13 files changed, 257 insertions, 172 deletions
diff --git a/fs/ntfs/ChangeLog b/fs/ntfs/ChangeLog
index 49eafbdb15c1..de58579a1d0e 100644
--- a/fs/ntfs/ChangeLog
+++ b/fs/ntfs/ChangeLog
@@ -29,7 +29,8 @@ ToDo/Notes:
          The Windows boot will run chkdsk and then reboot.  The user can then
          immediately boot into Linux rather than having to do a full Windows
          boot first before rebooting into Linux and we will recognize such a
-          journal and empty it as it is clean by definition.
+          journal and empty it as it is clean by definition.  Note, this only
+          works if chkdsk left the journal in an obviously clean state.
        - Support journals ($LogFile) with only one restart page as well as
          journals with two different restart pages.  We sanity check both and
          either use the only sane one or the more recent one of the two in the
@@ -92,6 +93,18 @@ ToDo/Notes:
          an octal number to conform to how chmod(1) works, too.  Thanks to
          Giuseppe Bilotta and Horst von Brand for pointing out the errors of
          my ways.
+        - Fix various bugs in the runlist merging code.  (Based on libntfs
+          changes by Richard Russon.)
+        - Fix sparse warnings that have crept in over time.
+        - Change ntfs_cluster_free() to require a write locked runlist on entry
+          since we otherwise get into a lock reversal deadlock if a read locked
+          runlist is passed in. In the process also change it to take an ntfs
+          inode instead of a vfs inode as parameter.
+        - Fix the definition of the CHKD ntfs record magic.  It had an off by
+          two error causing it to be CHKB instead of CHKD.
+        - Fix a stupid bug in __ntfs_bitmap_set_bits_in_run() which caused the
+          count to become negative and hence we had a wild memset() scribbling
+          all over the system's ram.
 2.1.23 - Implement extension of resident files and make writing safe as well as
         many bug fixes, cleanups, and enhancements...
diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
index b6cc8cf24626..5e80c07c6a4d 100644
--- a/fs/ntfs/aops.c
+++ b/fs/ntfs/aops.c
@@ -59,39 +59,49 @@ static void ntfs_end_buffer_async_read(struct buffer_head *bh, int uptodate)
        unsigned long flags;
        struct buffer_head *first, *tmp;
        struct page *page;
+        struct inode *vi;
        ntfs_inode *ni;
        int page_uptodate = 1;
        page = bh->b_page;
-        ni = NTFS_I(page->mapping->host);
+        vi = page->mapping->host;
+        ni = NTFS_I(vi);
        if (likely(uptodate)) {
-                s64 file_ofs, initialized_size;
+                loff_t i_size;
+                s64 file_ofs, init_size;
                set_buffer_uptodate(bh);
                file_ofs = ((s64)page->index << PAGE_CACHE_SHIFT) +
                                bh_offset(bh);
                read_lock_irqsave(&ni->size_lock, flags);
-                initialized_size = ni->initialized_size;
+                init_size = ni->initialized_size;
+                i_size = i_size_read(vi);
                read_unlock_irqrestore(&ni->size_lock, flags);
+                if (unlikely(init_size > i_size)) {
+                        /* Race with shrinking truncate. */
+                        init_size = i_size;
+                }
                /* Check for the current buffer head overflowing. */
-                if (file_ofs + bh->b_size > initialized_size) {
+                if (unlikely(file_ofs + bh->b_size > init_size)) {
-                        char *addr;
+                        u8 *kaddr;
-                        int ofs = 0;
+                        int ofs;
-                        if (file_ofs < initialized_size)
+                        ofs = 0;
-                                ofs = initialized_size - file_ofs;
+                        if (file_ofs < init_size)
-                        addr = kmap_atomic(page, KM_BIO_SRC_IRQ);
+                                ofs = init_size - file_ofs;
-                        memset(addr + bh_offset(bh) + ofs, 0, bh->b_size - ofs);
+                        kaddr = kmap_atomic(page, KM_BIO_SRC_IRQ);
+                        memset(kaddr + bh_offset(bh) + ofs, 0,
+                                        bh->b_size - ofs);
+                        kunmap_atomic(kaddr, KM_BIO_SRC_IRQ);
                        flush_dcache_page(page);
-                        kunmap_atomic(addr, KM_BIO_SRC_IRQ);
                }
        } else {
                clear_buffer_uptodate(bh);
                SetPageError(page);
-                ntfs_error(ni->vol->sb, "Buffer I/O error, logical block %llu.",
+                ntfs_error(ni->vol->sb, "Buffer I/O error, logical block "
-                                (unsigned long long)bh->b_blocknr);
+                                "0x%llx.", (unsigned long long)bh->b_blocknr);
        }
        first = page_buffers(page);
        local_irq_save(flags);
@@ -124,7 +134,7 @@ static void ntfs_end_buffer_async_read(struct buffer_head *bh, int uptodate)
                if (likely(page_uptodate && !PageError(page)))
                        SetPageUptodate(page);
        } else {
-                char *addr;
+                u8 *kaddr;
                unsigned int i, recs;
                u32 rec_size;
@@ -132,12 +142,12 @@ static void ntfs_end_buffer_async_read(struct buffer_head *bh, int uptodate)
                recs = PAGE_CACHE_SIZE / rec_size;
                /* Should have been verified before we got here... */
                BUG_ON(!recs);
-                addr = kmap_atomic(page, KM_BIO_SRC_IRQ);
+                kaddr = kmap_atomic(page, KM_BIO_SRC_IRQ);
                for (i = 0; i < recs; i++)
-                        post_read_mst_fixup((NTFS_RECORD*)(addr +
+                        post_read_mst_fixup((NTFS_RECORD*)(kaddr +
                                        i * rec_size), rec_size);
+                kunmap_atomic(kaddr, KM_BIO_SRC_IRQ);
                flush_dcache_page(page);
-                kunmap_atomic(addr, KM_BIO_SRC_IRQ);
                if (likely(page_uptodate && !PageError(page)))
                        SetPageUptodate(page);
        }
@@ -168,8 +178,11 @@ still_busy:
 */
 static int ntfs_read_block(struct page *page)
 {
+        loff_t i_size;
        VCN vcn;
        LCN lcn;
+        s64 init_size;
+        struct inode *vi;
        ntfs_inode *ni;
        ntfs_volume *vol;
        runlist_element *rl;
@@ -180,7 +193,8 @@ static int ntfs_read_block(struct page *page)
        int i, nr;
        unsigned char blocksize_bits;
-        ni = NTFS_I(page->mapping->host);
+        vi = page->mapping->host;
+        ni = NTFS_I(vi);
        vol = ni->vol;
        /* $MFT/$DATA must have its complete runlist in memory at all times. */
@@ -199,11 +213,28 @@ static int ntfs_read_block(struct page *page)
        bh = head = page_buffers(page);
        BUG_ON(!bh);
+        /*
+         * We may be racing with truncate.  To avoid some of the problems we
+         * now take a snapshot of the various sizes and use those for the whole
+         * of the function.  In case of an extending truncate it just means we
+         * may leave some buffers unmapped which are now allocated.  This is
+         * not a problem since these buffers will just get mapped when a write
+         * occurs.  In case of a shrinking truncate, we will detect this later
+         * on due to the runlist being incomplete and if the page is being
+         * fully truncated, truncate will throw it away as soon as we unlock
+         * it so no need to worry what we do with it.
+         */
        iblock = (s64)page->index << (PAGE_CACHE_SHIFT - blocksize_bits);
        read_lock_irqsave(&ni->size_lock, flags);
        lblock = (ni->allocated_size + blocksize - 1) >> blocksize_bits;
-        zblock = (ni->initialized_size + blocksize - 1) >> blocksize_bits;
+        init_size = ni->initialized_size;
+        i_size = i_size_read(vi);
        read_unlock_irqrestore(&ni->size_lock, flags);
+        if (unlikely(init_size > i_size)) {
+                /* Race with shrinking truncate. */
+                init_size = i_size;
+        }
+        zblock = (init_size + blocksize - 1) >> blocksize_bits;
        /* Loop through all the buffers in the page. */
        rl = NULL;
@@ -366,6 +397,8 @@ handle_zblock:
 */
 static int ntfs_readpage(struct file *file, struct page *page)
 {
+        loff_t i_size;
+        struct inode *vi;
        ntfs_inode *ni, *base_ni;
        u8 *kaddr;
        ntfs_attr_search_ctx *ctx;
@@ -384,14 +417,17 @@ retry_readpage:
                unlock_page(page);
                return 0;
        }
-        ni = NTFS_I(page->mapping->host);
+        vi = page->mapping->host;
+        ni = NTFS_I(vi);
        /*
         * Only $DATA attributes can be encrypted and only unnamed $DATA
         * attributes can be compressed.  Index root can have the flags set but
         * this means to create compressed/encrypted files, not that the
-         * attribute is compressed/encrypted.
+         * attribute is compressed/encrypted.  Note we need to check for
+         * AT_INDEX_ALLOCATION since this is the type of both directory and
+         * index inodes.
         */
-        if (ni->type != AT_INDEX_ROOT) {
+        if (ni->type != AT_INDEX_ALLOCATION) {
                /* If attribute is encrypted, deny access, just like NT4. */
                if (NInoEncrypted(ni)) {
                        BUG_ON(ni->type != AT_DATA);
@@ -456,7 +492,12 @@ retry_readpage:
        read_lock_irqsave(&ni->size_lock, flags);
        if (unlikely(attr_len > ni->initialized_size))
                attr_len = ni->initialized_size;
+        i_size = i_size_read(vi);
        read_unlock_irqrestore(&ni->size_lock, flags);
+        if (unlikely(attr_len > i_size)) {
+                /* Race with shrinking truncate. */
+                attr_len = i_size;
+        }
        kaddr = kmap_atomic(page, KM_USER0);
        /* Copy the data to the page. */
        memcpy(kaddr, (u8*)ctx->attr +
@@ -1341,9 +1382,11 @@ retry_writepage:
         * Only $DATA attributes can be encrypted and only unnamed $DATA
         * attributes can be compressed.  Index root can have the flags set but
         * this means to create compressed/encrypted files, not that the
-         * attribute is compressed/encrypted.
+         * attribute is compressed/encrypted.  Note we need to check for
+         * AT_INDEX_ALLOCATION since this is the type of both directory and
+         * index inodes.
         */
-        if (ni->type != AT_INDEX_ROOT) {
+        if (ni->type != AT_INDEX_ALLOCATION) {
                /* If file is encrypted, deny access, just like NT4. */
                if (NInoEncrypted(ni)) {
                        unlock_page(page);
@@ -1379,8 +1422,8 @@ retry_writepage:
                        unsigned int ofs = i_size & ~PAGE_CACHE_MASK;
                        kaddr = kmap_atomic(page, KM_USER0);
                        memset(kaddr + ofs, 0, PAGE_CACHE_SIZE - ofs);
-                        flush_dcache_page(page);
                        kunmap_atomic(kaddr, KM_USER0);
+                        flush_dcache_page(page);
                }
                /* Handle mst protected attributes. */
                if (NInoMstProtected(ni))
@@ -1443,34 +1486,33 @@ retry_writepage:
        BUG_ON(PageWriteback(page));
        set_page_writeback(page);
        unlock_page(page);
-        /*
-         * Here, we do not need to zero the out of bounds area everytime
-         * because the below memcpy() already takes care of the
-         * mmap-at-end-of-file requirements.  If the file is converted to a
-         * non-resident one, then the code path use is switched to the
-         * non-resident one where the zeroing happens on each ntfs_writepage()
-         * invocation.
-         */
        attr_len = le32_to_cpu(ctx->attr->data.resident.value_length);
        i_size = i_size_read(vi);
        if (unlikely(attr_len > i_size)) {
+                /* Race with shrinking truncate or a failed truncate. */
                attr_len = i_size;
-                ctx->attr->data.resident.value_length = cpu_to_le32(attr_len);
+                /*
+                 * If the truncate failed, fix it up now.  If a concurrent
+                 * truncate, we do its job, so it does not have to do anything.
+                 */
+                err = ntfs_resident_attr_value_resize(ctx->mrec, ctx->attr,
+                                attr_len);
+                /* Shrinking cannot fail. */
+                BUG_ON(err);
        }
        kaddr = kmap_atomic(page, KM_USER0);
        /* Copy the data from the page to the mft record. */
        memcpy((u8*)ctx->attr +
                        le16_to_cpu(ctx->attr->data.resident.value_offset),
                        kaddr, attr_len);
-        flush_dcache_mft_record_page(ctx->ntfs_ino);
        /* Zero out of bounds area in the page cache page. */
        memset(kaddr + attr_len, 0, PAGE_CACHE_SIZE - attr_len);
-        flush_dcache_page(page);
        kunmap_atomic(kaddr, KM_USER0);
+        flush_dcache_mft_record_page(ctx->ntfs_ino);
+        flush_dcache_page(page);
+        /* We are done with the page. */
        end_page_writeback(page);
+        /* Finally, mark the mft record dirty, so it gets written back. */
-        /* Mark the mft record dirty, so it gets written back. */
        mark_mft_record_dirty(ctx->ntfs_ino);
        ntfs_attr_put_search_ctx(ctx);
        unmap_mft_record(base_ni);
diff --git a/fs/ntfs/bitmap.c b/fs/ntfs/bitmap.c
index 12cf2e30c7dd..7a190cdc60e2 100644
--- a/fs/ntfs/bitmap.c
+++ b/fs/ntfs/bitmap.c
@@ -1,7 +1,7 @@
 /*
 * bitmap.c - NTFS kernel bitmap handling.  Part of the Linux-NTFS project.
 *
- * Copyright (c) 2004 Anton Altaparmakov
+ * Copyright (c) 2004-2005 Anton Altaparmakov
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
@@ -90,7 +90,8 @@ int __ntfs_bitmap_set_bits_in_run(struct inode *vi, const s64 start_bit,
        /* If the first byte is partial, modify the appropriate bits in it. */
        if (bit) {
                u8 *byte = kaddr + pos;
-                while ((bit & 7) && cnt--) {
+                while ((bit & 7) && cnt) {
+                        cnt--;
                        if (value)
                                *byte |= 1 << bit++;
                        else
diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index dc4bbe3acf5c..7ec045131808 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -1166,6 +1166,8 @@ err_out:
 *
 * Return 0 on success and -errno on error.  In the error case, the inode will
 * have had make_bad_inode() executed on it.
+ *
+ * Note this cannot be called for AT_INDEX_ALLOCATION.
 */
 static int ntfs_read_locked_attr_inode(struct inode *base_vi, struct inode *vi)
 {
@@ -1242,8 +1244,8 @@ static int ntfs_read_locked_attr_inode(struct inode *base_vi, struct inode *vi)
                        }
                }
                /*
-                 * The encryption flag set in an index root just means to
+                 * The compressed/sparse flag set in an index root just means
-                 * compress all files.
+                 * to compress all files.
                 */
                if (NInoMstProtected(ni) && ni->type != AT_INDEX_ROOT) {
                        ntfs_error(vi->i_sb, "Found mst protected attribute "
@@ -1319,8 +1321,7 @@ static int ntfs_read_locked_attr_inode(struct inode *base_vi, struct inode *vi)
                                        "the mapping pairs array.");
                        goto unm_err_out;
                }
-                if ((NInoCompressed(ni) || NInoSparse(ni)) &&
+                if (NInoCompressed(ni) || NInoSparse(ni)) {
-                                ni->type != AT_INDEX_ROOT) {
                        if (a->data.non_resident.compression_unit != 4) {
                                ntfs_error(vi->i_sb, "Found nonstandard "
                                                "compression unit (%u instead "
diff --git a/fs/ntfs/layout.h b/fs/ntfs/layout.h
index 609ad1728ce4..5c248d404f05 100644
--- a/fs/ntfs/layout.h
+++ b/fs/ntfs/layout.h
@@ -123,7 +123,7 @@ enum {
        magic_RCRD = const_cpu_to_le32(0x44524352), /* Log record page. */
        /* Found in $LogFile/$DATA.  (May be found in $MFT/$DATA, also?) */
-        magic_CHKD = const_cpu_to_le32(0x424b4843), /* Modified by chkdsk. */
+        magic_CHKD = const_cpu_to_le32(0x444b4843), /* Modified by chkdsk. */
        /* Found in all ntfs record containing records. */
        magic_BAAD = const_cpu_to_le32(0x44414142), /* Failed multi sector
@@ -308,10 +308,8 @@ typedef le16 MFT_RECORD_FLAGS;
 * The _LE versions are to be applied on little endian MFT_REFs.
 * Note: The _LE versions will return a CPU endian formatted value!
 */
-typedef enum {
+#define MFT_REF_MASK_CPU 0x0000ffffffffffffULL
-        MFT_REF_MASK_CPU        = 0x0000ffffffffffffULL,
+#define MFT_REF_MASK_LE const_cpu_to_le64(MFT_REF_MASK_CPU)
-        MFT_REF_MASK_LE         = const_cpu_to_le64(0x0000ffffffffffffULL),
-} MFT_REF_CONSTS;
 typedef u64 MFT_REF;
 typedef le64 leMFT_REF;
diff --git a/fs/ntfs/lcnalloc.c b/fs/ntfs/lcnalloc.c
index 7b5934290685..5af3bf0b7eee 100644
--- a/fs/ntfs/lcnalloc.c
+++ b/fs/ntfs/lcnalloc.c
@@ -779,14 +779,13 @@ out:
 /**
 * __ntfs_cluster_free - free clusters on an ntfs volume
- * @vi:         vfs inode whose runlist describes the clusters to free
+ * @ni:         ntfs inode whose runlist describes the clusters to free
- * @start_vcn:  vcn in the runlist of @vi at which to start freeing clusters
+ * @start_vcn:  vcn in the runlist of @ni at which to start freeing clusters
 * @count:      number of clusters to free or -1 for all clusters
- * @write_locked:       true if the runlist is locked for writing
 * @is_rollback:        true if this is a rollback operation
 *
 * Free @count clusters starting at the cluster @start_vcn in the runlist
- * described by the vfs inode @vi.
+ * described by the vfs inode @ni.
 *
 * If @count is -1, all clusters from @start_vcn to the end of the runlist are
 * deallocated.  Thus, to completely free all clusters in a runlist, use
@@ -801,31 +800,28 @@ out:
 * Return the number of deallocated clusters (not counting sparse ones) on
 * success and -errno on error.
 *
- * Locking: - The runlist described by @vi must be locked on entry and is
+ * Locking: - The runlist described by @ni must be locked for writing on entry
- *            locked on return.  Note if the runlist is locked for reading the
+ *            and is locked on return.  Note the runlist may be modified when
- *            lock may be dropped and reacquired.  Note the runlist may be
+ *            needed runlist fragments need to be mapped.
- *            modified when needed runlist fragments need to be mapped.
 *          - The volume lcn bitmap must be unlocked on entry and is unlocked
 *            on return.
 *          - This function takes the volume lcn bitmap lock for writing and
 *            modifies the bitmap contents.
 */
-s64 __ntfs_cluster_free(struct inode *vi, const VCN start_vcn, s64 count,
+s64 __ntfs_cluster_free(ntfs_inode *ni, const VCN start_vcn, s64 count,
-                const BOOL write_locked, const BOOL is_rollback)
+                const BOOL is_rollback)
 {
        s64 delta, to_free, total_freed, real_freed;
-        ntfs_inode *ni;
        ntfs_volume *vol;
        struct inode *lcnbmp_vi;
        runlist_element *rl;
        int err;
-        BUG_ON(!vi);
+        BUG_ON(!ni);
        ntfs_debug("Entering for i_ino 0x%lx, start_vcn 0x%llx, count "
-                        "0x%llx.%s", vi->i_ino, (unsigned long long)start_vcn,
+                        "0x%llx.%s", ni->mft_no, (unsigned long long)start_vcn,
                        (unsigned long long)count,
                        is_rollback ? " (rollback)" : "");
-        ni = NTFS_I(vi);
        vol = ni->vol;
        lcnbmp_vi = vol->lcnbmp_ino;
        BUG_ON(!lcnbmp_vi);
@@ -843,7 +839,7 @@ s64 __ntfs_cluster_free(struct inode *vi, const VCN start_vcn, s64 count,
        total_freed = real_freed = 0;
-        rl = ntfs_attr_find_vcn_nolock(ni, start_vcn, write_locked);
+        rl = ntfs_attr_find_vcn_nolock(ni, start_vcn, TRUE);
        if (IS_ERR(rl)) {
                if (!is_rollback)
                        ntfs_error(vol->sb, "Failed to find first runlist "
@@ -897,7 +893,7 @@ s64 __ntfs_cluster_free(struct inode *vi, const VCN start_vcn, s64 count,
                        /* Attempt to map runlist. */
                        vcn = rl->vcn;
-                        rl = ntfs_attr_find_vcn_nolock(ni, vcn, write_locked);
+                        rl = ntfs_attr_find_vcn_nolock(ni, vcn, TRUE);
                        if (IS_ERR(rl)) {
                                err = PTR_ERR(rl);
                                if (!is_rollback)
@@ -965,8 +961,7 @@ err_out:
         * If rollback fails, set the volume errors flag, emit an error
         * message, and return the error code.
         */
-        delta = __ntfs_cluster_free(vi, start_vcn, total_freed, write_locked,
+        delta = __ntfs_cluster_free(ni, start_vcn, total_freed, TRUE);
-                        TRUE);
        if (delta < 0) {
                ntfs_error(vol->sb, "Failed to rollback (error %i).  Leaving "
                                "inconsistent metadata!  Unmount and run "
diff --git a/fs/ntfs/lcnalloc.h b/fs/ntfs/lcnalloc.h
index e4d7fb98d685..a6a8827882e7 100644
--- a/fs/ntfs/lcnalloc.h
+++ b/fs/ntfs/lcnalloc.h
@@ -2,7 +2,7 @@
 * lcnalloc.h - Exports for NTFS kernel cluster (de)allocation.  Part of the
 *              Linux-NTFS project.
 *
- * Copyright (c) 2004 Anton Altaparmakov
+ * Copyright (c) 2004-2005 Anton Altaparmakov
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
@@ -28,6 +28,7 @@
 #include <linux/fs.h>
 #include "types.h"
+#include "inode.h"
 #include "runlist.h"
 #include "volume.h"
@@ -42,18 +43,17 @@ extern runlist_element *ntfs_cluster_alloc(ntfs_volume *vol,
                const VCN start_vcn, const s64 count, const LCN start_lcn,
                const NTFS_CLUSTER_ALLOCATION_ZONES zone);
-extern s64 __ntfs_cluster_free(struct inode *vi, const VCN start_vcn,
+extern s64 __ntfs_cluster_free(ntfs_inode *ni, const VCN start_vcn,
-                s64 count, const BOOL write_locked, const BOOL is_rollback);
+                s64 count, const BOOL is_rollback);
 /**
 * ntfs_cluster_free - free clusters on an ntfs volume
- * @vi:         vfs inode whose runlist describes the clusters to free
+ * @ni:         ntfs inode whose runlist describes the clusters to free
- * @start_vcn:  vcn in the runlist of @vi at which to start freeing clusters
+ * @start_vcn:  vcn in the runlist of @ni at which to start freeing clusters
 * @count:      number of clusters to free or -1 for all clusters
- * @write_locked:       true if the runlist is locked for writing
 *
 * Free @count clusters starting at the cluster @start_vcn in the runlist
- * described by the vfs inode @vi.
+ * described by the ntfs inode @ni.
 *
 * If @count is -1, all clusters from @start_vcn to the end of the runlist are
 * deallocated.  Thus, to completely free all clusters in a runlist, use
@@ -65,19 +65,18 @@ extern s64 __ntfs_cluster_free(struct inode *vi, const VCN start_vcn,
 * Return the number of deallocated clusters (not counting sparse ones) on
 * success and -errno on error.
 *
- * Locking: - The runlist described by @vi must be locked on entry and is
+ * Locking: - The runlist described by @ni must be locked for writing on entry
- *            locked on return.  Note if the runlist is locked for reading the
+ *            and is locked on return.  Note the runlist may be modified when
- *            lock may be dropped and reacquired.  Note the runlist may be
+ *            needed runlist fragments need to be mapped.
- *            modified when needed runlist fragments need to be mapped.
 *          - The volume lcn bitmap must be unlocked on entry and is unlocked
 *            on return.
 *          - This function takes the volume lcn bitmap lock for writing and
 *            modifies the bitmap contents.
 */
-static inline s64 ntfs_cluster_free(struct inode *vi, const VCN start_vcn,
+static inline s64 ntfs_cluster_free(ntfs_inode *ni, const VCN start_vcn,
-                s64 count, const BOOL write_locked)
+                s64 count)
 {
-        return __ntfs_cluster_free(vi, start_vcn, count, write_locked, FALSE);
+        return __ntfs_cluster_free(ni, start_vcn, count, FALSE);
 }
 extern int ntfs_cluster_free_from_rl_nolock(ntfs_volume *vol,
diff --git a/fs/ntfs/logfile.c b/fs/ntfs/logfile.c
index 0173e95500d9..0fd70295cca6 100644
--- a/fs/ntfs/logfile.c
+++ b/fs/ntfs/logfile.c
@@ -51,7 +51,8 @@ static BOOL ntfs_check_restart_page_header(struct inode *vi,
                RESTART_PAGE_HEADER *rp, s64 pos)
 {
        u32 logfile_system_page_size, logfile_log_page_size;
-        u16 usa_count, usa_ofs, usa_end, ra_ofs;
+        u16 ra_ofs, usa_count, usa_ofs, usa_end = 0;
+        BOOL have_usa = TRUE;
        ntfs_debug("Entering.");
        /*
@@ -86,6 +87,14 @@ static BOOL ntfs_check_restart_page_header(struct inode *vi,
                                (int)sle16_to_cpu(rp->minor_ver));
                return FALSE;
        }
+        /*
+         * If chkdsk has been run the restart page may not be protected by an
+         * update sequence array.
+         */
+        if (ntfs_is_chkd_record(rp->magic) && !le16_to_cpu(rp->usa_count)) {
+                have_usa = FALSE;
+                goto skip_usa_checks;
+        }
        /* Verify the size of the update sequence array. */
        usa_count = 1 + (logfile_system_page_size >> NTFS_BLOCK_SIZE_BITS);
        if (usa_count != le16_to_cpu(rp->usa_count)) {
@@ -102,6 +111,7 @@ static BOOL ntfs_check_restart_page_header(struct inode *vi,
                                "inconsistent update sequence array offset.");
                return FALSE;
        }
+skip_usa_checks:
        /*
         * Verify the position of the restart area.  It must be:
         *      - aligned to 8-byte boundary,
@@ -109,7 +119,8 @@ static BOOL ntfs_check_restart_page_header(struct inode *vi,
         *      - within the system page size.
         */
        ra_ofs = le16_to_cpu(rp->restart_area_offset);
-        if (ra_ofs & 7 || ra_ofs < usa_end ||
+        if (ra_ofs & 7 || (have_usa ? ra_ofs < usa_end :
+                        ra_ofs < sizeof(RESTART_PAGE_HEADER)) ||
                        ra_ofs > logfile_system_page_size) {
                ntfs_error(vi->i_sb, "$LogFile restart page specifies "
                                "inconsistent restart area offset.");
@@ -402,8 +413,12 @@ static int ntfs_check_and_load_restart_page(struct inode *vi,
                        idx++;
                } while (to_read > 0);
        }
-        /* Perform the multi sector transfer deprotection on the buffer. */
+        /*
-        if (post_read_mst_fixup((NTFS_RECORD*)trp,
+         * Perform the multi sector transfer deprotection on the buffer if the
+         * restart page is protected.
+         */
+        if ((!ntfs_is_chkd_record(trp->magic) || le16_to_cpu(trp->usa_count))
+                        && post_read_mst_fixup((NTFS_RECORD*)trp,
                        le32_to_cpu(rp->system_page_size))) {
                /*
                 * A multi sector tranfer error was detected.  We only need to
@@ -615,11 +630,16 @@ is_empty:
                 * Otherwise just throw it away.
                 */
                if (rstr2_lsn > rstr1_lsn) {
+                        ntfs_debug("Using second restart page as it is more "
+                                        "recent.");
                        ntfs_free(rstr1_ph);
                        rstr1_ph = rstr2_ph;
                        /* rstr1_lsn = rstr2_lsn; */
-                } else
+                } else {
+                        ntfs_debug("Using first restart page as it is more "
+                                        "recent.");
                        ntfs_free(rstr2_ph);
+                }
                rstr2_ph = NULL;
        }
        /* All consistency checks passed. */
diff --git a/fs/ntfs/logfile.h b/fs/ntfs/logfile.h
index 42388f95ea6d..a51f3dd0e9eb 100644
--- a/fs/ntfs/logfile.h
+++ b/fs/ntfs/logfile.h
@@ -113,7 +113,7 @@ typedef struct {
 */
 enum {
        RESTART_VOLUME_IS_CLEAN = const_cpu_to_le16(0x0002),
-        RESTART_SPACE_FILLER    = 0xffff, /* gcc: Force enum bit width to 16. */
+        RESTART_SPACE_FILLER    = const_cpu_to_le16(0xffff), /* gcc: Force enum bit width to 16. */
 } __attribute__ ((__packed__));
 typedef le16 RESTART_AREA_FLAGS;
diff --git a/fs/ntfs/malloc.h b/fs/ntfs/malloc.h
index 3288bcc2c4aa..590887b943f5 100644
--- a/fs/ntfs/malloc.h
+++ b/fs/ntfs/malloc.h
@@ -1,7 +1,7 @@
 /*
 * malloc.h - NTFS kernel memory handling. Part of the Linux-NTFS project.
 *
- * Copyright (c) 2001-2004 Anton Altaparmakov
+ * Copyright (c) 2001-2005 Anton Altaparmakov
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
@@ -40,7 +40,7 @@
 * Depending on @gfp_mask the allocation may be guaranteed to succeed.
 */
 static inline void *__ntfs_malloc(unsigned long size,
-                unsigned int __nocast gfp_mask)
+                gfp_t gfp_mask)
 {
        if (likely(size <= PAGE_SIZE)) {
                BUG_ON(!size);
diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
index 2c32b84385a8..b011369b5956 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
@@ -58,7 +58,8 @@ static inline MFT_RECORD *map_mft_record_page(ntfs_inode *ni)
         * overflowing the unsigned long, but I don't think we would ever get
         * here if the volume was that big...
         */
-        index = ni->mft_no << vol->mft_record_size_bits >> PAGE_CACHE_SHIFT;
+        index = (u64)ni->mft_no << vol->mft_record_size_bits >>
+                        PAGE_CACHE_SHIFT;
        ofs = (ni->mft_no << vol->mft_record_size_bits) & ~PAGE_CACHE_MASK;
        i_size = i_size_read(mft_vi);
@@ -1953,7 +1954,7 @@ restore_undo_alloc:
        a = ctx->attr;
        a->data.non_resident.highest_vcn = cpu_to_sle64(old_last_vcn - 1);
 undo_alloc:
-        if (ntfs_cluster_free(vol->mft_ino, old_last_vcn, -1, TRUE) < 0) {
+        if (ntfs_cluster_free(mft_ni, old_last_vcn, -1) < 0) {
                ntfs_error(vol->sb, "Failed to free clusters from mft data "
                                "attribute.%s", es);
                NVolSetErrors(vol);
diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
index f5b2ac929081..061b5ff6b73c 100644
--- a/fs/ntfs/runlist.c
+++ b/fs/ntfs/runlist.c
@@ -2,7 +2,7 @@
 * runlist.c - NTFS runlist handling code.  Part of the Linux-NTFS project.
 *
 * Copyright (c) 2001-2005 Anton Altaparmakov
- * Copyright (c) 2002 Richard Russon
+ * Copyright (c) 2002-2005 Richard Russon
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
@@ -158,17 +158,21 @@ static inline BOOL ntfs_are_rl_mergeable(runlist_element *dst,
        BUG_ON(!dst);
        BUG_ON(!src);
-        if ((dst->lcn < 0) || (src->lcn < 0)) {   /* Are we merging holes? */
+        /* We can merge unmapped regions even if they are misaligned. */
-                if (dst->lcn == LCN_HOLE && src->lcn == LCN_HOLE)
+        if ((dst->lcn == LCN_RL_NOT_MAPPED) && (src->lcn == LCN_RL_NOT_MAPPED))
-                        return TRUE;
+                return TRUE;
+        /* If the runs are misaligned, we cannot merge them. */
+        if ((dst->vcn + dst->length) != src->vcn)
                return FALSE;
-        }
+        /* If both runs are non-sparse and contiguous, we can merge them. */
-        if ((dst->lcn + dst->length) != src->lcn) /* Are the runs contiguous? */
+        if ((dst->lcn >= 0) && (src->lcn >= 0) &&
-                return FALSE;
+                        ((dst->lcn + dst->length) == src->lcn))
-        if ((dst->vcn + dst->length) != src->vcn) /* Are the runs misaligned? */
+                return TRUE;
-                return FALSE;
+        /* If we are merging two holes, we can merge them. */
+        if ((dst->lcn == LCN_HOLE) && (src->lcn == LCN_HOLE))
-        return TRUE;
+                return TRUE;
+        /* Cannot merge. */
+        return FALSE;
 }
 /**
@@ -214,14 +218,15 @@ static inline void __ntfs_rl_merge(runlist_element *dst, runlist_element *src)
 static inline runlist_element *ntfs_rl_append(runlist_element *dst,
                int dsize, runlist_element *src, int ssize, int loc)
 {
-        BOOL right;
+        BOOL right = FALSE;     /* Right end of @src needs merging. */
-        int magic;
+        int marker;             /* End of the inserted runs. */
        BUG_ON(!dst);
        BUG_ON(!src);
        /* First, check if the right hand end needs merging. */
-        right = ntfs_are_rl_mergeable(src + ssize - 1, dst + loc + 1);
+        if ((loc + 1) < dsize)
+                right = ntfs_are_rl_mergeable(src + ssize - 1, dst + loc + 1);
        /* Space required: @dst size + @src size, less one if we merged. */
        dst = ntfs_rl_realloc(dst, dsize, dsize + ssize - right);
@@ -236,18 +241,19 @@ static inline runlist_element *ntfs_rl_append(runlist_element *dst,
        if (right)
                __ntfs_rl_merge(src + ssize - 1, dst + loc + 1);
-        magic = loc + ssize;
+        /* First run after the @src runs that have been inserted. */
+        marker = loc + ssize + 1;
        /* Move the tail of @dst out of the way, then copy in @src. */
-        ntfs_rl_mm(dst, magic + 1, loc + 1 + right, dsize - loc - 1 - right);
+        ntfs_rl_mm(dst, marker, loc + 1 + right, dsize - (loc + 1 + right));
        ntfs_rl_mc(dst, loc + 1, src, 0, ssize);
        /* Adjust the size of the preceding hole. */
        dst[loc].length = dst[loc + 1].vcn - dst[loc].vcn;
        /* We may have changed the length of the file, so fix the end marker */
-        if (dst[magic + 1].lcn == LCN_ENOENT)
+        if (dst[marker].lcn == LCN_ENOENT)
-                dst[magic + 1].vcn = dst[magic].vcn + dst[magic].length;
+                dst[marker].vcn = dst[marker - 1].vcn + dst[marker - 1].length;
        return dst;
 }
@@ -279,18 +285,17 @@ static inline runlist_element *ntfs_rl_append(runlist_element *dst,
 static inline runlist_element *ntfs_rl_insert(runlist_element *dst,
                int dsize, runlist_element *src, int ssize, int loc)
 {
-        BOOL left = FALSE;
+        BOOL left = FALSE;      /* Left end of @src needs merging. */
-        BOOL disc = FALSE;      /* Discontinuity */
+        BOOL disc = FALSE;      /* Discontinuity between @dst and @src. */
-        BOOL hole = FALSE;      /* Following a hole */
+        int marker;             /* End of the inserted runs. */
-        int magic;
        BUG_ON(!dst);
        BUG_ON(!src);
-        /* disc => Discontinuity between the end of @dst and the start of @src.
+        /*
-         *         This means we might need to insert a hole.
+         * disc => Discontinuity between the end of @dst and the start of @src.
-         * hole => @dst ends with a hole or an unmapped region which we can
+         *         This means we might need to insert a "not mapped" run.
-         *         extend to match the discontinuity. */
+         */
        if (loc == 0)
                disc = (src[0].vcn > 0);
        else {
@@ -303,58 +308,49 @@ static inline runlist_element *ntfs_rl_insert(runlist_element *dst,
                        merged_length += src->length;
                disc = (src[0].vcn > dst[loc - 1].vcn + merged_length);
-                if (disc)
-                        hole = (dst[loc - 1].lcn == LCN_HOLE);
        }
+        /*
-        /* Space required: @dst size + @src size, less one if we merged, plus
+         * Space required: @dst size + @src size, less one if we merged, plus
-         * one if there was a discontinuity, less one for a trailing hole. */
+         * one if there was a discontinuity.
-        dst = ntfs_rl_realloc(dst, dsize, dsize + ssize - left + disc - hole);
+         */
+        dst = ntfs_rl_realloc(dst, dsize, dsize + ssize - left + disc);
        if (IS_ERR(dst))
                return dst;
        /*
         * We are guaranteed to succeed from here so can start modifying the
         * original runlist.
         */
        if (left)
                __ntfs_rl_merge(dst + loc - 1, src);
+        /*
-        magic = loc + ssize - left + disc - hole;
+         * First run after the @src runs that have been inserted.
+         * Nominally,  @marker equals @loc + @ssize, i.e. location + number of
+         * runs in @src.  However, if @left, then the first run in @src has
+         * been merged with one in @dst.  And if @disc, then @dst and @src do
+         * not meet and we need an extra run to fill the gap.
+         */
+        marker = loc + ssize - left + disc;
        /* Move the tail of @dst out of the way, then copy in @src. */
-        ntfs_rl_mm(dst, magic, loc, dsize - loc);
+        ntfs_rl_mm(dst, marker, loc, dsize - loc);
-        ntfs_rl_mc(dst, loc + disc - hole, src, left, ssize - left);
+        ntfs_rl_mc(dst, loc + disc, src, left, ssize - left);
-        /* Adjust the VCN of the last run ... */
+        /* Adjust the VCN of the first run after the insertion... */
-        if (dst[magic].lcn <= LCN_HOLE)
+        dst[marker].vcn = dst[marker - 1].vcn + dst[marker - 1].length;
-                dst[magic].vcn = dst[magic - 1].vcn + dst[magic - 1].length;
        /* ... and the length. */
-        if (dst[magic].lcn == LCN_HOLE || dst[magic].lcn == LCN_RL_NOT_MAPPED)
+        if (dst[marker].lcn == LCN_HOLE || dst[marker].lcn == LCN_RL_NOT_MAPPED)
-                dst[magic].length = dst[magic + 1].vcn - dst[magic].vcn;
+                dst[marker].length = dst[marker + 1].vcn - dst[marker].vcn;
-        /* Writing beyond the end of the file and there's a discontinuity. */
+        /* Writing beyond the end of the file and there is a discontinuity. */
        if (disc) {
-                if (hole)
+                if (loc > 0) {
-                        dst[loc - 1].length = dst[loc].vcn - dst[loc - 1].vcn;
+                        dst[loc].vcn = dst[loc - 1].vcn + dst[loc - 1].length;
-                else {
+                        dst[loc].length = dst[loc + 1].vcn - dst[loc].vcn;
-                        if (loc > 0) {
+                } else {
-                                dst[loc].vcn = dst[loc - 1].vcn +
+                        dst[loc].vcn = 0;
-                                                dst[loc - 1].length;
+                        dst[loc].length = dst[loc + 1].vcn;
-                                dst[loc].length = dst[loc + 1].vcn -
-                                                dst[loc].vcn;
-                        } else {
-                                dst[loc].vcn = 0;
-                                dst[loc].length = dst[loc + 1].vcn;
-                        }
-                        dst[loc].lcn = LCN_RL_NOT_MAPPED;
                }
+                dst[loc].lcn = LCN_RL_NOT_MAPPED;
-                magic += hole;
-                if (dst[magic].lcn == LCN_ENOENT)
-                        dst[magic].vcn = dst[magic - 1].vcn +
-                                        dst[magic - 1].length;
        }
        return dst;
 }
@@ -385,20 +381,23 @@ static inline runlist_element *ntfs_rl_insert(runlist_element *dst,
 static inline runlist_element *ntfs_rl_replace(runlist_element *dst,
                int dsize, runlist_element *src, int ssize, int loc)
 {
-        BOOL left = FALSE;
+        BOOL left = FALSE;      /* Left end of @src needs merging. */
-        BOOL right;
+        BOOL right = FALSE;     /* Right end of @src needs merging. */
-        int magic;
+        int tail;               /* Start of tail of @dst. */
+        int marker;             /* End of the inserted runs. */
        BUG_ON(!dst);
        BUG_ON(!src);
-        /* First, merge the left and right ends, if necessary. */
+        /* First, see if the left and right ends need merging. */
-        right = ntfs_are_rl_mergeable(src + ssize - 1, dst + loc + 1);
+        if ((loc + 1) < dsize)
+                right = ntfs_are_rl_mergeable(src + ssize - 1, dst + loc + 1);
        if (loc > 0)
                left = ntfs_are_rl_mergeable(dst + loc - 1, src);
+        /*
-        /* Allocate some space. We'll need less if the left, right, or both
+         * Allocate some space.  We will need less if the left, right, or both
-         * ends were merged. */
+         * ends get merged.
+         */
        dst = ntfs_rl_realloc(dst, dsize, dsize + ssize - left - right);
        if (IS_ERR(dst))
                return dst;
@@ -406,21 +405,37 @@ static inline runlist_element *ntfs_rl_replace(runlist_element *dst,
         * We are guaranteed to succeed from here so can start modifying the
         * original runlists.
         */
+        /* First, merge the left and right ends, if necessary. */
        if (right)
                __ntfs_rl_merge(src + ssize - 1, dst + loc + 1);
        if (left)
                __ntfs_rl_merge(dst + loc - 1, src);
+        /*
-        /* FIXME: What does this mean? (AIA) */
+         * Offset of the tail of @dst.  This needs to be moved out of the way
-        magic = loc + ssize - left;
+         * to make space for the runs to be copied from @src, i.e. the first
+         * run of the tail of @dst.
+         * Nominally, @tail equals @loc + 1, i.e. location, skipping the
+         * replaced run.  However, if @right, then one of @dst's runs is
+         * already merged into @src.
+         */
+        tail = loc + right + 1;
+        /*
+         * First run after the @src runs that have been inserted, i.e. where
+         * the tail of @dst needs to be moved to.
+         * Nominally, @marker equals @loc + @ssize, i.e. location + number of
+         * runs in @src.  However, if @left, then the first run in @src has
+         * been merged with one in @dst.
+         */
+        marker = loc + ssize - left;
        /* Move the tail of @dst out of the way, then copy in @src. */
-        ntfs_rl_mm(dst, magic, loc + right + 1, dsize - loc - right - 1);
+        ntfs_rl_mm(dst, marker, tail, dsize - tail);
        ntfs_rl_mc(dst, loc, src, left, ssize - left);
-        /* We may have changed the length of the file, so fix the end marker */
+        /* We may have changed the length of the file, so fix the end marker. */
-        if (dst[magic].lcn == LCN_ENOENT)
+        if (dsize - tail > 0 && dst[marker].lcn == LCN_ENOENT)
-                dst[magic].vcn = dst[magic - 1].vcn + dst[magic - 1].length;
+                dst[marker].vcn = dst[marker - 1].vcn + dst[marker - 1].length;
        return dst;
 }
diff --git a/fs/ntfs/unistr.c b/fs/ntfs/unistr.c
index a389a5a16c84..0ea887fc859c 100644
--- a/fs/ntfs/unistr.c
+++ b/fs/ntfs/unistr.c
@@ -1,7 +1,7 @@
 /*
 * unistr.c - NTFS Unicode string handling. Part of the Linux-NTFS project.
 *
- * Copyright (c) 2001-2004 Anton Altaparmakov
+ * Copyright (c) 2001-2005 Anton Altaparmakov
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published