Hello,

I've been trying to figure out why sometimes our NAND device becomes corrupt and is no longer mountable. The symptom appears to be that in the yaffs_ScanBackwards function, around line 6719 in yaffs_guts.c, under the YAFFS_OBJECT_TYPE_SYMLINK case, there is a call:

    yaffs_CloneString(oh->alias)

and this is returning an empty string. How could this happen? Well, I have a possible explanation and a patch.

diff -u build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c.orig build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c --- build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c.orig 2009-12-01 14:41:27.000000000 -0800 +++ build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c 2009-12-01 14:42:21.000000000 -0800 @@ -5157,9 +5157,10 @@ static int yaffs_DeleteSymLink(yaffs_Object * in) { + int retv; + retv = yaffs_DoGenericObjectDeletion(in); YFREE(in->variant.symLinkVariant.alias); - - return yaffs_DoGenericObjectDeletion(in); + return retv; } static int yaffs_DeleteHardLink(yaffs_Object * in)

I observed the following by analyzing the code. There could be a call stack as follows:

    yaffs_DeleteSymLink(yaffs_Object * in)
      yaffs_DoGenericObjectDeletion(in)
        yaffs_ChangeObjectName(in, ...
          yaffs_UpdateObjectHeader(obj, ...

which gets to about line 3806 (still yaffs_guts.c), where there is:

    yaffs_strncpy(oh->alias, in->variant.symLinkVariant.alias, YAFFS_MAX_ALIAS_LENGTH);

Well, in->variant.symLinkVariant.alias is already freed at this point. The above patch would fix this.

I am not 100% confident in my findings. Does anyone agree that this could be a real bug? I was thinking that if in->myDev->deletedDir->variantType is set to something other than YAFFS_OBJECT_TYPE_DIRECTORY, perhaps it isn't.

Thanks,
-Chris
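Review bot: the reordering in the yaffs_DeleteSymLink hunk is the right fix for the use-after-free the post describes (the header write inside yaffs_DoGenericObjectDeletion now sees a live alias), but the hunk still leaves in->variant.symLinkVariant.alias dangling after YFREE, so any later header update on the same object would read freed memory again. Suggest adding `in->variant.symLinkVariant.alias = NULL;` immediately after the YFREE line; with that, a stale pointer is at worst a NULL dereference that is easy to spot rather than a silently empty alias on flash. One further point worth a comment in the code: the alias is freed regardless of the value of retv, which matches the old behaviour, but if yaffs_DoGenericObjectDeletion can fail and leave the object alive, the alias should only be freed on success.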
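The ordering bug Chris describes is easier to see in a small model than in the real file. The following is an added example, not yaffs code and not from the post: it mirrors the call chain yaffs_DeleteSymLink -> yaffs_DoGenericObjectDeletion -> yaffs_UpdateObjectHeader with constructed types and names, uses a simulated allocator (so the stale read is observable without undefined behaviour), and contrasts the original free-then-write order with the patched write-then-free order. MAX_ALIAS_LENGTH, the sample alias, and the extra `alias = NULL` hardening are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the call chain in the post (not yaffs code). Names are assumptions
 * chosen to mirror yaffs_DeleteSymLink / yaffs_DoGenericObjectDeletion / yaffs_UpdateObjectHeader. */
#define MAX_ALIAS_LENGTH 159   /* assumed; stands in for YAFFS_MAX_ALIAS_LENGTH */

struct object_header {
    char alias[MAX_ALIAS_LENGTH + 1];   /* copy of the alias that goes to flash, as oh->alias */
};

struct object {
    struct object_header oh;   /* last header written for this object */
    char *alias;               /* heap copy, as in->variant.symLinkVariant.alias */
    int deleted;
};

/* Simulated allocator: freeing scribbles the block (as a real allocator may once it reuses it)
 * but keeps the memory mapped, so the stale read below can be observed safely. One block suffices. */
static char sim_heap[MAX_ALIAS_LENGTH + 1];

static char *sim_strdup(const char *s)
{
    strncpy(sim_heap, s, MAX_ALIAS_LENGTH);
    sim_heap[MAX_ALIAS_LENGTH] = '\0';
    return sim_heap;
}

static void sim_free(char *p)
{
    if (p)
        memset(p, 0, sizeof sim_heap);   /* block contents are gone after free */
}

/* Models yaffs_UpdateObjectHeader: copies the in-memory alias into the header.
 * Hardened to treat a NULL alias as empty and report it instead of dereferencing it. */
static int update_object_header(struct object *in)
{
    if (!in->alias) {
        in->oh.alias[0] = '\0';
        return -1;
    }
    strncpy(in->oh.alias, in->alias, MAX_ALIAS_LENGTH);
    in->oh.alias[MAX_ALIAS_LENGTH] = '\0';
    return 0;
}

/* Models yaffs_DoGenericObjectDeletion -> yaffs_ChangeObjectName -> yaffs_UpdateObjectHeader */
static int generic_object_deletion(struct object *in)
{
    int rc = update_object_header(in);
    in->deleted = 1;
    return rc;
}

/* Ordering as in the original code: the alias is freed before the header that copies it is written. */
static int delete_symlink_unpatched(struct object *in)
{
    sim_free(in->alias);
    return generic_object_deletion(in);   /* reads the freed block: header gets an empty alias */
}

/* Ordering as in the patch, plus clearing the pointer so nothing can reuse the freed block later. */
static int delete_symlink_patched(struct object *in)
{
    int retv = generic_object_deletion(in);   /* header written while the alias is still valid */
    sim_free(in->alias);
    in->alias = NULL;   /* added hardening, not in the posted patch */
    return retv;
}

/* Returns the alias recorded in the header after deleting a fresh symlink object. */
static const char *header_alias_after_delete(int patched)
{
    static struct object in;
    memset(&in, 0, sizeof in);
    in.alias = sim_strdup("/mnt/flash/target");   /* constructed sample alias */
    if (patched)
        delete_symlink_patched(&in);
    else
        delete_symlink_unpatched(&in);
    return in.oh.alias;
}

/* A second header write on the already-deleted object: with the pointer cleared this is
 * reported (-1) rather than reading freed memory. */
static int rewrite_header_after_patched_delete(void)
{
    static struct object in;
    memset(&in, 0, sizeof in);
    in.alias = sim_strdup("/mnt/flash/target");
    delete_symlink_patched(&in);
    return update_object_header(&in);
}

int main(void)
{
    printf("unpatched: header alias = \"%s\"\n", header_alias_after_delete(0));
    printf("patched:   header alias = \"%s\"\n", header_alias_after_delete(1));
    printf("header write after patched delete returns %d\n", rewrite_header_after_patched_delete());
    return 0;
}
```

The unpatched path produces exactly the symptom in the post: an empty alias in the header, which a later scan would clone as an empty string. With a real allocator the freed block may instead hold whatever was allocated next, so the corruption is nondeterministic, which is why nulling the pointer after the free is worth adding on top of the reordering.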