Kernel crashes in fs/adfs module when accessing directories with a large number of objects on mounted Acorn ADFS E+/F+ format discs (or images) as the current code writes off the end of the fixed array of struct buffer_head pointers. Additionally, each directory access that didn't crash would leak a buffer as nr_buffers was not adjusted correctly (always left as one less than required).

The attached patch fixes this by allocating a dynamically-sized set of struct buffer_head pointers if necessary for the E+/F+ case (many directories still do in fact fit in 2048 bytes) and sets the correct nr_buffers so that all buffers are released. The patch also supplies warnings on malformed directory head/tail structures.

Tested by tar'ing the contents of my RISC PC's E+ format 20Gb HDD which contains a number of large directories that previously crashed the kernel.
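The allocation pattern the report describes, written out as an added C model: a fixed pointer array for directories that fit in it, a dynamically sized array when the directory is larger (instead of writing past the fixed array), and an nr_buffers that matches what was actually read so the release path frees everything. This is not the kernel's fs/adfs code or the attached patch; the 512-byte block size, the four-slot fixed array and the names adfs_dir_model, dir_read, dir_release and read_and_release are assumptions made for the model.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model, not the kernel's fs/adfs code. BLOCK_SIZE and the size of
 * the fixed array are assumptions chosen so that it covers exactly 2048 bytes. */
#define BLOCK_SIZE     512
#define INLINE_BUFFERS 4                                 /* 4 * 512 = 2048 bytes */
struct buffer_head { unsigned long blocknr; };           /* stand-in for the kernel type */
struct adfs_dir_model {
    struct buffer_head *bh[INLINE_BUFFERS];              /* fixed array, small dirs only */
    struct buffer_head **bh_dyn, **bh_p;                 /* dynamic array; array in use */
    unsigned int nr_buffers;                             /* must equal the buffers held */
};
static unsigned long released_total;                     /* counts every buffer put back */

static void dir_release(struct adfs_dir_model *dir)
{
    for (unsigned int i = 0; i < dir->nr_buffers; i++) { free(dir->bh_p[i]); released_total++; }
    free(dir->bh_dyn);                                   /* harmless when NULL */
    dir->bh_dyn = NULL; dir->nr_buffers = 0;
}

/* Read a dirsize-byte directory at block 'start'; returns buffers held, or -1. */
static int dir_read(struct adfs_dir_model *dir, unsigned long start, unsigned int dirsize)
{
    unsigned int nblocks = (dirsize + BLOCK_SIZE - 1) / BLOCK_SIZE;
    memset(dir, 0, sizeof(*dir));
    if (nblocks == 0) return -1;
    if (nblocks > INLINE_BUFFERS &&                      /* would overrun bh[]: go dynamic */
        !(dir->bh_dyn = calloc(nblocks, sizeof(*dir->bh_dyn))))
        return -1;
    dir->bh_p = dir->bh_dyn ? dir->bh_dyn : dir->bh;
    for (unsigned int i = 0; i < nblocks; i++) {
        if (!(dir->bh_p[i] = malloc(sizeof(**dir->bh_p)))) { /* stands in for sb_bread() */
            dir->nr_buffers = i;                         /* release what was read so far */
            dir_release(dir);
            return -1;
        }
        dir->bh_p[i]->blocknr = start + i;
    }
    dir->nr_buffers = nblocks;                           /* the full count, not one short */
    return (int)nblocks;
}

/* Read then release; returns buffers released, or -1 if the counts disagree. */
int read_and_release(unsigned long start, unsigned int dirsize)
{
    struct adfs_dir_model dir;
    unsigned long before = released_total;
    int held = dir_read(&dir, start, dirsize);
    if (held < 0) return -1;
    dir_release(&dir);
    return (released_total - before == (unsigned long)held) ? held : -1;
}
```

A 2048-byte directory uses the fixed array (4 buffers); anything larger, even by one byte, takes the dynamic path, and in both cases every buffer read is released.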
Created attachment 42342: Patch for 2.6.36.2 for ADFS E+/F+ directory handling
Created attachment 43122: Patch for 2.6.37 for ADFS E+/F+ directory handling
Created attachment 43142: ADFS 256MB Hard Drive E+ format image for testing (compressed)

Expand image, then mount:

    mount -t adfs -o loop,ro,offset=512 testdiscep.hdf /mnt
    ls -lR /mnt

Without patch, kernel crashes as this E+ format disc contains a directory larger than 2048 bytes. With patch, directory is listed as expected.
A patch referencing this bug report has been merged in v2.6.38-8876-g036a982:

commit 2f09719af705db56032ae480a2d9c32c2a3fcbd3
Author: Stuart Swales <stuart.swales.croftnuisk@gmail.com>
Date:   Tue Mar 22 16:35:04 2011 -0700

    adfs: fix E+/F+ dir size > 2048 crashing kernel