On 04/22/2016 12:43 PM, Jim Lin wrote:
> Android N adds os_desc_compat in v2_descriptor by init_functionfs()
> (system/core/adb/usb_linux_client.cpp) to support automatic install
> of the MTP driver on Windows for USB device mode.
>
> The current __ffs_data_do_os_desc() of f_fs.c checks the reserved1 field
> and returns -EINVAL.
> This results in a second adb_write from usb_linux_client.cpp
> (system/core/adb/) which doesn't have ss_descriptors filled.
> Then later a kernel panic (composite.c) occurs when ss_descriptors,
> which is a NULL pointer, is accessed.
>
> The fix is to ignore the check on the reserved1 field so that the first
> adb_write succeeds with a v2_descriptor which has
> ss_descriptors filled.

That sounds like the wrong approach. The kernel should not crash if
ss_descriptors is not filled. I think the right fix is to make sure that
the NULL pointer deref can never happen regardless of which input is
supplied by userspace.

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
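To illustrate the defensive approach the reply argues for, here is an added example (not code from composite.c, f_fs.c or this thread) of a simplified, hypothetical descriptor-table selector: it degrades to the fastest table userspace actually supplied and reports an error instead of dereferencing a NULL ss_descriptors. The struct, enum and function names, and the sample tables, are all constructed for this example.

```c
#include <stddef.h>
#include <errno.h>

/* Hypothetical model: one gadget function's descriptor tables per USB
 * speed, as a FunctionFS client might supply them. Any table may be
 * NULL if the client omitted it (e.g. a write without SS descriptors). */
enum usb_speed { SPEED_FULL, SPEED_HIGH, SPEED_SUPER };

struct usb_desc_hdr { unsigned char bLength; unsigned char bDescriptorType; };

struct usb_func {
    struct usb_desc_hdr **fs_descriptors;   /* NULL-terminated, or NULL */
    struct usb_desc_hdr **hs_descriptors;
    struct usb_desc_hdr **ss_descriptors;
};

/* Pick the table for the negotiated speed, falling back to the fastest
 * table the client actually provided. Returns NULL only when no table
 * exists at all; callers must treat that as an error, never dereference. */
struct usb_desc_hdr **function_descriptors_safe(const struct usb_func *f,
                                                enum usb_speed speed)
{
    struct usb_desc_hdr **descs = NULL;

    if (speed >= SPEED_SUPER)
        descs = f->ss_descriptors;
    if (!descs && speed >= SPEED_HIGH)
        descs = f->hs_descriptors;
    if (!descs)
        descs = f->fs_descriptors;
    return descs;
}

/* Total bytes of the selected table; -EINVAL instead of a crash when
 * userspace never filled in any table usable at this speed. */
int descriptors_length(const struct usb_func *f, enum usb_speed speed)
{
    struct usb_desc_hdr **d = function_descriptors_safe(f, speed);
    int len = 0;

    if (!d)
        return -EINVAL;
    for (; *d; d++)
        len += (*d)->bLength;
    return len;
}

/* Constructed sample: interface (9 bytes) + endpoint (7 bytes) descriptors
 * for FS/HS only, modelling a write that omitted ss_descriptors. */
static struct usb_desc_hdr intf_desc = { 9, 0x04 };
static struct usb_desc_hdr ep_desc = { 7, 0x05 };
static struct usb_desc_hdr *fs_table[] = { &intf_desc, &ep_desc, NULL };
struct usb_func sample_no_ss = { fs_table, fs_table, NULL };
struct usb_func sample_empty = { NULL, NULL, NULL };
```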