Kernel crashes in fs/adfs module when accessing directories with a large number of objects on mounted Acorn ADFS E+/F+ format discs (or images) as the current code writes off the end of the fixed array of struct buffer_head pointers.
Additionally, each directory access that didn't crash would leak a buffer as nr_buffers was not adjusted correctly (always left as one less than required).
The attached patch fixes this by allocating a dynamically-sized set of struct buffer_head pointers if necessary for the E+/F+ case (many directories still do in fact fit in 2048 bytes) and sets the correct nr_buffers so that all buffers are released.
The patch also supplies warnings on malformed directory head/tail structures.
Tested by tar'ing the contents of my RISC PC's E+ format 20Gb HDD which contains a number of large directories that previously crashed the kernel.
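The two defects described in the report above (indexing past a fixed pointer array, and a buffer count that stops one short of what is held) can be modelled in user space. This is an added example, not the attached patch or any kernel code: struct buf, struct dir, dir_load, dir_release, live_bufs and the 512-byte block size are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#define BLOCK_SIZE 512                    /* assumed block size for this model */
#define INLINE_BHS (2048 / BLOCK_SIZE)    /* fixed slots cover a 2048-byte directory */
struct buf { char data[BLOCK_SIZE]; };    /* stand-in for struct buffer_head */
struct dir {
    struct buf *inline_bhs[INLINE_BHS];   /* fixed array, used when the directory fits */
    struct buf **bhs;                     /* inline_bhs, or a heap array for large dirs */
    unsigned int nr_buffers;              /* exact number of buffers held in bhs[] */
};
static int live_bufs;                     /* outstanding buffers, to expose leaks */

static void dir_release(struct dir *d)
{
    for (; d->nr_buffers; live_bufs--)    /* release every buffer that was stored */
        free(d->bhs[--d->nr_buffers]);
    if (d->bhs != d->inline_bhs)
        free(d->bhs);
    d->bhs = NULL;
}

/* Load a directory of dir_size bytes: 0 on success, -1 on allocation failure. */
static int dir_load(struct dir *d, size_t dir_size)
{
    size_t need = (dir_size + BLOCK_SIZE - 1) / BLOCK_SIZE;
    d->nr_buffers = 0;
    d->bhs = d->inline_bhs;
    if (need > INLINE_BHS && !(d->bhs = calloc(need, sizeof(*d->bhs))))
        return -1;                        /* never index past the fixed array */
    for (size_t i = 0; i < need; i++) {
        if (!(d->bhs[i] = calloc(1, sizeof(struct buf)))) {
            dir_release(d);
            return -1;
        }
        live_bufs++;
        d->nr_buffers = (unsigned int)(i + 1);  /* count includes this buffer */
    }
    return 0;
}

int main(void)
{
    struct dir d;
    if (dir_load(&d, 20 * 1024) == 0) {
        printf("held %u buffers\n", d.nr_buffers);
        dir_release(&d);
    }
    return live_bufs;                     /* 0 when nothing leaked */
}
```

If nr_buffers were left at i rather than i + 1, dir_release would skip the last buffer and live_bufs would stay at 1 after every load, which is the leak the report describes.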
Created attachment 42342
Patch for 188.8.131.52 for ADFS E+/F+ directory handling
Created attachment 43122
Patch for 2.6.37 for ADFS E+/F+ directory handling
Created attachment 43142
ADFS 256MB Hard Drive E+ format image for testing (compressed)
Expand image, then mount:
mount -t adfs -o loop,ro,offset=512 testdiscep.hdf /mnt
ls -lR /mnt
Without patch, kernel crashes as this E+ format disc contains a directory larger than 2048 bytes. With patch, directory is listed as expected.
A patch referencing this bug report has been merged in v2.6.38-8876-g036a982:
Author: Stuart Swales <email@example.com>
Date: Tue Mar 22 16:35:04 2011 -0700
adfs: fix E+/F+ dir size > 2048 crashing kernel