Charles I have found the stack corruption bug at very long last. The problem lies in yaffs_CheckECCOnTags (using an ecc value that is too big created by yaffs_CalcTagsECC) unsigned char *b=((yaffs_tagsUnion *)tags)->asBytes points to a datastructure that is 8 bytes long. ecc is obtained and if non-zero is decremented and b[ecc/8]^=(1<<(ecc &7)) This is fine for all values of ecc>=0 and <=7*8 else bounds are broken. Adding a printk for ecc just before this shows values for ecc up to 4018. This fills in values in a datastructure above the local variable pointed to by yaffs_Tags *tags which mashes the saved register on the stack that just happened to point to a yaffs_Object * whose dereferenced in->MyObj was NULL which ... you get the picture. Changing the value form oxff to 0x7f in yaffs_CalcTagsECC does not help.Most of the ecc values are greater than 63. [Incidentally, I trapped this by adding a local char array delaration to functions preceeding the kernel panic. The asrrays were zeroed and referenced by a file global static pointer. A function to check the pointed to memory area for change was polled within deeper routines passing a string reference to the current location of calling to narrow down the problem. The corruption once detected triggered a printk of the location reference and caused a deliberate *(char *)0=1 to panic the kernel. The terminal log was then examined as a trace. It worked rather well.] Time for a beer. Nick ------------------------------------------- Nick Bane Cambridge, UK. +44(0)1954 71927 --------------------------------------------------------------------------------------- This mailing list is hosted by Toby Churchill open software (www.toby-churchill.org). If mailing list membership is no longer wanted you can remove yourself from the list by sending an email to yaffs-request@toby-churchill.org with the text "unsubscribe" (without the quotes) as the subject.