List:       yaffs
Subject:    [Yaffs] Problem with null names in yaffs_FindObjectByName()
From:       Luc Van Oostenryck <lkml () looxix ! net>
Date:       2005-07-31 22:52:44
Message-ID: 42ED563C.1060309 () looxix ! net

New tests that I run cause 100% reproducible kernel crashes.
The problem appears to be that yaffs_FindObjectByName() can be called with name set to NULL.

The code path comes from the two calls to yaffs_ChangeObjectName() at the end of
yaffs_UnlinkFile(), which set name to NULL and cause a crash when strcmp()
is called in yaffs_FindObjectByName().


For the moment I use the attached patch (beware, there are also some traces added),
which tests early for a NULL name in yaffs_FindObjectByName() and returns NULL in this case.
It seems to solve the problem, but it needs to be checked.

What I find really hard to understand is why we didn't find this one sooner
(I previously ran a heavy test with a lot of file creation and deletion and
everything went well :-().


Luc

["pblm-null-name-in-yaffs_FindObjectByName.diff" (text/plain)]

--- yaffs_guts.c	Sun Jul 31 18:12:52 2005
+++ /tmp/yaffs_guts.c	Mon Aug  1 00:36:13 2005
@@ -5599,6 +5599,9 @@ yaffs_Object *yaffs_FindObjectByName(yaf
 		YBUG();
 	}
 
+	if (!name)
+		return NULL;
+
 	sum = yaffs_CalcNameSum(name);
 	
 	list_for_each(i,&directory->variant.directoryVariant.children)
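Review bot: the early `return NULL` on `!name` hides the caller's bug rather than fixing it; the cover note says the NULL comes from yaffs_ChangeObjectName() being called from yaffs_UnlinkFile() with a NULL name, so the real fix belongs there, and this guard should at least report the bad argument the way the `YBUG();` block just above it does for the directory checks, otherwise a lookup with a NULL name silently reads as "not found" and the corrupted call site stays invisible. Keeping the guard as a defensive check is fine, but please add a comment saying that a NULL name is a caller error.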
@@ -5610,6 +5613,8 @@ yaffs_Object *yaffs_FindObjectByName(yaf
 			// Special case for lost-n-found
 			if(l->objectId == YAFFS_OBJECTID_LOSTNFOUND)
 			{
+printk(KERN_ERR "%s:%d: name = '%s', objId = %d\n", __FUNCTION__, __LINE__, name, \
l->objectId); +BUG_ON(!name);
 				if(yaffs_strcmp(name,YAFFS_LOSTNFOUND_NAME) == 0)
 				{
 					return l;
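Review bot: the `printk(KERN_ERR ...)` / `BUG_ON(!name)` pair added before the lost-n-found compare is debugging residue that must not be merged: the `%s` in the printk dereferences `name` before `BUG_ON(!name)` checks it, so the order is backwards for the case it is meant to catch, and with the `if (!name) return NULL;` from the first hunk in place `name` can no longer be NULL here, making the BUG_ON dead code. If a trace is wanted while the root cause is chased, use KERN_DEBUG rather than KERN_ERR and indent it to match the surrounding block; the cover note itself flags these lines as temporary traces.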
@@ -5618,6 +5623,8 @@ yaffs_Object *yaffs_FindObjectByName(yaf
 			else if(yaffs_SumCompare(l->sum, sum)||
 				    l->chunkId <= 0) //LostnFound cunk called Objxxx
 			{
+printk(KERN_ERR "%s:%d: name = '%s', l-sum = %d, sum = %d, chunkId = %d\n", \
__FUNCTION__, __LINE__, name, l->sum, sum, l->chunkId); +BUG_ON(!name);
 				// Do a real check
 				yaffs_GetObjectName(l,buffer,YAFFS_MAX_NAME_LENGTH);
 				if(yaffs_strcmp(name,buffer) == 0)
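Review bot: this second trace fires for every child whose name sum matches or whose `chunkId <= 0`, i.e. on the normal lookup path, so it will flood the log under the file creation/deletion load described in the cover note, and like the previous one it is unreachable for a NULL name once the early return is in place. Drop both the printk and the `BUG_ON(!name)` before this goes in; while here, the pre-existing comment on the `l->chunkId <= 0` line should read "chunk", not "cunk".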