NetBSD Problem Report #52383

From khorben@defora.org  Sun Jul  9 14:12:05 2017
Return-Path: <khorben@defora.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 96BE67A20E
	for <gnats-bugs@gnats.NetBSD.org>; Sun,  9 Jul 2017 14:12:05 +0000 (UTC)
Message-Id: <20170709141201.84A691097E@tungsten.defora.rom>
Date: Sun,  9 Jul 2017 16:12:01 +0200 (CEST)
From: Pierre Pronchery <khorben@defora.org>
Reply-To:
To: gnats-bugs@NetBSD.org
Subject: NetBSD 7 crashes with and urndis(4) devices since newer USB stack
X-Send-Pr-Version: 3.95

>Number:         52383
>Category:       kern
>Synopsis:       Crash when connecting specific USB devices
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    skrll
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jul 09 14:15:00 +0000 2017
>Closed-Date:    Wed Jan 03 21:45:14 +0000 2018
>Last-Modified:  Wed Jan 03 21:45:14 +0000 2018
>Originator:     Pierre Pronchery <khorben@defora.org>
>Release:        NetBSD 7.1_STABLE
>Organization:
>Environment:
System: NetBSD Amnesiac 7.1_STABLE NetBSD 7.1_STABLE (GENERIC) amd64
Architecture: x86_64
Machine: amd64
>Description:
Connecting my Jolla Jolla (1st generation) phone after boot-time results
in the following crash: (transcribed manually)

urndis0: usb errors on rx: IOERROR
urndis0: at uhub1 port 3 (addr 3) disconnected
uvm_fault(0xffffffff8106f240, 0x0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff8087c932 cs 8 rflags 10246 cr2 36 ilevel 0 rsp fffffe8116c25c48
curlwp 0xfffffe8116a8c1c0 pid 0.65 lowest kstack 0xfffffe8116c232c0
kernel: page fault trap, code=0
Stopped in pid 0.65 (system) at netbsd:vmem_alloc+0x3f: movq   0(%rax),%rdi
db{1}> bt
vmem_alloc() at netbsd:vmem_alloc+0x3f
uvm_km_kmem_alloc() at netbsd:uvm_km_kmem_alloc+0x46
kmem_intr_alloc() at netbsd:kmem_intr_alloc+0x6d
usbd_set_config_index() at netbsd:usbd_set_config_index+0x27f
usbd_probe_and_attack() at netbsd:usbd_probe_and_attack+0xaa
usbd_new_device() at netbsd:usbd_new_device+0x417
uhub_explore() at netbsd:uhub_explore+0x2c1
uhub_explore() at netbsd:uhub_explore+0x9d
usb_discover.isra.0() at netbsd:usb_discover.isra.0+0x3e
usb_event_thread() at netbsd:usb_event_thread+0x74
db{1}> 

I did not observe this with the former USB stack (e.g. before the
nick-nhusb merge).

I believe this happens independently of whether the BIOS is set to force
visibility of the controller to the OS in USB 2.0 or 3.0 mode.
>How-To-Repeat:
Connect an urndis(4) device past boot time. Repeat a couple of times if
there is no instant crash. This may otherwise be related to the multiple
"USB personalities" of the device (e.g. switching the USB mode after
connecting, as on most smartphones).
>Fix:
Currently unknown.

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->skrll
Responsible-Changed-By: skrll@NetBSD.org
Responsible-Changed-When: Sun, 09 Jul 2017 15:05:49 +0000
Responsible-Changed-Why:
Take


From: Soren Jacobsen <snj@blef.org>
To: gnats-bugs@NetBSD.org
Cc: khorben@defora.org
Subject: Re: kern/52383: NetBSD 7 crashes with and urndis(4) devices since
 newer USB stack
Date: Thu, 24 Aug 2017 22:01:28 -0700

 Do you see this on netbsd-8 too?

State-Changed-From-To: open->feedback
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 27 Sep 2017 08:01:45 +0000
State-Changed-Why:
Feedback requested


From: Pierre Pronchery <khorben@defora.org>
To: Soren Jacobsen <snj@NetBSD.org>, gnats-bugs@NetBSD.org,
 Nick Hudson <skrll@NetBSD.org>
Cc: 
Subject: Re: kern/52383: NetBSD 7 crashes with and urndis(4) devices since
 newer USB stack
Date: Sat, 4 Nov 2017 17:42:51 +0100

 			Hi Soren, Nick,

 On 25/08/2017 07:05, Soren Jacobsen wrote:
 > The following reply was made to PR kern/52383; it has been noted by GNATS.
 > 
 > From: Soren Jacobsen <snj@blef.org>
 > To: gnats-bugs@NetBSD.org
 > Cc: khorben@defora.org
 > Subject: Re: kern/52383: NetBSD 7 crashes with and urndis(4) devices since
 >  newer USB stack
 > Date: Thu, 24 Aug 2017 22:01:28 -0700
 > 
 >  Do you see this on netbsd-8 too?

 I just got the chance to test it, and unfortunately yes :(

 (Last commit message: 310, 311, 317, 322, 323, 325, 327-329)

 Here is the backtrace I obtained, on NetBSD/amd64 again:
 (typed here by hand)

 > panic: kernel diagnostic assertion "requested_size > 0" failed: file "[...]/src/sys/kern/subr_kmem.c", line 261
 > fatal breakpoint trap in supervisor mode
 > trap type 1 code 0 rip 0xffffffff80224a05 cs 0x0 rflags 0x246 cr2 0x4f8b10 ilevel 0 rsp 0xfffffe81167e5b30
 > curlwp 0xfffffe81167171c0 pid 0.76 lowest kstack 0xfffffe81167e22c0
 > Stopped in pid 0.76 (system) at netbsd:breakpoint+0x5:  leave
 > db{0}> bt
 > breakpoint() at netbsd:breakpoint+0x5
 > vpanic() at netbsd:vpanic+0x140
 > cb_voltag_convert_in() at netbsd:ch_voltag_convert_in
 > kmem_intr_alloc() at netbsd:kmem_intr_alloc+0x161
 > kmem_alloc() at netbsd:kmem_alloc+0x4a
 > usbd_set_config_index.part.7() at netbsd:usbd_set_config_index.part.7+0x225
 > usbd_probe_and_attach() at netbsd:usbd_probe_and_attach+0xa7
 > xhci_new_device() at netbsd:xhci_new_device+0x671
 > usbd_new_device() at netbsd:usbd_new_device+0x3e
 > uhub_explore() at netbsd:uhub_explore+0x2f4
 > usb_discover.isra.2() at netbsd:usb_discover.isra.2+0x4e
 > usb_event_thread() at netbsd:usb_event_thread+0x7c

 HTH,
 -- 
 khorben

State-Changed-From-To: feedback->open
State-Changed-By: khorben@NetBSD.org
State-Changed-When: Sat, 04 Nov 2017 16:47:15 +0000
State-Changed-Why:
Feedback given.


From: Nick Hudson <nick.hudson@gmx.co.uk>
To: gnats-bugs@NetBSD.org, netbsd-bugs@netbsd.org, gnats-admin@netbsd.org,
 khorben@NetBSD.org, Pierre Pronchery <khorben@defora.org>
Cc: 
Subject: Re: kern/52383 (Crash when connecting specific USB devices)
Date: Wed, 22 Nov 2017 13:07:37 +0000

   > panic: kernel diagnostic assertion "requested_size > 0" failed: file "[...]/src/sys/kern/subr_kmem.c", line 261

 Should be handled better by the diff


 Why this is happening is a different subject. Can you get usbdebug/*hcidebug for the HCD the device is attached to please?

 Thanks,
 Nick


 [Attachment: usbd_subr.c.diff (base64-encoded, omitted here)]

State-Changed-From-To: open->feedback
State-Changed-By: skrll@NetBSD.org
State-Changed-When: Wed, 22 Nov 2017 19:13:08 +0000
State-Changed-Why:
Feedback requested


From: Pierre Pronchery <khorben@defora.org>
To: Nick Hudson <nick.hudson@gmx.co.uk>, gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/52383 (Crash when connecting specific USB devices)
Date: Fri, 8 Dec 2017 14:41:30 +0100

 Hi Nick,

 On 22/11/2017 14:07, Nick Hudson wrote:
 > > panic: kernel diagnostic assertion "requested_size > 0" failed: file
 > "[...]/src/sys/kern/subr_kmem.c", line 261
 >
 > Should be handled better by the diff

 I found the real problem: until a specific USB configuration is chosen
 by the user, the device provides no interface
 (usb_config_descriptor_t.bNumInterfaces). The crash happens therefore a
 few lines after your change, here:

 >  725         /* Allocate and fill interface data. */
 >  726         nifc = cdp->bNumInterface;
 >  727         dev->ud_ifaces = kmem_alloc(nifc * sizeof(struct usbd_interface),
 >  728             KM_SLEEP);

 In any case, it looks sensible to protect ourselves against malicious
 USB devices by being generally more defensive while probing.

 What do you think of the patch attached?

 Thanks for your help!
 -- 
 khorben

 [Attachment: patch-usb_subr.diff]

 Index: sys/dev/usb/usb_subr.c
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /cvsroot/src/sys/dev/usb/usb_subr.c,v
 retrieving revision 1.221
 diff -p -u -r1.221 usb_subr.c
 --- sys/dev/usb/usb_subr.c	28 Oct 2017 00:37:12 -0000	1.221
 +++ sys/dev/usb/usb_subr.c	8 Dec 2017 13:38:43 -0000
 @@ -609,6 +609,10 @@ usbd_set_config_index(struct usbd_device
  		return err;
  	}
  	len =3D UGETW(cd.wTotalLength);
 +	if (len =3D=3D 0) {
 +		DPRINTF("empty short descriptor", 0, 0, 0, 0);
 +		return USBD_INVAL;
 +	}
  	cdp =3D kmem_alloc(len, KM_SLEEP);
 =20
  	/* Get the full descriptor.  Try a few times for slow devices. */
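 Review bot: the `len == 0` test only excludes the one value that trips the `kmem_alloc()` assertion; any other `wTotalLength` below the 9-byte configuration descriptor header would still be accepted as the allocation size for the "get the full descriptor" read that follows, so a lower bound of the header size would be a tighter check at this point. The debug message "empty short descriptor" also reads oddly for a zero `wTotalLength`; "zero-length config descriptor" would be clearer in usbdebug output. Returning `USBD_INVAL` directly is fine here since `cdp` has not been allocated yet, unlike the later hunks, which use `goto bad`.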
 @@ -635,6 +639,11 @@ usbd_set_config_index(struct usbd_device
  		err =3D usbd_get_bos_desc(dev, index, &bd);
  		if (!err) {
  			int blen =3D UGETW(bd.wTotalLength);
 +			if (blen =3D=3D 0) {
 +				DPRINTF("empty bos descriptor", 0, 0, 0, 0);
 +				err =3D USBD_INVAL;
 +				goto bad;
 +			}
  			bdp =3D kmem_alloc(blen, KM_SLEEP);
 =20
  			/* Get the full desc */
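 Review bot: a zero `blen` from an otherwise successful `usbd_get_bos_desc()` now fails the whole configuration via `goto bad`, yet the surrounding `if (!err)` branch already tolerates a device without a BOS descriptor; treating a zero length as "no BOS descriptor" and skipping the block would keep such a device usable instead of refusing it, and costs nothing in safety because the allocation is never reached either way. If the hard failure is intended, confirm that the `bad:` label (not visible in the hunk) releases `cdp`, which was allocated before this point.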
 @@ -724,6 +733,11 @@ usbd_set_config_index(struct usbd_device
 =20
  	/* Allocate and fill interface data. */
  	nifc =3D cdp->bNumInterface;
 +	if (nifc =3D=3D 0) {
 +		DPRINTF("no interfaces", 0, 0, 0, 0);
 +		err =3D USBD_INVAL;
 +		goto bad;
 +	}
  	dev->ud_ifaces =3D kmem_alloc(nifc * sizeof(struct usbd_interface),
  	    KM_SLEEP);
  	DPRINTFN(5, "dev=3D%#jx cdesc=3D%#jx", (uintptr_t)dev, (uintptr_t)cdp,
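 Review bot: the `nifc == 0` check turns the reported `kmem_alloc(0)` panic into a plain `USBD_INVAL`, which is the right outcome, but the message gives no hint which configuration was rejected; `index` is in scope here (it is passed to `usbd_get_bos_desc()` above), so something like `DPRINTF("no interfaces in config index %jd", index, 0, 0, 0);` would make the "no interface until a USB mode is chosen" case the reporter describes recognisable in usbdebug output. A one-line comment next to the check saying that such devices are legitimately expected and simply stay unconfigured would also save the next reader from treating it as a device bug.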

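As an added example (not code from the PR, from Nick's or Pierre's patch, or from NetBSD), the following user-space validator checks the 9-byte configuration descriptor header the same way the discussion above says the probe path must, rejecting a zero `wTotalLength` and a zero `bNumInterface` before either is used to size an allocation; the names `cfg_status`, `parse_config_header`, `classify` and `USB_CONFIG_HEADER_LEN` and the four constructed descriptors are my own.

```c
/* Added example, not NetBSD or PR code: validate the 9-byte header of a USB
 * configuration descriptor before sizing any allocation from it.  The names
 * cfg_status, parse_config_header and USB_CONFIG_HEADER_LEN are assumed. */
#include <stddef.h>
#include <stdint.h>

#define USB_DT_CONFIG         2   /* bDescriptorType of a config descriptor */
#define USB_CONFIG_HEADER_LEN 9   /* bLength of the fixed header */

enum cfg_status {
    CFG_OK = 0,
    CFG_TRUNCATED,      /* fewer than 9 bytes were read from the device */
    CFG_BAD_HEADER,     /* bLength or bDescriptorType is wrong */
    CFG_ZERO_TOTAL,     /* wTotalLength == 0: the kmem_alloc(0) assertion */
    CFG_SHORT_TOTAL,    /* wTotalLength smaller than the header itself */
    CFG_NO_INTERFACES   /* bNumInterface == 0: the zero-sized ud_ifaces case */
};

struct cfg_header { uint16_t total_len; uint8_t num_ifaces, config_value; };

/* Equivalent of UGETW(): multi-byte USB fields are little-endian. */
static uint16_t getw(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Header layout: bLength, bDescriptorType, wTotalLength, bNumInterface,
 * bConfigurationValue, iConfiguration, bmAttributes, bMaxPower. */
enum cfg_status parse_config_header(const uint8_t *buf, size_t n, struct cfg_header *out)
{
    if (n < USB_CONFIG_HEADER_LEN) return CFG_TRUNCATED;
    if (buf[0] != USB_CONFIG_HEADER_LEN || buf[1] != USB_DT_CONFIG) return CFG_BAD_HEADER;
    uint16_t total = getw(buf + 2);
    if (total == 0) return CFG_ZERO_TOTAL;              /* would panic in kmem_alloc */
    if (total < USB_CONFIG_HEADER_LEN) return CFG_SHORT_TOTAL;
    if (buf[4] == 0) return CFG_NO_INTERFACES;          /* nothing to size ud_ifaces by */
    out->total_len = total; out->num_ifaces = buf[4]; out->config_value = buf[5];
    return CFG_OK;
}

/* Constructed descriptors, not captured from a real device. */
static const uint8_t cfg_ok[]      = { 9, 2, 0x20, 0, 1, 1, 0, 0x80, 50 }; /* 32 bytes, 1 iface */
static const uint8_t cfg_zero[]    = { 9, 2, 0x00, 0, 1, 1, 0, 0x80, 50 }; /* wTotalLength 0 */
static const uint8_t cfg_noiface[] = { 9, 2, 0x09, 0, 0, 1, 0, 0x80, 50 }; /* phone before mode select */
static const uint8_t cfg_short[]   = { 9, 2, 0x05, 0, 1, 1, 0, 0x80, 50 }; /* claims 5 bytes total */

/* Convenience wrapper: classify a descriptor without keeping the parsed header. */
enum cfg_status classify(const uint8_t *buf, size_t n)
{
    struct cfg_header h;
    return parse_config_header(buf, n, &h);
}
```

With these checks in front of the allocation, both crash signatures in this PR (the `requested_size > 0` assertion and the zero-interface allocation) become an ordinary refusal to configure the device.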

State-Changed-From-To: feedback->open
State-Changed-By: khorben@NetBSD.org
State-Changed-When: Fri, 08 Dec 2017 13:52:48 +0000
State-Changed-Why:
Feedback given.


From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, skrll@NetBSD.org, gnats-admin@netbsd.org, 
	netbsd-bugs@netbsd.org, Pierre Pronchery <khorben@defora.org>
Cc: 
Subject: Re: kern/52383 (Crash when connecting specific USB devices)
Date: Fri, 8 Dec 2017 09:32:26 -0500

 On Dec 8,  1:45pm, khorben@defora.org (Pierre Pronchery) wrote:
 -- Subject: Re: kern/52383 (Crash when connecting specific USB devices)


 LGTM!

 christos

From: "Pierre Pronchery" <khorben@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52383 CVS commit: src/sys/dev/usb
Date: Fri, 8 Dec 2017 14:46:18 +0000

 Module Name:	src
 Committed By:	khorben
 Date:		Fri Dec  8 14:46:18 UTC 2017

 Modified Files:
 	src/sys/dev/usb: usb_subr.c

 Log Message:
 Be more defensive towards malicious USB devices

 This avoids potential panics due to 0-sized memory allocation attempts,
 which could be triggered by malicious USB devices.

 Tested on NetBSD/amd64 with a Sony Xperia X (SailfishOS).

 Based on an initial patch by Nick Hudson <skrll@NetBSD.org>, thanks!

 Fixes PR kern/52383.

 XXX pull-up to netbsd-7, netbsd-8

 LGTM xtos@


 To generate a diff of this commit:
 cvs rdiff -u -r1.221 -r1.222 src/sys/dev/usb/usb_subr.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->pending-pullups
State-Changed-By: khorben@NetBSD.org
State-Changed-When: Fri, 08 Dec 2017 14:51:24 +0000
State-Changed-Why:
Fix committed in -current and relevant for both netbsd-7 and netbsd-8 branches.


From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52383 CVS commit: [netbsd-8] src/sys/dev/usb
Date: Thu, 21 Dec 2017 21:32:10 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Thu Dec 21 21:32:10 UTC 2017

 Modified Files:
 	src/sys/dev/usb [netbsd-8]: usb_subr.c

 Log Message:
 Pull up following revision(s) (requested by khorben in ticket #447):
 	sys/dev/usb/usb_subr.c: revision 1.222
 Be more defensive towards malicious USB devices
 This avoids potential panics due to 0-sized memory allocation attempts,
 which could be triggered by malicious USB devices.
 Tested on NetBSD/amd64 with a Sony Xperia X (SailfishOS).
 Based on an initial patch by Nick Hudson <skrll@NetBSD.org>, thanks!
 Fixes PR kern/52383.


 To generate a diff of this commit:
 cvs rdiff -u -r1.220.2.1 -r1.220.2.2 src/sys/dev/usb/usb_subr.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52383 CVS commit: [netbsd-7] src/sys/dev/usb
Date: Wed, 3 Jan 2018 21:18:03 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Wed Jan  3 21:18:03 UTC 2018

 Modified Files:
 	src/sys/dev/usb [netbsd-7]: usb_subr.c

 Log Message:
 Pull up following revision(s) (requested by khorben in ticket #1541):
 	sys/dev/usb/usb_subr.c: revision 1.222
 Be more defensive towards malicious USB devices
 This avoids potential panics due to 0-sized memory allocation attempts,
 which could be triggered by malicious USB devices.
 Tested on NetBSD/amd64 with a Sony Xperia X (SailfishOS).
 Based on an initial patch by Nick Hudson <skrll@NetBSD.org>, thanks!
 Fixes PR kern/52383.


 To generate a diff of this commit:
 cvs rdiff -u -r1.196.4.3 -r1.196.4.4 src/sys/dev/usb/usb_subr.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: khorben@NetBSD.org
State-Changed-When: Wed, 03 Jan 2018 21:45:14 +0000
State-Changed-Why:
Pulled-up to the netbsd-8 and netbsd-7 branches.


>Unformatted:
