Subject: Re: [PATCH] usb: gadget: f_fs: Fix kernel panic for SuperSpeed
From: Lars-Peter Clausen
To: Jim Lin, balbi@kernel.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Fri, 22 Apr 2016 13:21:53 +0200
Message-ID: <571A0951.2030802@metafoo.de>
In-Reply-To: <1461321780-3226-1-git-send-email-jilin@nvidia.com>
References: <1461321780-3226-1-git-send-email-jilin@nvidia.com>

On 04/22/2016 12:43 PM, Jim Lin wrote:
> Android N adds os_desc_compat in v2_descriptor by init_functionfs()
> (system/core/adb/usb_linux_client.cpp) to support automatic install
> of the MTP driver on Windows for USB device mode.
>
> The current __ffs_data_do_os_desc() of f_fs.c checks the reserved1 field
> and returns -EINVAL.
> This results in a second adb_write from usb_linux_client.cpp
> (system/core/adb/) which doesn't have ss_descriptors filled.
> Later a kernel panic (composite.c) occurs when ss_descriptors,
> a NULL pointer, is accessed.
>
> The fix is to ignore the check on the reserved1 field so that the first
> adb_write succeeds with the v2_descriptor which has
> ss_descriptors filled.

That sounds like the wrong approach. The kernel should not crash if ss_descriptors is not filled.
I think the right fix is to make sure that the NULL pointer deref can never happen regardless of which input is supplied by userspace.
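The following is an added example written for this page, not code from the thread, from f_fs.c or from composite.c. It models the sequence the commit message describes (an OS descriptor rejected by the parser, a second write without SuperSpeed descriptors, a SuperSpeed host arriving) and shows the descriptor-selection side handling a missing set by falling back or failing with an errno instead of dereferencing NULL. Assumptions: the `ext_compat_desc` layout and the Reserved1 value 0x01 follow the MS OS 1.0 extended compat ID function section, the `-ENODEV` result for "no usable set" is a choice made here, and the descriptor bytes and the `select_descriptors`/`run_scenario` helpers are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not kernel code: one gadget function's descriptor
 * sets. Any pointer may be NULL if userspace never supplied that speed. */
enum usb_speed { SPEED_FULL = 0, SPEED_HIGH = 1, SPEED_SUPER = 2 };

struct fn_descs {
    const uint8_t *fs;   /* full-speed set, or NULL */
    const uint8_t *hs;   /* high-speed set, or NULL */
    const uint8_t *ss;   /* SuperSpeed set, or NULL */
};

/* MS OS 1.0 extended compat ID function section (24 bytes). The spec
 * requires Reserved1 == 0x01; the field names mirror the kernel's
 * usb_ext_compat_desc (layout assumed for this example). */
struct ext_compat_desc {
    uint8_t bFirstInterfaceNumber;
    uint8_t Reserved1;
    uint8_t CompatibleID[8];
    uint8_t SubCompatibleID[8];
    uint8_t Reserved2[6];
};
#define MS_OS_RESERVED1 0x01

/* Validate one ext-compat descriptor copied from an untrusted userspace
 * buffer. Returns 0 when acceptable, -EINVAL otherwise. */
int validate_ext_compat(const uint8_t *buf, size_t len, unsigned n_interfaces)
{
    struct ext_compat_desc d;

    if (!buf || len < sizeof d)
        return -EINVAL;
    memcpy(&d, buf, sizeof d);            /* bounded copy, no overread */
    if (d.bFirstInterfaceNumber >= n_interfaces)
        return -EINVAL;
    if (d.Reserved1 != MS_OS_RESERVED1)
        return -EINVAL;
    return 0;
}

/* Pick the descriptor set for a connection speed without touching a NULL
 * set: prefer the requested speed, fall back to the next slower one, and
 * return -ENODEV (choice for this example) when nothing is usable.
 * On success the return value is the speed actually served. */
int select_descriptors(const struct fn_descs *f, enum usb_speed speed,
                       const uint8_t **out)
{
    const uint8_t *candidates[3];
    int s;

    if (!f || !out || speed > SPEED_SUPER)
        return -EINVAL;
    candidates[SPEED_FULL] = f->fs;
    candidates[SPEED_HIGH] = f->hs;
    candidates[SPEED_SUPER] = f->ss;
    for (s = (int)speed; s >= SPEED_FULL; s--) {
        if (candidates[s]) {
            *out = candidates[s];
            return s;
        }
    }
    *out = NULL;
    return -ENODEV;
}

/* Convenience wrapper: build the set from three pointers and select. */
int select_from_sets(const uint8_t *fs, const uint8_t *hs, const uint8_t *ss,
                     enum usb_speed speed)
{
    struct fn_descs f = { fs, hs, ss };
    const uint8_t *chosen;

    return select_descriptors(&f, speed, &chosen);
}

/* Constructed sample descriptor sets; their contents do not matter here. */
static const uint8_t SAMPLE_FS[] = { 0x09, 0x04, 0x00 };
static const uint8_t SAMPLE_HS[] = { 0x09, 0x04, 0x01 };
static const uint8_t SAMPLE_SS[] = { 0x09, 0x04, 0x02 };

/* The sequence from the commit message, with a chosen Reserved1 byte:
 * the first write carries all sets plus the OS descriptor and is accepted
 * or rejected as a whole; if rejected, the second write arrives without
 * ss_descriptors. Returns what a SuperSpeed host ends up being served
 * (a speed, or a negative errno), never a crash. */
int run_scenario(uint8_t reserved1)
{
    uint8_t os_desc[sizeof(struct ext_compat_desc)] = { 0 };

    os_desc[1] = reserved1;
    memcpy(&os_desc[2], "MTP\0\0\0\0\0", 8);   /* CompatibleID "MTP" */
    if (validate_ext_compat(os_desc, sizeof os_desc, 1) == 0)
        return select_from_sets(SAMPLE_FS, SAMPLE_HS, SAMPLE_SS, SPEED_SUPER);
    return select_from_sets(SAMPLE_FS, SAMPLE_HS, NULL, SPEED_SUPER);
}
```

With Reserved1 set to the spec value the first write is accepted and the SuperSpeed set is served; with any other value the parser rejects it, the second write leaves `ss` NULL, and the selector serves the high-speed set instead. Whether the parser is strict or lenient about Reserved1 is a separate question from whether a missing set may crash the kernel, which is the point of the reply above.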