Hi, --- a/yaffs_vfs_single.c +++ b/yaffs_vfs_single.c 
@@ -493,7 +493,7 @@ static int yaffs_rename(struct inode *old_dir, struct dentry *old_dentry, yaffs_gross_unlock(dev); if (ret_val == YAFFS_OK) { - if (target) + if (target && new_dentry->d_inode) inode_dec_link_count(new_dentry->d_inode); update_dir_time(old_dir); This can solve the issue mentioned below. I will send out a formal patch if you agree on this. On 7/16/2012 12:44 PM, Sujit Reddy Thumma wrote: > Hi, > > I see a random crash due to kernel panic in yaffs_rename(). Following is > the crash dump. > > <1>[ 31 NULL pointer dereference at virtual address 0000005c > <1>[ 31.471994] pgd = e9294000 > <1>[ 31.472004] [0000005c] *pgd=29761831, *pte=00000000, *ppte=00000000 > <0>[ 31.472029] Internal error: Oops: 17 1 PREEMPT > <4>[ 31.472059] Modules linked in: [last unloaded: librasdioif] > <4>[ 31.472098] CPU: 0 Tainted: P (3.0.8-perf-00013-gcec6400 #1) > <4>[ 31.472143] PC is at yaffs_rename+0xe0/0x158 > <4>[ 31.472169] LR is at yaffs_rename+0xc4/0x158 > <4>[ 31.472198] pc : [] lr : [] psr: a0000013 > <4>[ 31.472206] sp : e561fe68 ip 31.472249] r10: 00000001 r9 : e561e000 > r8 : e9781000 > <4>[ 31.472278] r7 : e981a9a8 r6 : ed53c8 > ……… > <0>[ 31.478984] ffe0: 401c5794 5044cbc0 401ac9ad 400f6c7c 60000010 > 002ceca8 00000000 00000000 > <4>[ 31.479056] [] (yaffs_rename+0xe0/0x158) from [] > (vfs_rename+0x298/0x414) > <4>[ 31.479116] [] (vfs_rename+0x298/0x414) from [] > (sys_renameat+0x168/0x1e0) > <4>[ 31.479174] [] (sys_renameat+0x168/0x1e0) from > [] (ret_fast_syscall+0x0/0x30) > <0>[ 31.479233] Code: e3570000 0a000006 e5963020 e3a01007 (e593205c) > <4>[ [] (panic+0x60/0x178)ort+0x34/0x94) from > []1.486076] Exception stack(0xe5616174] fe40: e9781000 > e561e000 00< > > > Comparing it with objdump output the crash point refers to > new_dentry->d_inode being NULL. When passed to inode_dec_link_count() it > tries to dereference and crash. 
>
> if (ret_val == YAFFS_OK) {
> if (target)
> inode_dec_link_count(new_dentry->d_inode);
>
>
> Can the "target = yaffs_find_by_name()" return NON-NULL even if
> new_dentry->d_inode is NULL? Could there be any race condition while
> deleting a directory and renaming the same, concurrently in different
> contexts?
>
> The issue is very rare to reproduce and seen only twice in normal user
> power on-off scenarios. So can't really test much to see if there are
> any race conditions.
>
> --
> Regards,
> Sujit Reddy Thumma
>
> Sent by a consultant of the Qualcomm Innovation Center, Inc.
> The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum.
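Review bot: The added `new_dentry->d_inode` test in the yaffs_rename hunk avoids the NULL dereference but does not explain the inconsistency behind it: `target` (the yaffs object found by name) is non-NULL while the VFS dentry has no inode, and when that happens the hunk now silently skips `inode_dec_link_count()`, so the link count of whatever `target` refers to is left unadjusted. The commit message should state how `target` can be non-NULL with a NULL `d_inode` (the report asks whether a concurrent unlink/rmdir of the same name is the cause) and why skipping the decrement is the right outcome rather than a hidden accounting error. Note also that, as the context lines show, the test runs after `yaffs_gross_unlock(dev)`; if a concurrent path can clear `d_inode`, reading it here narrows the window but does not close it, so the check should be documented as a defensive guard and the root cause tracked separately.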