Bug 26072 - ADFS filesystem E+/F+ disc handling for directories larger than 2048 bytes crashes kernel
Summary: ADFS filesystem E+/F+ disc handling for directories larger than 2048 bytes cr...
Status: CLOSED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: fs_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-04 15:40 UTC by Stuart Swales
Modified: 2012-06-13 15:00 UTC
CC List: 2 users

See Also:
Kernel Version: 2.6.36.2, 2.36.7
Subsystem:
Regression: No
Bisected commit-id:


Attachments
Patch for 2.6.36.2 for ADFS E+/F+ directory handling (5.78 KB, patch)
2011-01-04 15:43 UTC, Stuart Swales
Patch for 2.6.37 for ADFS E+/F+ directory handling (5.73 KB, patch)
2011-01-10 11:53 UTC, Stuart Swales
ADFS 256MB Hard Drive E+ format image for testing (compressed) (241.92 KB, application/octet-stream)
2011-01-10 12:09 UTC, Stuart Swales

Description Stuart Swales 2011-01-04 15:40:08 UTC
Kernel crashes in fs/adfs module when accessing directories with a large number of objects on mounted Acorn ADFS E+/F+ format discs (or images) as the current code writes off the end of the fixed array of struct buffer_head pointers.

Additionally, each directory access that didn't crash would leak a buffer as nr_buffers was not adjusted correctly (always left as one less than required).

The attached patch fixes this by allocating a dynamically-sized set of struct buffer_head pointers if necessary for the E+/F+ case (many directories still do in fact fit in 2048 bytes) and sets the correct nr_buffers so that all buffers are released.

The patch also supplies warnings on malformed directory head/tail structures.

Tested by tar'ing the contents of my RISC PC's E+ format 20Gb HDD which contains a number of large directories that previously crashed the kernel.
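The two defects the report describes (writing past a fixed array of struct buffer_head pointers when a directory needs more blocks than the array holds, and an nr_buffers count one short so every access leaks a buffer) are a general pattern, so here is a small user-space C model of them beside the fix. This is an added example, not the attached patch or the kernel's fs/adfs code: the 512-byte block size, the 4-slot fixed array (4 x 512 = 2048 bytes), the sanity cap, and the fake_bread()/fake_brelse() stand-ins for sb_bread()/brelse() are all assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the defect class in this report, not fs/adfs itself.
 * Assumed: 512-byte directory blocks and a 4-entry fixed pointer array, so
 * any directory larger than 2048 bytes needs more slots than the array has. */
#define DIR_BLOCK_SIZE 512UL
#define FIXED_SLOTS    4U
#define MAX_DIR_BLOCKS 65536U   /* assumed sanity cap on directory size */

/* Stand-in for struct buffer_head; the fake read/release pair keeps a count
 * of outstanding buffers so a leak can be measured. */
struct fake_bh { unsigned long blocknr; };
static int live_buffers;

static struct fake_bh *fake_bread(unsigned long blocknr)
{
    struct fake_bh *bh = malloc(sizeof *bh);
    if (!bh)
        return NULL;
    bh->blocknr = blocknr;
    live_buffers++;
    return bh;
}

static void fake_brelse(struct fake_bh *bh)
{
    if (bh) {
        live_buffers--;
        free(bh);
    }
}

int outstanding_buffers(void) { return live_buffers; }

struct dir_buffers {
    struct fake_bh *fixed[FIXED_SLOTS]; /* enough for directories <= 2048 bytes */
    struct fake_bh **dynamic;           /* allocated only for bigger directories */
    struct fake_bh **bh;                /* whichever array is in use */
    unsigned int nr_buffers;            /* entries of bh[] that must be released */
};

/* Blocks needed to hold a directory of 'size' bytes, rounding up. */
unsigned int blocks_for_dir(unsigned long size)
{
    return (unsigned int)((size + DIR_BLOCK_SIZE - 1) / DIR_BLOCK_SIZE);
}

/* Release every buffer recorded in nr_buffers, then the dynamic array. */
void dir_release(struct dir_buffers *d)
{
    unsigned int i;
    for (i = 0; i < d->nr_buffers; i++)
        fake_brelse(d->bh[i]);
    free(d->dynamic);
    d->dynamic = NULL;
    d->bh = NULL;
    d->nr_buffers = 0;
}

/* Hardened loader: switches to a heap array when the directory needs more
 * than FIXED_SLOTS blocks, rejects absurd sizes, and sets nr_buffers to the
 * number actually read so dir_release() frees all of them, even on failure. */
int dir_read(struct dir_buffers *d, unsigned long first_block, unsigned long size)
{
    unsigned int n = blocks_for_dir(size), i;
    memset(d, 0, sizeof *d);
    if (n == 0 || n > MAX_DIR_BLOCKS)
        return -1;
    if (n <= FIXED_SLOTS) {
        d->bh = d->fixed;
    } else {
        d->dynamic = calloc(n, sizeof *d->dynamic);
        if (!d->dynamic)
            return -1;
        d->bh = d->dynamic;
    }
    for (i = 0; i < n; i++) {
        d->bh[i] = fake_bread(first_block + i);
        if (!d->bh[i]) {
            d->nr_buffers = i;   /* only what was actually read */
            dir_release(d);
            return -1;
        }
    }
    d->nr_buffers = n;
    return 0;
}

/* Model of the accounting defect only: nr_buffers ends up one short, so one
 * buffer survives dir_release(). The out-of-bounds write for n > FIXED_SLOTS
 * is not reproduced; oversize directories are simply refused here. */
int dir_read_offbyone(struct dir_buffers *d, unsigned long first_block, unsigned long size)
{
    unsigned int n = blocks_for_dir(size), i;
    memset(d, 0, sizeof *d);
    if (n == 0 || n > FIXED_SLOTS)
        return -1;
    d->bh = d->fixed;
    for (i = 0; i < n; i++)
        d->bh[i] = fake_bread(first_block + i);
    d->nr_buffers = n - 1;       /* the defect: one less than required */
    return 0;
}

/* Read then release a directory of 'size' bytes with the given loader and
 * return how many buffers were leaked (0 is correct), or -1 if refused. */
int leak_after_roundtrip(int (*reader)(struct dir_buffers *, unsigned long, unsigned long),
                         unsigned long size)
{
    struct dir_buffers d;
    int before = live_buffers;
    if (reader(&d, 0, size) != 0)
        return -1;
    dir_release(&d);
    return live_buffers - before;
}

int main(void)
{
    printf("2048 bytes, hardened:   leaked %d\n", leak_after_roundtrip(dir_read, 2048));
    printf("4096 bytes, hardened:   leaked %d\n", leak_after_roundtrip(dir_read, 4096));
    printf("2048 bytes, off-by-one: leaked %d\n", leak_after_roundtrip(dir_read_offbyone, 2048));
    return 0;
}
```

The leak counter is the useful part for a reviewer: a loader that is correct for every size must bring the outstanding-buffer count back to where it started after release, including when a mid-read failure forces an early release.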
Comment 1 Stuart Swales 2011-01-04 15:43:06 UTC
Created attachment 42342
Patch for 2.6.36.2 for ADFS E+/F+ directory handling
Comment 2 Stuart Swales 2011-01-10 11:53:05 UTC
Created attachment 43122
Patch for 2.6.37 for ADFS E+/F+ directory handling
Comment 3 Stuart Swales 2011-01-10 12:09:46 UTC
Created attachment 43142
ADFS 256MB Hard Drive E+ format image for testing (compressed)

Expand image, then mount:

mount -t adfs -o loop,ro,offset=512 testdiscep.hdf /mnt

ls -lR /mnt

Without patch, kernel crashes as this E+ format disc contains a directory larger than 2048 bytes.  With patch, directory is listed as expected.
Comment 4 Florian Mickler 2011-03-28 23:06:41 UTC
A patch referencing this bug report has been merged in v2.6.38-8876-g036a982:

commit 2f09719af705db56032ae480a2d9c32c2a3fcbd3
Author: Stuart Swales <stuart.swales.croftnuisk@gmail.com>
Date:   Tue Mar 22 16:35:04 2011 -0700

    adfs: fix E+/F+ dir size > 2048 crashing kernel
