[Yaffs] Kernel panic - null pointer dereference in yaffs_ren…

Author: Sujit Reddy Thumma
Date:  
To: yaffs
Subject: [Yaffs] Kernel panic - null pointer dereference in yaffs_rename()
Hi,

I see a random crash due to a kernel panic in yaffs_rename(). The crash dump follows.

<1>[ 31 NULL pointer dereference at virtual address 0000005c
<1>[ 31.471994] pgd = e9294000
<1>[ 31.472004] [0000005c] *pgd=29761831, *pte=00000000, *ppte=00000000
<0>[ 31.472029] Internal error: Oops: 17 1 PREEMPT
<4>[ 31.472059] Modules linked in: [last unloaded: librasdioif]
<4>[ 31.472098] CPU: 0 Tainted: P (3.0.8-perf-00013-gcec6400 #1)
<4>[ 31.472143] PC is at yaffs_rename+0xe0/0x158
<4>[ 31.472169] LR is at yaffs_rename+0xc4/0x158
<4>[ 31.472198] pc : [<c01e312c>] lr : [<c01e3110>] psr: a0000013
<4>[ 31.472206] sp : e561fe68 ip 31.472249] r10: 00000001 r9 : e561e000 r8 : e9781000
<4>[ 31.472278] r7 : e981a9a8 r6 : ed53c8
………
<0>[ 31.478984] ffe0: 401c5794 5044cbc0 401ac9ad 400f6c7c 60000010 002ceca8 00000000 00000000
<4>[ 31.479056] [<c01e312c>] (yaffs_rename+0xe0/0x158) from [<c0131cec>] (vfs_rename+0x298/0x414)
<4>[ 31.479116] [<c0131cec>] (vfs_rename+0x298/0x414) from [<c013376c>] (sys_renameat+0x168/0x1e0)
<4>[ 31.479174] [<c013376c>] (sys_renameat+0x168/0x1e0) from [<c003b180>] (ret_fast_syscall+0x0/0x30)
<0>[ 31.479233] Code: e3570000 0a000006 e5963020 e3a01007 (e593205c)
<4>[ [<c0519d78>] (panic+0x60/0x178)ort+0x34/0x94) from
[<c003acec>]1.486076] Exception stack(0xe5616174] fe40: e9781000
e561e000 00<


Comparing it with the objdump output, the crash point refers to
new_dentry->d_inode being NULL. When it is passed to inode_dec_link_count(),
that function tries to dereference it and crashes.

         if (ret_val == YAFFS_OK) {
                 if (target)
                         inode_dec_link_count(new_dentry->d_inode);



Can "target = yaffs_find_by_name()" return non-NULL even if
new_dentry->d_inode is NULL? Could there be a race condition when deleting a
directory and renaming the same one concurrently in different contexts?

The issue is very hard to reproduce and has been seen only twice, in normal
user power on/off scenarios, so I can't really test much to see whether there
are any race conditions.


--
Regards,
Sujit Reddy Thumma

Sent by a consultant of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum.
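The message above asks whether a concurrent rmdir and rename of the same name can race, and notes that the crash is too rare to test by hand. The program below is an added userspace stress harness for exactly that scenario; it is not code from the original post or from YAFFS. It forks two contexts: the child repeatedly creates and removes the rename target, while the parent repeatedly renames a fresh directory onto that target, so the filesystem's rename path keeps hitting the "existing target" case that dereferences new_dentry->d_inode. It runs on whatever filesystem holds the base directory (default /tmp, an assumption); to exercise yaffs_rename() point it at a directory on a YAFFS mount (the mount path is whatever your device uses and is not given here).

```c
/* Added example: rename()-vs-rmdir() stress harness (not from the original post).
 * Usage: ./renstress [base_dir] [iterations]   e.g. ./renstress /tmp 100000
 * Base directory and iteration count are assumptions; adjust for the target. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct stress_stats {
    long rename_ok;      /* rename(src, dst) succeeded */
    long rename_failed;  /* rename() returned -1 (errno ENOENT, ENOTEMPTY, ...) */
    long rmdir_ok;       /* rmdir(dst) removed a directory */
    long rmdir_failed;   /* rmdir(dst) returned -1 */
};

struct stress_ctx {
    char src[4096];
    char dst[4096];
    long iterations;
    struct stress_stats st;
};

/* Deleting context: keep creating and removing the rename *target* name, so the
 * rename sometimes finds an existing (empty) directory there and sometimes not. */
static void rmdir_worker(struct stress_ctx *c)
{
    for (long i = 0; i < c->iterations; i++) {
        mkdir(c->dst, 0700);             /* EEXIST is fine: rename may have put one here */
        if (rmdir(c->dst) == 0)
            c->st.rmdir_ok++;
        else
            c->st.rmdir_failed++;
    }
}

/* Renaming context: rename a fresh directory onto the same target name. When the
 * target exists, rename must replace it, which is the path the crash dump shows. */
static void rename_worker(struct stress_ctx *c)
{
    for (long i = 0; i < c->iterations; i++) {
        mkdir(c->src, 0700);             /* recreate source if the last rename moved it */
        if (rename(c->src, c->dst) == 0)
            c->st.rename_ok++;
        else
            c->st.rename_failed++;
    }
}

/* Runs both contexts for `iterations` rounds under a fresh temporary directory
 * below `base`. Returns 0 on success (stats in *out), -1 on setup failure. */
int run_rename_rmdir_stress(const char *base, long iterations, struct stress_stats *out)
{
    char tmpl[4000];
    struct stress_ctx c;
    struct stress_stats child_st;
    int pfd[2];
    pid_t pid;
    ssize_t n;

    memset(&c, 0, sizeof c);
    snprintf(tmpl, sizeof tmpl, "%s/renstress.XXXXXX", base);
    if (!mkdtemp(tmpl) || pipe(pfd) != 0)
        return -1;
    snprintf(c.src, sizeof c.src, "%s/src", tmpl);
    snprintf(c.dst, sizeof c.dst, "%s/dst", tmpl);
    c.iterations = iterations;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* child: deleting context, reports via pipe */
        close(pfd[0]);
        rmdir_worker(&c);
        _exit(write(pfd[1], &c.st, sizeof c.st) == (ssize_t)sizeof c.st ? 0 : 1);
    }
    close(pfd[1]);
    rename_worker(&c);                   /* parent: renaming context */
    n = read(pfd[0], &child_st, sizeof child_st);
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child_st)
        return -1;
    c.st.rmdir_ok = child_st.rmdir_ok;
    c.st.rmdir_failed = child_st.rmdir_failed;

    rmdir(c.src);                        /* clean up whatever the last round left */
    rmdir(c.dst);
    rmdir(tmpl);
    if (out)
        *out = c.st;
    return 0;
}

int main(int argc, char **argv)
{
    const char *base = argc > 1 ? argv[1] : "/tmp";
    long iters = argc > 2 ? atol(argv[2]) : 100000;
    struct stress_stats st;
    if (run_rename_rmdir_stress(base, iters, &st) != 0) {
        perror("setup");
        return 1;
    }
    printf("rename ok=%ld failed=%ld, rmdir ok=%ld failed=%ld\n",
           st.rename_ok, st.rename_failed, st.rmdir_ok, st.rmdir_failed);
    return 0;
}
```

Run it in a loop on the device with a large iteration count; a race of the kind asked about shows up as the same oops in yaffs_rename() rather than as a counter value, so the counters only confirm that both paths (target present and target absent) were actually exercised. Separate processes rather than threads are used so the two operations really arrive from different contexts, as in the scenario described.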