Charles
I have found the stack corruption bug at very long last.
The problem lies in yaffs_CheckECCOnTags (using an ecc value that is too big
created by yaffs_CalcTagsECC)
unsigned char *b=((yaffs_tagsUnion *)tags)->asBytes points to a
datastructure that is 8 bytes long.
ecc is obtained and if non-zero is decremented and b[ecc/8]^=(1<<(ecc &7))
This is fine for all values of ecc>=0 and <=7*8 else bounds are broken.
Adding a printk for ecc just before this shows values for ecc up to 4018.
This fills in values in a datastructure above the local variable pointed to
by yaffs_Tags *tags which mashes the saved register on the stack that just
happened to point to a yaffs_Object * whose dereferenced in->MyObj was NULL
which ... you get the picture.
Changing the value form oxff to 0x7f in yaffs_CalcTagsECC does not help.Most
of the ecc values are greater than 63.
[Incidentally, I trapped this by adding a local char array delaration to
functions preceeding the kernel panic. The asrrays were zeroed and
referenced by a file global static pointer. A function to check the pointed
to memory area for change was polled within deeper routines passing a string
reference to the current location of calling to narrow down the problem. The
corruption once detected triggered a printk of the location reference and
caused a deliberate *(char *)0=1 to panic the kernel. The terminal log was
then examined as a trace. It worked rather well.]
Time for a beer.
Nick
-------------------------------------------
Nick Bane
Cambridge, UK.
+44(0)1954 71927
---------------------------------------------------------------------------------------
This mailing list is hosted by Toby Churchill open software (
www.toby-churchill.org).
If mailing list membership is no longer wanted you can remove yourself from the list by
sending an email to
yaffs-request@toby-churchill.org with the text "unsubscribe"
(without the quotes) as the subject.
(text/plain)