~hc/RK356X_SDK_RELEASE.git

..	..	@@ -180,6 +180,8 @@
180	180
181	181	trace_ext4_evict_inode(inode);
182	182
	183	+ if (EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)
	184	+ ext4_evict_ea_inode(inode);
183	185	if (inode->i_nlink) {
184	186	/*
185	187	* When journalling data dirty buffers are tracked only in the
..	..	@@ -224,13 +226,13 @@
224	226
225	227	/*
226	228	* For inodes with journalled data, transaction commit could have
227		- * dirtied the inode. Flush worker is ignoring it because of I_FREEING
228		- * flag but we still need to remove the inode from the writeback lists.
	229	+ * dirtied the inode. And for inodes with dioread_nolock, unwritten
	230	+ * extents converting worker could merge extents and also have dirtied
	231	+ * the inode. Flush worker is ignoring it because of I_FREEING flag but
	232	+ * we still need to remove the inode from the writeback lists.
229	233	*/
230		- if (!list_empty_careful(&inode->i_io_list)) {
231		- WARN_ON_ONCE(!ext4_should_journal_data(inode));
	234	+ if (!list_empty_careful(&inode->i_io_list))
232	235	inode_io_list_del(inode);
233		- }
234	236
235	237	/*
236	238	* Protect us against freezing - iput() caller didn't have to have any
..	..	@@ -337,6 +339,12 @@
337	339	ext4_xattr_inode_array_free(ea_inode_array);
338	340	return;
339	341	no_delete:
	342	+ /*
	343	+ * Check out some where else accidentally dirty the evicting inode,
	344	+ * which may probably cause inode use-after-free issues later.
	345	+ */
	346	+ WARN_ON_ONCE(!list_empty_careful(&inode->i_io_list));
	347	+
340	348	if (!list_empty(&EXT4_I(inode)->i_fc_list))
341	349	ext4_fc_mark_ineligible(inode->i_sb, EXT4_FC_REASON_NOMEM);
342	350	ext4_clear_inode(inode); /* We must guarantee clearing of inode... */
..	..	@@ -647,16 +655,6 @@
647	655	*/
648	656	ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE);
649	657	}
650		-
651		- /*
652		- * Update reserved blocks/metadata blocks after successful
653		- * block allocation which had been deferred till now. We don't
654		- * support fallocate for non extent files. So we can update
655		- * reserve space here.
656		- */
657		- if ((retval > 0) &&
658		- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE))
659		- ext4_da_update_reserve_space(inode, retval, 1);
660	658	}
661	659
662	660	if (retval > 0) {
..	..	@@ -1307,7 +1305,8 @@
1307	1305
1308	1306	trace_android_fs_datawrite_end(inode, pos, len);
1309	1307	trace_ext4_write_end(inode, pos, len, copied);
1310		- if (inline_data) {
	1308	+ if (inline_data &&
	1309	+ ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) {
1311	1310	ret = ext4_write_inline_data_end(inode, pos, len,
1312	1311	copied, page);
1313	1312	if (ret < 0) {
..	..	@@ -3587,7 +3586,7 @@
3587	3586	*/
3588	3587	flags &= ~IOMAP_WRITE;
3589	3588	ret = ext4_iomap_begin(inode, offset, length, flags, iomap, srcmap);
3590		- WARN_ON_ONCE(iomap->type != IOMAP_MAPPED);
	3589	+ WARN_ON_ONCE(!ret && iomap->type != IOMAP_MAPPED);
3591	3590	return ret;
3592	3591	}
3593	3592
..	..	@@ -3911,7 +3910,7 @@
3911	3910	* starting from file offset 'from'. The range to be zero'd must
3912	3911	* be contained with in one block. If the specified range exceeds
3913	3912	* the end of the block it will be shortened to end of the block
3914		- * that cooresponds to 'from'
	3913	+ * that corresponds to 'from'
3915	3914	*/
3916	3915	static int ext4_block_zero_page_range(handle_t *handle,
3917	3916	struct address_space *mapping, loff_t from, loff_t length)
..	..	@@ -4317,7 +4316,8 @@
4317	4316
4318	4317	/* If we zero-out tail of the page, we have to create jinode for jbd2 */
4319	4318	if (inode->i_size & (inode->i_sb->s_blocksize - 1)) {
4320		- if (ext4_inode_attach_jinode(inode) < 0)
	4319	+ err = ext4_inode_attach_jinode(inode);
	4320	+ if (err)
4321	4321	goto out_trace;
4322	4322	}
4323	4323
..	..	@@ -4418,8 +4418,16 @@
4418	4418	inodes_per_block = EXT4_SB(sb)->s_inodes_per_block;
4419	4419	inode_offset = ((ino - 1) %
4420	4420	EXT4_INODES_PER_GROUP(sb));
4421		- block = ext4_inode_table(sb, gdp) + (inode_offset / inodes_per_block);
4422	4421	iloc->offset = (inode_offset % inodes_per_block) * EXT4_INODE_SIZE(sb);
	4422	+
	4423	+ block = ext4_inode_table(sb, gdp);
	4424	+ if ((block <= le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block)) \|\|
	4425	+ (block >= ext4_blocks_count(EXT4_SB(sb)->s_es))) {
	4426	+ ext4_error(sb, "Invalid inode table block %llu in "
	4427	+ "block_group %u", block, iloc->block_group);
	4428	+ return -EFSCORRUPTED;
	4429	+ }
	4430	+ block += (inode_offset / inodes_per_block);
4423	4431
4424	4432	bh = sb_getblk(sb, block);
4425	4433	if (unlikely(!bh))
..	..	@@ -4654,8 +4662,13 @@
4654	4662
4655	4663	if (EXT4_INODE_HAS_XATTR_SPACE(inode) &&
4656	4664	*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
	4665	+ int err;
	4666	+
4657	4667	ext4_set_inode_state(inode, EXT4_STATE_XATTR);
4658		- return ext4_find_inline_data_nolock(inode);
	4668	+ err = ext4_find_inline_data_nolock(inode);
	4669	+ if (!err && ext4_has_inline_data(inode))
	4670	+ ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
	4671	+ return err;
4659	4672	} else
4660	4673	EXT4_I(inode)->i_inline_off = 0;
4661	4674	return 0;
..	..	@@ -4689,6 +4702,24 @@
4689	4702	return inode_peek_iversion(inode);
4690	4703	}
4691	4704
	4705	+static const char check_igot_inode(struct inode inode, ext4_iget_flags flags)
	4706	+
	4707	+{
	4708	+ if (flags & EXT4_IGET_EA_INODE) {
	4709	+ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
	4710	+ return "missing EA_INODE flag";
	4711	+ if (ext4_test_inode_state(inode, EXT4_STATE_XATTR) \|\|
	4712	+ EXT4_I(inode)->i_file_acl)
	4713	+ return "ea_inode with extended attributes";
	4714	+ } else {
	4715	+ if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
	4716	+ return "unexpected EA_INODE flag";
	4717	+ }
	4718	+ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD))
	4719	+ return "unexpected bad inode w/o EXT4_IGET_BAD";
	4720	+ return NULL;
	4721	+}
	4722	+
4692	4723	struct inode __ext4_iget(struct super_block sb, unsigned long ino,
4693	4724	ext4_iget_flags flags, const char *function,
4694	4725	unsigned int line)
..	..	@@ -4697,6 +4728,7 @@
4697	4728	struct ext4_inode *raw_inode;
4698	4729	struct ext4_inode_info *ei;
4699	4730	struct inode *inode;
	4731	+ const char *err_str;
4700	4732	journal_t *journal = EXT4_SB(sb)->s_journal;
4701	4733	long ret;
4702	4734	loff_t size;
..	..	@@ -4720,8 +4752,14 @@
4720	4752	inode = iget_locked(sb, ino);
4721	4753	if (!inode)
4722	4754	return ERR_PTR(-ENOMEM);
4723		- if (!(inode->i_state & I_NEW))
	4755	+ if (!(inode->i_state & I_NEW)) {
	4756	+ if ((err_str = check_igot_inode(inode, flags)) != NULL) {
	4757	+ ext4_error_inode(inode, function, line, 0, err_str);
	4758	+ iput(inode);
	4759	+ return ERR_PTR(-EFSCORRUPTED);
	4760	+ }
4724	4761	return inode;
	4762	+ }
4725	4763
4726	4764	ei = EXT4_I(inode);
4727	4765	iloc.bh = NULL;
..	..	@@ -4730,13 +4768,6 @@
4730	4768	if (ret < 0)
4731	4769	goto bad_inode;
4732	4770	raw_inode = ext4_raw_inode(&iloc);
4733		-
4734		- if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
4735		- ext4_error_inode(inode, function, line, 0,
4736		- "iget: root inode unallocated");
4737		- ret = -EFSCORRUPTED;
4738		- goto bad_inode;
4739		- }
4740	4771
4741	4772	if ((flags & EXT4_IGET_HANDLE) &&
4742	4773	(raw_inode->i_links_count == 0) && (raw_inode->i_mode == 0)) {
..	..	@@ -4810,11 +4841,16 @@
4810	4841	* NeilBrown 1999oct15
4811	4842	*/
4812	4843	if (inode->i_nlink == 0) {
4813		- if ((inode->i_mode == 0 \|\|
	4844	+ if ((inode->i_mode == 0 \|\| flags & EXT4_IGET_SPECIAL \|\|
4814	4845	!(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS)) &&
4815	4846	ino != EXT4_BOOT_LOADER_INO) {
4816		- /* this inode is deleted */
4817		- ret = -ESTALE;
	4847	+ /* this inode is deleted or unallocated */
	4848	+ if (flags & EXT4_IGET_SPECIAL) {
	4849	+ ext4_error_inode(inode, function, line, 0,
	4850	+ "iget: special inode unallocated");
	4851	+ ret = -EFSCORRUPTED;
	4852	+ } else
	4853	+ ret = -ESTALE;
4818	4854	goto bad_inode;
4819	4855	}
4820	4856	/* The only unlinked inodes we let through here have
..	..	@@ -4992,8 +5028,13 @@
4992	5028	if (IS_CASEFOLDED(inode) && !ext4_has_feature_casefold(inode->i_sb))
4993	5029	ext4_error_inode(inode, function, line, 0,
4994	5030	"casefold flag without casefold feature");
4995		- brelse(iloc.bh);
	5031	+ if ((err_str = check_igot_inode(inode, flags)) != NULL) {
	5032	+ ext4_error_inode(inode, function, line, 0, err_str);
	5033	+ ret = -EFSCORRUPTED;
	5034	+ goto bad_inode;
	5035	+ }
4996	5036
	5037	+ brelse(iloc.bh);
4997	5038	unlock_new_inode(inode);
4998	5039	return inode;
4999	5040
..	..	@@ -5442,7 +5483,7 @@
5442	5483	if (error)
5443	5484	return error;
5444	5485	}
5445		- ext4_fc_start_update(inode);
	5486	+
5446	5487	if ((ia_valid & ATTR_UID && !uid_eq(attr->ia_uid, inode->i_uid)) \|\|
5447	5488	(ia_valid & ATTR_GID && !gid_eq(attr->ia_gid, inode->i_gid))) {
5448	5489	handle_t *handle;
..	..	@@ -5466,7 +5507,6 @@
5466	5507
5467	5508	if (error) {
5468	5509	ext4_journal_stop(handle);
5469		- ext4_fc_stop_update(inode);
5470	5510	return error;
5471	5511	}
5472	5512	/* Update corresponding info in inode so that everything is in
..	..	@@ -5478,7 +5518,6 @@
5478	5518	error = ext4_mark_inode_dirty(handle, inode);
5479	5519	ext4_journal_stop(handle);
5480	5520	if (unlikely(error)) {
5481		- ext4_fc_stop_update(inode);
5482	5521	return error;
5483	5522	}
5484	5523	}
..	..	@@ -5493,12 +5532,10 @@
5493	5532	struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
5494	5533
5495	5534	if (attr->ia_size > sbi->s_bitmap_maxbytes) {
5496		- ext4_fc_stop_update(inode);
5497	5535	return -EFBIG;
5498	5536	}
5499	5537	}
5500	5538	if (!S_ISREG(inode->i_mode)) {
5501		- ext4_fc_stop_update(inode);
5502	5539	return -EINVAL;
5503	5540	}
5504	5541
..	..	@@ -5624,7 +5661,6 @@
5624	5661	ext4_std_error(inode->i_sb, error);
5625	5662	if (!error)
5626	5663	error = rc;
5627		- ext4_fc_stop_update(inode);
5628	5664	return error;
5629	5665	}
5630	5666
..	..	@@ -5890,6 +5926,14 @@
5890	5926	return 0;
5891	5927	}
5892	5928
	5929	+ /*
	5930	+ * We may need to allocate external xattr block so we need quotas
	5931	+ * initialized. Here we can be called with various locks held so we
	5932	+ * cannot affort to initialize quotas ourselves. So just bail.
	5933	+ */
	5934	+ if (dquot_initialize_needed(inode))
	5935	+ return -EAGAIN;
	5936	+
5893	5937	/* try to expand with EAs present */
5894	5938	error = ext4_expand_extra_isize_ea(inode, new_extra_isize,
5895	5939	raw_inode, handle);