len) {
-                        JFFS2_ERROR("short read at %#08x: %zd instead of %d.\n",
+                        JFFS2_ERROR("short read at %#08x: %zd instead of %d.\n", ofs, retlen, len);
-                                        ofs, retlen, len);
                        err = -EIO;
                        goto free_out;
                }
@@ -908,6 +906,9 @@ void jffs2_del_ino_cache(struct jffs2_sb_info *c, struct jffs2_inode_cache *old)
 {
        struct jffs2_inode_cache **prev;
+#ifdef CONFIG_JFFS2_FS_XATTR
+        BUG_ON(old->xref);
+#endif
        dbg_inocache("del %p (ino #%u)\n", old, old->ino);
        spin_lock(&c->inocache_lock);
@@ -940,6 +941,7 @@ void jffs2_free_ino_caches(struct jffs2_sb_info *c)
                this = c->inocache_list[i];
                while (this) {
                        next = this->next;
+                        jffs2_xattr_free_inode(c, this);
                        jffs2_free_inode_cache(this);
                        this = next;
                }
@@ -954,9 +956,13 @@ void jffs2_free_raw_node_refs(struct jffs2_sb_info *c)
        for (i=0; i<c->nr_blocks; i++) {
                this = c->blocks[i].first_node;
-                while(this) {
+                while (this) {
-                        next = this->next_phys;
+                        if (this[REFS_PER_BLOCK].flash_offset == REF_LINK_NODE)
-                        jffs2_free_raw_node_ref(this);
+                                next = this[REFS_PER_BLOCK].next_in_ino;
+                        else
+                                next = NULL;
+                        jffs2_free_refblock(this);
                        this = next;
                }
                c->blocks[i].first_node = c->blocks[i].last_node = NULL;
@@ -1047,3 +1053,169 @@ void jffs2_kill_fragtree(struct rb_root *root, struct jffs2_sb_info *c)
                cond_resched();
        }
 }
+struct jffs2_raw_node_ref *jffs2_link_node_ref(struct jffs2_sb_info *c,
+                                               struct jffs2_eraseblock *jeb,
+                                               uint32_t ofs, uint32_t len,
+                                               struct jffs2_inode_cache *ic)
+{
+        struct jffs2_raw_node_ref *ref;
+        BUG_ON(!jeb->allocated_refs);
+        jeb->allocated_refs--;
+        ref = jeb->last_node;
+        dbg_noderef("Last node at %p is (%08x,%p)\n", ref, ref->flash_offset,
+                    ref->next_in_ino);
+        while (ref->flash_offset != REF_EMPTY_NODE) {
+                if (ref->flash_offset == REF_LINK_NODE)
+                        ref = ref->next_in_ino;
+                else
+                        ref++;
+        }
+        dbg_noderef("New ref is %p (%08x becomes %08x,%p) len 0x%x\n", ref, 
+                    ref->flash_offset, ofs, ref->next_in_ino, len);
+        ref->flash_offset = ofs;
+        if (!jeb->first_node) {
+                jeb->first_node = ref;
+                BUG_ON(ref_offset(ref) != jeb->offset);
+        } else if (unlikely(ref_offset(ref) != jeb->offset + c->sector_size - jeb->free_size)) {
+                uint32_t last_len = ref_totlen(c, jeb, jeb->last_node);
+                JFFS2_ERROR("Adding new ref %p at (0x%08x-0x%08x) not immediately after previous (0x%08x-0x%08x)\n",
+                            ref, ref_offset(ref), ref_offset(ref)+len,
+                            ref_offset(jeb->last_node), 
+                            ref_offset(jeb->last_node)+last_len);
+                BUG();
+        }
+        jeb->last_node = ref;
+        if (ic) {
+                ref->next_in_ino = ic->nodes;
+                ic->nodes = ref;
+        } else {
+                ref->next_in_ino = NULL;
+        }
+        switch(ref_flags(ref)) {
+        case REF_UNCHECKED:
+                c->unchecked_size += len;
+                jeb->unchecked_size += len;
+                break;
+        case REF_NORMAL:
+        case REF_PRISTINE:
+                c->used_size += len;
+                jeb->used_size += len;
+                break;
+        case REF_OBSOLETE:
+                c->dirty_size += len;
+                jeb->dirty_size += len;
+                break;
+        }
+        c->free_size -= len;
+        jeb->free_size -= len;
+#ifdef TEST_TOTLEN
+        /* Set (and test) __totlen field... for now */
+        ref->__totlen = len;
+        ref_totlen(c, jeb, ref);
+#endif
+        return ref;
+}
+/* No locking, no reservation of 'ref'. Do not use on a live file system */
+int jffs2_scan_dirty_space(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
+                           uint32_t size)
+{
+        if (!size)
+                return 0;
+        if (unlikely(size > jeb->free_size)) {
+                printk(KERN_CRIT "Dirty space 0x%x larger then free_size 0x%x (wasted 0x%x)\n",
+                       size, jeb->free_size, jeb->wasted_size);
+                BUG();
+        }
+        /* REF_EMPTY_NODE is !obsolete, so that works OK */
+        if (jeb->last_node && ref_obsolete(jeb->last_node)) {
+#ifdef TEST_TOTLEN
+                jeb->last_node->__totlen += size;
+#endif
+                c->dirty_size += size;
+                c->free_size -= size;
+                jeb->dirty_size += size;
+                jeb->free_size -= size;
+        } else {
+                uint32_t ofs = jeb->offset + c->sector_size - jeb->free_size;
+                ofs |= REF_OBSOLETE;
+                jffs2_link_node_ref(c, jeb, ofs, size, NULL);
+        }
+        return 0;
+}
+/* Calculate totlen from surrounding nodes or eraseblock */
+static inline uint32_t __ref_totlen(struct jffs2_sb_info *c,
+                                    struct jffs2_eraseblock *jeb,
+                                    struct jffs2_raw_node_ref *ref)
+{
+        uint32_t ref_end;
+        struct jffs2_raw_node_ref *next_ref = ref_next(ref);
+        if (next_ref)
+                ref_end = ref_offset(next_ref);
+        else {
+                if (!jeb)
+                        jeb = &c->blocks[ref->flash_offset / c->sector_size];
+                /* Last node in block. Use free_space */
+                if (unlikely(ref != jeb->last_node)) {
+                        printk(KERN_CRIT "ref %p @0x%08x is not jeb->last_node (%p @0x%08x)\n",
+                               ref, ref_offset(ref), jeb->last_node, jeb->last_node?ref_offset(jeb->last_node):0);
+                        BUG();
+                }
+                ref_end = jeb->offset + c->sector_size - jeb->free_size;
+        }
+        return ref_end - ref_offset(ref);
+}
+uint32_t __jffs2_ref_totlen(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
+                            struct jffs2_raw_node_ref *ref)
+{
+        uint32_t ret;
+        ret = __ref_totlen(c, jeb, ref);
+#ifdef TEST_TOTLEN
+        if (unlikely(ret != ref->__totlen)) {
+                if (!jeb)
+                        jeb = &c->blocks[ref->flash_offset / c->sector_size];
+                printk(KERN_CRIT "Totlen for ref at %p (0x%08x-0x%08x) miscalculated as 0x%x instead of %x\n",
+                       ref, ref_offset(ref), ref_offset(ref)+ref->__totlen,
+                       ret, ref->__totlen);
+                if (ref_next(ref)) {
+                        printk(KERN_CRIT "next %p (0x%08x-0x%08x)\n", ref_next(ref), ref_offset(ref_next(ref)),
+                               ref_offset(ref_next(ref))+ref->__totlen);
+                } else 
+                        printk(KERN_CRIT "No next ref. jeb->last_node is %p\n", jeb->last_node);
+                printk(KERN_CRIT "jeb->wasted_size %x, dirty_size %x, used_size %x, free_size %x\n", jeb->wasted_size, jeb->dirty_size, jeb->used_size, jeb->free_size);
+#if defined(JFFS2_DBG_DUMPS) || defined(JFFS2_DBG_PARANOIA_CHECKS)
+                __jffs2_dbg_dump_node_refs_nolock(c, jeb);
+#endif
+                WARN_ON(1);
+                ret = ref->__totlen;
+        }
+#endif /* TEST_TOTLEN */
+        return ret;
+}
diff --git a/fs/jffs2/nodelist.h b/fs/jffs2/nodelist.h
index 23a67bb3052f..f752baa8d399 100644
--- a/fs/jffs2/nodelist.h
+++ b/fs/jffs2/nodelist.h
@@ -14,12 +14,13 @@
 #ifndef __JFFS2_NODELIST_H__
 #define __JFFS2_NODELIST_H__
-#include <linux/config.h>
 #include <linux/fs.h>
 #include <linux/types.h>
 #include <linux/jffs2.h>
-#include <linux/jffs2_fs_sb.h>
+#include "jffs2_fs_sb.h"
-#include <linux/jffs2_fs_i.h>
+#include "jffs2_fs_i.h"
+#include "xattr.h"
+#include "acl.h"
 #include "summary.h"
 #ifdef __ECOS
@@ -75,14 +76,50 @@
 struct jffs2_raw_node_ref
 {
        struct jffs2_raw_node_ref *next_in_ino; /* Points to the next raw_node_ref
-                for this inode. If this is the last, it points to the inode_cache
+                for this object. If this _is_ the last, it points to the inode_cache,
-                for this inode instead. The inode_cache will have NULL in the first
+                xattr_ref or xattr_datum instead. The common part of those structures
-                word so you know when you've got there :) */
+                has NULL in the first word. See jffs2_raw_ref_to_ic() below */
-        struct jffs2_raw_node_ref *next_phys;
        uint32_t flash_offset;
+#define TEST_TOTLEN
+#ifdef TEST_TOTLEN
        uint32_t __totlen; /* This may die; use ref_totlen(c, jeb, ) below */
+#endif
 };
+#define REF_LINK_NODE ((int32_t)-1)
+#define REF_EMPTY_NODE ((int32_t)-2)
+/* Use blocks of about 256 bytes */
+#define REFS_PER_BLOCK ((255/sizeof(struct jffs2_raw_node_ref))-1)
+static inline struct jffs2_raw_node_ref *ref_next(struct jffs2_raw_node_ref *ref)
+{
+        ref++;
+        /* Link to another block of refs */
+        if (ref->flash_offset == REF_LINK_NODE) {
+                ref = ref->next_in_ino;
+                if (!ref)
+                        return ref;
+        }
+        /* End of chain */
+        if (ref->flash_offset == REF_EMPTY_NODE)
+                return NULL;
+        return ref;
+}
+static inline struct jffs2_inode_cache *jffs2_raw_ref_to_ic(struct jffs2_raw_node_ref *raw)
+{
+        while(raw->next_in_ino)
+                raw = raw->next_in_ino;
+        /* NB. This can be a jffs2_xattr_datum or jffs2_xattr_ref and
+           not actually a jffs2_inode_cache. Check ->class */
+        return ((struct jffs2_inode_cache *)raw);
+}
        /* flash_offset & 3 always has to be zero, because nodes are
           always aligned at 4 bytes. So we have a couple of extra bits
           to play with, which indicate the node's status; see below: */
@@ -95,6 +132,11 @@ struct jffs2_raw_node_ref
 #define ref_obsolete(ref)       (((ref)->flash_offset & 3) == REF_OBSOLETE)
 #define mark_ref_normal(ref)    do { (ref)->flash_offset = ref_offset(ref) | REF_NORMAL; } while(0)
+/* NB: REF_PRISTINE for an inode-less node (ref->next_in_ino == NULL) indicates
+   it is an unknown node of type JFFS2_NODETYPE_RWCOMPAT_COPY, so it'll get
+   copied. If you need to do anything different to GC inode-less nodes, then
+   you need to modify gc.c accordingly. */
 /* For each inode in the filesystem, we need to keep a record of
   nlink, because it would be a PITA to scan the whole directory tree
   at read_inode() time to calculate it, and to keep sufficient information
@@ -103,15 +145,27 @@ struct jffs2_raw_node_ref
   a pointer to the first physical node which is part of this inode, too.
 */
 struct jffs2_inode_cache {
+        /* First part of structure is shared with other objects which
+           can terminate the raw node refs' next_in_ino list -- which
+           currently struct jffs2_xattr_datum and struct jffs2_xattr_ref. */
        struct jffs2_full_dirent *scan_dents; /* Used during scan to hold
                temporary lists of dirents, and later must be set to
                NULL to mark the end of the raw_node_ref->next_in_ino
                chain. */
-        struct jffs2_inode_cache *next;
        struct jffs2_raw_node_ref *nodes;
+        uint8_t class;  /* It's used for identification */
+        /* end of shared structure */
+        uint8_t flags;
+        uint16_t state;
        uint32_t ino;
+        struct jffs2_inode_cache *next;
+#ifdef CONFIG_JFFS2_FS_XATTR
+        struct jffs2_xattr_ref *xref;
+#endif
        int nlink;
-        int state;
 };
 /* Inode states for 'state' above. We need the 'GC' state to prevent
@@ -125,8 +179,16 @@ struct jffs2_inode_cache {
 #define INO_STATE_READING       5       /* In read_inode() */
 #define INO_STATE_CLEARING      6       /* In clear_inode() */
+#define INO_FLAGS_XATTR_CHECKED 0x01    /* has no duplicate xattr_ref */
+#define RAWNODE_CLASS_INODE_CACHE       0
+#define RAWNODE_CLASS_XATTR_DATUM       1
+#define RAWNODE_CLASS_XATTR_REF         2
 #define INOCACHE_HASHSIZE 128
+#define write_ofs(c) ((c)->nextblock->offset + (c)->sector_size - (c)->nextblock->free_size)
 /*
  Larger representation of a raw node, kept in-core only when the
  struct inode for this particular ino is instantiated.
@@ -192,6 +254,7 @@ struct jffs2_eraseblock
        uint32_t wasted_size;
        uint32_t free_size;     /* Note that sector_size - free_size
                                   is the address of the first free space */
+        uint32_t allocated_refs;
        struct jffs2_raw_node_ref *first_node;
        struct jffs2_raw_node_ref *last_node;
@@ -203,57 +266,7 @@ static inline int jffs2_blocks_use_vmalloc(struct jffs2_sb_info *c)
        return ((c->flash_size / c->sector_size) * sizeof (struct jffs2_eraseblock)) > (128 * 1024);
 }
-/* Calculate totlen from surrounding nodes or eraseblock */
+#define ref_totlen(a, b, c) __jffs2_ref_totlen((a), (b), (c))
-static inline uint32_t __ref_totlen(struct jffs2_sb_info *c,
-                                    struct jffs2_eraseblock *jeb,
-                                    struct jffs2_raw_node_ref *ref)
-{
-        uint32_t ref_end;
-        if (ref->next_phys)
-                ref_end = ref_offset(ref->next_phys);
-        else {
-                if (!jeb)
-                        jeb = &c->blocks[ref->flash_offset / c->sector_size];
-                /* Last node in block. Use free_space */
-                BUG_ON(ref != jeb->last_node);
-                ref_end = jeb->offset + c->sector_size - jeb->free_size;
-        }
-        return ref_end - ref_offset(ref);
-}
-static inline uint32_t ref_totlen(struct jffs2_sb_info *c,
-                                  struct jffs2_eraseblock *jeb,
-                                  struct jffs2_raw_node_ref *ref)
-{
-        uint32_t ret;
-#if CONFIG_JFFS2_FS_DEBUG > 0
-        if (jeb && jeb != &c->blocks[ref->flash_offset / c->sector_size]) {
-                printk(KERN_CRIT "ref_totlen called with wrong block -- at 0x%08x instead of 0x%08x; ref 0x%08x\n",
-                       jeb->offset, c->blocks[ref->flash_offset / c->sector_size].offset, ref_offset(ref));
-                BUG();
-        }
-#endif
-#if 1
-        ret = ref->__totlen;
-#else
-        /* This doesn't actually work yet */
-        ret = __ref_totlen(c, jeb, ref);
-        if (ret != ref->__totlen) {
-                printk(KERN_CRIT "Totlen for ref at %p (0x%08x-0x%08x) miscalculated as 0x%x instead of %x\n",
-                       ref, ref_offset(ref), ref_offset(ref)+ref->__totlen,
-                       ret, ref->__totlen);
-                if (!jeb)
-                        jeb = &c->blocks[ref->flash_offset / c->sector_size];
-                jffs2_dbg_dump_node_refs_nolock(c, jeb);
-                BUG();
-        }
-#endif
-        return ret;
-}
 #define ALLOC_NORMAL    0       /* Normal allocation */
 #define ALLOC_DELETION  1       /* Deletion node. Best to allow it */
@@ -268,13 +281,15 @@ static inline uint32_t ref_totlen(struct jffs2_sb_info *c,
 #define PAD(x) (((x)+3)&~3)
-static inline struct jffs2_inode_cache *jffs2_raw_ref_to_ic(struct jffs2_raw_node_ref *raw)
+static inline int jffs2_encode_dev(union jffs2_device_node *jdev, dev_t rdev)
 {
-        while(raw->next_in_ino) {
+        if (old_valid_dev(rdev)) {
-                raw = raw->next_in_ino;
+                jdev->old = cpu_to_je16(old_encode_dev(rdev));
+                return sizeof(jdev->old);
+        } else {
+                jdev->new = cpu_to_je32(new_encode_dev(rdev));
+                return sizeof(jdev->new);
        }
-        return ((struct jffs2_inode_cache *)raw);
 }
 static inline struct jffs2_node_frag *frag_first(struct rb_root *root)
@@ -299,7 +314,6 @@ static inline struct jffs2_node_frag *frag_last(struct rb_root *root)
        return rb_entry(node, struct jffs2_node_frag, rb);
 }
-#define rb_parent(rb) ((rb)->rb_parent)
 #define frag_next(frag) rb_entry(rb_next(&(frag)->rb), struct jffs2_node_frag, rb)
 #define frag_prev(frag) rb_entry(rb_prev(&(frag)->rb), struct jffs2_node_frag, rb)
 #define frag_parent(frag) rb_entry(rb_parent(&(frag)->rb), struct jffs2_node_frag, rb)
@@ -324,28 +338,44 @@ void jffs2_obsolete_node_frag(struct jffs2_sb_info *c, struct jffs2_node_frag *t
 int jffs2_add_full_dnode_to_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f, struct jffs2_full_dnode *fn);
 void jffs2_truncate_fragtree (struct jffs2_sb_info *c, struct rb_root *list, uint32_t size);
 int jffs2_add_older_frag_to_fragtree(struct jffs2_sb_info *c, struct jffs2_inode_info *f, struct jffs2_tmp_dnode_info *tn);
+struct jffs2_raw_node_ref *jffs2_link_node_ref(struct jffs2_sb_info *c,
+                                               struct jffs2_eraseblock *jeb,
+                                               uint32_t ofs, uint32_t len,
+                                               struct jffs2_inode_cache *ic);
+extern uint32_t __jffs2_ref_totlen(struct jffs2_sb_info *c,
+                                   struct jffs2_eraseblock *jeb,
+                                   struct jffs2_raw_node_ref *ref);
 /* nodemgmt.c */
 int jffs2_thread_should_wake(struct jffs2_sb_info *c);
-int jffs2_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uint32_t *ofs,
+int jffs2_reserve_space(struct jffs2_sb_info *c, uint32_t minsize,
                        uint32_t *len, int prio, uint32_t sumsize);
-int jffs2_reserve_space_gc(struct jffs2_sb_info *c, uint32_t minsize, uint32_t *ofs,
+int jffs2_reserve_space_gc(struct jffs2_sb_info *c, uint32_t minsize,
                        uint32_t *len, uint32_t sumsize);
-int jffs2_add_physical_node_ref(struct jffs2_sb_info *c, struct jffs2_raw_node_ref *new);
+struct jffs2_raw_node_ref *jffs2_add_physical_node_ref(struct jffs2_sb_info *c, 
+                                                       uint32_t ofs, uint32_t len,
+                                                       struct jffs2_inode_cache *ic);
 void jffs2_complete_reservation(struct jffs2_sb_info *c);
 void jffs2_mark_node_obsolete(struct jffs2_sb_info *c, struct jffs2_raw_node_ref *raw);
 /* write.c */
 int jffs2_do_new_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f, uint32_t mode, struct jffs2_raw_inode *ri);
-struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2_inode_info *f, struct jffs2_raw_inode *ri, const unsigned char *data, uint32_t datalen, uint32_t flash_ofs, int alloc_mode);
+struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2_inode_info *f,
-struct jffs2_full_dirent *jffs2_write_dirent(struct jffs2_sb_info *c, struct jffs2_inode_info *f, struct jffs2_raw_dirent *rd, const unsigned char *name, uint32_t namelen, uint32_t flash_ofs, int alloc_mode);
+                                           struct jffs2_raw_inode *ri, const unsigned char *data,
+                                           uint32_t datalen, int alloc_mode);
+struct jffs2_full_dirent *jffs2_write_dirent(struct jffs2_sb_info *c, struct jffs2_inode_info *f,
+                                             struct jffs2_raw_dirent *rd, const unsigned char *name,
+                                             uint32_t namelen, int alloc_mode);
 int jffs2_write_inode_range(struct jffs2_sb_info *c, struct jffs2_inode_info *f,
                            struct jffs2_raw_inode *ri, unsigned char *buf,
                            uint32_t offset, uint32_t writelen, uint32_t *retlen);
-int jffs2_do_create(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, struct jffs2_inode_info *f, struct jffs2_raw_inode *ri, const char *name, int namelen);
+int jffs2_do_create(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, struct jffs2_inode_info *f,
-int jffs2_do_unlink(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, const char *name, int namelen, struct jffs2_inode_info *dead_f, uint32_t time);
+                    struct jffs2_raw_inode *ri, const char *name, int namelen);
-int jffs2_do_link (struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, uint32_t ino, uint8_t type, const char *name, int namelen, uint32_t time);
+int jffs2_do_unlink(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, const char *name,
+                    int namelen, struct jffs2_inode_info *dead_f, uint32_t time);
+int jffs2_do_link(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, uint32_t ino,
+                   uint8_t type, const char *name, int namelen, uint32_t time);
 /* readinode.c */
@@ -368,12 +398,19 @@ struct jffs2_raw_inode *jffs2_alloc_raw_inode(void);
 void jffs2_free_raw_inode(struct jffs2_raw_inode *);
 struct jffs2_tmp_dnode_info *jffs2_alloc_tmp_dnode_info(void);
 void jffs2_free_tmp_dnode_info(struct jffs2_tmp_dnode_info *);
-struct jffs2_raw_node_ref *jffs2_alloc_raw_node_ref(void);
+int jffs2_prealloc_raw_node_refs(struct jffs2_sb_info *c,
-void jffs2_free_raw_node_ref(struct jffs2_raw_node_ref *);
+                                 struct jffs2_eraseblock *jeb, int nr);
+void jffs2_free_refblock(struct jffs2_raw_node_ref *);
 struct jffs2_node_frag *jffs2_alloc_node_frag(void);
 void jffs2_free_node_frag(struct jffs2_node_frag *);
 struct jffs2_inode_cache *jffs2_alloc_inode_cache(void);
 void jffs2_free_inode_cache(struct jffs2_inode_cache *);
+#ifdef CONFIG_JFFS2_FS_XATTR
+struct jffs2_xattr_datum *jffs2_alloc_xattr_datum(void);
+void jffs2_free_xattr_datum(struct jffs2_xattr_datum *);
+struct jffs2_xattr_ref *jffs2_alloc_xattr_ref(void);
+void jffs2_free_xattr_ref(struct jffs2_xattr_ref *);
+#endif
 /* gc.c */
 int jffs2_garbage_collect_pass(struct jffs2_sb_info *c);
@@ -393,12 +430,14 @@ int jffs2_fill_scan_buf(struct jffs2_sb_info *c, void *buf,
                                uint32_t ofs, uint32_t len);
 struct jffs2_inode_cache *jffs2_scan_make_ino_cache(struct jffs2_sb_info *c, uint32_t ino);
 int jffs2_scan_classify_jeb(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb);
+int jffs2_scan_dirty_space(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb, uint32_t size);
 /* build.c */
 int jffs2_do_mount_fs(struct jffs2_sb_info *c);
 /* erase.c */
 void jffs2_erase_pending_blocks(struct jffs2_sb_info *c, int count);
+void jffs2_free_jeb_node_refs(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb);
 #ifdef CONFIG_JFFS2_FS_WRITEBUFFER
 /* wbuf.c */
diff --git a/fs/jffs2/nodemgmt.c b/fs/jffs2/nodemgmt.c
index 49127a1f0458..d88376992ed9 100644
--- a/fs/jffs2/nodemgmt.c
+++ b/fs/jffs2/nodemgmt.c
@@ -23,13 +23,12 @@
 *      jffs2_reserve_space - request physical space to write nodes to flash
 *      @c: superblock info
 *      @minsize: Minimum acceptable size of allocation
- *      @ofs: Returned value of node offset
 *      @len: Returned value of allocation length
 *      @prio: Allocation type - ALLOC_{NORMAL,DELETION}
 *
 *      Requests a block of physical space on the flash. Returns zero for success
- *      and puts 'ofs' and 'len' into the appriopriate place, or returns -ENOSPC
+ *      and puts 'len' into the appropriate place, or returns -ENOSPC or other 
- *      or other error if appropriate.
+ *      error if appropriate. Doesn't return len since that's 
 *
 *      If it returns zero, jffs2_reserve_space() also downs the per-filesystem
 *      allocation semaphore, to prevent more than one allocation from being
@@ -40,9 +39,9 @@
 */
 static int jffs2_do_reserve_space(struct jffs2_sb_info *c,  uint32_t minsize,
-                                        uint32_t *ofs, uint32_t *len, uint32_t sumsize);
+                                  uint32_t *len, uint32_t sumsize);
-int jffs2_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uint32_t *ofs,
+int jffs2_reserve_space(struct jffs2_sb_info *c, uint32_t minsize,
                        uint32_t *len, int prio, uint32_t sumsize)
 {
        int ret = -EAGAIN;
@@ -132,19 +131,21 @@ int jffs2_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uint32_t *ofs
                        spin_lock(&c->erase_completion_lock);
                }
-                ret = jffs2_do_reserve_space(c, minsize, ofs, len, sumsize);
+                ret = jffs2_do_reserve_space(c, minsize, len, sumsize);
                if (ret) {
                        D1(printk(KERN_DEBUG "jffs2_reserve_space: ret is %d\n", ret));
                }
        }
        spin_unlock(&c->erase_completion_lock);
+        if (!ret)
+                ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1);
        if (ret)
                up(&c->alloc_sem);
        return ret;
 }
-int jffs2_reserve_space_gc(struct jffs2_sb_info *c, uint32_t minsize, uint32_t *ofs,
+int jffs2_reserve_space_gc(struct jffs2_sb_info *c, uint32_t minsize,
-                        uint32_t *len, uint32_t sumsize)
+                           uint32_t *len, uint32_t sumsize)
 {
        int ret = -EAGAIN;
        minsize = PAD(minsize);
@@ -153,12 +154,15 @@ int jffs2_reserve_space_gc(struct jffs2_sb_info *c, uint32_t minsize, uint32_t *
        spin_lock(&c->erase_completion_lock);
        while(ret == -EAGAIN) {
-                ret = jffs2_do_reserve_space(c, minsize, ofs, len, sumsize);
+                ret = jffs2_do_reserve_space(c, minsize, len, sumsize);
                if (ret) {
                        D1(printk(KERN_DEBUG "jffs2_reserve_space_gc: looping, ret is %d\n", ret));
                }
        }
        spin_unlock(&c->erase_completion_lock);
+        if (!ret)
+                ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1);
        return ret;
 }
@@ -207,8 +211,7 @@ static int jffs2_find_nextblock(struct jffs2_sb_info *c)
                        struct jffs2_eraseblock *ejeb;
                        ejeb = list_entry(c->erasable_list.next, struct jffs2_eraseblock, list);
-                        list_del(&ejeb->list);
+                        list_move_tail(&ejeb->list, &c->erase_pending_list);
-                        list_add_tail(&ejeb->list, &c->erase_pending_list);
                        c->nr_erasing_blocks++;
                        jffs2_erase_pending_trigger(c);
                        D1(printk(KERN_DEBUG "jffs2_find_nextblock: Triggering erase of erasable block at 0x%08x\n",
@@ -259,10 +262,11 @@ static int jffs2_find_nextblock(struct jffs2_sb_info *c)
 }
 /* Called with alloc sem _and_ erase_completion_lock */
-static int jffs2_do_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uint32_t *ofs, uint32_t *len, uint32_t sumsize)
+static int jffs2_do_reserve_space(struct jffs2_sb_info *c, uint32_t minsize,
+                                  uint32_t *len, uint32_t sumsize)
 {
        struct jffs2_eraseblock *jeb = c->nextblock;
-        uint32_t reserved_size;                         /* for summary information at the end of the jeb */
+        uint32_t reserved_size;                         /* for summary information at the end of the jeb */
        int ret;
 restart:
@@ -312,6 +316,8 @@ static int jffs2_do_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uin
                }
        } else {
                if (jeb && minsize > jeb->free_size) {
+                        uint32_t waste;
                        /* Skip the end of this block and file it as having some dirty space */
                        /* If there's a pending write to it, flush now */
@@ -324,10 +330,26 @@ static int jffs2_do_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uin
                                goto restart;
                        }
-                        c->wasted_size += jeb->free_size;
+                        spin_unlock(&c->erase_completion_lock);
-                        c->free_size -= jeb->free_size;
-                        jeb->wasted_size += jeb->free_size;
+                        ret = jffs2_prealloc_raw_node_refs(c, jeb, 1);
-                        jeb->free_size = 0;
+                        if (ret)
+                                return ret;
+                        /* Just lock it again and continue. Nothing much can change because
+                           we hold c->alloc_sem anyway. In fact, it's not entirely clear why
+                           we hold c->erase_completion_lock in the majority of this function...
+                           but that's a question for another (more caffeine-rich) day. */
+                        spin_lock(&c->erase_completion_lock);
+                        waste = jeb->free_size;
+                        jffs2_link_node_ref(c, jeb,
+                                            (jeb->offset + c->sector_size - waste) | REF_OBSOLETE,
+                                            waste, NULL);
+                        /* FIXME: that made it count as dirty. Convert to wasted */
+                        jeb->dirty_size -= waste;
+                        c->dirty_size -= waste;
+                        jeb->wasted_size += waste;
+                        c->wasted_size += waste;
                        jffs2_close_nextblock(c, jeb);
                        jeb = NULL;
@@ -349,7 +371,6 @@ static int jffs2_do_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uin
        }
        /* OK, jeb (==c->nextblock) is now pointing at a block which definitely has
           enough space */
-        *ofs = jeb->offset + (c->sector_size - jeb->free_size);
        *len = jeb->free_size - reserved_size;
        if (c->cleanmarker_size && jeb->used_size == c->cleanmarker_size &&
@@ -365,7 +386,8 @@ static int jffs2_do_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uin
                spin_lock(&c->erase_completion_lock);
        }
-        D1(printk(KERN_DEBUG "jffs2_do_reserve_space(): Giving 0x%x bytes at 0x%x\n", *len, *ofs));
+        D1(printk(KERN_DEBUG "jffs2_do_reserve_space(): Giving 0x%x bytes at 0x%x\n",
+                  *len, jeb->offset + (c->sector_size - jeb->free_size)));
        return 0;
 }
@@ -374,7 +396,6 @@ static int jffs2_do_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uin
 *      @c: superblock info
 *      @new: new node reference to add
 *      @len: length of this physical node
- *      @dirty: dirty flag for new node
 *
 *      Should only be used to report nodes for which space has been allocated
 *      by jffs2_reserve_space.
@@ -382,42 +403,30 @@ static int jffs2_do_reserve_space(struct jffs2_sb_info *c, uint32_t minsize, uin
 *      Must be called with the alloc_sem held.
 */
-int jffs2_add_physical_node_ref(struct jffs2_sb_info *c, struct jffs2_raw_node_ref *new)
+struct jffs2_raw_node_ref *jffs2_add_physical_node_ref(struct jffs2_sb_info *c,
+                                                       uint32_t ofs, uint32_t len,
+                                                       struct jffs2_inode_cache *ic)
 {
        struct jffs2_eraseblock *jeb;
-        uint32_t len;
+        struct jffs2_raw_node_ref *new;
-        jeb = &c->blocks[new->flash_offset / c->sector_size];
+        jeb = &c->blocks[ofs / c->sector_size];
-        len = ref_totlen(c, jeb, new);
-        D1(printk(KERN_DEBUG "jffs2_add_physical_node_ref(): Node at 0x%x(%d), size 0x%x\n", ref_offset(new), ref_flags(new), len));
+        D1(printk(KERN_DEBUG "jffs2_add_physical_node_ref(): Node at 0x%x(%d), size 0x%x\n",
+                  ofs & ~3, ofs & 3, len));
 #if 1
-        /* we could get some obsolete nodes after nextblock was refiled
+        /* Allow non-obsolete nodes only to be added at the end of c->nextblock, 
-           in wbuf.c */
+           if c->nextblock is set. Note that wbuf.c will file obsolete nodes
-        if ((c->nextblock || !ref_obsolete(new))
+           even after refiling c->nextblock */
-            &&(jeb != c->nextblock || ref_offset(new) != jeb->offset + (c->sector_size - jeb->free_size))) {
+        if ((c->nextblock || ((ofs & 3) != REF_OBSOLETE))
+            && (jeb != c->nextblock || (ofs & ~3) != jeb->offset + (c->sector_size - jeb->free_size))) {
                printk(KERN_WARNING "argh. node added in wrong place\n");
-                jffs2_free_raw_node_ref(new);
+                return ERR_PTR(-EINVAL);
-                return -EINVAL;
        }
 #endif
        spin_lock(&c->erase_completion_lock);
-        if (!jeb->first_node)
+        new = jffs2_link_node_ref(c, jeb, ofs, len, ic);
-                jeb->first_node = new;
-        if (jeb->last_node)
-                jeb->last_node->next_phys = new;
-        jeb->last_node = new;
-        jeb->free_size -= len;
-        c->free_size -= len;
-        if (ref_obsolete(new)) {
-                jeb->dirty_size += len;
-                c->dirty_size += len;
-        } else {
-                jeb->used_size += len;
-                c->used_size += len;
-        }
        if (!jeb->free_size && !jeb->dirty_size && !ISDIRTY(jeb->wasted_size)) {
                /* If it lives on the dirty_list, jffs2_reserve_space will put it there */
@@ -438,7 +447,7 @@ int jffs2_add_physical_node_ref(struct jffs2_sb_info *c, struct jffs2_raw_node_r
        spin_unlock(&c->erase_completion_lock);
-        return 0;
+        return new;
 }
@@ -470,8 +479,9 @@ void jffs2_mark_node_obsolete(struct jffs2_sb_info *c, struct jffs2_raw_node_ref
        struct jffs2_unknown_node n;
        int ret, addedsize;
        size_t retlen;
+        uint32_t freed_len;
-        if(!ref) {
+        if(unlikely(!ref)) {
                printk(KERN_NOTICE "EEEEEK. jffs2_mark_node_obsolete called with NULL node\n");
                return;
        }
@@ -499,32 +509,34 @@ void jffs2_mark_node_obsolete(struct jffs2_sb_info *c, struct jffs2_raw_node_ref
        spin_lock(&c->erase_completion_lock);
+        freed_len = ref_totlen(c, jeb, ref);
        if (ref_flags(ref) == REF_UNCHECKED) {
-                D1(if (unlikely(jeb->unchecked_size < ref_totlen(c, jeb, ref))) {
+                D1(if (unlikely(jeb->unchecked_size < freed_len)) {
                        printk(KERN_NOTICE "raw unchecked node of size 0x%08x freed from erase block %d at 0x%08x, but unchecked_size was already 0x%08x\n",
-                               ref_totlen(c, jeb, ref), blocknr, ref->flash_offset, jeb->used_size);
+                               freed_len, blocknr, ref->flash_offset, jeb->used_size);
                        BUG();
                })
-                D1(printk(KERN_DEBUG "Obsoleting previously unchecked node at 0x%08x of len %x: ", ref_offset(ref), ref_totlen(c, jeb, ref)));
+                D1(printk(KERN_DEBUG "Obsoleting previously unchecked node at 0x%08x of len %x: ", ref_offset(ref), freed_len));
-                jeb->unchecked_size -= ref_totlen(c, jeb, ref);
+                jeb->unchecked_size -= freed_len;
-                c->unchecked_size -= ref_totlen(c, jeb, ref);
+                c->unchecked_size -= freed_len;
        } else {
-                D1(if (unlikely(jeb->used_size < ref_totlen(c, jeb, ref))) {
+                D1(if (unlikely(jeb->used_size < freed_len)) {
                        printk(KERN_NOTICE "raw node of size 0x%08x freed from erase block %d at 0x%08x, but used_size was already 0x%08x\n",
-                               ref_totlen(c, jeb, ref), blocknr, ref->flash_offset, jeb->used_size);
+                               freed_len, blocknr, ref->flash_offset, jeb->used_size);
                        BUG();
                })
-                D1(printk(KERN_DEBUG "Obsoleting node at 0x%08x of len %#x: ", ref_offset(ref), ref_totlen(c, jeb, ref)));
+                D1(printk(KERN_DEBUG "Obsoleting node at 0x%08x of len %#x: ", ref_offset(ref), freed_len));
-                jeb->used_size -= ref_totlen(c, jeb, ref);
+                jeb->used_size -= freed_len;
-                c->used_size -= ref_totlen(c, jeb, ref);
+                c->used_size -= freed_len;
        }
        // Take care, that wasted size is taken into concern
-        if ((jeb->dirty_size || ISDIRTY(jeb->wasted_size + ref_totlen(c, jeb, ref))) && jeb != c->nextblock) {
+        if ((jeb->dirty_size || ISDIRTY(jeb->wasted_size + freed_len)) && jeb != c->nextblock) {
-                D1(printk(KERN_DEBUG "Dirtying\n"));
+                D1(printk("Dirtying\n"));
-                addedsize = ref_totlen(c, jeb, ref);
+                addedsize = freed_len;
-                jeb->dirty_size += ref_totlen(c, jeb, ref);
+                jeb->dirty_size += freed_len;
-                c->dirty_size += ref_totlen(c, jeb, ref);
+                c->dirty_size += freed_len;
                /* Convert wasted space to dirty, if not a bad block */
                if (jeb->wasted_size) {
@@ -543,10 +555,10 @@ void jffs2_mark_node_obsolete(struct jffs2_sb_info *c, struct jffs2_raw_node_ref
                        }
                }
        } else {
-                D1(printk(KERN_DEBUG "Wasting\n"));
+                D1(printk("Wasting\n"));
                addedsize = 0;
-                jeb->wasted_size += ref_totlen(c, jeb, ref);
+                jeb->wasted_size += freed_len;
-                c->wasted_size += ref_totlen(c, jeb, ref);
+                c->wasted_size += freed_len;
        }
        ref->flash_offset = ref_offset(ref) | REF_OBSOLETE;
@@ -622,7 +634,7 @@ void jffs2_mark_node_obsolete(struct jffs2_sb_info *c, struct jffs2_raw_node_ref
        /* The erase_free_sem is locked, and has been since before we marked the node obsolete
           and potentially put its eraseblock onto the erase_pending_list. Thus, we know that
           the block hasn't _already_ been erased, and that 'ref' itself hasn't been freed yet
-           by jffs2_free_all_node_refs() in erase.c. Which is nice. */
+           by jffs2_free_jeb_node_refs() in erase.c. Which is nice. */
        D1(printk(KERN_DEBUG "obliterating obsoleted node at 0x%08x\n", ref_offset(ref)));
        ret = jffs2_flash_read(c, ref_offset(ref), sizeof(n), &retlen, (char *)&n);
@@ -634,8 +646,8 @@ void jffs2_mark_node_obsolete(struct jffs2_sb_info *c, struct jffs2_raw_node_ref
                printk(KERN_WARNING "Short read from obsoleted node at 0x%08x: %zd\n", ref_offset(ref), retlen);
                goto out_erase_sem;
        }
-        if (PAD(je32_to_cpu(n.totlen)) != PAD(ref_totlen(c, jeb, ref))) {
+        if (PAD(je32_to_cpu(n.totlen)) != PAD(freed_len)) {
-                printk(KERN_WARNING "Node totlen on flash (0x%08x) != totlen from node ref (0x%08x)\n", je32_to_cpu(n.totlen), ref_totlen(c, jeb, ref));
+                printk(KERN_WARNING "Node totlen on flash (0x%08x) != totlen from node ref (0x%08x)\n", je32_to_cpu(n.totlen), freed_len);
                goto out_erase_sem;
        }
        if (!(je16_to_cpu(n.nodetype) & JFFS2_NODE_ACCURATE)) {
@@ -677,57 +689,23 @@ void jffs2_mark_node_obsolete(struct jffs2_sb_info *c, struct jffs2_raw_node_ref
                *p = ref->next_in_ino;
                ref->next_in_ino = NULL;
-                if (ic->nodes == (void *)ic && ic->nlink == 0)
+                switch (ic->class) {
-                        jffs2_del_ino_cache(c, ic);
+#ifdef CONFIG_JFFS2_FS_XATTR
+                        case RAWNODE_CLASS_XATTR_DATUM:
-                spin_unlock(&c->erase_completion_lock);
+                                jffs2_release_xattr_datum(c, (struct jffs2_xattr_datum *)ic);
-        }
+                                break;
+                        case RAWNODE_CLASS_XATTR_REF:
+                                jffs2_release_xattr_ref(c, (struct jffs2_xattr_ref *)ic);
-        /* Merge with the next node in the physical list, if there is one
+                                break;
-           and if it's also obsolete and if it doesn't belong to any inode */
+#endif
-        if (ref->next_phys && ref_obsolete(ref->next_phys) &&
+                        default:
-            !ref->next_phys->next_in_ino) {
+                                if (ic->nodes == (void *)ic && ic->nlink == 0)
-                struct jffs2_raw_node_ref *n = ref->next_phys;
+                                        jffs2_del_ino_cache(c, ic);
+                                break;
-                spin_lock(&c->erase_completion_lock);
-                ref->__totlen += n->__totlen;
-                ref->next_phys = n->next_phys;
-                if (jeb->last_node == n) jeb->last_node = ref;
-                if (jeb->gc_node == n) {
-                        /* gc will be happy continuing gc on this node */
-                        jeb->gc_node=ref;
                }
                spin_unlock(&c->erase_completion_lock);
-                jffs2_free_raw_node_ref(n);
        }
-        /* Also merge with the previous node in the list, if there is one
-           and that one is obsolete */
-        if (ref != jeb->first_node ) {
-                struct jffs2_raw_node_ref *p = jeb->first_node;
-                spin_lock(&c->erase_completion_lock);
-                while (p->next_phys != ref)
-                        p = p->next_phys;
-                if (ref_obsolete(p) && !ref->next_in_ino) {
-                        p->__totlen += ref->__totlen;
-                        if (jeb->last_node == ref) {
-                                jeb->last_node = p;
-                        }
-                        if (jeb->gc_node == ref) {
-                                /* gc will be happy continuing gc on this node */
-                                jeb->gc_node=p;
-                        }
-                        p->next_phys = ref->next_phys;
-                        jffs2_free_raw_node_ref(ref);
-                }
-                spin_unlock(&c->erase_completion_lock);
-        }
 out_erase_sem:
        up(&c->erase_free_sem);
 }
diff --git a/fs/jffs2/os-linux.h b/fs/jffs2/os-linux.h
index d307cf548625..9f41fc01a371 100644
--- a/fs/jffs2/os-linux.h
+++ b/fs/jffs2/os-linux.h
@@ -31,9 +31,7 @@ struct kvec;
 #define JFFS2_F_I_MODE(f) (OFNI_EDONI_2SFFJ(f)->i_mode)
 #define JFFS2_F_I_UID(f) (OFNI_EDONI_2SFFJ(f)->i_uid)
 #define JFFS2_F_I_GID(f) (OFNI_EDONI_2SFFJ(f)->i_gid)
+#define JFFS2_F_I_RDEV(f) (OFNI_EDONI_2SFFJ(f)->i_rdev)
-#define JFFS2_F_I_RDEV_MIN(f) (iminor(OFNI_EDONI_2SFFJ(f)))
-#define JFFS2_F_I_RDEV_MAJ(f) (imajor(OFNI_EDONI_2SFFJ(f)))
 #define ITIME(sec) ((struct timespec){sec, 0})
 #define I_SEC(tv) ((tv).tv_sec)
@@ -60,6 +58,10 @@ static inline void jffs2_init_inode_info(struct jffs2_inode_info *f)
        f->target = NULL;
        f->flags = 0;
        f->usercompr = 0;
+#ifdef CONFIG_JFFS2_FS_POSIX_ACL
+        f->i_acl_access = JFFS2_ACL_NOT_CACHED;
+        f->i_acl_default = JFFS2_ACL_NOT_CACHED;
+#endif
 }
@@ -90,13 +92,10 @@ static inline void jffs2_init_inode_info(struct jffs2_inode_info *f)
 #define jffs2_flash_writev(a,b,c,d,e,f) jffs2_flash_direct_writev(a,b,c,d,e)
 #define jffs2_wbuf_timeout NULL
 #define jffs2_wbuf_process NULL
-#define jffs2_nor_ecc(c) (0)
 #define jffs2_dataflash(c) (0)
-#define jffs2_nor_wbuf_flash(c) (0)
-#define jffs2_nor_ecc_flash_setup(c) (0)
-#define jffs2_nor_ecc_flash_cleanup(c) do {} while (0)
 #define jffs2_dataflash_setup(c) (0)
 #define jffs2_dataflash_cleanup(c) do {} while (0)
+#define jffs2_nor_wbuf_flash(c) (0)
 #define jffs2_nor_wbuf_flash_setup(c) (0)
 #define jffs2_nor_wbuf_flash_cleanup(c) do {} while (0)
@@ -107,9 +106,7 @@ static inline void jffs2_init_inode_info(struct jffs2_inode_info *f)
 #ifdef CONFIG_JFFS2_SUMMARY
 #define jffs2_can_mark_obsolete(c) (0)
 #else
-#define jffs2_can_mark_obsolete(c) \
+#define jffs2_can_mark_obsolete(c) (c->mtd->flags & (MTD_BIT_WRITEABLE))
-  ((c->mtd->type == MTD_NORFLASH && !(c->mtd->flags & (MTD_ECC|MTD_PROGRAM_REGIONS))) || \
-   c->mtd->type == MTD_RAM)
 #endif
 #define jffs2_cleanmarker_oob(c) (c->mtd->type == MTD_NANDFLASH)
@@ -133,15 +130,11 @@ int jffs2_flush_wbuf_pad(struct jffs2_sb_info *c);
 int jffs2_nand_flash_setup(struct jffs2_sb_info *c);
 void jffs2_nand_flash_cleanup(struct jffs2_sb_info *c);
-#define jffs2_nor_ecc(c) (c->mtd->type == MTD_NORFLASH && (c->mtd->flags & MTD_ECC))
-int jffs2_nor_ecc_flash_setup(struct jffs2_sb_info *c);
-void jffs2_nor_ecc_flash_cleanup(struct jffs2_sb_info *c);
 #define jffs2_dataflash(c) (c->mtd->type == MTD_DATAFLASH)
 int jffs2_dataflash_setup(struct jffs2_sb_info *c);
 void jffs2_dataflash_cleanup(struct jffs2_sb_info *c);
-#define jffs2_nor_wbuf_flash(c) (c->mtd->type == MTD_NORFLASH && (c->mtd->flags & MTD_PROGRAM_REGIONS))
+#define jffs2_nor_wbuf_flash(c) (c->mtd->type == MTD_NORFLASH && ! (c->mtd->flags & MTD_BIT_WRITEABLE))
 int jffs2_nor_wbuf_flash_setup(struct jffs2_sb_info *c);
 void jffs2_nor_wbuf_flash_cleanup(struct jffs2_sb_info *c);
@@ -165,7 +158,7 @@ extern struct inode_operations jffs2_dir_inode_operations;
 /* file.c */
 extern const struct file_operations jffs2_file_operations;
 extern struct inode_operations jffs2_file_inode_operations;
-extern struct address_space_operations jffs2_file_address_operations;
+extern const struct address_space_operations jffs2_file_address_operations;
 int jffs2_fsync(struct file *, struct dentry *, int);
 int jffs2_do_readpage_unlock (struct inode *inode, struct page *pg);
@@ -182,7 +175,7 @@ void jffs2_clear_inode (struct inode *);
 void jffs2_dirty_inode(struct inode *inode);
 struct inode *jffs2_new_inode (struct inode *dir_i, int mode,
                               struct jffs2_raw_inode *ri);
-int jffs2_statfs (struct super_block *, struct kstatfs *);
+int jffs2_statfs (struct dentry *, struct kstatfs *);
 void jffs2_write_super (struct super_block *);
 int jffs2_remount_fs (struct super_block *, int *, char *);
 int jffs2_do_fill_super(struct super_block *sb, void *data, int silent);
diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c
index f1695642d0f7..cc1899268c43 100644
--- a/fs/jffs2/readinode.c
+++ b/fs/jffs2/readinode.c
@@ -66,7 +66,7 @@ static void jffs2_free_tmp_dnode_info_list(struct rb_root *list)
                        jffs2_free_full_dnode(tn->fn);
                        jffs2_free_tmp_dnode_info(tn);
-                        this = this->rb_parent;
+                        this = rb_parent(this);
                        if (!this)
                                break;
@@ -116,19 +116,42 @@ static inline int read_direntry(struct jffs2_sb_info *c, struct jffs2_raw_node_r
                                uint32_t *latest_mctime, uint32_t *mctime_ver)
 {
        struct jffs2_full_dirent *fd;
+        uint32_t crc;
-        /* The direntry nodes are checked during the flash scanning */
-        BUG_ON(ref_flags(ref) == REF_UNCHECKED);
        /* Obsoleted. This cannot happen, surely? dwmw2 20020308 */
        BUG_ON(ref_obsolete(ref));
-        /* Sanity check */
+        crc = crc32(0, rd, sizeof(*rd) - 8);
-        if (unlikely(PAD((rd->nsize + sizeof(*rd))) != PAD(je32_to_cpu(rd->totlen)))) {
+        if (unlikely(crc != je32_to_cpu(rd->node_crc))) {
-                JFFS2_ERROR("illegal nsize in node at %#08x: nsize %#02x, totlen %#04x\n",
+                JFFS2_NOTICE("header CRC failed on dirent node at %#08x: read %#08x, calculated %#08x\n",
-                       ref_offset(ref), rd->nsize, je32_to_cpu(rd->totlen));
+                             ref_offset(ref), je32_to_cpu(rd->node_crc), crc);
                return 1;
        }
+        /* If we've never checked the CRCs on this node, check them now */
+        if (ref_flags(ref) == REF_UNCHECKED) {
+                struct jffs2_eraseblock *jeb;
+                int len;
+                /* Sanity check */
+                if (unlikely(PAD((rd->nsize + sizeof(*rd))) != PAD(je32_to_cpu(rd->totlen)))) {
+                        JFFS2_ERROR("illegal nsize in node at %#08x: nsize %#02x, totlen %#04x\n",
+                                    ref_offset(ref), rd->nsize, je32_to_cpu(rd->totlen));
+                        return 1;
+                }
+                jeb = &c->blocks[ref->flash_offset / c->sector_size];
+                len = ref_totlen(c, jeb, ref);
+                spin_lock(&c->erase_completion_lock);
+                jeb->used_size += len;
+                jeb->unchecked_size -= len;
+                c->used_size += len;
+                c->unchecked_size -= len;
+                ref->flash_offset = ref_offset(ref) | REF_PRISTINE;
+                spin_unlock(&c->erase_completion_lock);
+        }
        fd = jffs2_alloc_full_dirent(rd->nsize + 1);
        if (unlikely(!fd))
                return -ENOMEM;
@@ -198,13 +221,21 @@ static inline int read_dnode(struct jffs2_sb_info *c, struct jffs2_raw_node_ref
        struct jffs2_tmp_dnode_info *tn;
        uint32_t len, csize;
        int ret = 1;
+        uint32_t crc;
        /* Obsoleted. This cannot happen, surely? dwmw2 20020308 */
        BUG_ON(ref_obsolete(ref));
+        crc = crc32(0, rd, sizeof(*rd) - 8);
+        if (unlikely(crc != je32_to_cpu(rd->node_crc))) {
+                JFFS2_NOTICE("node CRC failed on dnode at %#08x: read %#08x, calculated %#08x\n",
+                             ref_offset(ref), je32_to_cpu(rd->node_crc), crc);
+                return 1;
+        }
        tn = jffs2_alloc_tmp_dnode_info();
        if (!tn) {
-                JFFS2_ERROR("failed to allocate tn (%d bytes).\n", sizeof(*tn));
+                JFFS2_ERROR("failed to allocate tn (%zu bytes).\n", sizeof(*tn));
                return -ENOMEM;
        }
@@ -213,14 +244,6 @@ static inline int read_dnode(struct jffs2_sb_info *c, struct jffs2_raw_node_ref
        /* If we've never checked the CRCs on this node, check them now */
        if (ref_flags(ref) == REF_UNCHECKED) {
-                uint32_t crc;
-                crc = crc32(0, rd, sizeof(*rd) - 8);
-                if (unlikely(crc != je32_to_cpu(rd->node_crc))) {
-                        JFFS2_NOTICE("header CRC failed on node at %#08x: read %#08x, calculated %#08x\n",
-                                        ref_offset(ref), je32_to_cpu(rd->node_crc), crc);
-                        goto free_out;
-                }
                /* Sanity checks */
                if (unlikely(je32_to_cpu(rd->offset) > je32_to_cpu(rd->isize)) ||
@@ -343,7 +366,7 @@ free_out:
 * Helper function for jffs2_get_inode_nodes().
 * It is called every time an unknown node is found.
 *
- * Returns: 0 on succes;
+ * Returns: 0 on success;
 *          1 if the node should be marked obsolete;
 *          negative error code on failure.
 */
@@ -354,37 +377,30 @@ static inline int read_unknown(struct jffs2_sb_info *c, struct jffs2_raw_node_re
        un->nodetype = cpu_to_je16(JFFS2_NODE_ACCURATE | je16_to_cpu(un->nodetype));
-        if (crc32(0, un, sizeof(struct jffs2_unknown_node) - 4) != je32_to_cpu(un->hdr_crc)) {
+        switch(je16_to_cpu(un->nodetype) & JFFS2_COMPAT_MASK) {
-                /* Hmmm. This should have been caught at scan time. */
-                JFFS2_NOTICE("node header CRC failed at %#08x. But it must have been OK earlier.\n", ref_offset(ref));
-                jffs2_dbg_dump_node(c, ref_offset(ref));
-                return 1;
-        } else {
-                switch(je16_to_cpu(un->nodetype) & JFFS2_COMPAT_MASK) {
-                case JFFS2_FEATURE_INCOMPAT:
+        case JFFS2_FEATURE_INCOMPAT:
-                        JFFS2_ERROR("unknown INCOMPAT nodetype %#04X at %#08x\n",
+                JFFS2_ERROR("unknown INCOMPAT nodetype %#04X at %#08x\n",
-                                je16_to_cpu(un->nodetype), ref_offset(ref));
+                            je16_to_cpu(un->nodetype), ref_offset(ref));
-                        /* EEP */
+                /* EEP */
-                        BUG();
+                BUG();
-                        break;
+                break;
-                case JFFS2_FEATURE_ROCOMPAT:
+        case JFFS2_FEATURE_ROCOMPAT:
-                        JFFS2_ERROR("unknown ROCOMPAT nodetype %#04X at %#08x\n",
+                JFFS2_ERROR("unknown ROCOMPAT nodetype %#04X at %#08x\n",
-                                        je16_to_cpu(un->nodetype), ref_offset(ref));
+                            je16_to_cpu(un->nodetype), ref_offset(ref));
-                        BUG_ON(!(c->flags & JFFS2_SB_FLAG_RO));
+                BUG_ON(!(c->flags & JFFS2_SB_FLAG_RO));
-                        break;
+                break;
-                case JFFS2_FEATURE_RWCOMPAT_COPY:
+        case JFFS2_FEATURE_RWCOMPAT_COPY:
-                        JFFS2_NOTICE("unknown RWCOMPAT_COPY nodetype %#04X at %#08x\n",
+                JFFS2_NOTICE("unknown RWCOMPAT_COPY nodetype %#04X at %#08x\n",
-                                        je16_to_cpu(un->nodetype), ref_offset(ref));
+                             je16_to_cpu(un->nodetype), ref_offset(ref));
-                        break;
+                break;
-                case JFFS2_FEATURE_RWCOMPAT_DELETE:
+        case JFFS2_FEATURE_RWCOMPAT_DELETE:
-                        JFFS2_NOTICE("unknown RWCOMPAT_DELETE nodetype %#04X at %#08x\n",
+                JFFS2_NOTICE("unknown RWCOMPAT_DELETE nodetype %#04X at %#08x\n",
-                                        je16_to_cpu(un->nodetype), ref_offset(ref));
+                             je16_to_cpu(un->nodetype), ref_offset(ref));
-                        return 1;
+                return 1;
-                }
        }
        return 0;
@@ -434,7 +450,7 @@ static int read_more(struct jffs2_sb_info *c, struct jffs2_raw_node_ref *ref,
        }
        if (retlen < len) {
-                JFFS2_ERROR("short read at %#08x: %d instead of %d.\n",
+                JFFS2_ERROR("short read at %#08x: %zu instead of %d.\n",
                                offs, retlen, len);
                return -EIO;
        }
@@ -542,13 +558,25 @@ static int jffs2_get_inode_nodes(struct jffs2_sb_info *c, struct jffs2_inode_inf
                }
                if (retlen < len) {
-                        JFFS2_ERROR("short read at %#08x: %d instead of %d.\n", ref_offset(ref), retlen, len);
+                        JFFS2_ERROR("short read at %#08x: %zu instead of %d.\n", ref_offset(ref), retlen, len);
                        err = -EIO;
                        goto free_out;
                }
                node = (union jffs2_node_union *)bufstart;
+                /* No need to mask in the valid bit; it shouldn't be invalid */
+                if (je32_to_cpu(node->u.hdr_crc) != crc32(0, node, sizeof(node->u)-4)) {
+                        JFFS2_NOTICE("Node header CRC failed at %#08x. {%04x,%04x,%08x,%08x}\n",
+                                     ref_offset(ref), je16_to_cpu(node->u.magic),
+                                     je16_to_cpu(node->u.nodetype),
+                                     je32_to_cpu(node->u.totlen),
+                                     je32_to_cpu(node->u.hdr_crc));
+                        jffs2_dbg_dump_node(c, ref_offset(ref));
+                        jffs2_mark_node_obsolete(c, ref);
+                        goto cont;
+                }
                switch (je16_to_cpu(node->u.nodetype)) {
                case JFFS2_NODETYPE_DIRENT:
@@ -606,6 +634,7 @@ static int jffs2_get_inode_nodes(struct jffs2_sb_info *c, struct jffs2_inode_inf
                                goto free_out;
                }
+        cont:
                spin_lock(&c->erase_completion_lock);
        }
@@ -679,12 +708,12 @@ static int jffs2_do_read_inode_internal(struct jffs2_sb_info *c,
                        jffs2_mark_node_obsolete(c, fn->raw);
                BUG_ON(rb->rb_left);
-                if (rb->rb_parent && rb->rb_parent->rb_left == rb) {
+                if (rb_parent(rb) && rb_parent(rb)->rb_left == rb) {
                        /* We were then left-hand child of our parent. We need
                         * to move our own right-hand child into our place. */
                        repl_rb = rb->rb_right;
                        if (repl_rb)
-                                repl_rb->rb_parent = rb->rb_parent;
+                                rb_set_parent(repl_rb, rb_parent(rb));
                } else
                        repl_rb = NULL;
@@ -692,14 +721,14 @@ static int jffs2_do_read_inode_internal(struct jffs2_sb_info *c,
                /* Remove the spent tn from the tree; don't bother rebalancing
                 * but put our right-hand child in our own place. */
-                if (tn->rb.rb_parent) {
+                if (rb_parent(&tn->rb)) {
-                        if (tn->rb.rb_parent->rb_left == &tn->rb)
+                        if (rb_parent(&tn->rb)->rb_left == &tn->rb)
-                                tn->rb.rb_parent->rb_left = repl_rb;
+                                rb_parent(&tn->rb)->rb_left = repl_rb;
-                        else if (tn->rb.rb_parent->rb_right == &tn->rb)
+                        else if (rb_parent(&tn->rb)->rb_right == &tn->rb)
-                                tn->rb.rb_parent->rb_right = repl_rb;
+                                rb_parent(&tn->rb)->rb_right = repl_rb;
                        else BUG();
                } else if (tn->rb.rb_right)
-                        tn->rb.rb_right->rb_parent = NULL;
+                        rb_set_parent(tn->rb.rb_right, NULL);
                jffs2_free_tmp_dnode_info(tn);
                if (ret) {
@@ -939,6 +968,7 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
        struct jffs2_full_dirent *fd, *fds;
        int deleted;
+        jffs2_xattr_delete_inode(c, f->inocache);
        down(&f->sem);
        deleted = f->inocache && !f->inocache->nlink;
diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c
index cf55b221fc2b..2bfdc33752d3 100644
--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -65,6 +65,28 @@ static inline uint32_t EMPTY_SCAN_SIZE(uint32_t sector_size) {
                return DEFAULT_EMPTY_SCAN_SIZE;
 }
+static int file_dirty(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb)
+{
+        int ret;
+        if ((ret = jffs2_prealloc_raw_node_refs(c, jeb, 1)))
+                return ret;
+        if ((ret = jffs2_scan_dirty_space(c, jeb, jeb->free_size)))
+                return ret;
+        /* Turned wasted size into dirty, since we apparently 
+           think it's recoverable now. */
+        jeb->dirty_size += jeb->wasted_size;
+        c->dirty_size += jeb->wasted_size;
+        c->wasted_size -= jeb->wasted_size;
+        jeb->wasted_size = 0;
+        if (VERYDIRTY(c, jeb->dirty_size)) {
+                list_add(&jeb->list, &c->very_dirty_list);
+        } else {
+                list_add(&jeb->list, &c->dirty_list);
+        }
+        return 0;
+}
 int jffs2_scan_medium(struct jffs2_sb_info *c)
 {
        int i, ret;
@@ -170,34 +192,20 @@ int jffs2_scan_medium(struct jffs2_sb_info *c)
                                        (!c->nextblock || c->nextblock->free_size < jeb->free_size)) {
                                /* Better candidate for the next writes to go to */
                                if (c->nextblock) {
-                                        c->nextblock->dirty_size += c->nextblock->free_size + c->nextblock->wasted_size;
+                                        ret = file_dirty(c, c->nextblock);
-                                        c->dirty_size += c->nextblock->free_size + c->nextblock->wasted_size;
+                                        if (ret)
-                                        c->free_size -= c->nextblock->free_size;
+                                                return ret;
-                                        c->wasted_size -= c->nextblock->wasted_size;
-                                        c->nextblock->free_size = c->nextblock->wasted_size = 0;
-                                        if (VERYDIRTY(c, c->nextblock->dirty_size)) {
-                                                list_add(&c->nextblock->list, &c->very_dirty_list);
-                                        } else {
-                                                list_add(&c->nextblock->list, &c->dirty_list);
-                                        }
                                        /* deleting summary information of the old nextblock */
                                        jffs2_sum_reset_collected(c->summary);
                                }
-                                /* update collected summary infromation for the current nextblock */
+                                /* update collected summary information for the current nextblock */
                                jffs2_sum_move_collected(c, s);
                                D1(printk(KERN_DEBUG "jffs2_scan_medium(): new nextblock = 0x%08x\n", jeb->offset));
                                c->nextblock = jeb;
                        } else {
-                                jeb->dirty_size += jeb->free_size + jeb->wasted_size;
+                                ret = file_dirty(c, jeb);
-                                c->dirty_size += jeb->free_size + jeb->wasted_size;
+                                if (ret)
-                                c->free_size -= jeb->free_size;
+                                        return ret;
-                                c->wasted_size -= jeb->wasted_size;
-                                jeb->free_size = jeb->wasted_size = 0;
-                                if (VERYDIRTY(c, jeb->dirty_size)) {
-                                        list_add(&jeb->list, &c->very_dirty_list);
-                                } else {
-                                        list_add(&jeb->list, &c->dirty_list);
-                                }
                        }
                        break;
@@ -222,9 +230,6 @@ int jffs2_scan_medium(struct jffs2_sb_info *c)
                }
        }
-        if (jffs2_sum_active() && s)
-                kfree(s);
        /* Nextblock dirty is always seen as wasted, because we cannot recycle it now */
        if (c->nextblock && (c->nextblock->dirty_size)) {
                c->nextblock->wasted_size += c->nextblock->dirty_size;
@@ -242,11 +247,8 @@ int jffs2_scan_medium(struct jffs2_sb_info *c)
                D1(printk(KERN_DEBUG "jffs2_scan_medium(): Skipping %d bytes in nextblock to ensure page alignment\n",
                          skip));
-                c->nextblock->wasted_size += skip;
+                jffs2_prealloc_raw_node_refs(c, c->nextblock, 1);
-                c->wasted_size += skip;
+                jffs2_scan_dirty_space(c, c->nextblock, skip);
-                c->nextblock->free_size -= skip;
-                c->free_size -= skip;
        }
 #endif
        if (c->nr_erasing_blocks) {
@@ -266,6 +268,9 @@ int jffs2_scan_medium(struct jffs2_sb_info *c)
        else
                c->mtd->unpoint(c->mtd, flashbuf, 0, c->mtd->size);
 #endif
+        if (s)
+                kfree(s);
        return ret;
 }
@@ -290,7 +295,7 @@ int jffs2_fill_scan_buf (struct jffs2_sb_info *c, void *buf,
 int jffs2_scan_classify_jeb(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb)
 {
        if ((jeb->used_size + jeb->unchecked_size) == PAD(c->cleanmarker_size) && !jeb->dirty_size
-                && (!jeb->first_node || !jeb->first_node->next_phys) )
+            && (!jeb->first_node || !ref_next(jeb->first_node)) )
                return BLK_STATE_CLEANMARKER;
        /* move blocks with max 4 byte dirty space to cleanlist */
@@ -306,11 +311,126 @@ int jffs2_scan_classify_jeb(struct jffs2_sb_info *c, struct jffs2_eraseblock *je
                return BLK_STATE_ALLDIRTY;
 }
+#ifdef CONFIG_JFFS2_FS_XATTR
+static int jffs2_scan_xattr_node(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
+                                 struct jffs2_raw_xattr *rx, uint32_t ofs,
+                                 struct jffs2_summary *s)
+{
+        struct jffs2_xattr_datum *xd;
+        uint32_t xid, version, totlen, crc;
+        int err;
+        crc = crc32(0, rx, sizeof(struct jffs2_raw_xattr) - 4);
+        if (crc != je32_to_cpu(rx->node_crc)) {
+                JFFS2_WARNING("node CRC failed at %#08x, read=%#08x, calc=%#08x\n",
+                              ofs, je32_to_cpu(rx->node_crc), crc);
+                if ((err = jffs2_scan_dirty_space(c, jeb, je32_to_cpu(rx->totlen))))
+                        return err;
+                return 0;
+        }
+        xid = je32_to_cpu(rx->xid);
+        version = je32_to_cpu(rx->version);
+        totlen = PAD(sizeof(struct jffs2_raw_xattr)
+                        + rx->name_len + 1 + je16_to_cpu(rx->value_len));
+        if (totlen != je32_to_cpu(rx->totlen)) {
+                JFFS2_WARNING("node length mismatch at %#08x, read=%u, calc=%u\n",
+                              ofs, je32_to_cpu(rx->totlen), totlen);
+                if ((err = jffs2_scan_dirty_space(c, jeb, je32_to_cpu(rx->totlen))))
+                        return err;
+                return 0;
+        }
+        xd = jffs2_setup_xattr_datum(c, xid, version);
+        if (IS_ERR(xd))
+                return PTR_ERR(xd);
+        if (xd->version > version) {
+                struct jffs2_raw_node_ref *raw
+                        = jffs2_link_node_ref(c, jeb, ofs | REF_PRISTINE, totlen, NULL);
+                raw->next_in_ino = xd->node->next_in_ino;
+                xd->node->next_in_ino = raw;
+        } else {
+                xd->version = version;
+                xd->xprefix = rx->xprefix;
+                xd->name_len = rx->name_len;
+                xd->value_len = je16_to_cpu(rx->value_len);
+                xd->data_crc = je32_to_cpu(rx->data_crc);
+                jffs2_link_node_ref(c, jeb, ofs | REF_PRISTINE, totlen, (void *)xd);
+        }
+        if (jffs2_sum_active())
+                jffs2_sum_add_xattr_mem(s, rx, ofs - jeb->offset);
+        dbg_xattr("scaning xdatum at %#08x (xid=%u, version=%u)\n",
+                  ofs, xd->xid, xd->version);
+        return 0;
+}
+static int jffs2_scan_xref_node(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
+                                struct jffs2_raw_xref *rr, uint32_t ofs,
+                                struct jffs2_summary *s)
+{
+        struct jffs2_xattr_ref *ref;
+        uint32_t crc;
+        int err;
+        crc = crc32(0, rr, sizeof(*rr) - 4);
+        if (crc != je32_to_cpu(rr->node_crc)) {
+                JFFS2_WARNING("node CRC failed at %#08x, read=%#08x, calc=%#08x\n",
+                              ofs, je32_to_cpu(rr->node_crc), crc);
+                if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(rr->totlen)))))
+                        return err;
+                return 0;
+        }
+        if (PAD(sizeof(struct jffs2_raw_xref)) != je32_to_cpu(rr->totlen)) {
+                JFFS2_WARNING("node length mismatch at %#08x, read=%u, calc=%zd\n",
+                              ofs, je32_to_cpu(rr->totlen),
+                              PAD(sizeof(struct jffs2_raw_xref)));
+                if ((err = jffs2_scan_dirty_space(c, jeb, je32_to_cpu(rr->totlen))))
+                        return err;
+                return 0;
+        }
+        ref = jffs2_alloc_xattr_ref();
+        if (!ref)
+                return -ENOMEM;
+        /* BEFORE jffs2_build_xattr_subsystem() called, 
+         * and AFTER xattr_ref is marked as a dead xref,
+         * ref->xid is used to store 32bit xid, xd is not used
+         * ref->ino is used to store 32bit inode-number, ic is not used
+         * Thoes variables are declared as union, thus using those
+         * are exclusive. In a similar way, ref->next is temporarily
+         * used to chain all xattr_ref object. It's re-chained to
+         * jffs2_inode_cache in jffs2_build_xattr_subsystem() correctly.
+         */
+        ref->ino = je32_to_cpu(rr->ino);
+        ref->xid = je32_to_cpu(rr->xid);
+        ref->xseqno = je32_to_cpu(rr->xseqno);
+        if (ref->xseqno > c->highest_xseqno)
+                c->highest_xseqno = (ref->xseqno & ~XREF_DELETE_MARKER);
+        ref->next = c->xref_temp;
+        c->xref_temp = ref;
+        jffs2_link_node_ref(c, jeb, ofs | REF_PRISTINE, PAD(je32_to_cpu(rr->totlen)), (void *)ref);
+        if (jffs2_sum_active())
+                jffs2_sum_add_xref_mem(s, rr, ofs - jeb->offset);
+        dbg_xattr("scan xref at %#08x (xid=%u, ino=%u)\n",
+                  ofs, ref->xid, ref->ino);
+        return 0;
+}
+#endif
+/* Called with 'buf_size == 0' if buf is in fact a pointer _directly_ into
+   the flash, XIP-style */
 static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
-                                unsigned char *buf, uint32_t buf_size, struct jffs2_summary *s) {
+                                  unsigned char *buf, uint32_t buf_size, struct jffs2_summary *s) {
        struct jffs2_unknown_node *node;
        struct jffs2_unknown_node crcnode;
-        struct jffs2_sum_marker *sm;
        uint32_t ofs, prevofs;
        uint32_t hdr_crc, buf_ofs, buf_len;
        int err;
@@ -344,44 +464,75 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo
 #endif
        if (jffs2_sum_active()) {
-                sm = kmalloc(sizeof(struct jffs2_sum_marker), GFP_KERNEL);
+                struct jffs2_sum_marker *sm;
-                if (!sm) {
+                void *sumptr = NULL;
-                        return -ENOMEM;
+                uint32_t sumlen;
-                }
+              
+                if (!buf_size) {
-                err = jffs2_fill_scan_buf(c, (unsigned char *) sm, jeb->offset + c->sector_size -
+                        /* XIP case. Just look, point at the summary if it's there */
-                                        sizeof(struct jffs2_sum_marker), sizeof(struct jffs2_sum_marker));
+                        sm = (void *)buf + c->sector_size - sizeof(*sm);
-                if (err) {
+                        if (je32_to_cpu(sm->magic) == JFFS2_SUM_MAGIC) {
-                        kfree(sm);
+                                sumptr = buf + je32_to_cpu(sm->offset);
-                        return err;
+                                sumlen = c->sector_size - je32_to_cpu(sm->offset);
-                }
+                        }
+                } else {
-                if (je32_to_cpu(sm->magic) == JFFS2_SUM_MAGIC ) {
+                        /* If NAND flash, read a whole page of it. Else just the end */
-                        err = jffs2_sum_scan_sumnode(c, jeb, je32_to_cpu(sm->offset), &pseudo_random);
+                        if (c->wbuf_pagesize)
-                        if (err) {
+                                buf_len = c->wbuf_pagesize;
-                                kfree(sm);
+                        else
+                                buf_len = sizeof(*sm);
+                        /* Read as much as we want into the _end_ of the preallocated buffer */
+                        err = jffs2_fill_scan_buf(c, buf + buf_size - buf_len, 
+                                                  jeb->offset + c->sector_size - buf_len,
+                                                  buf_len);                             
+                        if (err)
                                return err;
+                        sm = (void *)buf + buf_size - sizeof(*sm);
+                        if (je32_to_cpu(sm->magic) == JFFS2_SUM_MAGIC) {
+                                sumlen = c->sector_size - je32_to_cpu(sm->offset);
+                                sumptr = buf + buf_size - sumlen;
+                                /* Now, make sure the summary itself is available */
+                                if (sumlen > buf_size) {
+                                        /* Need to kmalloc for this. */
+                                        sumptr = kmalloc(sumlen, GFP_KERNEL);
+                                        if (!sumptr)
+                                                return -ENOMEM;
+                                        memcpy(sumptr + sumlen - buf_len, buf + buf_size - buf_len, buf_len);
+                                }
+                                if (buf_len < sumlen) {
+                                        /* Need to read more so that the entire summary node is present */
+                                        err = jffs2_fill_scan_buf(c, sumptr, 
+                                                                  jeb->offset + c->sector_size - sumlen,
+                                                                  sumlen - buf_len);                            
+                                        if (err)
+                                                return err;
+                                }
                        }
                }
-                kfree(sm);
+                if (sumptr) {
+                        err = jffs2_sum_scan_sumnode(c, jeb, sumptr, sumlen, &pseudo_random);
-                ofs = jeb->offset;
+                        if (buf_size && sumlen > buf_size)
-                prevofs = jeb->offset - 1;
+                                kfree(sumptr);
+                        /* If it returns with a real error, bail. 
+                           If it returns positive, that's a block classification
+                           (i.e. BLK_STATE_xxx) so return that too.
+                           If it returns zero, fall through to full scan. */
+                        if (err)
+                                return err;
+                }
        }
        buf_ofs = jeb->offset;
        if (!buf_size) {
+                /* This is the XIP case -- we're reading _directly_ from the flash chip */
                buf_len = c->sector_size;
-                if (jffs2_sum_active()) {
-                        /* must reread because of summary test */
-                        err = jffs2_fill_scan_buf(c, buf, buf_ofs, buf_len);
-                        if (err)
-                                return err;
-                }
        } else {
                buf_len = EMPTY_SCAN_SIZE(c->sector_size);
                err = jffs2_fill_scan_buf(c, buf, buf_ofs, buf_len);
@@ -418,7 +569,10 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo
        if (ofs) {
                D1(printk(KERN_DEBUG "Free space at %08x ends at %08x\n", jeb->offset,
                          jeb->offset + ofs));
-                DIRTY_SPACE(ofs);
+                if ((err = jffs2_prealloc_raw_node_refs(c, jeb, 1)))
+                        return err;
+                if ((err = jffs2_scan_dirty_space(c, jeb, ofs)))
+                        return err;
        }
        /* Now ofs is a complete physical flash offset as it always was... */
@@ -433,6 +587,11 @@ scan_more:
                jffs2_dbg_acct_paranoia_check_nolock(c, jeb);
+                /* Make sure there are node refs available for use */
+                err = jffs2_prealloc_raw_node_refs(c, jeb, 2);
+                if (err)
+                        return err;
                cond_resched();
                if (ofs & 3) {
@@ -442,7 +601,8 @@ scan_more:
                }
                if (ofs == prevofs) {
                        printk(KERN_WARNING "ofs 0x%08x has already been seen. Skipping\n", ofs);
-                        DIRTY_SPACE(4);
+                        if ((err = jffs2_scan_dirty_space(c, jeb, 4)))
+                                return err;
                        ofs += 4;
                        continue;
                }
@@ -451,7 +611,8 @@ scan_more:
                if (jeb->offset + c->sector_size < ofs + sizeof(*node)) {
                        D1(printk(KERN_DEBUG "Fewer than %zd bytes left to end of block. (%x+%x<%x+%zx) Not reading\n", sizeof(struct jffs2_unknown_node),
                                  jeb->offset, c->sector_size, ofs, sizeof(*node)));
-                        DIRTY_SPACE((jeb->offset + c->sector_size)-ofs);
+                        if ((err = jffs2_scan_dirty_space(c, jeb, (jeb->offset + c->sector_size)-ofs)))
+                                return err;
                        break;
                }
@@ -481,7 +642,8 @@ scan_more:
                                if (*(uint32_t *)(&buf[inbuf_ofs]) != 0xffffffff) {
                                        printk(KERN_WARNING "Empty flash at 0x%08x ends at 0x%08x\n",
                                               empty_start, ofs);
-                                        DIRTY_SPACE(ofs-empty_start);
+                                        if ((err = jffs2_scan_dirty_space(c, jeb, ofs-empty_start)))
+                                                return err;
                                        goto scan_more;
                                }
@@ -494,7 +656,7 @@ scan_more:
                        /* If we're only checking the beginning of a block with a cleanmarker,
                           bail now */
                        if (buf_ofs == jeb->offset && jeb->used_size == PAD(c->cleanmarker_size) &&
-                            c->cleanmarker_size && !jeb->dirty_size && !jeb->first_node->next_phys) {
+                            c->cleanmarker_size && !jeb->dirty_size && !ref_next(jeb->first_node)) {
                                D1(printk(KERN_DEBUG "%d bytes at start of block seems clean... assuming all clean\n", EMPTY_SCAN_SIZE(c->sector_size)));
                                return BLK_STATE_CLEANMARKER;
                        }
@@ -518,20 +680,23 @@ scan_more:
                if (ofs == jeb->offset && je16_to_cpu(node->magic) == KSAMTIB_CIGAM_2SFFJ) {
                        printk(KERN_WARNING "Magic bitmask is backwards at offset 0x%08x. Wrong endian filesystem?\n", ofs);
-                        DIRTY_SPACE(4);
+                        if ((err = jffs2_scan_dirty_space(c, jeb, 4)))
+                                return err;
                        ofs += 4;
                        continue;
                }
                if (je16_to_cpu(node->magic) == JFFS2_DIRTY_BITMASK) {
                        D1(printk(KERN_DEBUG "Dirty bitmask at 0x%08x\n", ofs));
-                        DIRTY_SPACE(4);
+                        if ((err = jffs2_scan_dirty_space(c, jeb, 4)))
+                                return err;
                        ofs += 4;
                        continue;
                }
                if (je16_to_cpu(node->magic) == JFFS2_OLD_MAGIC_BITMASK) {
                        printk(KERN_WARNING "Old JFFS2 bitmask found at 0x%08x\n", ofs);
                        printk(KERN_WARNING "You cannot use older JFFS2 filesystems with newer kernels\n");
-                        DIRTY_SPACE(4);
+                        if ((err = jffs2_scan_dirty_space(c, jeb, 4)))
+                                return err;
                        ofs += 4;
                        continue;
                }
@@ -540,7 +705,8 @@ scan_more:
                        noisy_printk(&noise, "jffs2_scan_eraseblock(): Magic bitmask 0x%04x not found at 0x%08x: 0x%04x instead\n",
                                     JFFS2_MAGIC_BITMASK, ofs,
                                     je16_to_cpu(node->magic));
-                        DIRTY_SPACE(4);
+                        if ((err = jffs2_scan_dirty_space(c, jeb, 4)))
+                                return err;
                        ofs += 4;
                        continue;
                }
@@ -557,7 +723,8 @@ scan_more:
                                     je32_to_cpu(node->totlen),
                                     je32_to_cpu(node->hdr_crc),
                                     hdr_crc);
-                        DIRTY_SPACE(4);
+                        if ((err = jffs2_scan_dirty_space(c, jeb, 4)))
+                                return err;
                        ofs += 4;
                        continue;
                }
@@ -568,7 +735,8 @@ scan_more:
                        printk(KERN_WARNING "Node at 0x%08x with length 0x%08x would run over the end of the erase block\n",
                               ofs, je32_to_cpu(node->totlen));
                        printk(KERN_WARNING "Perhaps the file system was created with the wrong erase size?\n");
-                        DIRTY_SPACE(4);
+                        if ((err = jffs2_scan_dirty_space(c, jeb, 4)))
+                                return err;
                        ofs += 4;
                        continue;
                }
@@ -576,7 +744,8 @@ scan_more:
                if (!(je16_to_cpu(node->nodetype) & JFFS2_NODE_ACCURATE)) {
                        /* Wheee. This is an obsoleted node */
                        D2(printk(KERN_DEBUG "Node at 0x%08x is obsolete. Skipping\n", ofs));
-                        DIRTY_SPACE(PAD(je32_to_cpu(node->totlen)));
+                        if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(node->totlen)))))
+                                return err;
                        ofs += PAD(je32_to_cpu(node->totlen));
                        continue;
                }
@@ -614,30 +783,59 @@ scan_more:
                        ofs += PAD(je32_to_cpu(node->totlen));
                        break;
+#ifdef CONFIG_JFFS2_FS_XATTR
+                case JFFS2_NODETYPE_XATTR:
+                        if (buf_ofs + buf_len < ofs + je32_to_cpu(node->totlen)) {
+                                buf_len = min_t(uint32_t, buf_size, jeb->offset + c->sector_size - ofs);
+                                D1(printk(KERN_DEBUG "Fewer than %d bytes (xattr node)"
+                                          " left to end of buf. Reading 0x%x at 0x%08x\n",
+                                          je32_to_cpu(node->totlen), buf_len, ofs));
+                                err = jffs2_fill_scan_buf(c, buf, ofs, buf_len);
+                                if (err)
+                                        return err;
+                                buf_ofs = ofs;
+                                node = (void *)buf;
+                        }
+                        err = jffs2_scan_xattr_node(c, jeb, (void *)node, ofs, s);
+                        if (err)
+                                return err;
+                        ofs += PAD(je32_to_cpu(node->totlen));
+                        break;
+                case JFFS2_NODETYPE_XREF:
+                        if (buf_ofs + buf_len < ofs + je32_to_cpu(node->totlen)) {
+                                buf_len = min_t(uint32_t, buf_size, jeb->offset + c->sector_size - ofs);
+                                D1(printk(KERN_DEBUG "Fewer than %d bytes (xref node)"
+                                          " left to end of buf. Reading 0x%x at 0x%08x\n",
+                                          je32_to_cpu(node->totlen), buf_len, ofs));
+                                err = jffs2_fill_scan_buf(c, buf, ofs, buf_len);
+                                if (err)
+                                        return err;
+                                buf_ofs = ofs;
+                                node = (void *)buf;
+                        }
+                        err = jffs2_scan_xref_node(c, jeb, (void *)node, ofs, s);
+                        if (err)
+                                return err;
+                        ofs += PAD(je32_to_cpu(node->totlen));
+                        break;
+#endif  /* CONFIG_JFFS2_FS_XATTR */
                case JFFS2_NODETYPE_CLEANMARKER:
                        D1(printk(KERN_DEBUG "CLEANMARKER node found at 0x%08x\n", ofs));
                        if (je32_to_cpu(node->totlen) != c->cleanmarker_size) {
                                printk(KERN_NOTICE "CLEANMARKER node found at 0x%08x has totlen 0x%x != normal 0x%x\n",
                                       ofs, je32_to_cpu(node->totlen), c->cleanmarker_size);
-                                DIRTY_SPACE(PAD(sizeof(struct jffs2_unknown_node)));
+                                if ((err = jffs2_scan_dirty_space(c, jeb, PAD(sizeof(struct jffs2_unknown_node)))))
+                                        return err;
                                ofs += PAD(sizeof(struct jffs2_unknown_node));
                        } else if (jeb->first_node) {
                                printk(KERN_NOTICE "CLEANMARKER node found at 0x%08x, not first node in block (0x%08x)\n", ofs, jeb->offset);
-                                DIRTY_SPACE(PAD(sizeof(struct jffs2_unknown_node)));
+                                if ((err = jffs2_scan_dirty_space(c, jeb, PAD(sizeof(struct jffs2_unknown_node)))))
+                                        return err;
                                ofs += PAD(sizeof(struct jffs2_unknown_node));
                        } else {
-                                struct jffs2_raw_node_ref *marker_ref = jffs2_alloc_raw_node_ref();
+                                jffs2_link_node_ref(c, jeb, ofs | REF_NORMAL, c->cleanmarker_size, NULL);
-                                if (!marker_ref) {
-                                        printk(KERN_NOTICE "Failed to allocate node ref for clean marker\n");
-                                        return -ENOMEM;
-                                }
-                                marker_ref->next_in_ino = NULL;
-                                marker_ref->next_phys = NULL;
-                                marker_ref->flash_offset = ofs | REF_NORMAL;
-                                marker_ref->__totlen = c->cleanmarker_size;
-                                jeb->first_node = jeb->last_node = marker_ref;
-                                USED_SPACE(PAD(c->cleanmarker_size));
                                ofs += PAD(c->cleanmarker_size);
                        }
                        break;
@@ -645,7 +843,8 @@ scan_more:
                case JFFS2_NODETYPE_PADDING:
                        if (jffs2_sum_active())
                                jffs2_sum_add_padding_mem(s, je32_to_cpu(node->totlen));
-                        DIRTY_SPACE(PAD(je32_to_cpu(node->totlen)));
+                        if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(node->totlen)))))
+                                return err;
                        ofs += PAD(je32_to_cpu(node->totlen));
                        break;
@@ -656,7 +855,8 @@ scan_more:
                                c->flags |= JFFS2_SB_FLAG_RO;
                                if (!(jffs2_is_readonly(c)))
                                        return -EROFS;
-                                DIRTY_SPACE(PAD(je32_to_cpu(node->totlen)));
+                                if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(node->totlen)))))
+                                        return err;
                                ofs += PAD(je32_to_cpu(node->totlen));
                                break;
@@ -666,15 +866,21 @@ scan_more:
                        case JFFS2_FEATURE_RWCOMPAT_DELETE:
                                D1(printk(KERN_NOTICE "Unknown but compatible feature node (0x%04x) found at offset 0x%08x\n", je16_to_cpu(node->nodetype), ofs));
-                                DIRTY_SPACE(PAD(je32_to_cpu(node->totlen)));
+                                if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(node->totlen)))))
+                                        return err;
                                ofs += PAD(je32_to_cpu(node->totlen));
                                break;
-                        case JFFS2_FEATURE_RWCOMPAT_COPY:
+                        case JFFS2_FEATURE_RWCOMPAT_COPY: {
                                D1(printk(KERN_NOTICE "Unknown but compatible feature node (0x%04x) found at offset 0x%08x\n", je16_to_cpu(node->nodetype), ofs));
-                                USED_SPACE(PAD(je32_to_cpu(node->totlen)));
+                                jffs2_link_node_ref(c, jeb, ofs | REF_PRISTINE, PAD(je32_to_cpu(node->totlen)), NULL);
+                                /* We can't summarise nodes we don't grok */
+                                jffs2_sum_disable_collecting(s);
                                ofs += PAD(je32_to_cpu(node->totlen));
                                break;
+                                }
                        }
                }
        }
@@ -687,9 +893,9 @@ scan_more:
                }
        }
-        D1(printk(KERN_DEBUG "Block at 0x%08x: free 0x%08x, dirty 0x%08x, unchecked 0x%08x, used 0x%08x\n", jeb->offset,
+        D1(printk(KERN_DEBUG "Block at 0x%08x: free 0x%08x, dirty 0x%08x, unchecked 0x%08x, used 0x%08x, wasted 0x%08x\n",
-                  jeb->free_size, jeb->dirty_size, jeb->unchecked_size, jeb->used_size));
+                  jeb->offset,jeb->free_size, jeb->dirty_size, jeb->unchecked_size, jeb->used_size, jeb->wasted_size));
+        
        /* mark_node_obsolete can add to wasted !! */
        if (jeb->wasted_size) {
                jeb->dirty_size += jeb->wasted_size;
@@ -730,9 +936,9 @@ struct jffs2_inode_cache *jffs2_scan_make_ino_cache(struct jffs2_sb_info *c, uin
 static int jffs2_scan_inode_node(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
                                 struct jffs2_raw_inode *ri, uint32_t ofs, struct jffs2_summary *s)
 {
-        struct jffs2_raw_node_ref *raw;
        struct jffs2_inode_cache *ic;
        uint32_t ino = je32_to_cpu(ri->ino);
+        int err;
        D1(printk(KERN_DEBUG "jffs2_scan_inode_node(): Node at 0x%08x\n", ofs));
@@ -745,12 +951,6 @@ static int jffs2_scan_inode_node(struct jffs2_sb_info *c, struct jffs2_erasebloc
           Which means that the _full_ amount of time to get to proper write mode with GC
           operational may actually be _longer_ than before. Sucks to be me. */
-        raw = jffs2_alloc_raw_node_ref();
-        if (!raw) {
-                printk(KERN_NOTICE "jffs2_scan_inode_node(): allocation of node reference failed\n");
-                return -ENOMEM;
-        }
        ic = jffs2_get_ino_cache(c, ino);
        if (!ic) {
                /* Inocache get failed. Either we read a bogus ino# or it's just genuinely the
@@ -762,30 +962,17 @@ static int jffs2_scan_inode_node(struct jffs2_sb_info *c, struct jffs2_erasebloc
                        printk(KERN_NOTICE "jffs2_scan_inode_node(): CRC failed on node at 0x%08x: Read 0x%08x, calculated 0x%08x\n",
                               ofs, je32_to_cpu(ri->node_crc), crc);
                        /* We believe totlen because the CRC on the node _header_ was OK, just the node itself failed. */
-                        DIRTY_SPACE(PAD(je32_to_cpu(ri->totlen)));
+                        if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(ri->totlen)))))
-                        jffs2_free_raw_node_ref(raw);
+                                return err;
                        return 0;
                }
                ic = jffs2_scan_make_ino_cache(c, ino);
-                if (!ic) {
+                if (!ic)
-                        jffs2_free_raw_node_ref(raw);
                        return -ENOMEM;
-                }
        }
        /* Wheee. It worked */
+        jffs2_link_node_ref(c, jeb, ofs | REF_UNCHECKED, PAD(je32_to_cpu(ri->totlen)), ic);
-        raw->flash_offset = ofs | REF_UNCHECKED;
-        raw->__totlen = PAD(je32_to_cpu(ri->totlen));
-        raw->next_phys = NULL;
-        raw->next_in_ino = ic->nodes;
-        ic->nodes = raw;
-        if (!jeb->first_node)
-                jeb->first_node = raw;
-        if (jeb->last_node)
-                jeb->last_node->next_phys = raw;
-        jeb->last_node = raw;
        D1(printk(KERN_DEBUG "Node is ino #%u, version %d. Range 0x%x-0x%x\n",
                  je32_to_cpu(ri->ino), je32_to_cpu(ri->version),
@@ -794,8 +981,6 @@ static int jffs2_scan_inode_node(struct jffs2_sb_info *c, struct jffs2_erasebloc
        pseudo_random += je32_to_cpu(ri->version);
-        UNCHECKED_SPACE(PAD(je32_to_cpu(ri->totlen)));
        if (jffs2_sum_active()) {
                jffs2_sum_add_inode_mem(s, ri, ofs - jeb->offset);
        }
@@ -806,10 +991,10 @@ static int jffs2_scan_inode_node(struct jffs2_sb_info *c, struct jffs2_erasebloc
 static int jffs2_scan_dirent_node(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
                                  struct jffs2_raw_dirent *rd, uint32_t ofs, struct jffs2_summary *s)
 {
-        struct jffs2_raw_node_ref *raw;
        struct jffs2_full_dirent *fd;
        struct jffs2_inode_cache *ic;
        uint32_t crc;
+        int err;
        D1(printk(KERN_DEBUG "jffs2_scan_dirent_node(): Node at 0x%08x\n", ofs));
@@ -821,7 +1006,8 @@ static int jffs2_scan_dirent_node(struct jffs2_sb_info *c, struct jffs2_eraseblo
                printk(KERN_NOTICE "jffs2_scan_dirent_node(): Node CRC failed on node at 0x%08x: Read 0x%08x, calculated 0x%08x\n",
                       ofs, je32_to_cpu(rd->node_crc), crc);
                /* We believe totlen because the CRC on the node _header_ was OK, just the node itself failed. */
-                DIRTY_SPACE(PAD(je32_to_cpu(rd->totlen)));
+                if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(rd->totlen)))))
+                        return err;
                return 0;
        }
@@ -842,40 +1028,23 @@ static int jffs2_scan_dirent_node(struct jffs2_sb_info *c, struct jffs2_eraseblo
                jffs2_free_full_dirent(fd);
                /* FIXME: Why do we believe totlen? */
                /* We believe totlen because the CRC on the node _header_ was OK, just the name failed. */
-                DIRTY_SPACE(PAD(je32_to_cpu(rd->totlen)));
+                if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(rd->totlen)))))
+                        return err;
                return 0;
        }
-        raw = jffs2_alloc_raw_node_ref();
-        if (!raw) {
-                jffs2_free_full_dirent(fd);
-                printk(KERN_NOTICE "jffs2_scan_dirent_node(): allocation of node reference failed\n");
-                return -ENOMEM;
-        }
        ic = jffs2_scan_make_ino_cache(c, je32_to_cpu(rd->pino));
        if (!ic) {
                jffs2_free_full_dirent(fd);
-                jffs2_free_raw_node_ref(raw);
                return -ENOMEM;
        }
-        raw->__totlen = PAD(je32_to_cpu(rd->totlen));
+        fd->raw = jffs2_link_node_ref(c, jeb, ofs | REF_PRISTINE, PAD(je32_to_cpu(rd->totlen)), ic);
-        raw->flash_offset = ofs | REF_PRISTINE;
-        raw->next_phys = NULL;
-        raw->next_in_ino = ic->nodes;
-        ic->nodes = raw;
-        if (!jeb->first_node)
-                jeb->first_node = raw;
-        if (jeb->last_node)
-                jeb->last_node->next_phys = raw;
-        jeb->last_node = raw;
-        fd->raw = raw;
        fd->next = NULL;
        fd->version = je32_to_cpu(rd->version);
        fd->ino = je32_to_cpu(rd->ino);
        fd->nhash = full_name_hash(fd->name, rd->nsize);
        fd->type = rd->type;
-        USED_SPACE(PAD(je32_to_cpu(rd->totlen)));
        jffs2_add_fd_to_list(c, fd, &ic->scan_dents);
        if (jffs2_sum_active()) {
diff --git a/fs/jffs2/security.c b/fs/jffs2/security.c
new file mode 100644
index 000000000000..52a9894a6364
--- /dev/null
+++ b/fs/jffs2/security.c
@@ -0,0 +1,82 @@
+/*
+ * JFFS2 -- Journalling Flash File System, Version 2.
+ *
+ * Copyright (C) 2006  NEC Corporation
+ *
+ * Created by KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ * For licensing information, see the file 'LICENCE' in this directory.
+ *
+ */
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/fs.h>
+#include <linux/time.h>
+#include <linux/pagemap.h>
+#include <linux/highmem.h>
+#include <linux/crc32.h>
+#include <linux/jffs2.h>
+#include <linux/xattr.h>
+#include <linux/mtd/mtd.h>
+#include <linux/security.h>
+#include "nodelist.h"
+/* ---- Initial Security Label Attachment -------------- */
+int jffs2_init_security(struct inode *inode, struct inode *dir)
+{
+        int rc;
+        size_t len;
+        void *value;
+        char *name;
+        rc = security_inode_init_security(inode, dir, &name, &value, &len);
+        if (rc) {
+                if (rc == -EOPNOTSUPP)
+                        return 0;
+                return rc;
+        }
+        rc = do_jffs2_setxattr(inode, JFFS2_XPREFIX_SECURITY, name, value, len, 0);
+        kfree(name);
+        kfree(value);
+        return rc;
+}
+/* ---- XATTR Handler for "security.*" ----------------- */
+static int jffs2_security_getxattr(struct inode *inode, const char *name,
+                                   void *buffer, size_t size)
+{
+        if (!strcmp(name, ""))
+                return -EINVAL;
+        return do_jffs2_getxattr(inode, JFFS2_XPREFIX_SECURITY, name, buffer, size);
+}
+static int jffs2_security_setxattr(struct inode *inode, const char *name, const void *buffer,
+                                   size_t size, int flags)
+{
+        if (!strcmp(name, ""))
+                return -EINVAL;
+        return do_jffs2_setxattr(inode, JFFS2_XPREFIX_SECURITY, name, buffer, size, flags);
+}
+static size_t jffs2_security_listxattr(struct inode *inode, char *list, size_t list_size,
+                                       const char *name, size_t name_len)
+{
+        size_t retlen = XATTR_SECURITY_PREFIX_LEN + name_len + 1;
+        if (list && retlen <= list_size) {
+                strcpy(list, XATTR_SECURITY_PREFIX);
+                strcpy(list + XATTR_SECURITY_PREFIX_LEN, name);
+        }
+        return retlen;
+}
+struct xattr_handler jffs2_security_xattr_handler = {
+        .prefix = XATTR_SECURITY_PREFIX,
+        .list = jffs2_security_listxattr,
+        .set = jffs2_security_setxattr,
+        .get = jffs2_security_getxattr
+};
diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c
index fb9cec61fcf2..c19bd476e8ec 100644
--- a/fs/jffs2/summary.c
+++ b/fs/jffs2/summary.c
@@ -5,6 +5,7 @@
 *                     Zoltan Sogor <weth@inf.u-szeged.hu>,
 *                     Patrik Kluba <pajko@halom.u-szeged.hu>,
 *                     University of Szeged, Hungary
+ *               2006  KaiGai Kohei <kaigai@ak.jp.nec.com>
 *
 * For licensing information, see the file 'LICENCE' in this directory.
 *
@@ -42,7 +43,7 @@ int jffs2_sum_init(struct jffs2_sb_info *c)
                return -ENOMEM;
        }
-        dbg_summary("returned succesfully\n");
+        dbg_summary("returned successfully\n");
        return 0;
 }
@@ -81,6 +82,19 @@ static int jffs2_sum_add_mem(struct jffs2_summary *s, union jffs2_sum_mem *item)
                        dbg_summary("dirent (%u) added to summary\n",
                                                je32_to_cpu(item->d.ino));
                        break;
+#ifdef CONFIG_JFFS2_FS_XATTR
+                case JFFS2_NODETYPE_XATTR:
+                        s->sum_size += JFFS2_SUMMARY_XATTR_SIZE;
+                        s->sum_num++;
+                        dbg_summary("xattr (xid=%u, version=%u) added to summary\n",
+                                    je32_to_cpu(item->x.xid), je32_to_cpu(item->x.version));
+                        break;
+                case JFFS2_NODETYPE_XREF:
+                        s->sum_size += JFFS2_SUMMARY_XREF_SIZE;
+                        s->sum_num++;
+                        dbg_summary("xref added to summary\n");
+                        break;
+#endif
                default:
                        JFFS2_WARNING("UNKNOWN node type %u\n",
                                            je16_to_cpu(item->u.nodetype));
@@ -141,6 +155,40 @@ int jffs2_sum_add_dirent_mem(struct jffs2_summary *s, struct jffs2_raw_dirent *r
        return jffs2_sum_add_mem(s, (union jffs2_sum_mem *)temp);
 }
+#ifdef CONFIG_JFFS2_FS_XATTR
+int jffs2_sum_add_xattr_mem(struct jffs2_summary *s, struct jffs2_raw_xattr *rx, uint32_t ofs)
+{
+        struct jffs2_sum_xattr_mem *temp;
+        temp = kmalloc(sizeof(struct jffs2_sum_xattr_mem), GFP_KERNEL);
+        if (!temp)
+                return -ENOMEM;
+        temp->nodetype = rx->nodetype;
+        temp->xid = rx->xid;
+        temp->version = rx->version;
+        temp->offset = cpu_to_je32(ofs);
+        temp->totlen = rx->totlen;
+        temp->next = NULL;
+        return jffs2_sum_add_mem(s, (union jffs2_sum_mem *)temp);
+}
+int jffs2_sum_add_xref_mem(struct jffs2_summary *s, struct jffs2_raw_xref *rr, uint32_t ofs)
+{
+        struct jffs2_sum_xref_mem *temp;
+        temp = kmalloc(sizeof(struct jffs2_sum_xref_mem), GFP_KERNEL);
+        if (!temp)
+                return -ENOMEM;
+        temp->nodetype = rr->nodetype;
+        temp->offset = cpu_to_je32(ofs);
+        temp->next = NULL;
+        return jffs2_sum_add_mem(s, (union jffs2_sum_mem *)temp);
+}
+#endif
 /* Cleanup every collected summary information */
 static void jffs2_sum_clean_collected(struct jffs2_summary *s)
@@ -259,7 +307,34 @@ int jffs2_sum_add_kvec(struct jffs2_sb_info *c, const struct kvec *invecs,
                        return jffs2_sum_add_mem(c->summary, (union jffs2_sum_mem *)temp);
                }
+#ifdef CONFIG_JFFS2_FS_XATTR
+                case JFFS2_NODETYPE_XATTR: {
+                        struct jffs2_sum_xattr_mem *temp;
+                        temp = kmalloc(sizeof(struct jffs2_sum_xattr_mem), GFP_KERNEL);
+                        if (!temp)
+                                goto no_mem;
+                        temp->nodetype = node->x.nodetype;
+                        temp->xid = node->x.xid;
+                        temp->version = node->x.version;
+                        temp->totlen = node->x.totlen;
+                        temp->offset = cpu_to_je32(ofs);
+                        temp->next = NULL;
+                        return jffs2_sum_add_mem(c->summary, (union jffs2_sum_mem *)temp);
+                }
+                case JFFS2_NODETYPE_XREF: {
+                        struct jffs2_sum_xref_mem *temp;
+                        temp = kmalloc(sizeof(struct jffs2_sum_xref_mem), GFP_KERNEL);
+                        if (!temp)
+                                goto no_mem;
+                        temp->nodetype = node->r.nodetype;
+                        temp->offset = cpu_to_je32(ofs);
+                        temp->next = NULL;
+                        return jffs2_sum_add_mem(c->summary, (union jffs2_sum_mem *)temp);
+                }
+#endif
                case JFFS2_NODETYPE_PADDING:
                        dbg_summary("node PADDING\n");
                        c->summary->sum_padded += je32_to_cpu(node->u.totlen);
@@ -288,23 +363,41 @@ no_mem:
        return -ENOMEM;
 }
+static struct jffs2_raw_node_ref *sum_link_node_ref(struct jffs2_sb_info *c,
+                                                    struct jffs2_eraseblock *jeb,
+                                                    uint32_t ofs, uint32_t len,
+                                                    struct jffs2_inode_cache *ic)
+{
+        /* If there was a gap, mark it dirty */
+        if ((ofs & ~3) > c->sector_size - jeb->free_size) {
+                /* Ew. Summary doesn't actually tell us explicitly about dirty space */
+                jffs2_scan_dirty_space(c, jeb, (ofs & ~3) - (c->sector_size - jeb->free_size));
+        }
+        return jffs2_link_node_ref(c, jeb, jeb->offset + ofs, len, ic);
+}
 /* Process the stored summary information - helper function for jffs2_sum_scan_sumnode() */
 static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
                                struct jffs2_raw_summary *summary, uint32_t *pseudo_random)
 {
-        struct jffs2_raw_node_ref *raw;
        struct jffs2_inode_cache *ic;
        struct jffs2_full_dirent *fd;
        void *sp;
        int i, ino;
+        int err;
        sp = summary->sum;
        for (i=0; i<je32_to_cpu(summary->sum_num); i++) {
                dbg_summary("processing summary index %d\n", i);
+                /* Make sure there's a spare ref for dirty space */
+                err = jffs2_prealloc_raw_node_refs(c, jeb, 2);
+                if (err)
+                        return err;
                switch (je16_to_cpu(((struct jffs2_sum_unknown_flash *)sp)->nodetype)) {
                        case JFFS2_NODETYPE_INODE: {
                                struct jffs2_sum_inode_flash *spi;
@@ -312,38 +405,20 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras
                                ino = je32_to_cpu(spi->inode);
-                                dbg_summary("Inode at 0x%08x\n",
+                                dbg_summary("Inode at 0x%08x-0x%08x\n",
-                                                        jeb->offset + je32_to_cpu(spi->offset));
+                                            jeb->offset + je32_to_cpu(spi->offset),
+                                            jeb->offset + je32_to_cpu(spi->offset) + je32_to_cpu(spi->totlen));
-                                raw = jffs2_alloc_raw_node_ref();
-                                if (!raw) {
-                                        JFFS2_NOTICE("allocation of node reference failed\n");
-                                        kfree(summary);
-                                        return -ENOMEM;
-                                }
                                ic = jffs2_scan_make_ino_cache(c, ino);
                                if (!ic) {
                                        JFFS2_NOTICE("scan_make_ino_cache failed\n");
-                                        jffs2_free_raw_node_ref(raw);
-                                        kfree(summary);
                                        return -ENOMEM;
                                }
-                                raw->flash_offset = (jeb->offset + je32_to_cpu(spi->offset)) | REF_UNCHECKED;
+                                sum_link_node_ref(c, jeb, je32_to_cpu(spi->offset) | REF_UNCHECKED,
-                                raw->__totlen = PAD(je32_to_cpu(spi->totlen));
+                                                  PAD(je32_to_cpu(spi->totlen)), ic);
-                                raw->next_phys = NULL;
-                                raw->next_in_ino = ic->nodes;
-                                ic->nodes = raw;
-                                if (!jeb->first_node)
-                                        jeb->first_node = raw;
-                                if (jeb->last_node)
-                                        jeb->last_node->next_phys = raw;
-                                jeb->last_node = raw;
-                                *pseudo_random += je32_to_cpu(spi->version);
-                                UNCHECKED_SPACE(PAD(je32_to_cpu(spi->totlen)));
+                                *pseudo_random += je32_to_cpu(spi->version);
                                sp += JFFS2_SUMMARY_INODE_SIZE;
@@ -354,52 +429,33 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras
                                struct jffs2_sum_dirent_flash *spd;
                                spd = sp;
-                                dbg_summary("Dirent at 0x%08x\n",
+                                dbg_summary("Dirent at 0x%08x-0x%08x\n",
-                                                        jeb->offset + je32_to_cpu(spd->offset));
+                                            jeb->offset + je32_to_cpu(spd->offset),
+                                            jeb->offset + je32_to_cpu(spd->offset) + je32_to_cpu(spd->totlen));
                                fd = jffs2_alloc_full_dirent(spd->nsize+1);
-                                if (!fd) {
+                                if (!fd)
-                                        kfree(summary);
                                        return -ENOMEM;
-                                }
                                memcpy(&fd->name, spd->name, spd->nsize);
                                fd->name[spd->nsize] = 0;
-                                raw = jffs2_alloc_raw_node_ref();
-                                if (!raw) {
-                                        jffs2_free_full_dirent(fd);
-                                        JFFS2_NOTICE("allocation of node reference failed\n");
-                                        kfree(summary);
-                                        return -ENOMEM;
-                                }
                                ic = jffs2_scan_make_ino_cache(c, je32_to_cpu(spd->pino));
                                if (!ic) {
                                        jffs2_free_full_dirent(fd);
-                                        jffs2_free_raw_node_ref(raw);
-                                        kfree(summary);
                                        return -ENOMEM;
                                }
-                                raw->__totlen = PAD(je32_to_cpu(spd->totlen));
+                                fd->raw = sum_link_node_ref(c, jeb,  je32_to_cpu(spd->offset) | REF_UNCHECKED,
-                                raw->flash_offset = (jeb->offset + je32_to_cpu(spd->offset)) | REF_PRISTINE;
+                                                            PAD(je32_to_cpu(spd->totlen)), ic);
-                                raw->next_phys = NULL;
-                                raw->next_in_ino = ic->nodes;
-                                ic->nodes = raw;
-                                if (!jeb->first_node)
-                                        jeb->first_node = raw;
-                                if (jeb->last_node)
-                                        jeb->last_node->next_phys = raw;
-                                jeb->last_node = raw;
-                                fd->raw = raw;
                                fd->next = NULL;
                                fd->version = je32_to_cpu(spd->version);
                                fd->ino = je32_to_cpu(spd->ino);
                                fd->nhash = full_name_hash(fd->name, spd->nsize);
                                fd->type = spd->type;
-                                USED_SPACE(PAD(je32_to_cpu(spd->totlen)));
                                jffs2_add_fd_to_list(c, fd, &ic->scan_dents);
                                *pseudo_random += je32_to_cpu(spd->version);
@@ -408,48 +464,100 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras
                                break;
                        }
+#ifdef CONFIG_JFFS2_FS_XATTR
+                        case JFFS2_NODETYPE_XATTR: {
+                                struct jffs2_xattr_datum *xd;
+                                struct jffs2_sum_xattr_flash *spx;
+                                spx = (struct jffs2_sum_xattr_flash *)sp;
+                                dbg_summary("xattr at %#08x-%#08x (xid=%u, version=%u)\n", 
+                                            jeb->offset + je32_to_cpu(spx->offset),
+                                            jeb->offset + je32_to_cpu(spx->offset) + je32_to_cpu(spx->totlen),
+                                            je32_to_cpu(spx->xid), je32_to_cpu(spx->version));
+                                xd = jffs2_setup_xattr_datum(c, je32_to_cpu(spx->xid),
+                                                                je32_to_cpu(spx->version));
+                                if (IS_ERR(xd))
+                                        return PTR_ERR(xd);
+                                if (xd->version > je32_to_cpu(spx->version)) {
+                                        /* node is not the newest one */
+                                        struct jffs2_raw_node_ref *raw
+                                                = sum_link_node_ref(c, jeb, je32_to_cpu(spx->offset) | REF_UNCHECKED,
+                                                                    PAD(je32_to_cpu(spx->totlen)), NULL);
+                                        raw->next_in_ino = xd->node->next_in_ino;
+                                        xd->node->next_in_ino = raw;
+                                } else {
+                                        xd->version = je32_to_cpu(spx->version);
+                                        sum_link_node_ref(c, jeb, je32_to_cpu(spx->offset) | REF_UNCHECKED,
+                                                          PAD(je32_to_cpu(spx->totlen)), (void *)xd);
+                                }
+                                *pseudo_random += je32_to_cpu(spx->xid);
+                                sp += JFFS2_SUMMARY_XATTR_SIZE;
+                                break;
+                        }
+                        case JFFS2_NODETYPE_XREF: {
+                                struct jffs2_xattr_ref *ref;
+                                struct jffs2_sum_xref_flash *spr;
+                                spr = (struct jffs2_sum_xref_flash *)sp;
+                                dbg_summary("xref at %#08x-%#08x\n",
+                                            jeb->offset + je32_to_cpu(spr->offset),
+                                            jeb->offset + je32_to_cpu(spr->offset) + 
+                                            (uint32_t)PAD(sizeof(struct jffs2_raw_xref)));
+                                ref = jffs2_alloc_xattr_ref();
+                                if (!ref) {
+                                        JFFS2_NOTICE("allocation of xattr_datum failed\n");
+                                        return -ENOMEM;
+                                }
+                                ref->next = c->xref_temp;
+                                c->xref_temp = ref;
+                                sum_link_node_ref(c, jeb, je32_to_cpu(spr->offset) | REF_UNCHECKED,
+                                                  PAD(sizeof(struct jffs2_raw_xref)), (void *)ref);
+                                *pseudo_random += ref->node->flash_offset;
+                                sp += JFFS2_SUMMARY_XREF_SIZE;
+                                break;
+                        }
+#endif
                        default : {
-                                JFFS2_WARNING("Unsupported node type found in summary! Exiting...");
+                                uint16_t nodetype = je16_to_cpu(((struct jffs2_sum_unknown_flash *)sp)->nodetype);
-                                kfree(summary);
+                                JFFS2_WARNING("Unsupported node type %x found in summary! Exiting...\n", nodetype);
-                                return -EIO;
+                                if ((nodetype & JFFS2_COMPAT_MASK) == JFFS2_FEATURE_INCOMPAT)
+                                        return -EIO;
+                                /* For compatible node types, just fall back to the full scan */
+                                c->wasted_size -= jeb->wasted_size;
+                                c->free_size += c->sector_size - jeb->free_size;
+                                c->used_size -= jeb->used_size;
+                                c->dirty_size -= jeb->dirty_size;
+                                jeb->wasted_size = jeb->used_size = jeb->dirty_size = 0;
+                                jeb->free_size = c->sector_size;
+                                jffs2_free_jeb_node_refs(c, jeb);
+                                return -ENOTRECOVERABLE;
                        }
                }
        }
-        kfree(summary);
        return 0;
 }
 /* Process the summary node - called from jffs2_scan_eraseblock() */
 int jffs2_sum_scan_sumnode(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
-                                uint32_t ofs, uint32_t *pseudo_random)
+                           struct jffs2_raw_summary *summary, uint32_t sumsize,
+                           uint32_t *pseudo_random)
 {
        struct jffs2_unknown_node crcnode;
-        struct jffs2_raw_node_ref *cache_ref;
+        int ret, ofs;
-        struct jffs2_raw_summary *summary;
-        int ret, sumsize;
        uint32_t crc;
-        sumsize = c->sector_size - ofs;
+        ofs = c->sector_size - sumsize;
-        ofs += jeb->offset;
        dbg_summary("summary found for 0x%08x at 0x%08x (0x%x bytes)\n",
-                                jeb->offset, ofs, sumsize);
+                    jeb->offset, jeb->offset + ofs, sumsize);
-        summary = kmalloc(sumsize, GFP_KERNEL);
-        if (!summary) {
-                return -ENOMEM;
-        }
-        ret = jffs2_fill_scan_buf(c, (unsigned char *)summary, ofs, sumsize);
-        if (ret) {
-                kfree(summary);
-                return ret;
-        }
        /* OK, now check for node validity and CRC */
        crcnode.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK);
@@ -486,66 +594,49 @@ int jffs2_sum_scan_sumnode(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb
                dbg_summary("Summary : CLEANMARKER node \n");
+                ret = jffs2_prealloc_raw_node_refs(c, jeb, 1);
+                if (ret)
+                        return ret;
                if (je32_to_cpu(summary->cln_mkr) != c->cleanmarker_size) {
                        dbg_summary("CLEANMARKER node has totlen 0x%x != normal 0x%x\n",
                                je32_to_cpu(summary->cln_mkr), c->cleanmarker_size);
-                        UNCHECKED_SPACE(PAD(je32_to_cpu(summary->cln_mkr)));
+                        if ((ret = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(summary->cln_mkr)))))
+                                return ret;
                } else if (jeb->first_node) {
                        dbg_summary("CLEANMARKER node not first node in block "
                                        "(0x%08x)\n", jeb->offset);
-                        UNCHECKED_SPACE(PAD(je32_to_cpu(summary->cln_mkr)));
+                        if ((ret = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(summary->cln_mkr)))))
+                                return ret;
                } else {
-                        struct jffs2_raw_node_ref *marker_ref = jffs2_alloc_raw_node_ref();
+                        jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL,
+                                            je32_to_cpu(summary->cln_mkr), NULL);
-                        if (!marker_ref) {
-                                JFFS2_NOTICE("Failed to allocate node ref for clean marker\n");
-                                kfree(summary);
-                                return -ENOMEM;
-                        }
-                        marker_ref->next_in_ino = NULL;
-                        marker_ref->next_phys = NULL;
-                        marker_ref->flash_offset = jeb->offset | REF_NORMAL;
-                        marker_ref->__totlen = je32_to_cpu(summary->cln_mkr);
-                        jeb->first_node = jeb->last_node = marker_ref;
-                        USED_SPACE( PAD(je32_to_cpu(summary->cln_mkr)) );
                }
        }
-        if (je32_to_cpu(summary->padded)) {
-                DIRTY_SPACE(je32_to_cpu(summary->padded));
-        }
        ret = jffs2_sum_process_sum_data(c, jeb, summary, pseudo_random);
+        /* -ENOTRECOVERABLE isn't a fatal error -- it means we should do a full
+           scan of this eraseblock. So return zero */
+        if (ret == -ENOTRECOVERABLE)
+                return 0;
        if (ret)
-                return ret;
+                return ret;             /* real error */
        /* for PARANOIA_CHECK */
-        cache_ref = jffs2_alloc_raw_node_ref();
+        ret = jffs2_prealloc_raw_node_refs(c, jeb, 2);
+        if (ret)
-        if (!cache_ref) {
+                return ret;
-                JFFS2_NOTICE("Failed to allocate node ref for cache\n");
-                return -ENOMEM;
-        }
-        cache_ref->next_in_ino = NULL;
-        cache_ref->next_phys = NULL;
-        cache_ref->flash_offset = ofs | REF_NORMAL;
-        cache_ref->__totlen = sumsize;
-        if (!jeb->first_node)
-                jeb->first_node = cache_ref;
-        if (jeb->last_node)
-                jeb->last_node->next_phys = cache_ref;
-        jeb->last_node = cache_ref;
-        USED_SPACE(sumsize);
+        sum_link_node_ref(c, jeb, ofs | REF_NORMAL, sumsize, NULL);
-        jeb->wasted_size += jeb->free_size;
+        if (unlikely(jeb->free_size)) {
-        c->wasted_size += jeb->free_size;
+                JFFS2_WARNING("Free size 0x%x bytes in eraseblock @0x%08x with summary?\n",
-        c->free_size -= jeb->free_size;
+                              jeb->free_size, jeb->offset);
-        jeb->free_size = 0;
+                jeb->wasted_size += jeb->free_size;
+                c->wasted_size += jeb->free_size;
+                c->free_size -= jeb->free_size;
+                jeb->free_size = 0;
+        }
        return jffs2_scan_classify_jeb(c, jeb);
@@ -564,6 +655,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
        union jffs2_sum_mem *temp;
        struct jffs2_sum_marker *sm;
        struct kvec vecs[2];
+        uint32_t sum_ofs;
        void *wpage;
        int ret;
        size_t retlen;
@@ -581,16 +673,17 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
        wpage = c->summary->sum_buf;
        while (c->summary->sum_num) {
+                temp = c->summary->sum_list_head;
-                switch (je16_to_cpu(c->summary->sum_list_head->u.nodetype)) {
+                switch (je16_to_cpu(temp->u.nodetype)) {
                        case JFFS2_NODETYPE_INODE: {
                                struct jffs2_sum_inode_flash *sino_ptr = wpage;
-                                sino_ptr->nodetype = c->summary->sum_list_head->i.nodetype;
+                                sino_ptr->nodetype = temp->i.nodetype;
-                                sino_ptr->inode = c->summary->sum_list_head->i.inode;
+                                sino_ptr->inode = temp->i.inode;
-                                sino_ptr->version = c->summary->sum_list_head->i.version;
+                                sino_ptr->version = temp->i.version;
-                                sino_ptr->offset = c->summary->sum_list_head->i.offset;
+                                sino_ptr->offset = temp->i.offset;
-                                sino_ptr->totlen = c->summary->sum_list_head->i.totlen;
+                                sino_ptr->totlen = temp->i.totlen;
                                wpage += JFFS2_SUMMARY_INODE_SIZE;
@@ -600,30 +693,60 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
                        case JFFS2_NODETYPE_DIRENT: {
                                struct jffs2_sum_dirent_flash *sdrnt_ptr = wpage;
-                                sdrnt_ptr->nodetype = c->summary->sum_list_head->d.nodetype;
+                                sdrnt_ptr->nodetype = temp->d.nodetype;
-                                sdrnt_ptr->totlen = c->summary->sum_list_head->d.totlen;
+                                sdrnt_ptr->totlen = temp->d.totlen;
-                                sdrnt_ptr->offset = c->summary->sum_list_head->d.offset;
+                                sdrnt_ptr->offset = temp->d.offset;
-                                sdrnt_ptr->pino = c->summary->sum_list_head->d.pino;
+                                sdrnt_ptr->pino = temp->d.pino;
-                                sdrnt_ptr->version = c->summary->sum_list_head->d.version;
+                                sdrnt_ptr->version = temp->d.version;
-                                sdrnt_ptr->ino = c->summary->sum_list_head->d.ino;
+                                sdrnt_ptr->ino = temp->d.ino;
-                                sdrnt_ptr->nsize = c->summary->sum_list_head->d.nsize;
+                                sdrnt_ptr->nsize = temp->d.nsize;
-                                sdrnt_ptr->type = c->summary->sum_list_head->d.type;
+                                sdrnt_ptr->type = temp->d.type;
-                                memcpy(sdrnt_ptr->name, c->summary->sum_list_head->d.name,
+                                memcpy(sdrnt_ptr->name, temp->d.name,
-                                                        c->summary->sum_list_head->d.nsize);
+                                                        temp->d.nsize);
-                                wpage += JFFS2_SUMMARY_DIRENT_SIZE(c->summary->sum_list_head->d.nsize);
+                                wpage += JFFS2_SUMMARY_DIRENT_SIZE(temp->d.nsize);
                                break;
                        }
+#ifdef CONFIG_JFFS2_FS_XATTR
+                        case JFFS2_NODETYPE_XATTR: {
+                                struct jffs2_sum_xattr_flash *sxattr_ptr = wpage;
+                                temp = c->summary->sum_list_head;
+                                sxattr_ptr->nodetype = temp->x.nodetype;
+                                sxattr_ptr->xid = temp->x.xid;
+                                sxattr_ptr->version = temp->x.version;
+                                sxattr_ptr->offset = temp->x.offset;
+                                sxattr_ptr->totlen = temp->x.totlen;
+                                wpage += JFFS2_SUMMARY_XATTR_SIZE;
+                                break;
+                        }
+                        case JFFS2_NODETYPE_XREF: {
+                                struct jffs2_sum_xref_flash *sxref_ptr = wpage;
+                                temp = c->summary->sum_list_head;
+                                sxref_ptr->nodetype = temp->r.nodetype;
+                                sxref_ptr->offset = temp->r.offset;
+                                wpage += JFFS2_SUMMARY_XREF_SIZE;
+                                break;
+                        }
+#endif
                        default : {
-                                BUG();  /* unknown node in summary information */
+                                if ((je16_to_cpu(temp->u.nodetype) & JFFS2_COMPAT_MASK)
+                                    == JFFS2_FEATURE_RWCOMPAT_COPY) {
+                                        dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n",
+                                                    je16_to_cpu(temp->u.nodetype));
+                                        jffs2_sum_disable_collecting(c->summary);
+                                } else {
+                                        BUG();  /* unknown node in summary information */
+                                }
                        }
                }
-                temp = c->summary->sum_list_head;
+                c->summary->sum_list_head = temp->u.next;
-                c->summary->sum_list_head = c->summary->sum_list_head->u.next;
                kfree(temp);
                c->summary->sum_num--;
@@ -645,25 +768,34 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
        vecs[1].iov_base = c->summary->sum_buf;
        vecs[1].iov_len = datasize;
-        dbg_summary("JFFS2: writing out data to flash to pos : 0x%08x\n",
+        sum_ofs = jeb->offset + c->sector_size - jeb->free_size;
-                        jeb->offset + c->sector_size - jeb->free_size);
-        spin_unlock(&c->erase_completion_lock);
+        dbg_summary("JFFS2: writing out data to flash to pos : 0x%08x\n",
-        ret = jffs2_flash_writev(c, vecs, 2, jeb->offset + c->sector_size -
+                    sum_ofs);
-                                jeb->free_size, &retlen, 0);
-        spin_lock(&c->erase_completion_lock);
+        ret = jffs2_flash_writev(c, vecs, 2, sum_ofs, &retlen, 0);
        if (ret || (retlen != infosize)) {
-                JFFS2_WARNING("Write of %zd bytes at 0x%08x failed. returned %d, retlen %zd\n",
-                        infosize, jeb->offset + c->sector_size - jeb->free_size, ret, retlen);
+                JFFS2_WARNING("Write of %u bytes at 0x%08x failed. returned %d, retlen %zd\n",
+                              infosize, sum_ofs, ret, retlen);
+                if (retlen) {
+                        /* Waste remaining space */
+                        spin_lock(&c->erase_completion_lock);
+                        jffs2_link_node_ref(c, jeb, sum_ofs | REF_OBSOLETE, infosize, NULL);
+                        spin_unlock(&c->erase_completion_lock);
+                }
                c->summary->sum_size = JFFS2_SUMMARY_NOSUM_SIZE;
-                WASTED_SPACE(infosize);
-                return 1;
+                return 0;
        }
+        spin_lock(&c->erase_completion_lock);
+        jffs2_link_node_ref(c, jeb, sum_ofs | REF_NORMAL, infosize, NULL);
+        spin_unlock(&c->erase_completion_lock);
        return 0;
 }
@@ -671,13 +803,16 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
 int jffs2_sum_write_sumnode(struct jffs2_sb_info *c)
 {
-        struct jffs2_raw_node_ref *summary_ref;
+        int datasize, infosize, padsize;
-        int datasize, infosize, padsize, ret;
        struct jffs2_eraseblock *jeb;
+        int ret;
        dbg_summary("called\n");
+        spin_unlock(&c->erase_completion_lock);
        jeb = c->nextblock;
+        jffs2_prealloc_raw_node_refs(c, jeb, 1);
        if (!c->summary->sum_num || !c->summary->sum_list_head) {
                JFFS2_WARNING("Empty summary info!!!\n");
@@ -696,35 +831,11 @@ int jffs2_sum_write_sumnode(struct jffs2_sb_info *c)
                jffs2_sum_disable_collecting(c->summary);
                JFFS2_WARNING("Not enough space for summary, padsize = %d\n", padsize);
+                spin_lock(&c->erase_completion_lock);
                return 0;
        }
        ret = jffs2_sum_write_data(c, jeb, infosize, datasize, padsize);
-        if (ret)
-                return 0; /* can't write out summary, block is marked as NOSUM_SIZE */
-        /* for ACCT_PARANOIA_CHECK */
-        spin_unlock(&c->erase_completion_lock);
-        summary_ref = jffs2_alloc_raw_node_ref();
        spin_lock(&c->erase_completion_lock);
+        return ret;
-        if (!summary_ref) {
-                JFFS2_NOTICE("Failed to allocate node ref for summary\n");
-                return -ENOMEM;
-        }
-        summary_ref->next_in_ino = NULL;
-        summary_ref->next_phys = NULL;
-        summary_ref->flash_offset = (jeb->offset + c->sector_size - jeb->free_size) | REF_NORMAL;
-        summary_ref->__totlen = infosize;
-        if (!jeb->first_node)
-                jeb->first_node = summary_ref;
-        if (jeb->last_node)
-                jeb->last_node->next_phys = summary_ref;
-        jeb->last_node = summary_ref;
-        USED_SPACE(infosize);
-        return 0;
 }
diff --git a/fs/jffs2/summary.h b/fs/jffs2/summary.h
index b7a678be1709..6bf1f6aa4552 100644
--- a/fs/jffs2/summary.h
+++ b/fs/jffs2/summary.h
@@ -18,23 +18,6 @@
 #include <linux/uio.h>
 #include <linux/jffs2.h>
-#define DIRTY_SPACE(x) do { typeof(x) _x = (x); \
-                c->free_size -= _x; c->dirty_size += _x; \
-                jeb->free_size -= _x ; jeb->dirty_size += _x; \
-                }while(0)
-#define USED_SPACE(x) do { typeof(x) _x = (x); \
-                c->free_size -= _x; c->used_size += _x; \
-                jeb->free_size -= _x ; jeb->used_size += _x; \
-                }while(0)
-#define WASTED_SPACE(x) do { typeof(x) _x = (x); \
-                c->free_size -= _x; c->wasted_size += _x; \
-                jeb->free_size -= _x ; jeb->wasted_size += _x; \
-                }while(0)
-#define UNCHECKED_SPACE(x) do { typeof(x) _x = (x); \
-                c->free_size -= _x; c->unchecked_size += _x; \
-                jeb->free_size -= _x ; jeb->unchecked_size += _x; \
-                }while(0)
 #define BLK_STATE_ALLFF         0
 #define BLK_STATE_CLEAN         1
 #define BLK_STATE_PARTDIRTY     2
@@ -45,6 +28,8 @@
 #define JFFS2_SUMMARY_NOSUM_SIZE 0xffffffff
 #define JFFS2_SUMMARY_INODE_SIZE (sizeof(struct jffs2_sum_inode_flash))
 #define JFFS2_SUMMARY_DIRENT_SIZE(x) (sizeof(struct jffs2_sum_dirent_flash) + (x))
+#define JFFS2_SUMMARY_XATTR_SIZE (sizeof(struct jffs2_sum_xattr_flash))
+#define JFFS2_SUMMARY_XREF_SIZE (sizeof(struct jffs2_sum_xref_flash))
 /* Summary structures used on flash */
@@ -75,11 +60,28 @@ struct jffs2_sum_dirent_flash
        uint8_t name[0];        /* dirent name */
 } __attribute__((packed));
+struct jffs2_sum_xattr_flash
+{
+        jint16_t nodetype;      /* == JFFS2_NODETYPE_XATR */
+        jint32_t xid;           /* xattr identifier */
+        jint32_t version;       /* version number */
+        jint32_t offset;        /* offset on jeb */
+        jint32_t totlen;        /* node length */
+} __attribute__((packed));
+struct jffs2_sum_xref_flash
+{
+        jint16_t nodetype;      /* == JFFS2_NODETYPE_XREF */
+        jint32_t offset;        /* offset on jeb */
+} __attribute__((packed));
 union jffs2_sum_flash
 {
        struct jffs2_sum_unknown_flash u;
        struct jffs2_sum_inode_flash i;
        struct jffs2_sum_dirent_flash d;
+        struct jffs2_sum_xattr_flash x;
+        struct jffs2_sum_xref_flash r;
 };
 /* Summary structures used in the memory */
@@ -114,11 +116,30 @@ struct jffs2_sum_dirent_mem
        uint8_t name[0];        /* dirent name */
 } __attribute__((packed));
+struct jffs2_sum_xattr_mem
+{
+        union jffs2_sum_mem *next;
+        jint16_t nodetype;
+        jint32_t xid;
+        jint32_t version;
+        jint32_t offset;
+        jint32_t totlen;
+} __attribute__((packed));
+struct jffs2_sum_xref_mem
+{
+        union jffs2_sum_mem *next;
+        jint16_t nodetype;
+        jint32_t offset;
+} __attribute__((packed));
 union jffs2_sum_mem
 {
        struct jffs2_sum_unknown_mem u;
        struct jffs2_sum_inode_mem i;
        struct jffs2_sum_dirent_mem d;
+        struct jffs2_sum_xattr_mem x;
+        struct jffs2_sum_xref_mem r;
 };
 /* Summary related information stored in superblock */
@@ -159,8 +180,11 @@ int jffs2_sum_write_sumnode(struct jffs2_sb_info *c);
 int jffs2_sum_add_padding_mem(struct jffs2_summary *s, uint32_t size);
 int jffs2_sum_add_inode_mem(struct jffs2_summary *s, struct jffs2_raw_inode *ri, uint32_t ofs);
 int jffs2_sum_add_dirent_mem(struct jffs2_summary *s, struct jffs2_raw_dirent *rd, uint32_t ofs);
+int jffs2_sum_add_xattr_mem(struct jffs2_summary *s, struct jffs2_raw_xattr *rx, uint32_t ofs);
+int jffs2_sum_add_xref_mem(struct jffs2_summary *s, struct jffs2_raw_xref *rr, uint32_t ofs);
 int jffs2_sum_scan_sumnode(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
-                        uint32_t ofs, uint32_t *pseudo_random);
+                           struct jffs2_raw_summary *summary, uint32_t sumlen,
+                           uint32_t *pseudo_random);
 #else                           /* SUMMARY DISABLED */
@@ -176,7 +200,9 @@ int jffs2_sum_scan_sumnode(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb
 #define jffs2_sum_add_padding_mem(a,b)
 #define jffs2_sum_add_inode_mem(a,b,c)
 #define jffs2_sum_add_dirent_mem(a,b,c)
-#define jffs2_sum_scan_sumnode(a,b,c,d) (0)
+#define jffs2_sum_add_xattr_mem(a,b,c)
+#define jffs2_sum_add_xref_mem(a,b,c)
+#define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
 #endif /* CONFIG_JFFS2_SUMMARY */
diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
index ffd8e84b22cc..68e3953419b4 100644
--- a/fs/jffs2/super.c
+++ b/fs/jffs2/super.c
@@ -11,7 +11,6 @@
 *
 */
-#include <linux/config.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/slab.h>
@@ -111,9 +110,10 @@ static int jffs2_sb_set(struct super_block *sb, void *data)
        return 0;
 }
-static struct super_block *jffs2_get_sb_mtd(struct file_system_type *fs_type,
+static int jffs2_get_sb_mtd(struct file_system_type *fs_type,
-                                              int flags, const char *dev_name,
+                            int flags, const char *dev_name,
-                                              void *data, struct mtd_info *mtd)
+                            void *data, struct mtd_info *mtd,
+                            struct vfsmount *mnt)
 {
        struct super_block *sb;
        struct jffs2_sb_info *c;
@@ -121,19 +121,20 @@ static struct super_block *jffs2_get_sb_mtd(struct file_system_type *fs_type,
        c = kmalloc(sizeof(*c), GFP_KERNEL);
        if (!c)
-                return ERR_PTR(-ENOMEM);
+                return -ENOMEM;
        memset(c, 0, sizeof(*c));
        c->mtd = mtd;
        sb = sget(fs_type, jffs2_sb_compare, jffs2_sb_set, c);
        if (IS_ERR(sb))
-                goto out_put;
+                goto out_error;
        if (sb->s_root) {
                /* New mountpoint for JFFS2 which is already mounted */
                D1(printk(KERN_DEBUG "jffs2_get_sb_mtd(): Device %d (\"%s\") is already mounted\n",
                          mtd->index, mtd->name));
+                ret = simple_set_mnt(mnt, sb);
                goto out_put;
        }
@@ -151,51 +152,57 @@ static struct super_block *jffs2_get_sb_mtd(struct file_system_type *fs_type,
        sb->s_op = &jffs2_super_operations;
        sb->s_flags = flags | MS_NOATIME;
+        sb->s_xattr = jffs2_xattr_handlers;
+#ifdef CONFIG_JFFS2_FS_POSIX_ACL
+        sb->s_flags |= MS_POSIXACL;
+#endif
        ret = jffs2_do_fill_super(sb, data, flags & MS_SILENT ? 1 : 0);
        if (ret) {
                /* Failure case... */
                up_write(&sb->s_umount);
                deactivate_super(sb);
-                return ERR_PTR(ret);
+                return ret;
        }
        sb->s_flags |= MS_ACTIVE;
-        return sb;
+        return simple_set_mnt(mnt, sb);
+out_error:
+        ret = PTR_ERR(sb);
 out_put:
        kfree(c);
        put_mtd_device(mtd);
-        return sb;
+        return ret;
 }
-static struct super_block *jffs2_get_sb_mtdnr(struct file_system_type *fs_type,
+static int jffs2_get_sb_mtdnr(struct file_system_type *fs_type,
-                                              int flags, const char *dev_name,
+                              int flags, const char *dev_name,
-                                              void *data, int mtdnr)
+                              void *data, int mtdnr,
+                              struct vfsmount *mnt)
 {
        struct mtd_info *mtd;
        mtd = get_mtd_device(NULL, mtdnr);
        if (!mtd) {
                D1(printk(KERN_DEBUG "jffs2: MTD device #%u doesn't appear to exist\n", mtdnr));
-                return ERR_PTR(-EINVAL);
+                return -EINVAL;
        }
-        return jffs2_get_sb_mtd(fs_type, flags, dev_name, data, mtd);
+        return jffs2_get_sb_mtd(fs_type, flags, dev_name, data, mtd, mnt);
 }
-static struct super_block *jffs2_get_sb(struct file_system_type *fs_type,
+static int jffs2_get_sb(struct file_system_type *fs_type,
-                                        int flags, const char *dev_name,
+                        int flags, const char *dev_name,
-                                        void *data)
+                        void *data, struct vfsmount *mnt)
 {
        int err;
        struct nameidata nd;
        int mtdnr;
        if (!dev_name)
-                return ERR_PTR(-EINVAL);
+                return -EINVAL;
        D1(printk(KERN_DEBUG "jffs2_get_sb(): dev_name \"%s\"\n", dev_name));
@@ -217,7 +224,7 @@ static struct super_block *jffs2_get_sb(struct file_system_type *fs_type,
                                mtd = get_mtd_device(NULL, mtdnr);
                                if (mtd) {
                                        if (!strcmp(mtd->name, dev_name+4))
-                                                return jffs2_get_sb_mtd(fs_type, flags, dev_name, data, mtd);
+                                                return jffs2_get_sb_mtd(fs_type, flags, dev_name, data, mtd, mnt);
                                        put_mtd_device(mtd);
                                }
                        }
@@ -230,7 +237,7 @@ static struct super_block *jffs2_get_sb(struct file_system_type *fs_type,
                        if (!*endptr) {
                                /* It was a valid number */
                                D1(printk(KERN_DEBUG "jffs2_get_sb(): mtd%%d, mtdnr %d\n", mtdnr));
-                                return jffs2_get_sb_mtdnr(fs_type, flags, dev_name, data, mtdnr);
+                                return jffs2_get_sb_mtdnr(fs_type, flags, dev_name, data, mtdnr, mnt);
                        }
                }
        }
@@ -244,7 +251,7 @@ static struct super_block *jffs2_get_sb(struct file_system_type *fs_type,
                  err, nd.dentry->d_inode));
        if (err)
-                return ERR_PTR(err);
+                return err;
        err = -EINVAL;
@@ -266,11 +273,11 @@ static struct super_block *jffs2_get_sb(struct file_system_type *fs_type,
        mtdnr = iminor(nd.dentry->d_inode);
        path_release(&nd);
-        return jffs2_get_sb_mtdnr(fs_type, flags, dev_name, data, mtdnr);
+        return jffs2_get_sb_mtdnr(fs_type, flags, dev_name, data, mtdnr, mnt);
 out:
        path_release(&nd);
-        return ERR_PTR(err);
+        return err;
 }
 static void jffs2_put_super (struct super_block *sb)
@@ -293,6 +300,7 @@ static void jffs2_put_super (struct super_block *sb)
                kfree(c->blocks);
        jffs2_flash_cleanup(c);
        kfree(c->inocache_list);
+        jffs2_clear_xattr_subsystem(c);
        if (c->mtd->sync)
                c->mtd->sync(c->mtd);
@@ -320,6 +328,18 @@ static int __init init_jffs2_fs(void)
 {
        int ret;
+        /* Paranoia checks for on-medium structures. If we ask GCC
+           to pack them with __attribute__((packed)) then it _also_
+           assumes that they're not aligned -- so it emits crappy
+           code on some architectures. Ideally we want an attribute
+           which means just 'no padding', without the alignment
+           thing. But GCC doesn't have that -- we have to just
+           hope the structs are the right sizes, instead. */
+        BUG_ON(sizeof(struct jffs2_unknown_node) != 12);
+        BUG_ON(sizeof(struct jffs2_raw_dirent) != 40);
+        BUG_ON(sizeof(struct jffs2_raw_inode) != 68);
+        BUG_ON(sizeof(struct jffs2_raw_summary) != 32);
        printk(KERN_INFO "JFFS2 version 2.2."
 #ifdef CONFIG_JFFS2_FS_WRITEBUFFER
               " (NAND)"
@@ -327,7 +347,7 @@ static int __init init_jffs2_fs(void)
 #ifdef CONFIG_JFFS2_SUMMARY
               " (SUMMARY) "
 #endif
-               " (C) 2001-2003 Red Hat, Inc.\n");
+               " (C) 2001-2006 Red Hat, Inc.\n");
        jffs2_inode_cachep = kmem_cache_create("jffs2_i",
                                             sizeof(struct jffs2_inode_info),
diff --git a/fs/jffs2/symlink.c b/fs/jffs2/symlink.c
index d55754fe8925..fc211b6e9b03 100644
--- a/fs/jffs2/symlink.c
+++ b/fs/jffs2/symlink.c
@@ -24,7 +24,12 @@ struct inode_operations jffs2_symlink_inode_operations =
 {
        .readlink =     generic_readlink,
        .follow_link =  jffs2_follow_link,
-        .setattr =      jffs2_setattr
+        .permission =   jffs2_permission,
+        .setattr =      jffs2_setattr,
+        .setxattr =     jffs2_setxattr,
+        .getxattr =     jffs2_getxattr,
+        .listxattr =    jffs2_listxattr,
+        .removexattr =  jffs2_removexattr
 };
 static void *jffs2_follow_link(struct dentry *dentry, struct nameidata *nd)
diff --git a/fs/jffs2/wbuf.c b/fs/jffs2/wbuf.c
index 4cebf0e57c46..b9b700730dfe 100644
--- a/fs/jffs2/wbuf.c
+++ b/fs/jffs2/wbuf.c
@@ -156,69 +156,130 @@ static void jffs2_block_refile(struct jffs2_sb_info *c, struct jffs2_eraseblock
                jffs2_erase_pending_trigger(c);
        }
-        /* Adjust its size counts accordingly */
+        if (!jffs2_prealloc_raw_node_refs(c, jeb, 1)) {
-        c->wasted_size += jeb->free_size;
+                uint32_t oldfree = jeb->free_size;
-        c->free_size -= jeb->free_size;
-        jeb->wasted_size += jeb->free_size;
+                jffs2_link_node_ref(c, jeb, 
-        jeb->free_size = 0;
+                                    (jeb->offset+c->sector_size-oldfree) | REF_OBSOLETE,
+                                    oldfree, NULL);
+                /* convert to wasted */
+                c->wasted_size += oldfree;
+                jeb->wasted_size += oldfree;
+                c->dirty_size -= oldfree;
+                jeb->dirty_size -= oldfree;
+        }
        jffs2_dbg_dump_block_lists_nolock(c);
        jffs2_dbg_acct_sanity_check_nolock(c,jeb);
        jffs2_dbg_acct_paranoia_check_nolock(c, jeb);
 }
+static struct jffs2_raw_node_ref **jffs2_incore_replace_raw(struct jffs2_sb_info *c,
+                                                            struct jffs2_inode_info *f,
+                                                            struct jffs2_raw_node_ref *raw,
+                                                            union jffs2_node_union *node)
+{
+        struct jffs2_node_frag *frag;
+        struct jffs2_full_dirent *fd;
+        dbg_noderef("incore_replace_raw: node at %p is {%04x,%04x}\n",
+                    node, je16_to_cpu(node->u.magic), je16_to_cpu(node->u.nodetype));
+        BUG_ON(je16_to_cpu(node->u.magic) != 0x1985 &&
+               je16_to_cpu(node->u.magic) != 0);
+        switch (je16_to_cpu(node->u.nodetype)) {
+        case JFFS2_NODETYPE_INODE:
+                if (f->metadata && f->metadata->raw == raw) {
+                        dbg_noderef("Will replace ->raw in f->metadata at %p\n", f->metadata);
+                        return &f->metadata->raw;
+                }
+                frag = jffs2_lookup_node_frag(&f->fragtree, je32_to_cpu(node->i.offset));
+                BUG_ON(!frag);
+                /* Find a frag which refers to the full_dnode we want to modify */
+                while (!frag->node || frag->node->raw != raw) {
+                        frag = frag_next(frag);
+                        BUG_ON(!frag);
+                }
+                dbg_noderef("Will replace ->raw in full_dnode at %p\n", frag->node);
+                return &frag->node->raw;
+        case JFFS2_NODETYPE_DIRENT:
+                for (fd = f->dents; fd; fd = fd->next) {
+                        if (fd->raw == raw) {
+                                dbg_noderef("Will replace ->raw in full_dirent at %p\n", fd);
+                                return &fd->raw;
+                        }
+                }
+                BUG();
+        default:
+                dbg_noderef("Don't care about replacing raw for nodetype %x\n",
+                            je16_to_cpu(node->u.nodetype));
+                break;
+        }
+        return NULL;
+}
 /* Recover from failure to write wbuf. Recover the nodes up to the
 * wbuf, not the one which we were starting to try to write. */
 static void jffs2_wbuf_recover(struct jffs2_sb_info *c)
 {
        struct jffs2_eraseblock *jeb, *new_jeb;
-        struct jffs2_raw_node_ref **first_raw, **raw;
+        struct jffs2_raw_node_ref *raw, *next, *first_raw = NULL;
        size_t retlen;
        int ret;
+        int nr_refile = 0;
        unsigned char *buf;
        uint32_t start, end, ofs, len;
-        spin_lock(&c->erase_completion_lock);
        jeb = &c->blocks[c->wbuf_ofs / c->sector_size];
+        spin_lock(&c->erase_completion_lock);
        jffs2_block_refile(c, jeb, REFILE_NOTEMPTY);
+        spin_unlock(&c->erase_completion_lock);
+        BUG_ON(!ref_obsolete(jeb->last_node));
        /* Find the first node to be recovered, by skipping over every
           node which ends before the wbuf starts, or which is obsolete. */
-        first_raw = &jeb->first_node;
+        for (next = raw = jeb->first_node; next; raw = next) {
-        while (*first_raw &&
+                next = ref_next(raw);
-               (ref_obsolete(*first_raw) ||
-                (ref_offset(*first_raw)+ref_totlen(c, jeb, *first_raw)) < c->wbuf_ofs)) {
+                if (ref_obsolete(raw) || 
-                D1(printk(KERN_DEBUG "Skipping node at 0x%08x(%d)-0x%08x which is either before 0x%08x or obsolete\n",
+                    (next && ref_offset(next) <= c->wbuf_ofs)) {
-                          ref_offset(*first_raw), ref_flags(*first_raw),
+                        dbg_noderef("Skipping node at 0x%08x(%d)-0x%08x which is either before 0x%08x or obsolete\n",
-                          (ref_offset(*first_raw) + ref_totlen(c, jeb, *first_raw)),
+                                    ref_offset(raw), ref_flags(raw),
-                          c->wbuf_ofs));
+                                    (ref_offset(raw) + ref_totlen(c, jeb, raw)),
-                first_raw = &(*first_raw)->next_phys;
+                                    c->wbuf_ofs);
+                        continue;
+                }
+                dbg_noderef("First node to be recovered is at 0x%08x(%d)-0x%08x\n",
+                            ref_offset(raw), ref_flags(raw),
+                            (ref_offset(raw) + ref_totlen(c, jeb, raw)));
+                first_raw = raw;
+                break;
        }
-        if (!*first_raw) {
+        if (!first_raw) {
                /* All nodes were obsolete. Nothing to recover. */
                D1(printk(KERN_DEBUG "No non-obsolete nodes to be recovered. Just filing block bad\n"));
-                spin_unlock(&c->erase_completion_lock);
+                c->wbuf_len = 0;
                return;
        }
-        start = ref_offset(*first_raw);
+        start = ref_offset(first_raw);
-        end = ref_offset(*first_raw) + ref_totlen(c, jeb, *first_raw);
+        end = ref_offset(jeb->last_node);
+        nr_refile = 1;
-        /* Find the last node to be recovered */
-        raw = first_raw;
-        while ((*raw)) {
-                if (!ref_obsolete(*raw))
-                        end = ref_offset(*raw) + ref_totlen(c, jeb, *raw);
-                raw = &(*raw)->next_phys;
+        /* Count the number of refs which need to be copied */
-        }
+        while ((raw = ref_next(raw)) != jeb->last_node)
-        spin_unlock(&c->erase_completion_lock);
+                nr_refile++;
-        D1(printk(KERN_DEBUG "wbuf recover %08x-%08x\n", start, end));
+        dbg_noderef("wbuf recover %08x-%08x (%d bytes in %d nodes)\n",
+                    start, end, end - start, nr_refile);
        buf = NULL;
        if (start < c->wbuf_ofs) {
@@ -233,28 +294,37 @@ static void jffs2_wbuf_recover(struct jffs2_sb_info *c)
                }
                /* Do the read... */
-                if (jffs2_cleanmarker_oob(c))
+                ret = c->mtd->read(c->mtd, start, c->wbuf_ofs - start, &retlen, buf);
-                        ret = c->mtd->read_ecc(c->mtd, start, c->wbuf_ofs - start, &retlen, buf, NULL, c->oobinfo);
-                else
-                        ret = c->mtd->read(c->mtd, start, c->wbuf_ofs - start, &retlen, buf);
-                if (ret == -EBADMSG && retlen == c->wbuf_ofs - start) {
+                /* ECC recovered ? */
-                        /* ECC recovered */
+                if ((ret == -EUCLEAN || ret == -EBADMSG) &&
+                    (retlen == c->wbuf_ofs - start))
                        ret = 0;
-                }
                if (ret || retlen != c->wbuf_ofs - start) {
                        printk(KERN_CRIT "Old data are already lost in wbuf recovery. Data loss ensues.\n");
                        kfree(buf);
                        buf = NULL;
                read_failed:
-                        first_raw = &(*first_raw)->next_phys;
+                        first_raw = ref_next(first_raw);
+                        nr_refile--;
+                        while (first_raw && ref_obsolete(first_raw)) {
+                                first_raw = ref_next(first_raw);
+                                nr_refile--;
+                        }
                        /* If this was the only node to be recovered, give up */
-                        if (!(*first_raw))
+                        if (!first_raw) {
+                                c->wbuf_len = 0;
                                return;
+                        }
                        /* It wasn't. Go on and try to recover nodes complete in the wbuf */
-                        start = ref_offset(*first_raw);
+                        start = ref_offset(first_raw);
+                        dbg_noderef("wbuf now recover %08x-%08x (%d bytes in %d nodes)\n",
+                                    start, end, end - start, nr_refile);
                } else {
                        /* Read succeeded. Copy the remaining data from the wbuf */
                        memcpy(buf + (c->wbuf_ofs - start), c->wbuf, end - c->wbuf_ofs);
@@ -263,14 +333,23 @@ static void jffs2_wbuf_recover(struct jffs2_sb_info *c)
        /* OK... we're to rewrite (end-start) bytes of data from first_raw onwards.
           Either 'buf' contains the data, or we find it in the wbuf */
        /* ... and get an allocation of space from a shiny new block instead */
-        ret = jffs2_reserve_space_gc(c, end-start, &ofs, &len, JFFS2_SUMMARY_NOSUM_SIZE);
+        ret = jffs2_reserve_space_gc(c, end-start, &len, JFFS2_SUMMARY_NOSUM_SIZE);
        if (ret) {
                printk(KERN_WARNING "Failed to allocate space for wbuf recovery. Data loss ensues.\n");
                kfree(buf);
                return;
        }
+        ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, nr_refile);
+        if (ret) {
+                printk(KERN_WARNING "Failed to allocate node refs for wbuf recovery. Data loss ensues.\n");
+                kfree(buf);
+                return;
+        }
+        ofs = write_ofs(c);
        if (end-start >= c->wbuf_pagesize) {
                /* Need to do another write immediately, but it's possible
                   that this is just because the wbuf itself is completely
@@ -288,36 +367,22 @@ static void jffs2_wbuf_recover(struct jffs2_sb_info *c)
                if (breakme++ == 20) {
                        printk(KERN_NOTICE "Faking write error at 0x%08x\n", ofs);
                        breakme = 0;
-                        c->mtd->write_ecc(c->mtd, ofs, towrite, &retlen,
+                        c->mtd->write(c->mtd, ofs, towrite, &retlen,
-                                          brokenbuf, NULL, c->oobinfo);
+                                      brokenbuf);
                        ret = -EIO;
                } else
 #endif
-                if (jffs2_cleanmarker_oob(c))
+                        ret = c->mtd->write(c->mtd, ofs, towrite, &retlen,
-                        ret = c->mtd->write_ecc(c->mtd, ofs, towrite, &retlen,
+                                            rewrite_buf);
-                                                rewrite_buf, NULL, c->oobinfo);
-                else
-                        ret = c->mtd->write(c->mtd, ofs, towrite, &retlen, rewrite_buf);
                if (ret || retlen != towrite) {
                        /* Argh. We tried. Really we did. */
                        printk(KERN_CRIT "Recovery of wbuf failed due to a second write error\n");
                        kfree(buf);
-                        if (retlen) {
+                        if (retlen)
-                                struct jffs2_raw_node_ref *raw2;
+                                jffs2_add_physical_node_ref(c, ofs | REF_OBSOLETE, ref_totlen(c, jeb, first_raw), NULL);
-                                raw2 = jffs2_alloc_raw_node_ref();
-                                if (!raw2)
-                                        return;
-                                raw2->flash_offset = ofs | REF_OBSOLETE;
-                                raw2->__totlen = ref_totlen(c, jeb, *first_raw);
-                                raw2->next_phys = NULL;
-                                raw2->next_in_ino = NULL;
-                                jffs2_add_physical_node_ref(c, raw2);
-                        }
                        return;
                }
                printk(KERN_NOTICE "Recovery of wbuf succeeded to %08x\n", ofs);
@@ -326,12 +391,10 @@ static void jffs2_wbuf_recover(struct jffs2_sb_info *c)
                c->wbuf_ofs = ofs + towrite;
                memmove(c->wbuf, rewrite_buf + towrite, c->wbuf_len);
                /* Don't muck about with c->wbuf_inodes. False positives are harmless. */
-                kfree(buf);
        } else {
                /* OK, now we're left with the dregs in whichever buffer we're using */
                if (buf) {
                        memcpy(c->wbuf, buf, end-start);
-                        kfree(buf);
                } else {
                        memmove(c->wbuf, c->wbuf + (start - c->wbuf_ofs), end - start);
                }
@@ -343,62 +406,110 @@ static void jffs2_wbuf_recover(struct jffs2_sb_info *c)
        new_jeb = &c->blocks[ofs / c->sector_size];
        spin_lock(&c->erase_completion_lock);
-        if (new_jeb->first_node) {
+        for (raw = first_raw; raw != jeb->last_node; raw = ref_next(raw)) {
-                /* Odd, but possible with ST flash later maybe */
+                uint32_t rawlen = ref_totlen(c, jeb, raw);
-                new_jeb->last_node->next_phys = *first_raw;
+                struct jffs2_inode_cache *ic;
-        } else {
+                struct jffs2_raw_node_ref *new_ref;
-                new_jeb->first_node = *first_raw;
+                struct jffs2_raw_node_ref **adjust_ref = NULL;
-        }
+                struct jffs2_inode_info *f = NULL;
-        raw = first_raw;
-        while (*raw) {
-                uint32_t rawlen = ref_totlen(c, jeb, *raw);
                D1(printk(KERN_DEBUG "Refiling block of %08x at %08x(%d) to %08x\n",
-                          rawlen, ref_offset(*raw), ref_flags(*raw), ofs));
+                          rawlen, ref_offset(raw), ref_flags(raw), ofs));
+                ic = jffs2_raw_ref_to_ic(raw);
+                /* Ick. This XATTR mess should be fixed shortly... */
+                if (ic && ic->class == RAWNODE_CLASS_XATTR_DATUM) {
+                        struct jffs2_xattr_datum *xd = (void *)ic;
+                        BUG_ON(xd->node != raw);
+                        adjust_ref = &xd->node;
+                        raw->next_in_ino = NULL;
+                        ic = NULL;
+                } else if (ic && ic->class == RAWNODE_CLASS_XATTR_REF) {
+                        struct jffs2_xattr_datum *xr = (void *)ic;
+                        BUG_ON(xr->node != raw);
+                        adjust_ref = &xr->node;
+                        raw->next_in_ino = NULL;
+                        ic = NULL;
+                } else if (ic && ic->class == RAWNODE_CLASS_INODE_CACHE) {
+                        struct jffs2_raw_node_ref **p = &ic->nodes;
+                        /* Remove the old node from the per-inode list */
+                        while (*p && *p != (void *)ic) {
+                                if (*p == raw) {
+                                        (*p) = (raw->next_in_ino);
+                                        raw->next_in_ino = NULL;
+                                        break;
+                                }
+                                p = &((*p)->next_in_ino);
+                        }
-                if (ref_obsolete(*raw)) {
+                        if (ic->state == INO_STATE_PRESENT && !ref_obsolete(raw)) {
-                        /* Shouldn't really happen much */
+                                /* If it's an in-core inode, then we have to adjust any
-                        new_jeb->dirty_size += rawlen;
+                                   full_dirent or full_dnode structure to point to the
-                        new_jeb->free_size -= rawlen;
+                                   new version instead of the old */
-                        c->dirty_size += rawlen;
+                                f = jffs2_gc_fetch_inode(c, ic->ino, ic->nlink);
-                } else {
+                                if (IS_ERR(f)) {
-                        new_jeb->used_size += rawlen;
+                                        /* Should never happen; it _must_ be present */
-                        new_jeb->free_size -= rawlen;
+                                        JFFS2_ERROR("Failed to iget() ino #%u, err %ld\n",
+                                                    ic->ino, PTR_ERR(f));
+                                        BUG();
+                                }
+                                /* We don't lock f->sem. There's a number of ways we could
+                                   end up in here with it already being locked, and nobody's
+                                   going to modify it on us anyway because we hold the
+                                   alloc_sem. We're only changing one ->raw pointer too,
+                                   which we can get away with without upsetting readers. */
+                                adjust_ref = jffs2_incore_replace_raw(c, f, raw,
+                                                                      (void *)(buf?:c->wbuf) + (ref_offset(raw) - start));
+                        } else if (unlikely(ic->state != INO_STATE_PRESENT &&
+                                            ic->state != INO_STATE_CHECKEDABSENT &&
+                                            ic->state != INO_STATE_GC)) {
+                                JFFS2_ERROR("Inode #%u is in strange state %d!\n", ic->ino, ic->state);
+                                BUG();
+                        }
+                }
+                new_ref = jffs2_link_node_ref(c, new_jeb, ofs | ref_flags(raw), rawlen, ic);
+                if (adjust_ref) {
+                        BUG_ON(*adjust_ref != raw);
+                        *adjust_ref = new_ref;
+                }
+                if (f)
+                        jffs2_gc_release_inode(c, f);
+                if (!ref_obsolete(raw)) {
                        jeb->dirty_size += rawlen;
                        jeb->used_size  -= rawlen;
                        c->dirty_size += rawlen;
+                        c->used_size -= rawlen;
+                        raw->flash_offset = ref_offset(raw) | REF_OBSOLETE;
+                        BUG_ON(raw->next_in_ino);
                }
-                c->free_size -= rawlen;
-                (*raw)->flash_offset = ofs | ref_flags(*raw);
                ofs += rawlen;
-                new_jeb->last_node = *raw;
-                raw = &(*raw)->next_phys;
        }
+        kfree(buf);
        /* Fix up the original jeb now it's on the bad_list */
-        *first_raw = NULL;
+        if (first_raw == jeb->first_node) {
-        if (first_raw == &jeb->first_node) {
-                jeb->last_node = NULL;
                D1(printk(KERN_DEBUG "Failing block at %08x is now empty. Moving to erase_pending_list\n", jeb->offset));
-                list_del(&jeb->list);
+                list_move(&jeb->list, &c->erase_pending_list);
-                list_add(&jeb->list, &c->erase_pending_list);
                c->nr_erasing_blocks++;
                jffs2_erase_pending_trigger(c);
        }
-        else
-                jeb->last_node = container_of(first_raw, struct jffs2_raw_node_ref, next_phys);
        jffs2_dbg_acct_sanity_check_nolock(c, jeb);
-        jffs2_dbg_acct_paranoia_check_nolock(c, jeb);
+        jffs2_dbg_acct_paranoia_check_nolock(c, jeb);
        jffs2_dbg_acct_sanity_check_nolock(c, new_jeb);
-        jffs2_dbg_acct_paranoia_check_nolock(c, new_jeb);
+        jffs2_dbg_acct_paranoia_check_nolock(c, new_jeb);
        spin_unlock(&c->erase_completion_lock);
-        D1(printk(KERN_DEBUG "wbuf recovery completed OK\n"));
+        D1(printk(KERN_DEBUG "wbuf recovery completed OK. wbuf_ofs 0x%08x, len 0x%x\n", c->wbuf_ofs, c->wbuf_len));
 }
 /* Meaning of pad argument:
@@ -412,6 +523,7 @@ static void jffs2_wbuf_recover(struct jffs2_sb_info *c)
 static int __jffs2_flush_wbuf(struct jffs2_sb_info *c, int pad)
 {
+        struct jffs2_eraseblock *wbuf_jeb;
        int ret;
        size_t retlen;
@@ -429,6 +541,10 @@ static int __jffs2_flush_wbuf(struct jffs2_sb_info *c, int pad)
        if (!c->wbuf_len)       /* already checked c->wbuf above */
                return 0;
+        wbuf_jeb = &c->blocks[c->wbuf_ofs / c->sector_size];
+        if (jffs2_prealloc_raw_node_refs(c, wbuf_jeb, c->nextblock->allocated_refs + 1))
+                return -ENOMEM;
        /* claim remaining space on the page
           this happens, if we have a change to a new block,
           or if fsync forces us to flush the writebuffer.
@@ -458,15 +574,12 @@ static int __jffs2_flush_wbuf(struct jffs2_sb_info *c, int pad)
        if (breakme++ == 20) {
                printk(KERN_NOTICE "Faking write error at 0x%08x\n", c->wbuf_ofs);
                breakme = 0;
-                c->mtd->write_ecc(c->mtd, c->wbuf_ofs, c->wbuf_pagesize,
+                c->mtd->write(c->mtd, c->wbuf_ofs, c->wbuf_pagesize, &retlen,
-                                        &retlen, brokenbuf, NULL, c->oobinfo);
+                              brokenbuf);
                ret = -EIO;
        } else
 #endif
-        if (jffs2_cleanmarker_oob(c))
-                ret = c->mtd->write_ecc(c->mtd, c->wbuf_ofs, c->wbuf_pagesize, &retlen, c->wbuf, NULL, c->oobinfo);
-        else
                ret = c->mtd->write(c->mtd, c->wbuf_ofs, c->wbuf_pagesize, &retlen, c->wbuf);
        if (ret || retlen != c->wbuf_pagesize) {
@@ -483,32 +596,34 @@ static int __jffs2_flush_wbuf(struct jffs2_sb_info *c, int pad)
                return ret;
        }
-        spin_lock(&c->erase_completion_lock);
        /* Adjust free size of the block if we padded. */
        if (pad) {
-                struct jffs2_eraseblock *jeb;
+                uint32_t waste = c->wbuf_pagesize - c->wbuf_len;
-                jeb = &c->blocks[c->wbuf_ofs / c->sector_size];
                D1(printk(KERN_DEBUG "jffs2_flush_wbuf() adjusting free_size of %sblock at %08x\n",
-                          (jeb==c->nextblock)?"next":"", jeb->offset));
+                          (wbuf_jeb==c->nextblock)?"next":"", wbuf_jeb->offset));
                /* wbuf_pagesize - wbuf_len is the amount of space that's to be
                   padded. If there is less free space in the block than that,
                   something screwed up */
-                if (jeb->free_size < (c->wbuf_pagesize - c->wbuf_len)) {
+                if (wbuf_jeb->free_size < waste) {
                        printk(KERN_CRIT "jffs2_flush_wbuf(): Accounting error. wbuf at 0x%08x has 0x%03x bytes, 0x%03x left.\n",
-                               c->wbuf_ofs, c->wbuf_len, c->wbuf_pagesize-c->wbuf_len);
+                               c->wbuf_ofs, c->wbuf_len, waste);
                        printk(KERN_CRIT "jffs2_flush_wbuf(): But free_size for block at 0x%08x is only 0x%08x\n",
-                               jeb->offset, jeb->free_size);
+                               wbuf_jeb->offset, wbuf_jeb->free_size);
                        BUG();
                }
-                jeb->free_size -= (c->wbuf_pagesize - c->wbuf_len);
-                c->free_size -= (c->wbuf_pagesize - c->wbuf_len);
+                spin_lock(&c->erase_completion_lock);
-                jeb->wasted_size += (c->wbuf_pagesize - c->wbuf_len);
-                c->wasted_size += (c->wbuf_pagesize - c->wbuf_len);
+                jffs2_link_node_ref(c, wbuf_jeb, (c->wbuf_ofs + c->wbuf_len) | REF_OBSOLETE, waste, NULL);
-        }
+                /* FIXME: that made it count as dirty. Convert to wasted */
+                wbuf_jeb->dirty_size -= waste;
+                c->dirty_size -= waste;
+                wbuf_jeb->wasted_size += waste;
+                c->wasted_size += waste;
+        } else
+                spin_lock(&c->erase_completion_lock);
        /* Stick any now-obsoleted blocks on the erase_pending_list */
        jffs2_refile_wbuf_blocks(c);
@@ -603,20 +718,30 @@ int jffs2_flush_wbuf_pad(struct jffs2_sb_info *c)
        return ret;
 }
-int jffs2_flash_writev(struct jffs2_sb_info *c, const struct kvec *invecs, unsigned long count, loff_t to, size_t *retlen, uint32_t ino)
+static size_t jffs2_fill_wbuf(struct jffs2_sb_info *c, const uint8_t *buf,
+                              size_t len)
+{
+        if (len && !c->wbuf_len && (len >= c->wbuf_pagesize))
+                return 0;
+        if (len > (c->wbuf_pagesize - c->wbuf_len))
+                len = c->wbuf_pagesize - c->wbuf_len;
+        memcpy(c->wbuf + c->wbuf_len, buf, len);
+        c->wbuf_len += (uint32_t) len;
+        return len;
+}
+int jffs2_flash_writev(struct jffs2_sb_info *c, const struct kvec *invecs,
+                       unsigned long count, loff_t to, size_t *retlen,
+                       uint32_t ino)
 {
-        struct kvec outvecs[3];
+        struct jffs2_eraseblock *jeb;
-        uint32_t totlen = 0;
+        size_t wbuf_retlen, donelen = 0;
-        uint32_t split_ofs = 0;
-        uint32_t old_totlen;
-        int ret, splitvec = -1;
-        int invec, outvec;
-        size_t wbuf_retlen;
-        unsigned char *wbuf_ptr;
-        size_t donelen = 0;
        uint32_t outvec_to = to;
+        int ret, invec;
-        /* If not NAND flash, don't bother */
+        /* If not writebuffered flash, don't bother */
        if (!jffs2_is_writebuffered(c))
                return jffs2_flash_direct_writev(c, invecs, count, to, retlen);
@@ -629,34 +754,22 @@ int jffs2_flash_writev(struct jffs2_sb_info *c, const struct kvec *invecs, unsig
                memset(c->wbuf,0xff,c->wbuf_pagesize);
        }
-        /* Fixup the wbuf if we are moving to a new eraseblock.  The checks below
+        /*
-           fail for ECC'd NOR because cleanmarker == 16, so a block starts at
+         * Sanity checks on target address.  It's permitted to write
-           xxx0010.  */
+         * at PAD(c->wbuf_len+c->wbuf_ofs), and it's permitted to
-        if (jffs2_nor_ecc(c)) {
+         * write at the beginning of a new erase block. Anything else,
-                if (((c->wbuf_ofs % c->sector_size) == 0) && !c->wbuf_len) {
+         * and you die.  New block starts at xxx000c (0-b = block
-                        c->wbuf_ofs = PAGE_DIV(to);
+         * header)
-                        c->wbuf_len = PAGE_MOD(to);
+         */
-                        memset(c->wbuf,0xff,c->wbuf_pagesize);
-                }
-        }
-        /* Sanity checks on target address.
-           It's permitted to write at PAD(c->wbuf_len+c->wbuf_ofs),
-           and it's permitted to write at the beginning of a new
-           erase block. Anything else, and you die.
-           New block starts at xxx000c (0-b = block header)
-        */
        if (SECTOR_ADDR(to) != SECTOR_ADDR(c->wbuf_ofs)) {
                /* It's a write to a new block */
                if (c->wbuf_len) {
-                        D1(printk(KERN_DEBUG "jffs2_flash_writev() to 0x%lx causes flush of wbuf at 0x%08x\n", (unsigned long)to, c->wbuf_ofs));
+                        D1(printk(KERN_DEBUG "jffs2_flash_writev() to 0x%lx "
+                                  "causes flush of wbuf at 0x%08x\n",
+                                  (unsigned long)to, c->wbuf_ofs));
                        ret = __jffs2_flush_wbuf(c, PAD_NOACCOUNT);
-                        if (ret) {
+                        if (ret)
-                                /* the underlying layer has to check wbuf_len to do the cleanup */
+                                goto outerr;
-                                D1(printk(KERN_WARNING "jffs2_flush_wbuf() called from jffs2_flash_writev() failed %d\n", ret));
-                                *retlen = 0;
-                                goto exit;
-                        }
                }
                /* set pointer to new block */
                c->wbuf_ofs = PAGE_DIV(to);
@@ -665,165 +778,70 @@ int jffs2_flash_writev(struct jffs2_sb_info *c, const struct kvec *invecs, unsig
        if (to != PAD(c->wbuf_ofs + c->wbuf_len)) {
                /* We're not writing immediately after the writebuffer. Bad. */
-                printk(KERN_CRIT "jffs2_flash_writev(): Non-contiguous write to %08lx\n", (unsigned long)to);
+                printk(KERN_CRIT "jffs2_flash_writev(): Non-contiguous write "
+                       "to %08lx\n", (unsigned long)to);
                if (c->wbuf_len)
                        printk(KERN_CRIT "wbuf was previously %08x-%08x\n",
-                                          c->wbuf_ofs, c->wbuf_ofs+c->wbuf_len);
+                               c->wbuf_ofs, c->wbuf_ofs+c->wbuf_len);
                BUG();
        }
-        /* Note outvecs[3] above. We know count is never greater than 2 */
+        /* adjust alignment offset */
-        if (count > 2) {
+        if (c->wbuf_len != PAGE_MOD(to)) {
-                printk(KERN_CRIT "jffs2_flash_writev(): count is %ld\n", count);
+                c->wbuf_len = PAGE_MOD(to);
-                BUG();
+                /* take care of alignment to next page */
-        }
+                if (!c->wbuf_len) {
+                        c->wbuf_len = c->wbuf_pagesize;
-        invec = 0;
+                        ret = __jffs2_flush_wbuf(c, NOPAD);
-        outvec = 0;
+                        if (ret)
+                                goto outerr;
-        /* Fill writebuffer first, if already in use */
-        if (c->wbuf_len) {
-                uint32_t invec_ofs = 0;
-                /* adjust alignment offset */
-                if (c->wbuf_len != PAGE_MOD(to)) {
-                        c->wbuf_len = PAGE_MOD(to);
-                        /* take care of alignment to next page */
-                        if (!c->wbuf_len)
-                                c->wbuf_len = c->wbuf_pagesize;
-                }
-                while(c->wbuf_len < c->wbuf_pagesize) {
-                        uint32_t thislen;
-                        if (invec == count)
-                                goto alldone;
-                        thislen = c->wbuf_pagesize - c->wbuf_len;
-                        if (thislen >= invecs[invec].iov_len)
-                                thislen = invecs[invec].iov_len;
-                        invec_ofs = thislen;
-                        memcpy(c->wbuf + c->wbuf_len, invecs[invec].iov_base, thislen);
-                        c->wbuf_len += thislen;
-                        donelen += thislen;
-                        /* Get next invec, if actual did not fill the buffer */
-                        if (c->wbuf_len < c->wbuf_pagesize)
-                                invec++;
-                }
-                /* write buffer is full, flush buffer */
-                ret = __jffs2_flush_wbuf(c, NOPAD);
-                if (ret) {
-                        /* the underlying layer has to check wbuf_len to do the cleanup */
-                        D1(printk(KERN_WARNING "jffs2_flush_wbuf() called from jffs2_flash_writev() failed %d\n", ret));
-                        /* Retlen zero to make sure our caller doesn't mark the space dirty.
-                           We've already done everything that's necessary */
-                        *retlen = 0;
-                        goto exit;
-                }
-                outvec_to += donelen;
-                c->wbuf_ofs = outvec_to;
-                /* All invecs done ? */
-                if (invec == count)
-                        goto alldone;
-                /* Set up the first outvec, containing the remainder of the
-                   invec we partially used */
-                if (invecs[invec].iov_len > invec_ofs) {
-                        outvecs[0].iov_base = invecs[invec].iov_base+invec_ofs;
-                        totlen = outvecs[0].iov_len = invecs[invec].iov_len-invec_ofs;
-                        if (totlen > c->wbuf_pagesize) {
-                                splitvec = outvec;
-                                split_ofs = outvecs[0].iov_len - PAGE_MOD(totlen);
-                        }
-                        outvec++;
-                }
-                invec++;
-        }
-        /* OK, now we've flushed the wbuf and the start of the bits
-           we have been asked to write, now to write the rest.... */
-        /* totlen holds the amount of data still to be written */
-        old_totlen = totlen;
-        for ( ; invec < count; invec++,outvec++ ) {
-                outvecs[outvec].iov_base = invecs[invec].iov_base;
-                totlen += outvecs[outvec].iov_len = invecs[invec].iov_len;
-                if (PAGE_DIV(totlen) != PAGE_DIV(old_totlen)) {
-                        splitvec = outvec;
-                        split_ofs = outvecs[outvec].iov_len - PAGE_MOD(totlen);
-                        old_totlen = totlen;
                }
        }
-        /* Now the outvecs array holds all the remaining data to write */
+        for (invec = 0; invec < count; invec++) {
-        /* Up to splitvec,split_ofs is to be written immediately. The rest
+                int vlen = invecs[invec].iov_len;
-           goes into the (now-empty) wbuf */
+                uint8_t *v = invecs[invec].iov_base;
-        if (splitvec != -1) {
-                uint32_t remainder;
-                remainder = outvecs[splitvec].iov_len - split_ofs;
-                outvecs[splitvec].iov_len = split_ofs;
-                /* We did cross a page boundary, so we write some now */
-                if (jffs2_cleanmarker_oob(c))
-                        ret = c->mtd->writev_ecc(c->mtd, outvecs, splitvec+1, outvec_to, &wbuf_retlen, NULL, c->oobinfo);
-                else
-                        ret = jffs2_flash_direct_writev(c, outvecs, splitvec+1, outvec_to, &wbuf_retlen);
-                if (ret < 0 || wbuf_retlen != PAGE_DIV(totlen)) {
+                wbuf_retlen = jffs2_fill_wbuf(c, v, vlen);
-                        /* At this point we have no problem,
-                           c->wbuf is empty. However refile nextblock to avoid
-                           writing again to same address.
-                        */
-                        struct jffs2_eraseblock *jeb;
-                        spin_lock(&c->erase_completion_lock);
+                if (c->wbuf_len == c->wbuf_pagesize) {
+                        ret = __jffs2_flush_wbuf(c, NOPAD);
-                        jeb = &c->blocks[outvec_to / c->sector_size];
+                        if (ret)
-                        jffs2_block_refile(c, jeb, REFILE_ANYWAY);
+                                goto outerr;
-                        *retlen = 0;
-                        spin_unlock(&c->erase_completion_lock);
-                        goto exit;
                }
+                vlen -= wbuf_retlen;
+                outvec_to += wbuf_retlen;
                donelen += wbuf_retlen;
-                c->wbuf_ofs = PAGE_DIV(outvec_to) + PAGE_DIV(totlen);
+                v += wbuf_retlen;
-                if (remainder) {
+                if (vlen >= c->wbuf_pagesize) {
-                        outvecs[splitvec].iov_base += split_ofs;
+                        ret = c->mtd->write(c->mtd, outvec_to, PAGE_DIV(vlen),
-                        outvecs[splitvec].iov_len = remainder;
+                                            &wbuf_retlen, v);
-                } else {
+                        if (ret < 0 || wbuf_retlen != PAGE_DIV(vlen))
-                        splitvec++;
+                                goto outfile;
+                        vlen -= wbuf_retlen;
+                        outvec_to += wbuf_retlen;
+                        c->wbuf_ofs = outvec_to;
+                        donelen += wbuf_retlen;
+                        v += wbuf_retlen;
                }
-        } else {
+                wbuf_retlen = jffs2_fill_wbuf(c, v, vlen);
-                splitvec = 0;
+                if (c->wbuf_len == c->wbuf_pagesize) {
-        }
+                        ret = __jffs2_flush_wbuf(c, NOPAD);
+                        if (ret)
-        /* Now splitvec points to the start of the bits we have to copy
+                                goto outerr;
-           into the wbuf */
+                }
-        wbuf_ptr = c->wbuf;
-        for ( ; splitvec < outvec; splitvec++) {
+                outvec_to += wbuf_retlen;
-                /* Don't copy the wbuf into itself */
+                donelen += wbuf_retlen;
-                if (outvecs[splitvec].iov_base == c->wbuf)
-                        continue;
-                memcpy(wbuf_ptr, outvecs[splitvec].iov_base, outvecs[splitvec].iov_len);
-                wbuf_ptr += outvecs[splitvec].iov_len;
-                donelen += outvecs[splitvec].iov_len;
        }
-        c->wbuf_len = wbuf_ptr - c->wbuf;
-        /* If there's a remainder in the wbuf and it's a non-GC write,
+        /*
-           remember that the wbuf affects this ino */
+         * If there's a remainder in the wbuf and it's a non-GC write,
-alldone:
+         * remember that the wbuf affects this ino
+         */
        *retlen = donelen;
        if (jffs2_sum_active()) {
@@ -836,8 +854,24 @@ alldone:
                jffs2_wbuf_dirties_inode(c, ino);
        ret = 0;
+        up_write(&c->wbuf_sem);
+        return ret;
-exit:
+outfile:
+        /*
+         * At this point we have no problem, c->wbuf is empty. However
+         * refile nextblock to avoid writing again to same address.
+         */
+        spin_lock(&c->erase_completion_lock);
+        jeb = &c->blocks[outvec_to / c->sector_size];
+        jffs2_block_refile(c, jeb, REFILE_ANYWAY);
+        spin_unlock(&c->erase_completion_lock);
+outerr:
+        *retlen = 0;
        up_write(&c->wbuf_sem);
        return ret;
 }
@@ -846,7 +880,8 @@ exit:
 *      This is the entry for flash write.
 *      Check, if we work on NAND FLASH, if so build an kvec and write it via vritev
 */
-int jffs2_flash_write(struct jffs2_sb_info *c, loff_t ofs, size_t len, size_t *retlen, const u_char *buf)
+int jffs2_flash_write(struct jffs2_sb_info *c, loff_t ofs, size_t len,
+                      size_t *retlen, const u_char *buf)
 {
        struct kvec vecs[1];
@@ -871,25 +906,23 @@ int jffs2_flash_read(struct jffs2_sb_info *c, loff_t ofs, size_t len, size_t *re
        /* Read flash */
        down_read(&c->wbuf_sem);
-        if (jffs2_cleanmarker_oob(c))
+        ret = c->mtd->read(c->mtd, ofs, len, retlen, buf);
-                ret = c->mtd->read_ecc(c->mtd, ofs, len, retlen, buf, NULL, c->oobinfo);
-        else
+        if ( (ret == -EBADMSG || ret == -EUCLEAN) && (*retlen == len) ) {
-                ret = c->mtd->read(c->mtd, ofs, len, retlen, buf);
+                if (ret == -EBADMSG)
+                        printk(KERN_WARNING "mtd->read(0x%zx bytes from 0x%llx)"
-        if ( (ret == -EBADMSG) && (*retlen == len) ) {
+                               " returned ECC error\n", len, ofs);
-                printk(KERN_WARNING "mtd->read(0x%zx bytes from 0x%llx) returned ECC error\n",
-                       len, ofs);
                /*
-                 * We have the raw data without ECC correction in the buffer, maybe
+                 * We have the raw data without ECC correction in the buffer,
-                 * we are lucky and all data or parts are correct. We check the node.
+                 * maybe we are lucky and all data or parts are correct. We
-                 * If data are corrupted node check will sort it out.
+                 * check the node.  If data are corrupted node check will sort
-                 * We keep this block, it will fail on write or erase and the we
+                 * it out.  We keep this block, it will fail on write or erase
-                 * mark it bad. Or should we do that now? But we should give him a chance.
+                 * and the we mark it bad. Or should we do that now? But we
-                 * Maybe we had a system crash or power loss before the ecc write or
+                 * should give him a chance.  Maybe we had a system crash or
-                 * a erase was completed.
+                 * power loss before the ecc write or a erase was completed.
                 * So we return success. :)
                 */
-                ret = 0;
+                ret = 0;
        }
        /* if no writebuffer available or write buffer empty, return */
@@ -911,7 +944,7 @@ int jffs2_flash_read(struct jffs2_sb_info *c, loff_t ofs, size_t len, size_t *re
                orbf = (c->wbuf_ofs - ofs);     /* offset in read buffer */
                if (orbf > len)                 /* is write beyond write buffer ? */
                        goto exit;
-                lwbf = len - orbf;              /* number of bytes to copy */
+                lwbf = len - orbf;              /* number of bytes to copy */
                if (lwbf > c->wbuf_len)
                        lwbf = c->wbuf_len;
        }
@@ -923,158 +956,159 @@ exit:
        return ret;
 }
+#define NR_OOB_SCAN_PAGES       4
 /*
- *      Check, if the out of band area is empty
+ * Check, if the out of band area is empty
 */
-int jffs2_check_oob_empty( struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb, int mode)
+int jffs2_check_oob_empty(struct jffs2_sb_info *c,
+                          struct jffs2_eraseblock *jeb, int mode)
 {
-        unsigned char *buf;
+        int i, page, ret;
-        int     ret = 0;
+        int oobsize = c->mtd->oobsize;
-        int     i,len,page;
+        struct mtd_oob_ops ops;
-        size_t  retlen;
-        int     oob_size;
+        ops.len = NR_OOB_SCAN_PAGES * oobsize;
+        ops.ooblen = oobsize;
-        /* allocate a buffer for all oob data in this sector */
+        ops.oobbuf = c->oobbuf;
-        oob_size = c->mtd->oobsize;
+        ops.ooboffs = 0;
-        len = 4 * oob_size;
+        ops.datbuf = NULL;
-        buf = kmalloc(len, GFP_KERNEL);
+        ops.mode = MTD_OOB_PLACE;
-        if (!buf) {
-                printk(KERN_NOTICE "jffs2_check_oob_empty(): allocation of temporary data buffer for oob check failed\n");
+        ret = c->mtd->read_oob(c->mtd, jeb->offset, &ops);
-                return -ENOMEM;
-        }
-        /*
-         * if mode = 0, we scan for a total empty oob area, else we have
-         * to take care of the cleanmarker in the first page of the block
-        */
-        ret = jffs2_flash_read_oob(c, jeb->offset, len , &retlen, buf);
        if (ret) {
-                D1(printk(KERN_WARNING "jffs2_check_oob_empty(): Read OOB failed %d for block at %08x\n", ret, jeb->offset));
+                D1(printk(KERN_WARNING "jffs2_check_oob_empty(): Read OOB "
-                goto out;
+                          "failed %d for block at %08x\n", ret, jeb->offset));
+                return ret;
        }
-        if (retlen < len) {
+        if (ops.retlen < ops.len) {
-                D1(printk(KERN_WARNING "jffs2_check_oob_empty(): Read OOB return short read "
+                D1(printk(KERN_WARNING "jffs2_check_oob_empty(): Read OOB "
-                          "(%zd bytes not %d) for block at %08x\n", retlen, len, jeb->offset));
+                          "returned short read (%zd bytes not %d) for block "
-                ret = -EIO;
+                          "at %08x\n", ops.retlen, ops.len, jeb->offset));
-                goto out;
+                return -EIO;
        }
        /* Special check for first page */
-        for(i = 0; i < oob_size ; i++) {
+        for(i = 0; i < oobsize ; i++) {
                /* Yeah, we know about the cleanmarker. */
                if (mode && i >= c->fsdata_pos &&
                    i < c->fsdata_pos + c->fsdata_len)
                        continue;
-                if (buf[i] != 0xFF) {
+                if (ops.oobbuf[i] != 0xFF) {
-                        D2(printk(KERN_DEBUG "Found %02x at %x in OOB for %08x\n",
+                        D2(printk(KERN_DEBUG "Found %02x at %x in OOB for "
-                                  buf[i], i, jeb->offset));
+                                  "%08x\n", ops.oobbuf[i], i, jeb->offset));
-                        ret = 1;
+                        return 1;
-                        goto out;
                }
        }
        /* we know, we are aligned :) */
-        for (page = oob_size; page < len; page += sizeof(long)) {
+        for (page = oobsize; page < ops.len; page += sizeof(long)) {
-                unsigned long dat = *(unsigned long *)(&buf[page]);
+                long dat = *(long *)(&ops.oobbuf[page]);
-                if(dat != -1) {
+                if(dat != -1)
-                        ret = 1;
+                        return 1;
-                        goto out;
-                }
        }
+        return 0;
-out:
-        kfree(buf);
-        return ret;
 }
 /*
-*       Scan for a valid cleanmarker and for bad blocks
+ * Scan for a valid cleanmarker and for bad blocks
-*       For virtual blocks (concatenated physical blocks) check the cleanmarker
+ */
-*       only in the first page of the first physical block, but scan for bad blocks in all
+int jffs2_check_nand_cleanmarker (struct jffs2_sb_info *c,
-*       physical blocks
+                                  struct jffs2_eraseblock *jeb)
-*/
-int jffs2_check_nand_cleanmarker (struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb)
 {
        struct jffs2_unknown_node n;
-        unsigned char buf[2 * NAND_MAX_OOBSIZE];
+        struct mtd_oob_ops ops;
-        unsigned char *p;
+        int oobsize = c->mtd->oobsize;
-        int ret, i, cnt, retval = 0;
+        unsigned char *p,*b;
-        size_t retlen, offset;
+        int i, ret;
-        int oob_size;
+        size_t offset = jeb->offset;
-        offset = jeb->offset;
+        /* Check first if the block is bad. */
-        oob_size = c->mtd->oobsize;
+        if (c->mtd->block_isbad(c->mtd, offset)) {
+                D1 (printk(KERN_WARNING "jffs2_check_nand_cleanmarker()"
-        /* Loop through the physical blocks */
+                           ": Bad block at %08x\n", jeb->offset));
-        for (cnt = 0; cnt < (c->sector_size / c->mtd->erasesize); cnt++) {
+                return 2;
-                /* Check first if the block is bad. */
+        }
-                if (c->mtd->block_isbad (c->mtd, offset)) {
-                        D1 (printk (KERN_WARNING "jffs2_check_nand_cleanmarker(): Bad block at %08x\n", jeb->offset));
-                        return 2;
-                }
-                /*
-                   *    We read oob data from page 0 and 1 of the block.
-                   *    page 0 contains cleanmarker and badblock info
-                   *    page 1 contains failure count of this block
-                 */
-                ret = c->mtd->read_oob (c->mtd, offset, oob_size << 1, &retlen, buf);
-                if (ret) {
+        ops.len = oobsize;
-                        D1 (printk (KERN_WARNING "jffs2_check_nand_cleanmarker(): Read OOB failed %d for block at %08x\n", ret, jeb->offset));
+        ops.ooblen = oobsize;
-                        return ret;
+        ops.oobbuf = c->oobbuf;
-                }
+        ops.ooboffs = 0;
-                if (retlen < (oob_size << 1)) {
+        ops.datbuf = NULL;
-                        D1 (printk (KERN_WARNING "jffs2_check_nand_cleanmarker(): Read OOB return short read (%zd bytes not %d) for block at %08x\n", retlen, oob_size << 1, jeb->offset));
+        ops.mode = MTD_OOB_PLACE;
-                        return -EIO;
-                }
-                /* Check cleanmarker only on the first physical block */
+        ret = c->mtd->read_oob(c->mtd, offset, &ops);
-                if (!cnt) {
+        if (ret) {
-                        n.magic = cpu_to_je16 (JFFS2_MAGIC_BITMASK);
+                D1 (printk(KERN_WARNING "jffs2_check_nand_cleanmarker(): "
-                        n.nodetype = cpu_to_je16 (JFFS2_NODETYPE_CLEANMARKER);
+                           "Read OOB failed %d for block at %08x\n",
-                        n.totlen = cpu_to_je32 (8);
+                           ret, jeb->offset));
-                        p = (unsigned char *) &n;
+                return ret;
+        }
-                        for (i = 0; i < c->fsdata_len; i++) {
+        if (ops.retlen < ops.len) {
-                                if (buf[c->fsdata_pos + i] != p[i]) {
+                D1 (printk (KERN_WARNING "jffs2_check_nand_cleanmarker(): "
-                                        retval = 1;
+                            "Read OOB return short read (%zd bytes not %d) "
-                                }
+                            "for block at %08x\n", ops.retlen, ops.len,
-                        }
+                            jeb->offset));
-                        D1(if (retval == 1) {
+                return -EIO;
-                                printk(KERN_WARNING "jffs2_check_nand_cleanmarker(): Cleanmarker node not detected in block at %08x\n", jeb->offset);
-                                printk(KERN_WARNING "OOB at %08x was ", offset);
-                                for (i=0; i < oob_size; i++) {
-                                        printk("%02x ", buf[i]);
-                                }
-                                printk("\n");
-                        })
-                }
-                offset += c->mtd->erasesize;
        }
-        return retval;
+        n.magic = cpu_to_je16 (JFFS2_MAGIC_BITMASK);
+        n.nodetype = cpu_to_je16 (JFFS2_NODETYPE_CLEANMARKER);
+        n.totlen = cpu_to_je32 (8);
+        p = (unsigned char *) &n;
+        b = c->oobbuf + c->fsdata_pos;
+        for (i = c->fsdata_len; i; i--) {
+                if (*b++ != *p++)
+                        ret = 1;
+        }
+        D1(if (ret == 1) {
+                printk(KERN_WARNING "jffs2_check_nand_cleanmarker(): "
+                       "Cleanmarker node not detected in block at %08x\n",
+                       offset);
+                printk(KERN_WARNING "OOB at %08zx was ", offset);
+                for (i=0; i < oobsize; i++)
+                        printk("%02x ", c->oobbuf[i]);
+                printk("\n");
+        });
+        return ret;
 }
-int jffs2_write_nand_cleanmarker(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb)
+int jffs2_write_nand_cleanmarker(struct jffs2_sb_info *c,
+                                 struct jffs2_eraseblock *jeb)
 {
-        struct  jffs2_unknown_node n;
+        struct jffs2_unknown_node n;
-        int     ret;
+        int     ret;
-        size_t  retlen;
+        struct mtd_oob_ops ops;
        n.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK);
        n.nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER);
        n.totlen = cpu_to_je32(8);
-        ret = jffs2_flash_write_oob(c, jeb->offset + c->fsdata_pos, c->fsdata_len, &retlen, (unsigned char *)&n);
+        ops.len = c->fsdata_len;
+        ops.ooblen = c->fsdata_len;;
+        ops.oobbuf = (uint8_t *)&n;
+        ops.ooboffs = c->fsdata_pos;
+        ops.datbuf = NULL;
+        ops.mode = MTD_OOB_PLACE;
+        ret = c->mtd->write_oob(c->mtd, jeb->offset, &ops);
        if (ret) {
-                D1(printk(KERN_WARNING "jffs2_write_nand_cleanmarker(): Write failed for block at %08x: error %d\n", jeb->offset, ret));
+                D1(printk(KERN_WARNING "jffs2_write_nand_cleanmarker(): "
+                          "Write failed for block at %08x: error %d\n",
+                          jeb->offset, ret));
                return ret;
        }
-        if (retlen != c->fsdata_len) {
+        if (ops.retlen != ops.len) {
-                D1(printk(KERN_WARNING "jffs2_write_nand_cleanmarker(): Short write for block at %08x: %zd not %d\n", jeb->offset, retlen, c->fsdata_len));
+                D1(printk(KERN_WARNING "jffs2_write_nand_cleanmarker(): "
-                return ret;
+                          "Short write for block at %08x: %zd not %d\n",
+                          jeb->offset, ops.retlen, ops.len));
+                return -EIO;
        }
        return 0;
 }
@@ -1108,18 +1142,9 @@ int jffs2_write_nand_badblock(struct jffs2_sb_info *c, struct jffs2_eraseblock *
        return 1;
 }
-#define NAND_JFFS2_OOB16_FSDALEN        8
-static struct nand_oobinfo jffs2_oobinfo_docecc = {
-        .useecc = MTD_NANDECC_PLACE,
-        .eccbytes = 6,
-        .eccpos = {0,1,2,3,4,5}
-};
 static int jffs2_nand_set_oobinfo(struct jffs2_sb_info *c)
 {
-        struct nand_oobinfo *oinfo = &c->mtd->oobinfo;
+        struct nand_ecclayout *oinfo = c->mtd->ecclayout;
        /* Do this only, if we have an oob buffer */
        if (!c->mtd->oobsize)
@@ -1129,33 +1154,23 @@ static int jffs2_nand_set_oobinfo(struct jffs2_sb_info *c)
        c->cleanmarker_size = 0;
        /* Should we use autoplacement ? */
-        if (oinfo && oinfo->useecc == MTD_NANDECC_AUTOPLACE) {
+        if (!oinfo) {
-                D1(printk(KERN_DEBUG "JFFS2 using autoplace on NAND\n"));
+                D1(printk(KERN_DEBUG "JFFS2 on NAND. No autoplacment info found\n"));
-                /* Get the position of the free bytes */
+                return -EINVAL;
-                if (!oinfo->oobfree[0][1]) {
+        }
-                        printk (KERN_WARNING "jffs2_nand_set_oobinfo(): Eeep. Autoplacement selected and no empty space in oob\n");
-                        return -ENOSPC;
-                }
-                c->fsdata_pos = oinfo->oobfree[0][0];
-                c->fsdata_len = oinfo->oobfree[0][1];
-                if (c->fsdata_len > 8)
-                        c->fsdata_len = 8;
-        } else {
-                /* This is just a legacy fallback and should go away soon */
-                switch(c->mtd->ecctype) {
-                case MTD_ECC_RS_DiskOnChip:
-                        printk(KERN_WARNING "JFFS2 using DiskOnChip hardware ECC without autoplacement. Fix it!\n");
-                        c->oobinfo = &jffs2_oobinfo_docecc;
-                        c->fsdata_pos = 6;
-                        c->fsdata_len = NAND_JFFS2_OOB16_FSDALEN;
-                        c->badblock_pos = 15;
-                        break;
-                default:
+        D1(printk(KERN_DEBUG "JFFS2 using autoplace on NAND\n"));
-                        D1(printk(KERN_DEBUG "JFFS2 on NAND. No autoplacment info found\n"));
+        /* Get the position of the free bytes */
-                        return -EINVAL;
+        if (!oinfo->oobfree[0].length) {
-                }
+                printk (KERN_WARNING "jffs2_nand_set_oobinfo(): Eeep."
+                        " Autoplacement selected and no empty space in oob\n");
+                return -ENOSPC;
        }
+        c->fsdata_pos = oinfo->oobfree[0].offset;
+        c->fsdata_len = oinfo->oobfree[0].length;
+        if (c->fsdata_len > 8)
+                c->fsdata_len = 8;
        return 0;
 }
@@ -1165,13 +1180,17 @@ int jffs2_nand_flash_setup(struct jffs2_sb_info *c)
        /* Initialise write buffer */
        init_rwsem(&c->wbuf_sem);
-        c->wbuf_pagesize = c->mtd->oobblock;
+        c->wbuf_pagesize = c->mtd->writesize;
        c->wbuf_ofs = 0xFFFFFFFF;
        c->wbuf = kmalloc(c->wbuf_pagesize, GFP_KERNEL);
        if (!c->wbuf)
                return -ENOMEM;
+        c->oobbuf = kmalloc(NR_OOB_SCAN_PAGES * c->mtd->oobsize, GFP_KERNEL);
+        if (!c->oobbuf)
+                return -ENOMEM;
        res = jffs2_nand_set_oobinfo(c);
 #ifdef BREAKME
@@ -1189,6 +1208,7 @@ int jffs2_nand_flash_setup(struct jffs2_sb_info *c)
 void jffs2_nand_flash_cleanup(struct jffs2_sb_info *c)
 {
        kfree(c->wbuf);
+        kfree(c->oobbuf);
 }
 int jffs2_dataflash_setup(struct jffs2_sb_info *c) {
@@ -1236,33 +1256,14 @@ void jffs2_dataflash_cleanup(struct jffs2_sb_info *c) {
        kfree(c->wbuf);
 }
-int jffs2_nor_ecc_flash_setup(struct jffs2_sb_info *c) {
-        /* Cleanmarker is actually larger on the flashes */
-        c->cleanmarker_size = 16;
-        /* Initialize write buffer */
-        init_rwsem(&c->wbuf_sem);
-        c->wbuf_pagesize = c->mtd->eccsize;
-        c->wbuf_ofs = 0xFFFFFFFF;
-        c->wbuf = kmalloc(c->wbuf_pagesize, GFP_KERNEL);
-        if (!c->wbuf)
-                return -ENOMEM;
-        return 0;
-}
-void jffs2_nor_ecc_flash_cleanup(struct jffs2_sb_info *c) {
-        kfree(c->wbuf);
-}
 int jffs2_nor_wbuf_flash_setup(struct jffs2_sb_info *c) {
-        /* Cleanmarker currently occupies a whole programming region */
+        /* Cleanmarker currently occupies whole programming regions,
-        c->cleanmarker_size = MTD_PROGREGION_SIZE(c->mtd);
+         * either one or 2 for 8Byte STMicro flashes. */
+        c->cleanmarker_size = max(16u, c->mtd->writesize);
        /* Initialize write buffer */
        init_rwsem(&c->wbuf_sem);
-        c->wbuf_pagesize = MTD_PROGREGION_SIZE(c->mtd);
+        c->wbuf_pagesize = c->mtd->writesize;
        c->wbuf_ofs = 0xFFFFFFFF;
        c->wbuf = kmalloc(c->wbuf_pagesize, GFP_KERNEL);
diff --git a/fs/jffs2/write.c b/fs/jffs2/write.c
index 1342f0158e9b..67176792e138 100644
--- a/fs/jffs2/write.c
+++ b/fs/jffs2/write.c
@@ -37,7 +37,6 @@ int jffs2_do_new_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f, uint
        f->inocache->nodes = (struct jffs2_raw_node_ref *)f->inocache;
        f->inocache->state = INO_STATE_PRESENT;
        jffs2_add_ino_cache(c, f->inocache);
        D1(printk(KERN_DEBUG "jffs2_do_new_inode(): Assigned ino# %d\n", f->inocache->ino));
        ri->ino = cpu_to_je32(f->inocache->ino);
@@ -57,12 +56,14 @@ int jffs2_do_new_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f, uint
 /* jffs2_write_dnode - given a raw_inode, allocate a full_dnode for it,
   write it to the flash, link it into the existing inode/fragment list */
-struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2_inode_info *f, struct jffs2_raw_inode *ri, const unsigned char *data, uint32_t datalen, uint32_t flash_ofs, int alloc_mode)
+struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2_inode_info *f,
+                                           struct jffs2_raw_inode *ri, const unsigned char *data,
+                                           uint32_t datalen, int alloc_mode)
 {
-        struct jffs2_raw_node_ref *raw;
        struct jffs2_full_dnode *fn;
        size_t retlen;
+        uint32_t flash_ofs;
        struct kvec vecs[2];
        int ret;
        int retried = 0;
@@ -78,34 +79,21 @@ struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2
        vecs[1].iov_base = (unsigned char *)data;
        vecs[1].iov_len = datalen;
-        jffs2_dbg_prewrite_paranoia_check(c, flash_ofs, vecs[0].iov_len + vecs[1].iov_len);
        if (je32_to_cpu(ri->totlen) != sizeof(*ri) + datalen) {
                printk(KERN_WARNING "jffs2_write_dnode: ri->totlen (0x%08x) != sizeof(*ri) (0x%08zx) + datalen (0x%08x)\n", je32_to_cpu(ri->totlen), sizeof(*ri), datalen);
        }
-        raw = jffs2_alloc_raw_node_ref();
-        if (!raw)
-                return ERR_PTR(-ENOMEM);
        fn = jffs2_alloc_full_dnode();
-        if (!fn) {
+        if (!fn)
-                jffs2_free_raw_node_ref(raw);
                return ERR_PTR(-ENOMEM);
-        }
-        fn->ofs = je32_to_cpu(ri->offset);
-        fn->size = je32_to_cpu(ri->dsize);
-        fn->frags = 0;
        /* check number of valid vecs */
        if (!datalen || !data)
                cnt = 1;
 retry:
-        fn->raw = raw;
+        flash_ofs = write_ofs(c);
-        raw->flash_offset = flash_ofs;
+        jffs2_dbg_prewrite_paranoia_check(c, flash_ofs, vecs[0].iov_len + vecs[1].iov_len);
-        raw->__totlen = PAD(sizeof(*ri)+datalen);
-        raw->next_phys = NULL;
        if ((alloc_mode!=ALLOC_GC) && (je32_to_cpu(ri->version) < f->highest_version)) {
                BUG_ON(!retried);
@@ -125,22 +113,16 @@ struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2
                /* Mark the space as dirtied */
                if (retlen) {
-                        /* Doesn't belong to any inode */
-                        raw->next_in_ino = NULL;
                        /* Don't change raw->size to match retlen. We may have
                           written the node header already, and only the data will
                           seem corrupted, in which case the scan would skip over
                           any node we write before the original intended end of
                           this node */
-                        raw->flash_offset |= REF_OBSOLETE;
+                        jffs2_add_physical_node_ref(c, flash_ofs | REF_OBSOLETE, PAD(sizeof(*ri)+datalen), NULL);
-                        jffs2_add_physical_node_ref(c, raw);
-                        jffs2_mark_node_obsolete(c, raw);
                } else {
-                        printk(KERN_NOTICE "Not marking the space at 0x%08x as dirty because the flash driver returned retlen zero\n", raw->flash_offset);
+                        printk(KERN_NOTICE "Not marking the space at 0x%08x as dirty because the flash driver returned retlen zero\n", flash_ofs);
-                        jffs2_free_raw_node_ref(raw);
                }
-                if (!retried && alloc_mode != ALLOC_NORETRY && (raw = jffs2_alloc_raw_node_ref())) {
+                if (!retried && alloc_mode != ALLOC_NORETRY) {
                        /* Try to reallocate space and retry */
                        uint32_t dummy;
                        struct jffs2_eraseblock *jeb = &c->blocks[flash_ofs / c->sector_size];
@@ -153,19 +135,20 @@ struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2
                        jffs2_dbg_acct_paranoia_check(c, jeb);
                        if (alloc_mode == ALLOC_GC) {
-                                ret = jffs2_reserve_space_gc(c, sizeof(*ri) + datalen, &flash_ofs,
+                                ret = jffs2_reserve_space_gc(c, sizeof(*ri) + datalen, &dummy,
-                                                        &dummy, JFFS2_SUMMARY_INODE_SIZE);
+                                                             JFFS2_SUMMARY_INODE_SIZE);
                        } else {
                                /* Locking pain */
                                up(&f->sem);
                                jffs2_complete_reservation(c);
-                                ret = jffs2_reserve_space(c, sizeof(*ri) + datalen, &flash_ofs,
+                                ret = jffs2_reserve_space(c, sizeof(*ri) + datalen, &dummy,
-                                                        &dummy, alloc_mode, JFFS2_SUMMARY_INODE_SIZE);
+                                                          alloc_mode, JFFS2_SUMMARY_INODE_SIZE);
                                down(&f->sem);
                        }
                        if (!ret) {
+                                flash_ofs = write_ofs(c);
                                D1(printk(KERN_DEBUG "Allocated space at 0x%08x to retry failed write.\n", flash_ofs));
                                jffs2_dbg_acct_sanity_check(c,jeb);
@@ -174,7 +157,6 @@ struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2
                                goto retry;
                        }
                        D1(printk(KERN_DEBUG "Failed to allocate space to retry failed write: %d!\n", ret));
-                        jffs2_free_raw_node_ref(raw);
                }
                /* Release the full_dnode which is now useless, and return */
                jffs2_free_full_dnode(fn);
@@ -188,20 +170,17 @@ struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2
        if ((je32_to_cpu(ri->dsize) >= PAGE_CACHE_SIZE) ||
            ( ((je32_to_cpu(ri->offset)&(PAGE_CACHE_SIZE-1))==0) &&
              (je32_to_cpu(ri->dsize)+je32_to_cpu(ri->offset) ==  je32_to_cpu(ri->isize)))) {
-                raw->flash_offset |= REF_PRISTINE;
+                flash_ofs |= REF_PRISTINE;
        } else {
-                raw->flash_offset |= REF_NORMAL;
+                flash_ofs |= REF_NORMAL;
        }
-        jffs2_add_physical_node_ref(c, raw);
+        fn->raw = jffs2_add_physical_node_ref(c, flash_ofs, PAD(sizeof(*ri)+datalen), f->inocache);
+        fn->ofs = je32_to_cpu(ri->offset);
-        /* Link into per-inode list */
+        fn->size = je32_to_cpu(ri->dsize);
-        spin_lock(&c->erase_completion_lock);
+        fn->frags = 0;
-        raw->next_in_ino = f->inocache->nodes;
-        f->inocache->nodes = raw;
-        spin_unlock(&c->erase_completion_lock);
        D1(printk(KERN_DEBUG "jffs2_write_dnode wrote node at 0x%08x(%d) with dsize 0x%x, csize 0x%x, node_crc 0x%08x, data_crc 0x%08x, totlen 0x%08x\n",
-                  flash_ofs, ref_flags(raw), je32_to_cpu(ri->dsize),
+                  flash_ofs & ~3, flash_ofs & 3, je32_to_cpu(ri->dsize),
                  je32_to_cpu(ri->csize), je32_to_cpu(ri->node_crc),
                  je32_to_cpu(ri->data_crc), je32_to_cpu(ri->totlen)));
@@ -212,12 +191,14 @@ struct jffs2_full_dnode *jffs2_write_dnode(struct jffs2_sb_info *c, struct jffs2
        return fn;
 }
-struct jffs2_full_dirent *jffs2_write_dirent(struct jffs2_sb_info *c, struct jffs2_inode_info *f, struct jffs2_raw_dirent *rd, const unsigned char *name, uint32_t namelen, uint32_t flash_ofs, int alloc_mode)
+struct jffs2_full_dirent *jffs2_write_dirent(struct jffs2_sb_info *c, struct jffs2_inode_info *f,
+                                             struct jffs2_raw_dirent *rd, const unsigned char *name,
+                                             uint32_t namelen, int alloc_mode)
 {
-        struct jffs2_raw_node_ref *raw;
        struct jffs2_full_dirent *fd;
        size_t retlen;
        struct kvec vecs[2];
+        uint32_t flash_ofs;
        int retried = 0;
        int ret;
@@ -228,26 +209,16 @@ struct jffs2_full_dirent *jffs2_write_dirent(struct jffs2_sb_info *c, struct jff
        D1(if(je32_to_cpu(rd->hdr_crc) != crc32(0, rd, sizeof(struct jffs2_unknown_node)-4)) {
                printk(KERN_CRIT "Eep. CRC not correct in jffs2_write_dirent()\n");
                BUG();
-        }
+           });
-           );
        vecs[0].iov_base = rd;
        vecs[0].iov_len = sizeof(*rd);
        vecs[1].iov_base = (unsigned char *)name;
        vecs[1].iov_len = namelen;
-        jffs2_dbg_prewrite_paranoia_check(c, flash_ofs, vecs[0].iov_len + vecs[1].iov_len);
-        raw = jffs2_alloc_raw_node_ref();
-        if (!raw)
-                return ERR_PTR(-ENOMEM);
        fd = jffs2_alloc_full_dirent(namelen+1);
-        if (!fd) {
+        if (!fd)
-                jffs2_free_raw_node_ref(raw);
                return ERR_PTR(-ENOMEM);
-        }
        fd->version = je32_to_cpu(rd->version);
        fd->ino = je32_to_cpu(rd->ino);
@@ -257,11 +228,9 @@ struct jffs2_full_dirent *jffs2_write_dirent(struct jffs2_sb_info *c, struct jff
        fd->name[namelen]=0;
 retry:
-        fd->raw = raw;
+        flash_ofs = write_ofs(c);
-        raw->flash_offset = flash_ofs;
+        jffs2_dbg_prewrite_paranoia_check(c, flash_ofs, vecs[0].iov_len + vecs[1].iov_len);
-        raw->__totlen = PAD(sizeof(*rd)+namelen);
-        raw->next_phys = NULL;
        if ((alloc_mode!=ALLOC_GC) && (je32_to_cpu(rd->version) < f->highest_version)) {
                BUG_ON(!retried);
@@ -280,15 +249,11 @@ struct jffs2_full_dirent *jffs2_write_dirent(struct jffs2_sb_info *c, struct jff
                               sizeof(*rd)+namelen, flash_ofs, ret, retlen);
                /* Mark the space as dirtied */
                if (retlen) {
-                        raw->next_in_ino = NULL;
+                        jffs2_add_physical_node_ref(c, flash_ofs | REF_OBSOLETE, PAD(sizeof(*rd)+namelen), NULL);
-                        raw->flash_offset |= REF_OBSOLETE;
-                        jffs2_add_physical_node_ref(c, raw);
-                        jffs2_mark_node_obsolete(c, raw);
                } else {
-                        printk(KERN_NOTICE "Not marking the space at 0x%08x as dirty because the flash driver returned retlen zero\n", raw->flash_offset);
+                        printk(KERN_NOTICE "Not marking the space at 0x%08x as dirty because the flash driver returned retlen zero\n", flash_ofs);
-                        jffs2_free_raw_node_ref(raw);
                }
-                if (!retried && (raw = jffs2_alloc_raw_node_ref())) {
+                if (!retried) {
                        /* Try to reallocate space and retry */
                        uint32_t dummy;
                        struct jffs2_eraseblock *jeb = &c->blocks[flash_ofs / c->sector_size];
@@ -301,39 +266,33 @@ struct jffs2_full_dirent *jffs2_write_dirent(struct jffs2_sb_info *c, struct jff
                        jffs2_dbg_acct_paranoia_check(c, jeb);
                        if (alloc_mode == ALLOC_GC) {
-                                ret = jffs2_reserve_space_gc(c, sizeof(*rd) + namelen, &flash_ofs,
+                                ret = jffs2_reserve_space_gc(c, sizeof(*rd) + namelen, &dummy,
-                                                        &dummy, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
+                                                             JFFS2_SUMMARY_DIRENT_SIZE(namelen));
                        } else {
                                /* Locking pain */
                                up(&f->sem);
                                jffs2_complete_reservation(c);
-                                ret = jffs2_reserve_space(c, sizeof(*rd) + namelen, &flash_ofs,
+                                ret = jffs2_reserve_space(c, sizeof(*rd) + namelen, &dummy,
-                                                        &dummy, alloc_mode, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
+                                                          alloc_mode, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
                                down(&f->sem);
                        }
                        if (!ret) {
+                                flash_ofs = write_ofs(c);
                                D1(printk(KERN_DEBUG "Allocated space at 0x%08x to retry failed write.\n", flash_ofs));
                                jffs2_dbg_acct_sanity_check(c,jeb);
                                jffs2_dbg_acct_paranoia_check(c, jeb);
                                goto retry;
                        }
                        D1(printk(KERN_DEBUG "Failed to allocate space to retry failed write: %d!\n", ret));
-                        jffs2_free_raw_node_ref(raw);
                }
                /* Release the full_dnode which is now useless, and return */
                jffs2_free_full_dirent(fd);
                return ERR_PTR(ret?ret:-EIO);
        }
        /* Mark the space used */
-        raw->flash_offset |= REF_PRISTINE;
+        fd->raw = jffs2_add_physical_node_ref(c, flash_ofs | REF_PRISTINE, PAD(sizeof(*rd)+namelen), f->inocache);
-        jffs2_add_physical_node_ref(c, raw);
-        spin_lock(&c->erase_completion_lock);
-        raw->next_in_ino = f->inocache->nodes;
-        f->inocache->nodes = raw;
-        spin_unlock(&c->erase_completion_lock);
        if (retried) {
                jffs2_dbg_acct_sanity_check(c,NULL);
@@ -359,14 +318,14 @@ int jffs2_write_inode_range(struct jffs2_sb_info *c, struct jffs2_inode_info *f,
                struct jffs2_full_dnode *fn;
                unsigned char *comprbuf = NULL;
                uint16_t comprtype = JFFS2_COMPR_NONE;
-                uint32_t phys_ofs, alloclen;
+                uint32_t alloclen;
                uint32_t datalen, cdatalen;
                int retried = 0;
        retry:
                D2(printk(KERN_DEBUG "jffs2_commit_write() loop: 0x%x to write to 0x%x\n", writelen, offset));
-                ret = jffs2_reserve_space(c, sizeof(*ri) + JFFS2_MIN_DATA_LEN, &phys_ofs,
+                ret = jffs2_reserve_space(c, sizeof(*ri) + JFFS2_MIN_DATA_LEN,
                                        &alloclen, ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
                if (ret) {
                        D1(printk(KERN_DEBUG "jffs2_reserve_space returned %d\n", ret));
@@ -394,7 +353,7 @@ int jffs2_write_inode_range(struct jffs2_sb_info *c, struct jffs2_inode_info *f,
                ri->node_crc = cpu_to_je32(crc32(0, ri, sizeof(*ri)-8));
                ri->data_crc = cpu_to_je32(crc32(0, comprbuf, cdatalen));
-                fn = jffs2_write_dnode(c, f, ri, comprbuf, cdatalen, phys_ofs, ALLOC_NORETRY);
+                fn = jffs2_write_dnode(c, f, ri, comprbuf, cdatalen, ALLOC_NORETRY);
                jffs2_free_comprbuf(comprbuf, buf);
@@ -448,13 +407,13 @@ int jffs2_do_create(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, str
        struct jffs2_raw_dirent *rd;
        struct jffs2_full_dnode *fn;
        struct jffs2_full_dirent *fd;
-        uint32_t alloclen, phys_ofs;
+        uint32_t alloclen;
        int ret;
        /* Try to reserve enough space for both node and dirent.
         * Just the node will do for now, though
         */
-        ret = jffs2_reserve_space(c, sizeof(*ri), &phys_ofs, &alloclen, ALLOC_NORMAL,
+        ret = jffs2_reserve_space(c, sizeof(*ri), &alloclen, ALLOC_NORMAL,
                                JFFS2_SUMMARY_INODE_SIZE);
        D1(printk(KERN_DEBUG "jffs2_do_create(): reserved 0x%x bytes\n", alloclen));
        if (ret) {
@@ -465,7 +424,7 @@ int jffs2_do_create(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, str
        ri->data_crc = cpu_to_je32(0);
        ri->node_crc = cpu_to_je32(crc32(0, ri, sizeof(*ri)-8));
-        fn = jffs2_write_dnode(c, f, ri, NULL, 0, phys_ofs, ALLOC_NORMAL);
+        fn = jffs2_write_dnode(c, f, ri, NULL, 0, ALLOC_NORMAL);
        D1(printk(KERN_DEBUG "jffs2_do_create created file with mode 0x%x\n",
                  jemode_to_cpu(ri->mode)));
@@ -484,7 +443,7 @@ int jffs2_do_create(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, str
        up(&f->sem);
        jffs2_complete_reservation(c);
-        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &phys_ofs, &alloclen,
+        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &alloclen,
                                ALLOC_NORMAL, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
        if (ret) {
@@ -516,7 +475,7 @@ int jffs2_do_create(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, str
        rd->node_crc = cpu_to_je32(crc32(0, rd, sizeof(*rd)-8));
        rd->name_crc = cpu_to_je32(crc32(0, name, namelen));
-        fd = jffs2_write_dirent(c, dir_f, rd, name, namelen, phys_ofs, ALLOC_NORMAL);
+        fd = jffs2_write_dirent(c, dir_f, rd, name, namelen, ALLOC_NORMAL);
        jffs2_free_raw_dirent(rd);
@@ -545,7 +504,7 @@ int jffs2_do_unlink(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f,
 {
        struct jffs2_raw_dirent *rd;
        struct jffs2_full_dirent *fd;
-        uint32_t alloclen, phys_ofs;
+        uint32_t alloclen;
        int ret;
        if (1 /* alternative branch needs testing */ ||
@@ -556,7 +515,7 @@ int jffs2_do_unlink(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f,
                if (!rd)
                        return -ENOMEM;
-                ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &phys_ofs, &alloclen,
+                ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &alloclen,
                                        ALLOC_DELETION, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
                if (ret) {
                        jffs2_free_raw_dirent(rd);
@@ -580,7 +539,7 @@ int jffs2_do_unlink(struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f,
                rd->node_crc = cpu_to_je32(crc32(0, rd, sizeof(*rd)-8));
                rd->name_crc = cpu_to_je32(crc32(0, name, namelen));
-                fd = jffs2_write_dirent(c, dir_f, rd, name, namelen, phys_ofs, ALLOC_DELETION);
+                fd = jffs2_write_dirent(c, dir_f, rd, name, namelen, ALLOC_DELETION);
                jffs2_free_raw_dirent(rd);
@@ -659,14 +618,14 @@ int jffs2_do_link (struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, uint
 {
        struct jffs2_raw_dirent *rd;
        struct jffs2_full_dirent *fd;
-        uint32_t alloclen, phys_ofs;
+        uint32_t alloclen;
        int ret;
        rd = jffs2_alloc_raw_dirent();
        if (!rd)
                return -ENOMEM;
-        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &phys_ofs, &alloclen,
+        ret = jffs2_reserve_space(c, sizeof(*rd)+namelen, &alloclen,
                                ALLOC_NORMAL, JFFS2_SUMMARY_DIRENT_SIZE(namelen));
        if (ret) {
                jffs2_free_raw_dirent(rd);
@@ -692,7 +651,7 @@ int jffs2_do_link (struct jffs2_sb_info *c, struct jffs2_inode_info *dir_f, uint
        rd->node_crc = cpu_to_je32(crc32(0, rd, sizeof(*rd)-8));
        rd->name_crc = cpu_to_je32(crc32(0, name, namelen));
-        fd = jffs2_write_dirent(c, dir_f, rd, name, namelen, phys_ofs, ALLOC_NORMAL);
+        fd = jffs2_write_dirent(c, dir_f, rd, name, namelen, ALLOC_NORMAL);
        jffs2_free_raw_dirent(rd);
diff --git a/fs/jffs2/xattr.c b/fs/jffs2/xattr.c
new file mode 100644
index 000000000000..18e66dbf23b4
--- /dev/null
+++ b/fs/jffs2/xattr.c
@@ -0,0 +1,1326 @@
+/*
+ * JFFS2 -- Journalling Flash File System, Version 2.
+ *
+ * Copyright (C) 2006  NEC Corporation
+ *
+ * Created by KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ * For licensing information, see the file 'LICENCE' in this directory.
+ *
+ */
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/fs.h>
+#include <linux/time.h>
+#include <linux/pagemap.h>
+#include <linux/highmem.h>
+#include <linux/crc32.h>
+#include <linux/jffs2.h>
+#include <linux/xattr.h>
+#include <linux/mtd/mtd.h>
+#include "nodelist.h"
+/* -------- xdatum related functions ----------------
+ * xattr_datum_hashkey(xprefix, xname, xvalue, xsize)
+ *   is used to calcurate xdatum hashkey. The reminder of hashkey into XATTRINDEX_HASHSIZE is
+ *   the index of the xattr name/value pair cache (c->xattrindex).
+ * is_xattr_datum_unchecked(c, xd)
+ *   returns 1, if xdatum contains any unchecked raw nodes. if all raw nodes are not
+ *   unchecked, it returns 0.
+ * unload_xattr_datum(c, xd)
+ *   is used to release xattr name/value pair and detach from c->xattrindex.
+ * reclaim_xattr_datum(c)
+ *   is used to reclaim xattr name/value pairs on the xattr name/value pair cache when
+ *   memory usage by cache is over c->xdatum_mem_threshold. Currentry, this threshold 
+ *   is hard coded as 32KiB.
+ * do_verify_xattr_datum(c, xd)
+ *   is used to load the xdatum informations without name/value pair from the medium.
+ *   It's necessary once, because those informations are not collected during mounting
+ *   process when EBS is enabled.
+ *   0 will be returned, if success. An negative return value means recoverable error, and
+ *   positive return value means unrecoverable error. Thus, caller must remove this xdatum
+ *   and xref when it returned positive value.
+ * do_load_xattr_datum(c, xd)
+ *   is used to load name/value pair from the medium.
+ *   The meanings of return value is same as do_verify_xattr_datum().
+ * load_xattr_datum(c, xd)
+ *   is used to be as a wrapper of do_verify_xattr_datum() and do_load_xattr_datum().
+ *   If xd need to call do_verify_xattr_datum() at first, it's called before calling
+ *   do_load_xattr_datum(). The meanings of return value is same as do_verify_xattr_datum().
+ * save_xattr_datum(c, xd)
+ *   is used to write xdatum to medium. xd->version will be incremented.
+ * create_xattr_datum(c, xprefix, xname, xvalue, xsize)
+ *   is used to create new xdatum and write to medium.
+ * delete_xattr_datum(c, xd)
+ *   is used to delete a xdatum. It marks xd JFFS2_XFLAGS_DEAD, and allows
+ *   GC to reclaim those physical nodes.
+ * -------------------------------------------------- */
+static uint32_t xattr_datum_hashkey(int xprefix, const char *xname, const char *xvalue, int xsize)
+{
+        int name_len = strlen(xname);
+        return crc32(xprefix, xname, name_len) ^ crc32(xprefix, xvalue, xsize);
+}
+static int is_xattr_datum_unchecked(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd)
+{
+        struct jffs2_raw_node_ref *raw;
+        int rc = 0;
+        spin_lock(&c->erase_completion_lock);
+        for (raw=xd->node; raw != (void *)xd; raw=raw->next_in_ino) {
+                if (ref_flags(raw) == REF_UNCHECKED) {
+                        rc = 1;
+                        break;
+                }
+        }
+        spin_unlock(&c->erase_completion_lock);
+        return rc;
+}
+static void unload_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd)
+{
+        /* must be called under down_write(xattr_sem) */
+        D1(dbg_xattr("%s: xid=%u, version=%u\n", __FUNCTION__, xd->xid, xd->version));
+        if (xd->xname) {
+                c->xdatum_mem_usage -= (xd->name_len + 1 + xd->value_len);
+                kfree(xd->xname);
+        }
+        list_del_init(&xd->xindex);
+        xd->hashkey = 0;
+        xd->xname = NULL;
+        xd->xvalue = NULL;
+}
+static void reclaim_xattr_datum(struct jffs2_sb_info *c)
+{
+        /* must be called under down_write(xattr_sem) */
+        struct jffs2_xattr_datum *xd, *_xd;
+        uint32_t target, before;
+        static int index = 0;
+        int count;
+        if (c->xdatum_mem_threshold > c->xdatum_mem_usage)
+                return;
+        before = c->xdatum_mem_usage;
+        target = c->xdatum_mem_usage * 4 / 5; /* 20% reduction */
+        for (count = 0; count < XATTRINDEX_HASHSIZE; count++) {
+                list_for_each_entry_safe(xd, _xd, &c->xattrindex[index], xindex) {
+                        if (xd->flags & JFFS2_XFLAGS_HOT) {
+                                xd->flags &= ~JFFS2_XFLAGS_HOT;
+                        } else if (!(xd->flags & JFFS2_XFLAGS_BIND)) {
+                                unload_xattr_datum(c, xd);
+                        }
+                        if (c->xdatum_mem_usage <= target)
+                                goto out;
+                }
+                index = (index+1) % XATTRINDEX_HASHSIZE;
+        }
+ out:
+        JFFS2_NOTICE("xdatum_mem_usage from %u byte to %u byte (%u byte reclaimed)\n",
+                     before, c->xdatum_mem_usage, before - c->xdatum_mem_usage);
+}
+static int do_verify_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd)
+{
+        /* must be called under down_write(xattr_sem) */
+        struct jffs2_eraseblock *jeb;
+        struct jffs2_raw_node_ref *raw;
+        struct jffs2_raw_xattr rx;
+        size_t readlen;
+        uint32_t crc, offset, totlen;
+        int rc;
+        spin_lock(&c->erase_completion_lock);
+        offset = ref_offset(xd->node);
+        if (ref_flags(xd->node) == REF_PRISTINE)
+                goto complete;
+        spin_unlock(&c->erase_completion_lock);
+        rc = jffs2_flash_read(c, offset, sizeof(rx), &readlen, (char *)&rx);
+        if (rc || readlen != sizeof(rx)) {
+                JFFS2_WARNING("jffs2_flash_read()=%d, req=%zu, read=%zu at %#08x\n",
+                              rc, sizeof(rx), readlen, offset);
+                return rc ? rc : -EIO;
+        }
+        crc = crc32(0, &rx, sizeof(rx) - 4);
+        if (crc != je32_to_cpu(rx.node_crc)) {
+                JFFS2_ERROR("node CRC failed at %#08x, read=%#08x, calc=%#08x\n",
+                            offset, je32_to_cpu(rx.hdr_crc), crc);
+                xd->flags |= JFFS2_XFLAGS_INVALID;
+                return EIO;
+        }
+        totlen = PAD(sizeof(rx) + rx.name_len + 1 + je16_to_cpu(rx.value_len));
+        if (je16_to_cpu(rx.magic) != JFFS2_MAGIC_BITMASK
+            || je16_to_cpu(rx.nodetype) != JFFS2_NODETYPE_XATTR
+            || je32_to_cpu(rx.totlen) != totlen
+            || je32_to_cpu(rx.xid) != xd->xid
+            || je32_to_cpu(rx.version) != xd->version) {
+                JFFS2_ERROR("inconsistent xdatum at %#08x, magic=%#04x/%#04x, "
+                            "nodetype=%#04x/%#04x, totlen=%u/%u, xid=%u/%u, version=%u/%u\n",
+                            offset, je16_to_cpu(rx.magic), JFFS2_MAGIC_BITMASK,
+                            je16_to_cpu(rx.nodetype), JFFS2_NODETYPE_XATTR,
+                            je32_to_cpu(rx.totlen), totlen,
+                            je32_to_cpu(rx.xid), xd->xid,
+                            je32_to_cpu(rx.version), xd->version);
+                xd->flags |= JFFS2_XFLAGS_INVALID;
+                return EIO;
+        }
+        xd->xprefix = rx.xprefix;
+        xd->name_len = rx.name_len;
+        xd->value_len = je16_to_cpu(rx.value_len);
+        xd->data_crc = je32_to_cpu(rx.data_crc);
+        spin_lock(&c->erase_completion_lock);
+ complete:
+        for (raw=xd->node; raw != (void *)xd; raw=raw->next_in_ino) {
+                jeb = &c->blocks[ref_offset(raw) / c->sector_size];
+                totlen = PAD(ref_totlen(c, jeb, raw));
+                if (ref_flags(raw) == REF_UNCHECKED) {
+                        c->unchecked_size -= totlen; c->used_size += totlen;
+                        jeb->unchecked_size -= totlen; jeb->used_size += totlen;
+                }
+                raw->flash_offset = ref_offset(raw) | ((xd->node==raw) ? REF_PRISTINE : REF_NORMAL);
+        }
+        spin_unlock(&c->erase_completion_lock);
+        /* unchecked xdatum is chained with c->xattr_unchecked */
+        list_del_init(&xd->xindex);
+        dbg_xattr("success on verfying xdatum (xid=%u, version=%u)\n",
+                  xd->xid, xd->version);
+        return 0;
+}
+static int do_load_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd)
+{
+        /* must be called under down_write(xattr_sem) */
+        char *data;
+        size_t readlen;
+        uint32_t crc, length;
+        int i, ret, retry = 0;
+        BUG_ON(ref_flags(xd->node) != REF_PRISTINE);
+        BUG_ON(!list_empty(&xd->xindex));
+ retry:
+        length = xd->name_len + 1 + xd->value_len;
+        data = kmalloc(length, GFP_KERNEL);
+        if (!data)
+                return -ENOMEM;
+        ret = jffs2_flash_read(c, ref_offset(xd->node)+sizeof(struct jffs2_raw_xattr),
+                               length, &readlen, data);
+        if (ret || length!=readlen) {
+                JFFS2_WARNING("jffs2_flash_read() returned %d, request=%d, readlen=%zu, at %#08x\n",
+                              ret, length, readlen, ref_offset(xd->node));
+                kfree(data);
+                return ret ? ret : -EIO;
+        }
+        data[xd->name_len] = '\0';
+        crc = crc32(0, data, length);
+        if (crc != xd->data_crc) {
+                JFFS2_WARNING("node CRC failed (JFFS2_NODETYPE_XREF)"
+                              " at %#08x, read: 0x%08x calculated: 0x%08x\n",
+                              ref_offset(xd->node), xd->data_crc, crc);
+                kfree(data);
+                xd->flags |= JFFS2_XFLAGS_INVALID;
+                return EIO;
+        }
+        xd->flags |= JFFS2_XFLAGS_HOT;
+        xd->xname = data;
+        xd->xvalue = data + xd->name_len+1;
+        c->xdatum_mem_usage += length;
+        xd->hashkey = xattr_datum_hashkey(xd->xprefix, xd->xname, xd->xvalue, xd->value_len);
+        i = xd->hashkey % XATTRINDEX_HASHSIZE;
+        list_add(&xd->xindex, &c->xattrindex[i]);
+        if (!retry) {
+                retry = 1;
+                reclaim_xattr_datum(c);
+                if (!xd->xname)
+                        goto retry;
+        }
+        dbg_xattr("success on loading xdatum (xid=%u, xprefix=%u, xname='%s')\n",
+                  xd->xid, xd->xprefix, xd->xname);
+        return 0;
+}
+static int load_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd)
+{
+        /* must be called under down_write(xattr_sem);
+         * rc < 0 : recoverable error, try again
+         * rc = 0 : success
+         * rc > 0 : Unrecoverable error, this node should be deleted.
+         */
+        int rc = 0;
+        BUG_ON(xd->flags & JFFS2_XFLAGS_DEAD);
+        if (xd->xname)
+                return 0;
+        if (xd->flags & JFFS2_XFLAGS_INVALID)
+                return EIO;
+        if (unlikely(is_xattr_datum_unchecked(c, xd)))
+                rc = do_verify_xattr_datum(c, xd);
+        if (!rc)
+                rc = do_load_xattr_datum(c, xd);
+        return rc;
+}
+static int save_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd)
+{
+        /* must be called under down_write(xattr_sem) */
+        struct jffs2_raw_xattr rx;
+        struct kvec vecs[2];
+        size_t length;
+        int rc, totlen;
+        uint32_t phys_ofs = write_ofs(c);
+        BUG_ON(!xd->xname);
+        BUG_ON(xd->flags & (JFFS2_XFLAGS_DEAD|JFFS2_XFLAGS_INVALID));
+        vecs[0].iov_base = &rx;
+        vecs[0].iov_len = sizeof(rx);
+        vecs[1].iov_base = xd->xname;
+        vecs[1].iov_len = xd->name_len + 1 + xd->value_len;
+        totlen = vecs[0].iov_len + vecs[1].iov_len;
+        /* Setup raw-xattr */
+        memset(&rx, 0, sizeof(rx));
+        rx.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK);
+        rx.nodetype = cpu_to_je16(JFFS2_NODETYPE_XATTR);
+        rx.totlen = cpu_to_je32(PAD(totlen));
+        rx.hdr_crc = cpu_to_je32(crc32(0, &rx, sizeof(struct jffs2_unknown_node) - 4));
+        rx.xid = cpu_to_je32(xd->xid);
+        rx.version = cpu_to_je32(++xd->version);
+        rx.xprefix = xd->xprefix;
+        rx.name_len = xd->name_len;
+        rx.value_len = cpu_to_je16(xd->value_len);
+        rx.data_crc = cpu_to_je32(crc32(0, vecs[1].iov_base, vecs[1].iov_len));
+        rx.node_crc = cpu_to_je32(crc32(0, &rx, sizeof(struct jffs2_raw_xattr) - 4));
+        rc = jffs2_flash_writev(c, vecs, 2, phys_ofs, &length, 0);
+        if (rc || totlen != length) {
+                JFFS2_WARNING("jffs2_flash_writev()=%d, req=%u, wrote=%zu, at %#08x\n",
+                              rc, totlen, length, phys_ofs);
+                rc = rc ? rc : -EIO;
+                if (length)
+                        jffs2_add_physical_node_ref(c, phys_ofs | REF_OBSOLETE, PAD(totlen), NULL);
+                return rc;
+        }
+        /* success */
+        jffs2_add_physical_node_ref(c, phys_ofs | REF_PRISTINE, PAD(totlen), (void *)xd);
+        dbg_xattr("success on saving xdatum (xid=%u, version=%u, xprefix=%u, xname='%s')\n",
+                  xd->xid, xd->version, xd->xprefix, xd->xname);
+        return 0;
+}
+static struct jffs2_xattr_datum *create_xattr_datum(struct jffs2_sb_info *c,
+                                                    int xprefix, const char *xname,
+                                                    const char *xvalue, int xsize)
+{
+        /* must be called under down_write(xattr_sem) */
+        struct jffs2_xattr_datum *xd;
+        uint32_t hashkey, name_len;
+        char *data;
+        int i, rc;
+        /* Search xattr_datum has same xname/xvalue by index */
+        hashkey = xattr_datum_hashkey(xprefix, xname, xvalue, xsize);
+        i = hashkey % XATTRINDEX_HASHSIZE;
+        list_for_each_entry(xd, &c->xattrindex[i], xindex) {
+                if (xd->hashkey==hashkey
+                    && xd->xprefix==xprefix
+                    && xd->value_len==xsize
+                    && !strcmp(xd->xname, xname)
+                    && !memcmp(xd->xvalue, xvalue, xsize)) {
+                        atomic_inc(&xd->refcnt);
+                        return xd;
+                }
+        }
+        /* Not found, Create NEW XATTR-Cache */
+        name_len = strlen(xname);
+        xd = jffs2_alloc_xattr_datum();
+        if (!xd)
+                return ERR_PTR(-ENOMEM);
+        data = kmalloc(name_len + 1 + xsize, GFP_KERNEL);
+        if (!data) {
+                jffs2_free_xattr_datum(xd);
+                return ERR_PTR(-ENOMEM);
+        }
+        strcpy(data, xname);
+        memcpy(data + name_len + 1, xvalue, xsize);
+        atomic_set(&xd->refcnt, 1);
+        xd->xid = ++c->highest_xid;
+        xd->flags |= JFFS2_XFLAGS_HOT;
+        xd->xprefix = xprefix;
+        xd->hashkey = hashkey;
+        xd->xname = data;
+        xd->xvalue = data + name_len + 1;
+        xd->name_len = name_len;
+        xd->value_len = xsize;
+        xd->data_crc = crc32(0, data, xd->name_len + 1 + xd->value_len);
+        rc = save_xattr_datum(c, xd);
+        if (rc) {
+                kfree(xd->xname);
+                jffs2_free_xattr_datum(xd);
+                return ERR_PTR(rc);
+        }
+        /* Insert Hash Index */
+        i = hashkey % XATTRINDEX_HASHSIZE;
+        list_add(&xd->xindex, &c->xattrindex[i]);
+        c->xdatum_mem_usage += (xd->name_len + 1 + xd->value_len);
+        reclaim_xattr_datum(c);
+        return xd;
+}
+static void delete_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd)
+{
+        /* must be called under down_write(xattr_sem) */
+        BUG_ON(atomic_read(&xd->refcnt));
+        unload_xattr_datum(c, xd);
+        xd->flags |= JFFS2_XFLAGS_DEAD;
+        spin_lock(&c->erase_completion_lock);
+        if (xd->node == (void *)xd) {
+                BUG_ON(!(xd->flags & JFFS2_XFLAGS_INVALID));
+                jffs2_free_xattr_datum(xd);
+        } else {
+                list_add(&xd->xindex, &c->xattr_dead_list);
+        }
+        spin_unlock(&c->erase_completion_lock);
+        dbg_xattr("xdatum(xid=%u, version=%u) was removed.\n", xd->xid, xd->version);
+}
+/* -------- xref related functions ------------------
+ * verify_xattr_ref(c, ref)
+ *   is used to load xref information from medium. Because summary data does not
+ *   contain xid/ino, it's necessary to verify once while mounting process.
+ * save_xattr_ref(c, ref)
+ *   is used to write xref to medium. If delete marker is marked, it write
+ *   a delete marker of xref into medium.
+ * create_xattr_ref(c, ic, xd)
+ *   is used to create a new xref and write to medium.
+ * delete_xattr_ref(c, ref)
+ *   is used to delete jffs2_xattr_ref. It marks xref XREF_DELETE_MARKER,
+ *   and allows GC to reclaim those physical nodes.
+ * jffs2_xattr_delete_inode(c, ic)
+ *   is called to remove xrefs related to obsolete inode when inode is unlinked.
+ * jffs2_xattr_free_inode(c, ic)
+ *   is called to release xattr related objects when unmounting. 
+ * check_xattr_ref_inode(c, ic)
+ *   is used to confirm inode does not have duplicate xattr name/value pair.
+ * -------------------------------------------------- */
+static int verify_xattr_ref(struct jffs2_sb_info *c, struct jffs2_xattr_ref *ref)
+{
+        struct jffs2_eraseblock *jeb;
+        struct jffs2_raw_node_ref *raw;
+        struct jffs2_raw_xref rr;
+        size_t readlen;
+        uint32_t crc, offset, totlen;
+        int rc;
+        spin_lock(&c->erase_completion_lock);
+        if (ref_flags(ref->node) != REF_UNCHECKED)
+                goto complete;
+        offset = ref_offset(ref->node);
+        spin_unlock(&c->erase_completion_lock);
+        rc = jffs2_flash_read(c, offset, sizeof(rr), &readlen, (char *)&rr);
+        if (rc || sizeof(rr) != readlen) {
+                JFFS2_WARNING("jffs2_flash_read()=%d, req=%zu, read=%zu, at %#08x\n",
+                              rc, sizeof(rr), readlen, offset);
+                return rc ? rc : -EIO;
+        }
+        /* obsolete node */
+        crc = crc32(0, &rr, sizeof(rr) - 4);
+        if (crc != je32_to_cpu(rr.node_crc)) {
+                JFFS2_ERROR("node CRC failed at %#08x, read=%#08x, calc=%#08x\n",
+                            offset, je32_to_cpu(rr.node_crc), crc);
+                return EIO;
+        }
+        if (je16_to_cpu(rr.magic) != JFFS2_MAGIC_BITMASK
+            || je16_to_cpu(rr.nodetype) != JFFS2_NODETYPE_XREF
+            || je32_to_cpu(rr.totlen) != PAD(sizeof(rr))) {
+                JFFS2_ERROR("inconsistent xref at %#08x, magic=%#04x/%#04x, "
+                            "nodetype=%#04x/%#04x, totlen=%u/%zu\n",
+                            offset, je16_to_cpu(rr.magic), JFFS2_MAGIC_BITMASK,
+                            je16_to_cpu(rr.nodetype), JFFS2_NODETYPE_XREF,
+                            je32_to_cpu(rr.totlen), PAD(sizeof(rr)));
+                return EIO;
+        }
+        ref->ino = je32_to_cpu(rr.ino);
+        ref->xid = je32_to_cpu(rr.xid);
+        ref->xseqno = je32_to_cpu(rr.xseqno);
+        if (ref->xseqno > c->highest_xseqno)
+                c->highest_xseqno = (ref->xseqno & ~XREF_DELETE_MARKER);
+        spin_lock(&c->erase_completion_lock);
+ complete:
+        for (raw=ref->node; raw != (void *)ref; raw=raw->next_in_ino) {
+                jeb = &c->blocks[ref_offset(raw) / c->sector_size];
+                totlen = PAD(ref_totlen(c, jeb, raw));
+                if (ref_flags(raw) == REF_UNCHECKED) {
+                        c->unchecked_size -= totlen; c->used_size += totlen;
+                        jeb->unchecked_size -= totlen; jeb->used_size += totlen;
+                }
+                raw->flash_offset = ref_offset(raw) | ((ref->node==raw) ? REF_PRISTINE : REF_NORMAL);
+        }
+        spin_unlock(&c->erase_completion_lock);
+        dbg_xattr("success on verifying xref (ino=%u, xid=%u) at %#08x\n",
+                  ref->ino, ref->xid, ref_offset(ref->node));
+        return 0;
+}
+static int save_xattr_ref(struct jffs2_sb_info *c, struct jffs2_xattr_ref *ref)
+{
+        /* must be called under down_write(xattr_sem) */
+        struct jffs2_raw_xref rr;
+        size_t length;
+        uint32_t xseqno, phys_ofs = write_ofs(c);
+        int ret;
+        rr.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK);
+        rr.nodetype = cpu_to_je16(JFFS2_NODETYPE_XREF);
+        rr.totlen = cpu_to_je32(PAD(sizeof(rr)));
+        rr.hdr_crc = cpu_to_je32(crc32(0, &rr, sizeof(struct jffs2_unknown_node) - 4));
+        xseqno = (c->highest_xseqno += 2);
+        if (is_xattr_ref_dead(ref)) {
+                xseqno |= XREF_DELETE_MARKER;
+                rr.ino = cpu_to_je32(ref->ino);
+                rr.xid = cpu_to_je32(ref->xid);
+        } else {
+                rr.ino = cpu_to_je32(ref->ic->ino);
+                rr.xid = cpu_to_je32(ref->xd->xid);
+        }
+        rr.xseqno = cpu_to_je32(xseqno);
+        rr.node_crc = cpu_to_je32(crc32(0, &rr, sizeof(rr) - 4));
+        ret = jffs2_flash_write(c, phys_ofs, sizeof(rr), &length, (char *)&rr);
+        if (ret || sizeof(rr) != length) {
+                JFFS2_WARNING("jffs2_flash_write() returned %d, request=%zu, retlen=%zu, at %#08x\n",
+                              ret, sizeof(rr), length, phys_ofs);
+                ret = ret ? ret : -EIO;
+                if (length)
+                        jffs2_add_physical_node_ref(c, phys_ofs | REF_OBSOLETE, PAD(sizeof(rr)), NULL);
+                return ret;
+        }
+        /* success */
+        ref->xseqno = xseqno;
+        jffs2_add_physical_node_ref(c, phys_ofs | REF_PRISTINE, PAD(sizeof(rr)), (void *)ref);
+        dbg_xattr("success on saving xref (ino=%u, xid=%u)\n", ref->ic->ino, ref->xd->xid);
+        return 0;
+}
+static struct jffs2_xattr_ref *create_xattr_ref(struct jffs2_sb_info *c, struct jffs2_inode_cache *ic,
+                                                struct jffs2_xattr_datum *xd)
+{
+        /* must be called under down_write(xattr_sem) */
+        struct jffs2_xattr_ref *ref;
+        int ret;
+        ref = jffs2_alloc_xattr_ref();
+        if (!ref)
+                return ERR_PTR(-ENOMEM);
+        ref->ic = ic;
+        ref->xd = xd;
+        ret = save_xattr_ref(c, ref);
+        if (ret) {
+                jffs2_free_xattr_ref(ref);
+                return ERR_PTR(ret);
+        }
+        /* Chain to inode */
+        ref->next = ic->xref;
+        ic->xref = ref;
+        return ref; /* success */
+}
+static void delete_xattr_ref(struct jffs2_sb_info *c, struct jffs2_xattr_ref *ref)
+{
+        /* must be called under down_write(xattr_sem) */
+        struct jffs2_xattr_datum *xd;
+        xd = ref->xd;
+        ref->xseqno |= XREF_DELETE_MARKER;
+        ref->ino = ref->ic->ino;
+        ref->xid = ref->xd->xid;
+        spin_lock(&c->erase_completion_lock);
+        ref->next = c->xref_dead_list;
+        c->xref_dead_list = ref;
+        spin_unlock(&c->erase_completion_lock);
+        dbg_xattr("xref(ino=%u, xid=%u, xseqno=%u) was removed.\n",
+                  ref->ino, ref->xid, ref->xseqno);
+        if (atomic_dec_and_test(&xd->refcnt))
+                delete_xattr_datum(c, xd);
+}
+void jffs2_xattr_delete_inode(struct jffs2_sb_info *c, struct jffs2_inode_cache *ic)
+{
+        /* It's called from jffs2_clear_inode() on inode removing.
+           When an inode with XATTR is removed, those XATTRs must be removed. */
+        struct jffs2_xattr_ref *ref, *_ref;
+        if (!ic || ic->nlink > 0)
+                return;
+        down_write(&c->xattr_sem);
+        for (ref = ic->xref; ref; ref = _ref) {
+                _ref = ref->next;
+                delete_xattr_ref(c, ref);
+        }
+        ic->xref = NULL;
+        up_write(&c->xattr_sem);
+}
+void jffs2_xattr_free_inode(struct jffs2_sb_info *c, struct jffs2_inode_cache *ic)
+{
+        /* It's called from jffs2_free_ino_caches() until unmounting FS. */
+        struct jffs2_xattr_datum *xd;
+        struct jffs2_xattr_ref *ref, *_ref;
+        down_write(&c->xattr_sem);
+        for (ref = ic->xref; ref; ref = _ref) {
+                _ref = ref->next;
+                xd = ref->xd;
+                if (atomic_dec_and_test(&xd->refcnt)) {
+                        unload_xattr_datum(c, xd);
+                        jffs2_free_xattr_datum(xd);
+                }
+                jffs2_free_xattr_ref(ref);
+        }
+        ic->xref = NULL;
+        up_write(&c->xattr_sem);
+}
+static int check_xattr_ref_inode(struct jffs2_sb_info *c, struct jffs2_inode_cache *ic)
+{
+        /* success of check_xattr_ref_inode() means taht inode (ic) dose not have
+         * duplicate name/value pairs. If duplicate name/value pair would be found,
+         * one will be removed.
+         */
+        struct jffs2_xattr_ref *ref, *cmp, **pref, **pcmp;
+        int rc = 0;
+        if (likely(ic->flags & INO_FLAGS_XATTR_CHECKED))
+                return 0;
+        down_write(&c->xattr_sem);
+ retry:
+        rc = 0;
+        for (ref=ic->xref, pref=&ic->xref; ref; pref=&ref->next, ref=ref->next) {
+                if (!ref->xd->xname) {
+                        rc = load_xattr_datum(c, ref->xd);
+                        if (unlikely(rc > 0)) {
+                                *pref = ref->next;
+                                delete_xattr_ref(c, ref);
+                                goto retry;
+                        } else if (unlikely(rc < 0))
+                                goto out;
+                }
+                for (cmp=ref->next, pcmp=&ref->next; cmp; pcmp=&cmp->next, cmp=cmp->next) {
+                        if (!cmp->xd->xname) {
+                                ref->xd->flags |= JFFS2_XFLAGS_BIND;
+                                rc = load_xattr_datum(c, cmp->xd);
+                                ref->xd->flags &= ~JFFS2_XFLAGS_BIND;
+                                if (unlikely(rc > 0)) {
+                                        *pcmp = cmp->next;
+                                        delete_xattr_ref(c, cmp);
+                                        goto retry;
+                                } else if (unlikely(rc < 0))
+                                        goto out;
+                        }
+                        if (ref->xd->xprefix == cmp->xd->xprefix
+                            && !strcmp(ref->xd->xname, cmp->xd->xname)) {
+                                if (ref->xseqno > cmp->xseqno) {
+                                        *pcmp = cmp->next;
+                                        delete_xattr_ref(c, cmp);
+                                } else {
+                                        *pref = ref->next;
+                                        delete_xattr_ref(c, ref);
+                                }
+                                goto retry;
+                        }
+                }
+        }
+        ic->flags |= INO_FLAGS_XATTR_CHECKED;
+ out:
+        up_write(&c->xattr_sem);
+        return rc;
+}
+/* -------- xattr subsystem functions ---------------
+ * jffs2_init_xattr_subsystem(c)
+ *   is used to initialize semaphore and list_head, and some variables.
+ * jffs2_find_xattr_datum(c, xid)
+ *   is used to lookup xdatum while scanning process.
+ * jffs2_clear_xattr_subsystem(c)
+ *   is used to release any xattr related objects.
+ * jffs2_build_xattr_subsystem(c)
+ *   is used to associate xdatum and xref while super block building process.
+ * jffs2_setup_xattr_datum(c, xid, version)
+ *   is used to insert xdatum while scanning process.
+ * -------------------------------------------------- */
+void jffs2_init_xattr_subsystem(struct jffs2_sb_info *c)
+{
+        int i;
+        for (i=0; i < XATTRINDEX_HASHSIZE; i++)
+                INIT_LIST_HEAD(&c->xattrindex[i]);
+        INIT_LIST_HEAD(&c->xattr_unchecked);
+        INIT_LIST_HEAD(&c->xattr_dead_list);
+        c->xref_dead_list = NULL;
+        c->xref_temp = NULL;
+        init_rwsem(&c->xattr_sem);
+        c->highest_xid = 0;
+        c->highest_xseqno = 0;
+        c->xdatum_mem_usage = 0;
+        c->xdatum_mem_threshold = 32 * 1024;    /* Default 32KB */
+}
+static struct jffs2_xattr_datum *jffs2_find_xattr_datum(struct jffs2_sb_info *c, uint32_t xid)
+{
+        struct jffs2_xattr_datum *xd;
+        int i = xid % XATTRINDEX_HASHSIZE;
+        /* It's only used in scanning/building process. */
+        BUG_ON(!(c->flags & (JFFS2_SB_FLAG_SCANNING|JFFS2_SB_FLAG_BUILDING)));
+        list_for_each_entry(xd, &c->xattrindex[i], xindex) {
+                if (xd->xid==xid)
+                        return xd;
+        }
+        return NULL;
+}
+void jffs2_clear_xattr_subsystem(struct jffs2_sb_info *c)
+{
+        struct jffs2_xattr_datum *xd, *_xd;
+        struct jffs2_xattr_ref *ref, *_ref;
+        int i;
+        for (ref=c->xref_temp; ref; ref = _ref) {
+                _ref = ref->next;
+                jffs2_free_xattr_ref(ref);
+        }
+        for (ref=c->xref_dead_list; ref; ref = _ref) {
+                _ref = ref->next;
+                jffs2_free_xattr_ref(ref);
+        }
+        for (i=0; i < XATTRINDEX_HASHSIZE; i++) {
+                list_for_each_entry_safe(xd, _xd, &c->xattrindex[i], xindex) {
+                        list_del(&xd->xindex);
+                        if (xd->xname)
+                                kfree(xd->xname);
+                        jffs2_free_xattr_datum(xd);
+                }
+        }
+        list_for_each_entry_safe(xd, _xd, &c->xattr_dead_list, xindex) {
+                list_del(&xd->xindex);
+                jffs2_free_xattr_datum(xd);
+        }
+}
+#define XREF_TMPHASH_SIZE       (128)
+void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c)
+{
+        struct jffs2_xattr_ref *ref, *_ref;
+        struct jffs2_xattr_ref *xref_tmphash[XREF_TMPHASH_SIZE];
+        struct jffs2_xattr_datum *xd, *_xd;
+        struct jffs2_inode_cache *ic;
+        struct jffs2_raw_node_ref *raw;
+        int i, xdatum_count = 0, xdatum_unchecked_count = 0, xref_count = 0;
+        int xdatum_orphan_count = 0, xref_orphan_count = 0, xref_dead_count = 0;
+        BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
+        /* Phase.1 : Merge same xref */
+        for (i=0; i < XREF_TMPHASH_SIZE; i++)
+                xref_tmphash[i] = NULL;
+        for (ref=c->xref_temp; ref; ref=_ref) {
+                struct jffs2_xattr_ref *tmp;
+                _ref = ref->next;
+                if (ref_flags(ref->node) != REF_PRISTINE) {
+                        if (verify_xattr_ref(c, ref)) {
+                                BUG_ON(ref->node->next_in_ino != (void *)ref);
+                                ref->node->next_in_ino = NULL;
+                                jffs2_mark_node_obsolete(c, ref->node);
+                                jffs2_free_xattr_ref(ref);
+                                continue;
+                        }
+                }
+                i = (ref->ino ^ ref->xid) % XREF_TMPHASH_SIZE;
+                for (tmp=xref_tmphash[i]; tmp; tmp=tmp->next) {
+                        if (tmp->ino == ref->ino && tmp->xid == ref->xid)
+                                break;
+                }
+                if (tmp) {
+                        raw = ref->node;
+                        if (ref->xseqno > tmp->xseqno) {
+                                tmp->xseqno = ref->xseqno;
+                                raw->next_in_ino = tmp->node;
+                                tmp->node = raw;
+                        } else {
+                                raw->next_in_ino = tmp->node->next_in_ino;
+                                tmp->node->next_in_ino = raw;
+                        }
+                        jffs2_free_xattr_ref(ref);
+                        continue;
+                } else {
+                        ref->next = xref_tmphash[i];
+                        xref_tmphash[i] = ref;
+                }
+        }
+        c->xref_temp = NULL;
+        /* Phase.2 : Bind xref with inode_cache and xattr_datum */
+        for (i=0; i < XREF_TMPHASH_SIZE; i++) {
+                for (ref=xref_tmphash[i]; ref; ref=_ref) {
+                        xref_count++;
+                        _ref = ref->next;
+                        if (is_xattr_ref_dead(ref)) {
+                                ref->next = c->xref_dead_list;
+                                c->xref_dead_list = ref;
+                                xref_dead_count++;
+                                continue;
+                        }
+                        /* At this point, ref->xid and ref->ino contain XID and inode number.
+                           ref->xd and ref->ic are not valid yet. */
+                        xd = jffs2_find_xattr_datum(c, ref->xid);
+                        ic = jffs2_get_ino_cache(c, ref->ino);
+                        if (!xd || !ic) {
+                                dbg_xattr("xref(ino=%u, xid=%u, xseqno=%u) is orphan.\n",
+                                          ref->ino, ref->xid, ref->xseqno);
+                                ref->xseqno |= XREF_DELETE_MARKER;
+                                ref->next = c->xref_dead_list;
+                                c->xref_dead_list = ref;
+                                xref_orphan_count++;
+                                continue;
+                        }
+                        ref->xd = xd;
+                        ref->ic = ic;
+                        atomic_inc(&xd->refcnt);
+                        ref->next = ic->xref;
+                        ic->xref = ref;
+                }
+        }
+        /* Phase.3 : Link unchecked xdatum to xattr_unchecked list */
+        for (i=0; i < XATTRINDEX_HASHSIZE; i++) {
+                list_for_each_entry_safe(xd, _xd, &c->xattrindex[i], xindex) {
+                        xdatum_count++;
+                        list_del_init(&xd->xindex);
+                        if (!atomic_read(&xd->refcnt)) {
+                                dbg_xattr("xdatum(xid=%u, version=%u) is orphan.\n",
+                                          xd->xid, xd->version);
+                                xd->flags |= JFFS2_XFLAGS_DEAD;
+                                list_add(&xd->xindex, &c->xattr_unchecked);
+                                xdatum_orphan_count++;
+                                continue;
+                        }
+                        if (is_xattr_datum_unchecked(c, xd)) {
+                                dbg_xattr("unchecked xdatum(xid=%u, version=%u)\n",
+                                          xd->xid, xd->version);
+                                list_add(&xd->xindex, &c->xattr_unchecked);
+                                xdatum_unchecked_count++;
+                        }
+                }
+        }
+        /* build complete */
+        JFFS2_NOTICE("complete building xattr subsystem, %u of xdatum"
+                     " (%u unchecked, %u orphan) and "
+                     "%u of xref (%u dead, %u orphan) found.\n",
+                     xdatum_count, xdatum_unchecked_count, xdatum_orphan_count,
+                     xref_count, xref_dead_count, xref_orphan_count);
+}
+struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c,
+                                                  uint32_t xid, uint32_t version)
+{
+        struct jffs2_xattr_datum *xd;
+        xd = jffs2_find_xattr_datum(c, xid);
+        if (!xd) {
+                xd = jffs2_alloc_xattr_datum();
+                if (!xd)
+                        return ERR_PTR(-ENOMEM);
+                xd->xid = xid;
+                xd->version = version;
+                if (xd->xid > c->highest_xid)
+                        c->highest_xid = xd->xid;
+                list_add_tail(&xd->xindex, &c->xattrindex[xid % XATTRINDEX_HASHSIZE]);
+        }
+        return xd;
+}
+/* -------- xattr subsystem functions ---------------
+ * xprefix_to_handler(xprefix)
+ *   is used to translate xprefix into xattr_handler.
+ * jffs2_listxattr(dentry, buffer, size)
+ *   is an implementation of listxattr handler on jffs2.
+ * do_jffs2_getxattr(inode, xprefix, xname, buffer, size)
+ *   is an implementation of getxattr handler on jffs2.
+ * do_jffs2_setxattr(inode, xprefix, xname, buffer, size, flags)
+ *   is an implementation of setxattr handler on jffs2.
+ * -------------------------------------------------- */
+struct xattr_handler *jffs2_xattr_handlers[] = {
+        &jffs2_user_xattr_handler,
+#ifdef CONFIG_JFFS2_FS_SECURITY
+        &jffs2_security_xattr_handler,
+#endif
+#ifdef CONFIG_JFFS2_FS_POSIX_ACL
+        &jffs2_acl_access_xattr_handler,
+        &jffs2_acl_default_xattr_handler,
+#endif
+        &jffs2_trusted_xattr_handler,
+        NULL
+};
+static struct xattr_handler *xprefix_to_handler(int xprefix) {
+        struct xattr_handler *ret;
+        switch (xprefix) {
+        case JFFS2_XPREFIX_USER:
+                ret = &jffs2_user_xattr_handler;
+                break;
+#ifdef CONFIG_JFFS2_FS_SECURITY
+        case JFFS2_XPREFIX_SECURITY:
+                ret = &jffs2_security_xattr_handler;
+                break;
+#endif
+#ifdef CONFIG_JFFS2_FS_POSIX_ACL
+        case JFFS2_XPREFIX_ACL_ACCESS:
+                ret = &jffs2_acl_access_xattr_handler;
+                break;
+        case JFFS2_XPREFIX_ACL_DEFAULT:
+                ret = &jffs2_acl_default_xattr_handler;
+                break;
+#endif
+        case JFFS2_XPREFIX_TRUSTED:
+                ret = &jffs2_trusted_xattr_handler;
+                break;
+        default:
+                ret = NULL;
+                break;
+        }
+        return ret;
+}
+ssize_t jffs2_listxattr(struct dentry *dentry, char *buffer, size_t size)
+{
+        struct inode *inode = dentry->d_inode;
+        struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+        struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
+        struct jffs2_inode_cache *ic = f->inocache;
+        struct jffs2_xattr_ref *ref, **pref;
+        struct jffs2_xattr_datum *xd;
+        struct xattr_handler *xhandle;
+        ssize_t len, rc;
+        int retry = 0;
+        rc = check_xattr_ref_inode(c, ic);
+        if (unlikely(rc))
+                return rc;
+        down_read(&c->xattr_sem);
+ retry:
+        len = 0;
+        for (ref=ic->xref, pref=&ic->xref; ref; pref=&ref->next, ref=ref->next) {
+                BUG_ON(ref->ic != ic);
+                xd = ref->xd;
+                if (!xd->xname) {
+                        /* xdatum is unchached */
+                        if (!retry) {
+                                retry = 1;
+                                up_read(&c->xattr_sem);
+                                down_write(&c->xattr_sem);
+                                goto retry;
+                        } else {
+                                rc = load_xattr_datum(c, xd);
+                                if (unlikely(rc > 0)) {
+                                        *pref = ref->next;
+                                        delete_xattr_ref(c, ref);
+                                        goto retry;
+                                } else if (unlikely(rc < 0))
+                                        goto out;
+                        }
+                }
+                xhandle = xprefix_to_handler(xd->xprefix);
+                if (!xhandle)
+                        continue;
+                if (buffer) {
+                        rc = xhandle->list(inode, buffer+len, size-len, xd->xname, xd->name_len);
+                } else {
+                        rc = xhandle->list(inode, NULL, 0, xd->xname, xd->name_len);
+                }
+                if (rc < 0)
+                        goto out;
+                len += rc;
+        }
+        rc = len;
+ out:
+        if (!retry) {
+                up_read(&c->xattr_sem);
+        } else {
+                up_write(&c->xattr_sem);
+        }
+        return rc;
+}
+int do_jffs2_getxattr(struct inode *inode, int xprefix, const char *xname,
+                      char *buffer, size_t size)
+{
+        struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+        struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
+        struct jffs2_inode_cache *ic = f->inocache;
+        struct jffs2_xattr_datum *xd;
+        struct jffs2_xattr_ref *ref, **pref;
+        int rc, retry = 0;
+        rc = check_xattr_ref_inode(c, ic);
+        if (unlikely(rc))
+                return rc;
+        down_read(&c->xattr_sem);
+ retry:
+        for (ref=ic->xref, pref=&ic->xref; ref; pref=&ref->next, ref=ref->next) {
+                BUG_ON(ref->ic!=ic);
+                xd = ref->xd;
+                if (xd->xprefix != xprefix)
+                        continue;
+                if (!xd->xname) {
+                        /* xdatum is unchached */
+                        if (!retry) {
+                                retry = 1;
+                                up_read(&c->xattr_sem);
+                                down_write(&c->xattr_sem);
+                                goto retry;
+                        } else {
+                                rc = load_xattr_datum(c, xd);
+                                if (unlikely(rc > 0)) {
+                                        *pref = ref->next;
+                                        delete_xattr_ref(c, ref);
+                                        goto retry;
+                                } else if (unlikely(rc < 0)) {
+                                        goto out;
+                                }
+                        }
+                }
+                if (!strcmp(xname, xd->xname)) {
+                        rc = xd->value_len;
+                        if (buffer) {
+                                if (size < rc) {
+                                        rc = -ERANGE;
+                                } else {
+                                        memcpy(buffer, xd->xvalue, rc);
+                                }
+                        }
+                        goto out;
+                }
+        }
+        rc = -ENODATA;
+ out:
+        if (!retry) {
+                up_read(&c->xattr_sem);
+        } else {
+                up_write(&c->xattr_sem);
+        }
+        return rc;
+}
+int do_jffs2_setxattr(struct inode *inode, int xprefix, const char *xname,
+                      const char *buffer, size_t size, int flags)
+{
+        struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+        struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
+        struct jffs2_inode_cache *ic = f->inocache;
+        struct jffs2_xattr_datum *xd;
+        struct jffs2_xattr_ref *ref, *newref, **pref;
+        uint32_t length, request;
+        int rc;
+        rc = check_xattr_ref_inode(c, ic);
+        if (unlikely(rc))
+                return rc;
+        request = PAD(sizeof(struct jffs2_raw_xattr) + strlen(xname) + 1 + size);
+        rc = jffs2_reserve_space(c, request, &length,
+                                 ALLOC_NORMAL, JFFS2_SUMMARY_XATTR_SIZE);
+        if (rc) {
+                JFFS2_WARNING("jffs2_reserve_space()=%d, request=%u\n", rc, request);
+                return rc;
+        }
+        /* Find existing xattr */
+        down_write(&c->xattr_sem);
+ retry:
+        for (ref=ic->xref, pref=&ic->xref; ref; pref=&ref->next, ref=ref->next) {
+                xd = ref->xd;
+                if (xd->xprefix != xprefix)
+                        continue;
+                if (!xd->xname) {
+                        rc = load_xattr_datum(c, xd);
+                        if (unlikely(rc > 0)) {
+                                *pref = ref->next;
+                                delete_xattr_ref(c, ref);
+                                goto retry;
+                        } else if (unlikely(rc < 0))
+                                goto out;
+                }
+                if (!strcmp(xd->xname, xname)) {
+                        if (flags & XATTR_CREATE) {
+                                rc = -EEXIST;
+                                goto out;
+                        }
+                        if (!buffer) {
+                                ref->ino = ic->ino;
+                                ref->xid = xd->xid;
+                                ref->xseqno |= XREF_DELETE_MARKER;
+                                rc = save_xattr_ref(c, ref);
+                                if (!rc) {
+                                        *pref = ref->next;
+                                        spin_lock(&c->erase_completion_lock);
+                                        ref->next = c->xref_dead_list;
+                                        c->xref_dead_list = ref;
+                                        spin_unlock(&c->erase_completion_lock);
+                                        if (atomic_dec_and_test(&xd->refcnt))
+                                                delete_xattr_datum(c, xd);
+                                } else {
+                                        ref->ic = ic;
+                                        ref->xd = xd;
+                                        ref->xseqno &= ~XREF_DELETE_MARKER;
+                                }
+                                goto out;
+                        }
+                        goto found;
+                }
+        }
+        /* not found */
+        if (flags & XATTR_REPLACE) {
+                rc = -ENODATA;
+                goto out;
+        }
+        if (!buffer) {
+                rc = -ENODATA;
+                goto out;
+        }
+ found:
+        xd = create_xattr_datum(c, xprefix, xname, buffer, size);
+        if (IS_ERR(xd)) {
+                rc = PTR_ERR(xd);
+                goto out;
+        }
+        up_write(&c->xattr_sem);
+        jffs2_complete_reservation(c);
+        /* create xattr_ref */
+        request = PAD(sizeof(struct jffs2_raw_xref));
+        rc = jffs2_reserve_space(c, request, &length,
+                                 ALLOC_NORMAL, JFFS2_SUMMARY_XREF_SIZE);
+        down_write(&c->xattr_sem);
+        if (rc) {
+                JFFS2_WARNING("jffs2_reserve_space()=%d, request=%u\n", rc, request);
+                if (atomic_dec_and_test(&xd->refcnt))
+                        delete_xattr_datum(c, xd);
+                up_write(&c->xattr_sem);
+                return rc;
+        }
+        if (ref)
+                *pref = ref->next;
+        newref = create_xattr_ref(c, ic, xd);
+        if (IS_ERR(newref)) {
+                if (ref) {
+                        ref->next = ic->xref;
+                        ic->xref = ref;
+                }
+                rc = PTR_ERR(newref);
+                if (atomic_dec_and_test(&xd->refcnt))
+                        delete_xattr_datum(c, xd);
+        } else if (ref) {
+                delete_xattr_ref(c, ref);
+        }
+ out:
+        up_write(&c->xattr_sem);
+        jffs2_complete_reservation(c);
+        return rc;
+}
+/* -------- garbage collector functions -------------
+ * jffs2_garbage_collect_xattr_datum(c, xd, raw)
+ *   is used to move xdatum into new node.
+ * jffs2_garbage_collect_xattr_ref(c, ref, raw)
+ *   is used to move xref into new node.
+ * jffs2_verify_xattr(c)
+ *   is used to call do_verify_xattr_datum() before garbage collecting.
+ * jffs2_release_xattr_datum(c, xd)
+ *   is used to release an in-memory object of xdatum.
+ * jffs2_release_xattr_ref(c, ref)
+ *   is used to release an in-memory object of xref.
+ * -------------------------------------------------- */
+int jffs2_garbage_collect_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd,
+                                      struct jffs2_raw_node_ref *raw)
+{
+        uint32_t totlen, length, old_ofs;
+        int rc = 0;
+        down_write(&c->xattr_sem);
+        if (xd->node != raw)
+                goto out;
+        if (xd->flags & (JFFS2_XFLAGS_DEAD|JFFS2_XFLAGS_INVALID))
+                goto out;
+        rc = load_xattr_datum(c, xd);
+        if (unlikely(rc)) {
+                rc = (rc > 0) ? 0 : rc;
+                goto out;
+        }
+        old_ofs = ref_offset(xd->node);
+        totlen = PAD(sizeof(struct jffs2_raw_xattr)
+                        + xd->name_len + 1 + xd->value_len);
+        rc = jffs2_reserve_space_gc(c, totlen, &length, JFFS2_SUMMARY_XATTR_SIZE);
+        if (rc) {
+                JFFS2_WARNING("jffs2_reserve_space_gc()=%d, request=%u\n", rc, totlen);
+                rc = rc ? rc : -EBADFD;
+                goto out;
+        }
+        rc = save_xattr_datum(c, xd);
+        if (!rc)
+                dbg_xattr("xdatum (xid=%u, version=%u) GC'ed from %#08x to %08x\n",
+                          xd->xid, xd->version, old_ofs, ref_offset(xd->node));
+ out:
+        if (!rc)
+                jffs2_mark_node_obsolete(c, raw);
+        up_write(&c->xattr_sem);
+        return rc;
+}
+int jffs2_garbage_collect_xattr_ref(struct jffs2_sb_info *c, struct jffs2_xattr_ref *ref,
+                                    struct jffs2_raw_node_ref *raw)
+{
+        uint32_t totlen, length, old_ofs;
+        int rc = 0;
+        down_write(&c->xattr_sem);
+        BUG_ON(!ref->node);
+        if (ref->node != raw)
+                goto out;
+        if (is_xattr_ref_dead(ref) && (raw->next_in_ino == (void *)ref))
+                goto out;
+        old_ofs = ref_offset(ref->node);
+        totlen = ref_totlen(c, c->gcblock, ref->node);
+        rc = jffs2_reserve_space_gc(c, totlen, &length, JFFS2_SUMMARY_XREF_SIZE);
+        if (rc) {
+                JFFS2_WARNING("%s: jffs2_reserve_space_gc() = %d, request = %u\n",
+                              __FUNCTION__, rc, totlen);
+                rc = rc ? rc : -EBADFD;
+                goto out;
+        }
+        rc = save_xattr_ref(c, ref);
+        if (!rc)
+                dbg_xattr("xref (ino=%u, xid=%u) GC'ed from %#08x to %08x\n",
+                          ref->ic->ino, ref->xd->xid, old_ofs, ref_offset(ref->node));
+ out:
+        if (!rc)
+                jffs2_mark_node_obsolete(c, raw);
+        up_write(&c->xattr_sem);
+        return rc;
+}
+int jffs2_verify_xattr(struct jffs2_sb_info *c)
+{
+        struct jffs2_xattr_datum *xd, *_xd;
+        struct jffs2_eraseblock *jeb;
+        struct jffs2_raw_node_ref *raw;
+        uint32_t totlen;
+        int rc;
+        down_write(&c->xattr_sem);
+        list_for_each_entry_safe(xd, _xd, &c->xattr_unchecked, xindex) {
+                rc = do_verify_xattr_datum(c, xd);
+                if (rc < 0)
+                        continue;
+                list_del_init(&xd->xindex);
+                spin_lock(&c->erase_completion_lock);
+                for (raw=xd->node; raw != (void *)xd; raw=raw->next_in_ino) {
+                        if (ref_flags(raw) != REF_UNCHECKED)
+                                continue;
+                        jeb = &c->blocks[ref_offset(raw) / c->sector_size];
+                        totlen = PAD(ref_totlen(c, jeb, raw));
+                        c->unchecked_size -= totlen; c->used_size += totlen;
+                        jeb->unchecked_size -= totlen; jeb->used_size += totlen;
+                        raw->flash_offset = ref_offset(raw)
+                                | ((xd->node == (void *)raw) ? REF_PRISTINE : REF_NORMAL);
+                }
+                if (xd->flags & JFFS2_XFLAGS_DEAD)
+                        list_add(&xd->xindex, &c->xattr_dead_list);
+                spin_unlock(&c->erase_completion_lock);
+        }
+        up_write(&c->xattr_sem);
+        return list_empty(&c->xattr_unchecked) ? 1 : 0;
+}
+void jffs2_release_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd)
+{
+        /* must be called under spin_lock(&c->erase_completion_lock) */
+        if (atomic_read(&xd->refcnt) || xd->node != (void *)xd)
+                return;
+        list_del(&xd->xindex);
+        jffs2_free_xattr_datum(xd);
+}
+void jffs2_release_xattr_ref(struct jffs2_sb_info *c, struct jffs2_xattr_ref *ref)
+{
+        /* must be called under spin_lock(&c->erase_completion_lock) */
+        struct jffs2_xattr_ref *tmp, **ptmp;
+        if (ref->node != (void *)ref)
+                return;
+        for (tmp=c->xref_dead_list, ptmp=&c->xref_dead_list; tmp; ptmp=&tmp->next, tmp=tmp->next) {
+                if (ref == tmp) {
+                        *ptmp = tmp->next;
+                        break;
+                }
+        }
+        jffs2_free_xattr_ref(ref);
+}
diff --git a/fs/jffs2/xattr.h b/fs/jffs2/xattr.h
new file mode 100644
index 000000000000..06a5c69dcf8b
--- /dev/null
+++ b/fs/jffs2/xattr.h
@@ -0,0 +1,129 @@
+/*
+ * JFFS2 -- Journalling Flash File System, Version 2.
+ *
+ * Copyright (C) 2006  NEC Corporation
+ *
+ * Created by KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ * For licensing information, see the file 'LICENCE' in this directory.
+ *
+ */
+#ifndef _JFFS2_FS_XATTR_H_
+#define _JFFS2_FS_XATTR_H_
+#include <linux/xattr.h>
+#include <linux/list.h>
+#define JFFS2_XFLAGS_HOT        (0x01)  /* This datum is HOT */
+#define JFFS2_XFLAGS_BIND       (0x02)  /* This datum is not reclaimed */
+#define JFFS2_XFLAGS_DEAD       (0x40)  /* This datum is already dead */
+#define JFFS2_XFLAGS_INVALID    (0x80)  /* This datum contains crc error */
+struct jffs2_xattr_datum
+{
+        void *always_null;
+        struct jffs2_raw_node_ref *node;
+        uint8_t class;
+        uint8_t flags;
+        uint16_t xprefix;               /* see JFFS2_XATTR_PREFIX_* */
+        struct list_head xindex;        /* chained from c->xattrindex[n] */
+        atomic_t refcnt;                /* # of xattr_ref refers this */
+        uint32_t xid;
+        uint32_t version;
+        uint32_t data_crc;
+        uint32_t hashkey;
+        char *xname;            /* XATTR name without prefix */
+        uint32_t name_len;      /* length of xname */
+        char *xvalue;           /* XATTR value */
+        uint32_t value_len;     /* length of xvalue */
+};
+struct jffs2_inode_cache;
+struct jffs2_xattr_ref
+{
+        void *always_null;
+        struct jffs2_raw_node_ref *node;
+        uint8_t class;
+        uint8_t flags;          /* Currently unused */
+        u16 unused;
+        uint32_t xseqno;
+        union {
+                struct jffs2_inode_cache *ic;   /* reference to jffs2_inode_cache */
+                uint32_t ino;                   /* only used in scanning/building  */
+        };
+        union {
+                struct jffs2_xattr_datum *xd;   /* reference to jffs2_xattr_datum */
+                uint32_t xid;                   /* only used in sccanning/building */
+        };
+        struct jffs2_xattr_ref *next;           /* chained from ic->xref_list */
+};
+#define XREF_DELETE_MARKER      (0x00000001)
+static inline int is_xattr_ref_dead(struct jffs2_xattr_ref *ref)
+{
+        return ((ref->xseqno & XREF_DELETE_MARKER) != 0);
+}
+#ifdef CONFIG_JFFS2_FS_XATTR
+extern void jffs2_init_xattr_subsystem(struct jffs2_sb_info *c);
+extern void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c);
+extern void jffs2_clear_xattr_subsystem(struct jffs2_sb_info *c);
+extern struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c,
+                                                  uint32_t xid, uint32_t version);
+extern void jffs2_xattr_delete_inode(struct jffs2_sb_info *c, struct jffs2_inode_cache *ic);
+extern void jffs2_xattr_free_inode(struct jffs2_sb_info *c, struct jffs2_inode_cache *ic);
+extern int jffs2_garbage_collect_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd,
+                                             struct jffs2_raw_node_ref *raw);
+extern int jffs2_garbage_collect_xattr_ref(struct jffs2_sb_info *c, struct jffs2_xattr_ref *ref,
+                                           struct jffs2_raw_node_ref *raw);
+extern int jffs2_verify_xattr(struct jffs2_sb_info *c);
+extern void jffs2_release_xattr_datum(struct jffs2_sb_info *c, struct jffs2_xattr_datum *xd);
+extern void jffs2_release_xattr_ref(struct jffs2_sb_info *c, struct jffs2_xattr_ref *ref);
+extern int do_jffs2_getxattr(struct inode *inode, int xprefix, const char *xname,
+                             char *buffer, size_t size);
+extern int do_jffs2_setxattr(struct inode *inode, int xprefix, const char *xname,
+                             const char *buffer, size_t size, int flags);
+extern struct xattr_handler *jffs2_xattr_handlers[];
+extern struct xattr_handler jffs2_user_xattr_handler;
+extern struct xattr_handler jffs2_trusted_xattr_handler;
+extern ssize_t jffs2_listxattr(struct dentry *, char *, size_t);
+#define jffs2_getxattr          generic_getxattr
+#define jffs2_setxattr          generic_setxattr
+#define jffs2_removexattr       generic_removexattr
+#else
+#define jffs2_init_xattr_subsystem(c)
+#define jffs2_build_xattr_subsystem(c)
+#define jffs2_clear_xattr_subsystem(c)
+#define jffs2_xattr_delete_inode(c, ic)
+#define jffs2_xattr_free_inode(c, ic)
+#define jffs2_verify_xattr(c)                   (1)
+#define jffs2_xattr_handlers    NULL
+#define jffs2_listxattr         NULL
+#define jffs2_getxattr          NULL
+#define jffs2_setxattr          NULL
+#define jffs2_removexattr       NULL
+#endif /* CONFIG_JFFS2_FS_XATTR */
+#ifdef CONFIG_JFFS2_FS_SECURITY
+extern int jffs2_init_security(struct inode *inode, struct inode *dir);
+extern struct xattr_handler jffs2_security_xattr_handler;
+#else
+#define jffs2_init_security(inode,dir)  (0)
+#endif /* CONFIG_JFFS2_FS_SECURITY */
+#endif /* _JFFS2_FS_XATTR_H_ */
diff --git a/fs/jffs2/xattr_trusted.c b/fs/jffs2/xattr_trusted.c
new file mode 100644
index 000000000000..ed046e19dbfa
--- /dev/null
+++ b/fs/jffs2/xattr_trusted.c
@@ -0,0 +1,52 @@
+/*
+ * JFFS2 -- Journalling Flash File System, Version 2.
+ *
+ * Copyright (C) 2006  NEC Corporation
+ *
+ * Created by KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ * For licensing information, see the file 'LICENCE' in this directory.
+ *
+ */
+#include <linux/kernel.h>
+#include <linux/fs.h>
+#include <linux/jffs2.h>
+#include <linux/xattr.h>
+#include <linux/mtd/mtd.h>
+#include "nodelist.h"
+static int jffs2_trusted_getxattr(struct inode *inode, const char *name,
+                                  void *buffer, size_t size)
+{
+        if (!strcmp(name, ""))
+                return -EINVAL;
+        return do_jffs2_getxattr(inode, JFFS2_XPREFIX_TRUSTED, name, buffer, size);
+}
+static int jffs2_trusted_setxattr(struct inode *inode, const char *name, const void *buffer,
+                                  size_t size, int flags)
+{
+        if (!strcmp(name, ""))
+                return -EINVAL;
+        return do_jffs2_setxattr(inode, JFFS2_XPREFIX_TRUSTED, name, buffer, size, flags);
+}
+static size_t jffs2_trusted_listxattr(struct inode *inode, char *list, size_t list_size,
+                                      const char *name, size_t name_len)
+{
+        size_t retlen = XATTR_TRUSTED_PREFIX_LEN + name_len + 1;
+        if (list && retlen<=list_size) {
+                strcpy(list, XATTR_TRUSTED_PREFIX);
+                strcpy(list + XATTR_TRUSTED_PREFIX_LEN, name);
+        }
+        return retlen;
+}
+struct xattr_handler jffs2_trusted_xattr_handler = {
+        .prefix = XATTR_TRUSTED_PREFIX,
+        .list = jffs2_trusted_listxattr,
+        .set = jffs2_trusted_setxattr,
+        .get = jffs2_trusted_getxattr
+};
diff --git a/fs/jffs2/xattr_user.c b/fs/jffs2/xattr_user.c
new file mode 100644
index 000000000000..2f8e9aa01ea0
--- /dev/null
+++ b/fs/jffs2/xattr_user.c
@@ -0,0 +1,52 @@
+/*
+ * JFFS2 -- Journalling Flash File System, Version 2.
+ *
+ * Copyright (C) 2006  NEC Corporation
+ *
+ * Created by KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ * For licensing information, see the file 'LICENCE' in this directory.
+ *
+ */
+#include <linux/kernel.h>
+#include <linux/fs.h>
+#include <linux/jffs2.h>
+#include <linux/xattr.h>
+#include <linux/mtd/mtd.h>
+#include "nodelist.h"
+static int jffs2_user_getxattr(struct inode *inode, const char *name,
+                               void *buffer, size_t size)
+{
+        if (!strcmp(name, ""))
+                return -EINVAL;
+        return do_jffs2_getxattr(inode, JFFS2_XPREFIX_USER, name, buffer, size);
+}
+static int jffs2_user_setxattr(struct inode *inode, const char *name, const void *buffer,
+                               size_t size, int flags)
+{
+        if (!strcmp(name, ""))
+                return -EINVAL;
+        return do_jffs2_setxattr(inode, JFFS2_XPREFIX_USER, name, buffer, size, flags);
+}
+static size_t jffs2_user_listxattr(struct inode *inode, char *list, size_t list_size,
+                                   const char *name, size_t name_len)
+{
+        size_t retlen = XATTR_USER_PREFIX_LEN + name_len + 1;
+        if (list && retlen <= list_size) {
+                strcpy(list, XATTR_USER_PREFIX);
+                strcpy(list + XATTR_USER_PREFIX_LEN, name);
+        }
+        return retlen;
+}
+struct xattr_handler jffs2_user_xattr_handler = {
+        .prefix = XATTR_USER_PREFIX,
+        .list = jffs2_user_listxattr,
+        .set = jffs2_user_setxattr,
+        .get = jffs2_user_getxattr
+};