Bug 26072

Summary: ADFS filesystem E+/F+ disc handling for directories larger than 2048 bytes crashes kernel
Product: File System    Reporter: Stuart Swales (stuart.swales.croftnuisk)
Component: Other    Assignee: fs_other
Status: CLOSED CODE_FIX
Severity: normal    CC: alan, florian
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.36.2, 2.36.7    Subsystem:
Regression: No    Bisected commit-id:
Attachments: Patch for 2.6.36.2 for ADFS E+/F+ directory handling
Patch for 2.6.37 for ADFS E+/F+ directory handling
ADFS 256MB Hard Drive E+ format image for testing (compressed)

Description Stuart Swales 2011-01-04 15:40:08 UTC
Kernel crashes in fs/adfs module when accessing directories with a large number of objects on mounted Acorn ADFS E+/F+ format discs (or images) as the current code writes off the end of the fixed array of struct buffer_head pointers.

Additionally, each directory access that didn't crash would leak a buffer as nr_buffers was not adjusted correctly (always left as one less than required).

The attached patch fixes this by allocating a dynamically-sized set of struct buffer_head pointers if necessary for the E+/F+ case (many directories still do in fact fit in 2048 bytes) and sets the correct nr_buffers so that all buffers are released.

The patch also supplies warnings on malformed directory head/tail structures.

Tested by tar'ing the contents of my RISC PC's E+ format 20Gb HDD which contains a number of large directories that previously crashed the kernel.
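The two defects described in the report (a fixed array of buffer pointers overrun by an E+/F+ directory larger than 2048 bytes, and nr_buffers left one short so a buffer leaks on release) modelled as an added C example. This is constructed for illustration and is not the fs/adfs code or the attached patch; the names dir_buffers, dir_read, dir_release and roundtrip are illustrative, and plain malloc/free stand in for buffer_head handling.

```c
#include <stdlib.h>
/* Constructed model of the pattern in the report, not the fs/adfs code: directory
 * data is read in 512-byte blocks, and a fixed array of 4 pointers (2048 bytes)
 * was overrun by large E+/F+ directories. Names here are illustrative. */
#define BLOCK_SIZE    512
#define FIXED_BUFFERS 4                      /* 4 * 512 = 2048 bytes */
struct dir_buffers {
    void  *bh_fixed[FIXED_BUFFERS];          /* enough for most directories */
    void **bh;                               /* bh_fixed, or a heap array */
    unsigned int nr_buffers;                 /* live entries in bh[] */
};
/* 512-byte blocks needed for a directory of dir_size bytes. */
static unsigned int blocks_for(size_t dir_size)
{
    return (unsigned int)((dir_size + BLOCK_SIZE - 1) / BLOCK_SIZE);
}
/* Acquire buffers for a directory: 0 on success, -1 on a zero-length header or
 * allocation failure. nr_buffers must equal the count acquired, or release leaks. */
static int dir_read(struct dir_buffers *d, size_t dir_size)
{
    unsigned int n = blocks_for(dir_size), i;
    d->bh = d->bh_fixed;
    d->nr_buffers = 0;
    if (n == 0)
        return -1;                           /* malformed directory header */
    if (n > FIXED_BUFFERS) {                 /* grow instead of overrunning bh_fixed */
        d->bh = calloc(n, sizeof(*d->bh));
        if (!d->bh)
            return -1;
    }
    for (i = 0; i < n; i++)
        d->bh[i] = malloc(BLOCK_SIZE);       /* stands in for a buffer_head */
    d->nr_buffers = n;                       /* n, not n - 1 */
    return 0;
}
/* Release every acquired buffer; returns how many were freed. */
static unsigned int dir_release(struct dir_buffers *d)
{
    unsigned int i, freed = d->nr_buffers;
    for (i = 0; i < freed; i++)
        free(d->bh[i]);
    if (d->bh != d->bh_fixed)
        free(d->bh);
    d->nr_buffers = 0;
    return freed;
}
/* Read then release one directory; returns buffers freed, or -1 on failure. */
static int roundtrip(size_t dir_size)
{
    struct dir_buffers d;
    return dir_read(&d, dir_size) ? -1 : (int)dir_release(&d);
}
```

With the fixed array alone, any directory over 2048 bytes would write bh[4] and beyond; with nr_buffers set to n - 1, every read would leave one block unreleased.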
Comment 1 Stuart Swales 2011-01-04 15:43:06 UTC
Created attachment 42342
Patch for 2.6.36.2 for ADFS E+/F+ directory handling
Comment 2 Stuart Swales 2011-01-10 11:53:05 UTC
Created attachment 43122
Patch for 2.6.37 for ADFS E+/F+ directory handling
Comment 3 Stuart Swales 2011-01-10 12:09:46 UTC
Created attachment 43142
ADFS 256MB Hard Drive E+ format image for testing (compressed)

Expand image, then mount:

mount -t adfs -o loop,ro,offset=512 testdiscep.hdf /mnt

ls -lR /mnt

Without patch, kernel crashes as this E+ format disc contains a directory larger than 2048 bytes. With patch, directory is listed as expected.
Comment 4 Florian Mickler 2011-03-28 23:06:41 UTC
A patch referencing this bug report has been merged in v2.6.38-8876-g036a982:

commit 2f09719af705db56032ae480a2d9c32c2a3fcbd3
Author: Stuart Swales <stuart.swales.croftnuisk@gmail.com>
Date:   Tue Mar 22 16:35:04 2011 -0700

    adfs: fix E+/F+ dir size > 2048 crashing kernel