Re: [Yaffs] Maybe using a YFREED string in yaffs_DeleteSymLi…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MChris David at <-
MCharles Manning at ->
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Charles Manning
Date:  
To: yaffs
Subject: Re: [Yaffs] Maybe using a YFREED string in yaffs_DeleteSymLink
What do you mean by "no longer mountable"?

I'll take a look at your analysis to see what's going on.

-- Charles


On Wednesday 02 December 2009 11:33:52 Chris David wrote:
> Hello,
>
> I've been trying to figure out why sometimes our NAND device becomes
> corrupt and is no longer mountable. The symptom appears to be that in
> the yaffs_ScanBackwards function, around line 6719 in yaffs_guts.c,
> under the YAFFS_OBJECT_TYPE_SYMLINK case, there is a call:
> yaffs_CloneString(oh->alias), and this is returning an empty string.
> How could this happen? Well, I have a possible explanation and a
> patch.
>
> diff -u build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c.orig
> build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c ---
> build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c.orig  2009-12-01
> 14:41:27.000000000 -0800 +++
> build_mipsel/linux-2.6.23-msp2/fs/yaffs2/yaffs_guts.c       2009-12-01
> 14:42:21.000000000 -0800 @@ -5157,9 +5157,10 @@

>
>  static int yaffs_DeleteSymLink(yaffs_Object * in)
>  {
> +       int retv;
> +       retv = yaffs_DoGenericObjectDeletion(in);
>         YFREE(in->variant.symLinkVariant.alias);
> -
> -       return yaffs_DoGenericObjectDeletion(in);
> +       return retv;
>  }

>
> static int yaffs_DeleteHardLink(yaffs_Object * in)
>
> I observed the following by analyzing the code. There could be a call
> stack as follows:
>
> yaffs_DeleteSymLink(yaffs_Object * in)
> yaffs_DoGenericObjectDeletion(in)
> yaffs_ChangeObjectName(in, ...
> yaffs_UpdateObjectHeader(obj, ...
>
> which gets to about line 3806 (still yaffs_guts.c), where there is:
> yaffs_strncpy(oh->alias,
> in->variant.symLinkVariant.alias,
> YAFFS_MAX_ALIAS_LENGTH);
>
> well, in->variant.symLinkVariant.alias is already freed at this point.
> The above patch would fix this.
>
> I am not 100% confident in my findings. Does anyone agree that this
> could be a real bug? I was thinking that if
> in->myDev->deletedDir->variantType is set to something other than
> YAFFS_OBJECT_TYPE_DIRECTORY, perhaps it isn't.
>
> Thanks,
>
> -Chris
>
>
>
>
>
>
>
>
> _______________________________________________
> yaffs mailing list
>
> http://lists.aleph1.co.uk/cgi-bin/mailman/listinfo/yaffs




This message was posted to the following mailing lists:
YAFFS
Mailing List Info | Nearby Messages		<-[Yaffs] Maybe using a YFREED string in yaffs_DeleteSymLinkRe: [Yaffs] Maybe using a YFREED string in yaffs_DeleteSymLink->
Stoneboat Mailing List Archive administrated by JennyLurker (version 2.3)