[Yaffs] Maybe using a YFREED string in yaffs_DeleteSymLink

Author: Chris David
Date:  
To: yaffs
Subject: [Yaffs] Maybe using a YFREED string in yaffs_DeleteSymLink
Hello,

I've been trying to figure out why sometimes our NAND device becomes
corrupt and is no longer mountable. The symptom appears to be that in
the yaffs_ScanBackwards function, around line 6719 in yaffs_guts.c,
under the YAFFS_OBJECT_TYPE_SYMLINK case, there is a call:
yaffs_CloneString(oh->alias), and this is returning an empty string.
How could this happen? Well, I have a possible explanation and a
patch.

diff -u build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c.orig build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c
--- build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c.orig  2009-12-01 14:41:27.000000000 -0800
+++ build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c       2009-12-01 14:42:21.000000000 -0800
@@ -5157,9 +5157,10 @@


 static int yaffs_DeleteSymLink(yaffs_Object * in)
 {
+       int retv;
+       retv = yaffs_DoGenericObjectDeletion(in);
        YFREE(in->variant.symLinkVariant.alias);
-
-       return yaffs_DoGenericObjectDeletion(in);
+       return retv;
 }


static int yaffs_DeleteHardLink(yaffs_Object * in)
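Review bot: moving YFREE(in->variant.symLinkVariant.alias) to after yaffs_DoGenericObjectDeletion(in) only holds up if that call leaves the yaffs_Object itself usable afterwards; a generic deletion routine that also releases `in` would turn the `in->variant` dereference in the post-call YFREE into a use-after-free of the object, trading one freed-memory read for another. Before applying, confirm what yaffs_DoGenericObjectDeletion does with `in` at its end; whatever the answer, the hunk is more robust if the pointer is taken into a local of the field's type first, e.g. `alias = in->variant.symLinkVariant.alias;` / `retv = yaffs_DoGenericObjectDeletion(in);` / `YFREE(alias);`, which keeps the alias string alive while the header is written and never touches `in` after the call. The separate `int retv;` declaration followed by assignment can also collapse into a single initialised declaration.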

I observed the following by analyzing the code. There could be a call
stack as follows:

yaffs_DeleteSymLink(yaffs_Object * in)
yaffs_DoGenericObjectDeletion(in)
yaffs_ChangeObjectName(in, ...
yaffs_UpdateObjectHeader(obj, ...

which gets to about line 3806 (still yaffs_guts.c), where there is:

        yaffs_strncpy(oh->alias,
                      in->variant.symLinkVariant.alias,
                      YAFFS_MAX_ALIAS_LENGTH);

Well, in->variant.symLinkVariant.alias is already freed at this point.
The above patch would fix this.

I am not 100% confident in my findings. Does anyone agree that this
could be a real bug? I was thinking that if
in->myDev->deletedDir->variantType is set to something other than
YAFFS_OBJECT_TYPE_DIRECTORY, perhaps it isn't.

Thanks,

-Chris
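The ordering problem described in the message, reduced to a stand-alone model. This is an added example, not yaffs code and not part of the original post: `struct obj`, `struct obj_header`, `yalloc`, `yfree`, `update_header`, `generic_delete`, `make_symlink` and the two `delete_symlink_*` variants are all stand-ins chosen for illustration, and the `live[]` registry is a constructed substitute for a use-after-free detector so that the buggy path can be observed deterministically instead of reading freed memory (which would be undefined behaviour). The fixed variant also takes the alias pointer into a local before generic deletion, since the model's generic deletion releases the object itself.

```c
/* Added example, not yaffs code: a minimal model of the free-then-read
 * ordering in yaffs_DeleteSymLink and one way to fix it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ALIAS 32
#define MAX_LIVE  16

/* Registry of blocks handed out by yalloc() and not yet passed to yfree().
 * Constructed for this example; it plays the role a sanitizer would play. */
static void *live[MAX_LIVE];

static void *yalloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

/* Compares only the pointer value; nothing is dereferenced. */
static int is_live(const void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) return 1;
    return 0;
}

static void yfree(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) live[i] = NULL;
    free(p);
}

/* Stand-ins for yaffs_Object (symlink variant) and the on-flash header. */
struct obj { char *alias; };
struct obj_header { char alias[MAX_ALIAS + 1]; };

/* Models the symlink case of yaffs_UpdateObjectHeader: copy the alias the
 * object points at into the header. Returns 0 on success, -1 if the alias
 * has already been freed (the real code would read freed memory here). */
static int update_header(struct obj *in, struct obj_header *oh) {
    if (!is_live(in->alias)) {
        oh->alias[0] = '\0';
        return -1;
    }
    strncpy(oh->alias, in->alias, MAX_ALIAS);
    oh->alias[MAX_ALIAS] = '\0';
    return 0;
}

/* Models yaffs_DoGenericObjectDeletion: write the final header, then
 * release the object. After this returns, `in` must not be touched. */
static int generic_delete(struct obj *in, struct obj_header *oh) {
    int rc = update_header(in, oh);
    yfree(in);
    return rc;
}

static struct obj *make_symlink(const char *target) {
    struct obj *in = yalloc(sizeof *in);
    in->alias = yalloc(strlen(target) + 1);
    strcpy(in->alias, target);
    return in;
}

/* The original ordering: free the alias, then let generic deletion read it. */
static int delete_symlink_buggy(struct obj *in, struct obj_header *oh) {
    yfree(in->alias);
    return generic_delete(in, oh);
}

/* Fixed ordering: keep the alias alive across generic deletion, and take
 * the pointer first because generic deletion frees the object itself. */
static int delete_symlink_fixed(struct obj *in, struct obj_header *oh) {
    char *alias = in->alias;
    int rc = generic_delete(in, oh);
    yfree(alias);
    return rc;
}

int main(void) {
    struct obj_header oh;
    int rc;

    rc = delete_symlink_buggy(make_symlink("/tmp/target"), &oh);
    printf("buggy: rc=%d header alias=\"%s\"\n", rc, oh.alias);

    rc = delete_symlink_fixed(make_symlink("/tmp/target"), &oh);
    printf("fixed: rc=%d header alias=\"%s\"\n", rc, oh.alias);
    return 0;
}
```

The registry check in `update_header` is exactly what AddressSanitizer (`-fsanitize=address`) or KASAN in a kernel build would report for the real ordering: a heap-use-after-free read at the strncpy. The buggy path yields an empty header alias, which matches the empty `oh->alias` the message describes seeing in yaffs_ScanBackwards; the fixed path writes the alias intact and still frees both the string and the object exactly once.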