[Yaffs] Problem with null names in yaffs_FindObjectByName()

Attachments:
+ Message (text/plain)
+ pblm-null-name-in-yaffs_FindObjectByName.diff (text/plain)
Author: Luc Van Oostenryck
Date:
To: yaffs-list, Charles Manning
Subject: [Yaffs] Problem with null names in yaffs_FindObjectByName()
New tests that I run cause 100% reproducible kernel crashes.
The problem appears to be that yaffs_FindObjectByName() can be called with name set to NULL.

The code path comes from the two calls to yaffs_ChangeObjectName() at the end of
yaffs_UnlinkFile(), which set name to NULL and cause a crash when strcmp()
is called in yaffs_FindObjectByName().


For the moment I use the attached patch (beware, there are also some traces added),
which tests early for a NULL name in yaffs_FindObjectByName() and returns NULL in this case.
It seems to solve the problem, but it needs to be checked.

What I find really hard to understand is why we didn't find this one sooner
(I previously ran a heavy test with lots of file creation and deletion and
everything went well :-().


Luc
--- yaffs_guts.c    Sun Jul 31 18:12:52 2005
+++ /tmp/yaffs_guts.c    Mon Aug  1 00:36:13 2005
@@ -5599,6 +5599,9 @@ yaffs_Object *yaffs_FindObjectByName(yaf
         YBUG();
     }


+    if (!name)
+        return NULL;
+
     sum = yaffs_CalcNameSum(name);

    
     list_for_each(i,&directory->variant.directoryVariant.children)
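Review bot: the `if (!name) return NULL;` inserted just before `sum = yaffs_CalcNameSum(name);` stops the crash but hides the real defect rather than fixing it: the message says the NULL name comes from the two yaffs_ChangeObjectName() calls at the end of yaffs_UnlinkFile(), so that caller still needs either a fix or an explanation of why a NULL name is legitimate there. As a defensive guard the placement is fine (after the directory validation that ends in YBUG(), before the sum is computed and before any yaffs_strcmp() in the loop), and returning NULL reads as "not found", which callers already handle; a one-line comment above the check saying why NULL can reach this function would help the next reader.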
@@ -5610,6 +5613,8 @@ yaffs_Object *yaffs_FindObjectByName(yaf
             // Special case for lost-n-found
             if(l->objectId == YAFFS_OBJECTID_LOSTNFOUND)
             {
+printk(KERN_ERR "%s:%d: name = '%s', objId = %d\n", __FUNCTION__, __LINE__, name, l->objectId);
+BUG_ON(!name);
                 if(yaffs_strcmp(name,YAFFS_LOSTNFOUND_NAME) == 0)
                 {
                     return l;
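Review bot: the `printk(KERN_ERR ...)` and `BUG_ON(!name)` added inside the lost-n-found special case are the debugging traces the message warns about and should not go in with the fix; once the earlier `if (!name) return NULL;` is in place the BUG_ON can never trigger, and the printk runs on every lookup that walks past the lost-n-found child, so it would flood the kernel log at KERN_ERR. The two added lines are also flush-left against the surrounding indentation. Drop them before the patch is applied.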
@@ -5618,6 +5623,8 @@ yaffs_Object *yaffs_FindObjectByName(yaf
             else if(yaffs_SumCompare(l->sum, sum)||
                     l->chunkId <= 0) //LostnFound cunk called Objxxx
             {
+printk(KERN_ERR "%s:%d: name = '%s', l-sum = %d, sum = %d, chunkId = %d\n", __FUNCTION__, __LINE__, name, l->sum, sum, l->chunkId);
+BUG_ON(!name);
                 // Do a real check
                 yaffs_GetObjectName(l,buffer,YAFFS_MAX_NAME_LENGTH);
                 if(yaffs_strcmp(name,buffer) == 0)
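Review bot: same point as the previous hunk: the `printk(KERN_ERR ...)`/`BUG_ON(!name)` pair inserted before `// Do a real check` is trace code that fires for every child whose name sum matches, is unreachable for a NULL name after the early return, and should be removed from the final patch. The hunk header announces 8 new-side lines but the visible hunk stops at `if(yaffs_strcmp(name,buffer) == 0)`, so the complete diff should be taken from the attachment (pblm-null-name-in-yaffs_FindObjectByName.diff) rather than from this excerpt.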