NetBSD Problem Report #56145

From www@netbsd.org  Tue May  4 21:00:54 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id AF7401A9241
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  4 May 2021 21:00:54 +0000 (UTC)
Message-Id: <20210504210053.3404C1A9244@mollari.NetBSD.org>
Date: Tue,  4 May 2021 21:00:53 +0000 (UTC)
From: rspmn@arcor.de
Reply-To: rspmn@arcor.de
To: gnats-bugs@NetBSD.org
Subject: umb(4): fix kernel panics and make IP traffic actually work
X-Send-Pr-Version: www-1.0

>Number:         56145
>Category:       kern
>Synopsis:       umb(4): fix kernel panics and make IP traffic actually work
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue May 04 21:05:00 +0000 2021
>Last-Modified:  Fri Aug 09 22:05:01 +0000 2024
>Originator:     Reinhard Speyerer
>Release:        NetBSD-9.1
>Organization:
>Environment:
NetBSD netbsd 9.1 NetBSD 9.1 (GENERIC) #0: Sun Oct 18 19:24:30 UTC 2020  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/i386/compile/GENERIC i386
>Description:
[This PR supersedes kern/55956 which can be closed.]

umb(4) has several problems which either cause kernel panics, failed
kernel assertions or prevent IP traffic from working properly:

1. Improper initialization of sc in umb_detach() causes a kernel panic
   on device disconnect. This has been fixed in if_umb.c version 1.19
   on the MAIN branch but is still present on the netbsd-9 branch.

2. Connecting a device which has a MBIM interface and serial ports
   supported by another kernel driver like u3g(4) causes a failed
   kernel assertion in usbd_get_interface_descriptor() because
   umb_attach() passes a NULL pointer.

3. The reception of an IP packet from the device causes a kernel
   panic in umb_decap() due to a missing ifp->if_percpuq assignment
   in umb_attach().

4. Buffer allocation in umb_alloc_xfers() does not take MBIM headers
   into account.

5. IP packets are not sent to the device since umb(4) interfaces have
   the <DETACHED> flag set. Since umb(4) does not currently support
   IPv6, it should also be marked as EAFNOSUPPORT in umb_ioctl().

6. The MBIM implementation on the device ignores the IP packet sent
   to it due to a missing initialization of hdr->wNdpIndex in
   umb_encap().
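
The following is an added example, not code from this PR or from the umb(4)
driver. It builds and parses a 16-bit MBIM/NCM transfer block (NTB) with the
layout the fix for item 6 implies (NTH16 header, then the NDP16 pointer block
at wNdpIndex == sizeof(*hdr), then the datagram), using the USB NCM 1.0 field
offsets. The sample IPv4 header is constructed for the example. It shows why a
device can only locate the datagram through wNdpIndex: an NTB whose wNdpIndex
was never written (modelled here as 0) fails the checks a device applies and is
silently dropped even though the IP packet is in the buffer.

```c
/*
 * Added example, not part of if_umb.c: minimal MBIM/NCM NTB16 encapsulation
 * and strict decapsulation. Assumed layout (all fields little-endian):
 *   NTH16 (12 bytes) | NDP16 (8 + 2*4 bytes: one entry + terminator) | datagram
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NCM_NTH16_SIG        0x484D434EUL                               /* "NCMH" */
#define MBIM_NDP16_SIG(sid)  (0x00535049UL | ((uint32_t)(sid) << 24))  /* "IPS" + session id */
#define NTH16_LEN 12
#define NDP16_LEN 16   /* 8-byte NDP header + one datagram entry + zero terminator */

static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Constructed sample datagram: a bare IPv4 header, 10.0.0.1 -> 8.8.8.8, no payload. */
static const uint8_t sample_ip[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 8, 8, 8, 8
};

/* Wrap one datagram into an NTB16. Returns the NTB length, 0 if it does not fit. */
size_t mbim_encap16(const uint8_t *dgram, size_t dlen, uint16_t seq, uint8_t sid,
                    uint8_t *ntb, size_t cap)
{
    size_t dgram_off = NTH16_LEN + NDP16_LEN;
    size_t total = dgram_off + dlen;
    uint8_t *ndp = ntb + NTH16_LEN;

    if (total > 0xffff || total > cap)
        return 0;
    memset(ntb, 0, total);                  /* no field is left uninitialised */

    put32(ntb + 0, NCM_NTH16_SIG);          /* dwSignature */
    put16(ntb + 4, NTH16_LEN);              /* wHeaderLength */
    put16(ntb + 6, seq);                    /* wSequence */
    put16(ntb + 8, (uint16_t)total);        /* wBlockLength */
    put16(ntb + 10, NTH16_LEN);             /* wNdpIndex: NDP directly follows the header */

    put32(ndp + 0, MBIM_NDP16_SIG(sid));    /* dwSignature: "IPS" + session */
    put16(ndp + 4, NDP16_LEN);              /* wLength */
    put16(ndp + 6, 0);                      /* wNextNdpIndex: this is the only NDP */
    put16(ndp + 8, (uint16_t)dgram_off);    /* wDatagramIndex[0] */
    put16(ndp + 10, (uint16_t)dlen);        /* wDatagramLength[0]; entry [1] stays 0 = terminator */

    memcpy(ntb + dgram_off, dgram, dlen);
    return total;
}

/* Parse an NTB16 the way a strict device does. 0 on success, -1 if the NTB is rejected. */
int mbim_decap16(const uint8_t *ntb, size_t len, const uint8_t **dgram, size_t *dlen)
{
    uint16_t blen, ndpidx, nlen, didx, dl;
    const uint8_t *ndp;

    if (len < NTH16_LEN || get32(ntb) != NCM_NTH16_SIG || get16(ntb + 4) != NTH16_LEN)
        return -1;
    blen = get16(ntb + 8);
    if (blen > len)
        return -1;
    ndpidx = get16(ntb + 10);
    /* NCM 1.0: wNdpIndex must be >= 0x0C and a multiple of 4. 0 means "never written". */
    if (ndpidx < NTH16_LEN || (ndpidx & 3) || (size_t)ndpidx + 8 > blen)
        return -1;
    ndp = ntb + ndpidx;
    if ((get32(ndp) & 0x00ffffffUL) != 0x00535049UL)   /* "IPS", any session id */
        return -1;
    nlen = get16(ndp + 4);
    if (nlen < NDP16_LEN || (size_t)ndpidx + nlen > blen)
        return -1;
    didx = get16(ndp + 8);
    dl = get16(ndp + 10);
    if (didx == 0 || dl == 0 || (size_t)didx + dl > blen)
        return -1;
    *dgram = ntb + didx;
    *dlen = dl;
    return 0;
}

/* Encapsulate the sample and get it back unchanged: 1 on success. */
int mbim_roundtrip_ok(void)
{
    uint8_t ntb[128];
    const uint8_t *d;
    size_t dl;
    size_t n = mbim_encap16(sample_ip, sizeof sample_ip, 1, 0, ntb, sizeof ntb);

    if (n != NTH16_LEN + NDP16_LEN + sizeof sample_ip)
        return 0;
    if (mbim_decap16(ntb, n, &d, &dl) != 0)
        return 0;
    return dl == sizeof sample_ip && memcmp(d, sample_ip, dl) == 0;
}

/* Same NTB with wNdpIndex left at 0 (the pre-fix umb_encap() header): 1 if rejected. */
int mbim_unset_ndpindex_rejected(void)
{
    uint8_t ntb[128];
    const uint8_t *d;
    size_t dl;
    size_t n = mbim_encap16(sample_ip, sizeof sample_ip, 1, 0, ntb, sizeof ntb);

    put16(ntb + 10, 0);
    return n != 0 && mbim_decap16(ntb, n, &d, &dl) != 0;
}

int main(void)
{
    printf("round trip: %s\n", mbim_roundtrip_ok() ? "ok" : "FAILED");
    printf("NTB with wNdpIndex unset rejected: %s\n",
           mbim_unset_ndpindex_rejected() ? "yes" : "no");
    return 0;
}
```

The decapsulation deliberately refuses any wNdpIndex below 0x0C, which is what
turns a header with an unwritten pointer field into a dropped packet on the
device side rather than a visible error on the host.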
>How-To-Repeat:
Build a kernel with support for umb(4), connect a USB device with a MBIM
interface, set parameters with umbctl(8), perform an ifconfig umb0 up,
wait until umbctl(8)/ifconfig(8) output indicates that there is
an active data connection and then try to pass IP traffic over umb0.

>Fix:
--- if_umb.c.orig	2019-12-17 17:12:53.000000000 +0100
+++ if_umb.c	2021-05-03 22:31:14.332847796 +0200
@@ -396,5 +396,8 @@ umb_attach(device_t parent, device_t sel
 	for (i = 0; i < uiaa->uiaa_nifaces; i++) {
-		id = usbd_get_interface_descriptor(uiaa->uiaa_ifaces[i]);
-		if (id != NULL && id->bInterfaceNumber == data_ifaceno) {
-			sc->sc_data_iface = uiaa->uiaa_ifaces[i];
+		if (uiaa->uiaa_ifaces[i] != NULL) {
+			id = usbd_get_interface_descriptor(uiaa->uiaa_ifaces[i]);
+			if (id != NULL && id->bInterfaceNumber == data_ifaceno) {
+				sc->sc_data_iface = uiaa->uiaa_ifaces[i];
+				uiaa->uiaa_ifaces[i] = NULL;
+			}
 		}
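Review bot: add a `break` after the data interface is claimed (`uiaa->uiaa_ifaces[i] = NULL;`): data_ifaceno matches at most one interface, and continuing the loop only calls usbd_get_interface_descriptor() on interfaces this driver will not use. The NULL test itself is the right fix for the assertion in item 2, since a slot already taken by u3g(4) or another driver arrives as NULL; a one-line comment saying that is why the slot is checked would help the next reader.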
@@ -540,2 +543,3 @@ umb_attach(device_t parent, device_t sel
 	}
+	ifp->if_percpuq = if_percpuq_create(ifp);
 	if_register(ifp);
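Review bot: if_percpuq_create() belongs exactly here, between if_initialize() and if_register(), but nothing in the patch shows the receive side; say in the commit message that umb_decap() enqueues through ifp->if_percpuq, which is why a NULL queue panicked on the first received packet (item 3), and check that any attach failure after this line goes through if_detach() so the queue is released rather than leaked.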
@@ -658,3 +662,3 @@ umb_alloc_xfers(struct umb_softc *sc)
 		err |= usbd_create_xfer(sc->sc_rx_pipe,
-		    sc->sc_rx_bufsz,
+		    sc->sc_rx_bufsz + MBIM_HDR32_LEN,
 		    0, 0, &sc->sc_rx_xfer);
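Review bot: enlarging the RX transfer by MBIM_HDR32_LEN only helps if the length handed to usbd_setup_xfer() for sc_rx_pipe grows by the same amount; that call is not in the patch, so confirm it is updated too, otherwise the extra bytes are allocated but never used. If sc_rx_bufsz is the maximum NTB size negotiated with the device, that size already includes the device's headers and a buffer of exactly sc_rx_bufsz is sufficient; a comment stating which case applies would justify the change.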
@@ -663,3 +667,3 @@ umb_alloc_xfers(struct umb_softc *sc)
 		err |= usbd_create_xfer(sc->sc_tx_pipe,
-		    sc->sc_tx_bufsz,
+		    sc->sc_tx_bufsz + MBIM_HDR16_LEN,
 		    0, 0, &sc->sc_tx_xfer);
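Review bot: MBIM_HDR16_LEN covers the NTH16 header only, yet umb_encap() also needs room for the NDP16 pointer block it places directly after the header (the last hunk sets wNdpIndex to sizeof(*hdr)); unless sc_tx_bufsz already accounts for that block, widen this allocation by the NDP size as well. A one-line comment on why TX uses the 16-bit and RX the 32-bit header length would also help.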
@@ -746,2 +750,3 @@ umb_ioctl(struct ifnet *ifp, u_long cmd,
 	struct umb_softc *sc = ifp->if_softc;
+	struct in_ifaddr *ia;
 	struct ifaddr *ifa = (struct ifaddr *)data;
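Review bot: struct in_ifaddr, ifatoia() and IN_IFF_DETACHED come from <netinet/in_var.h>; the patch has no include hunk, so confirm if_umb.c already pulls that header in, or add it. If the AF_INET case below is compiled conditionally on INET, the new variable needs the same guard to avoid an unused-variable warning.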
@@ -762,2 +767,4 @@ umb_ioctl(struct ifnet *ifp, u_long cmd,
 		case AF_INET:
+			ia = ifatoia(ifa);
+			ia->ia4_flags &= ~IN_IFF_DETACHED;
 			break;
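Review bot: clearing IN_IFF_DETACHED by hand in the ioctl path bypasses the stack's own handling: netinet marks an interface's addresses detached while the interface reports link down and clears the flag on the link-up transition, so the likelier root cause is that umb(4) never reports its link state. Calling if_link_state_change(ifp, LINK_STATE_UP) once the data connection is active (and LINK_STATE_DOWN when it drops) would address this without the driver touching ia4_flags; it would also cover the inet6 address, which the audit trail below shows is marked <DETACHED> as well.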
@@ -766,2 +773,3 @@ umb_ioctl(struct ifnet *ifp, u_long cmd,
 		case AF_INET6:
+			error = EAFNOSUPPORT;
 			break;
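Review bot: returning EAFNOSUPPORT here only rejects explicit inet6 address configuration through SIOCINITIFADDR; the automatic link-local assignment when the interface comes up does not take this path (the ifconfig output in the audit trail still shows an fe80:: address on umb0). If the intent is no IPv6 at all, decide whether umb0 should advertise IFF_MULTICAST at all, since that is what lets the kernel auto-configure a link-local address, and add a comment stating the intent either way.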
@@ -1850,2 +1858,3 @@ umb_encap(struct umb_softc *sc, struct m
 	sc->sc_tx_seq++;
+	USETW(hdr->wNdpIndex, sizeof (*hdr));

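Review bot: sizeof(*hdr), 12 bytes for an NTH16, is correct only if umb_encap() really places the NDP16 immediately after the header; the hunk does not show the NDP being written, so verify the two offsets agree. The value also satisfies the NCM requirement that wNdpIndex be at least 0x0C and a multiple of 4; worth a comment, as this is the field whose absence made the device drop every NTB (item 6).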

>Audit-Trail:
From: Reinhard Speyerer <rspmn@arcor.de>
To: gnats-bugs@netbsd.org
Cc: khorben@netbsd.org
Subject: Re: kern/56145: umb(4): fix kernel panics and make IP traffic actually work
Date: Fri, 9 Aug 2024 22:41:26 +0200

 Here is an updated patch for if_umb.c 1.26 which fixes the following:

 1. Connecting a device which has a MBIM interface and serial ports
    supported by another kernel driver like u3g(4) causes a failed
    kernel assertion in usbd_get_interface_descriptor() because
    umb_attach() passes a NULL pointer.

 2. The reception of a packet from the device may cause a kernel
    panic in umb_decap() due to a missing ifp->if_percpuq assignment
    in umb_attach().

 3. The MBIM implementation on the device ignores the IP packet sent
    to it due to a missing initialization of hdr->wNdpIndex in
    umb_encap().

 --- if_umb.c.orig	2024-07-24 22:14:17.939793557 +0200
 +++ if_umb.c	2024-08-09 18:53:05.387540279 +0200
 @@ -405,9 +405,12 @@ umb_attach(device_t parent, device_t sel
  	}

  	for (i = 0; i < uiaa->uiaa_nifaces; i++) {
 -		id = usbd_get_interface_descriptor(uiaa->uiaa_ifaces[i]);
 -		if (id != NULL && id->bInterfaceNumber == data_ifaceno) {
 -			sc->sc_data_iface = uiaa->uiaa_ifaces[i];
 +		if (uiaa->uiaa_ifaces[i] != NULL) {
 +			id = usbd_get_interface_descriptor(uiaa->uiaa_ifaces[i]);
 +			if (id != NULL && id->bInterfaceNumber == data_ifaceno) {
 +				sc->sc_data_iface = uiaa->uiaa_ifaces[i];
 +				uiaa->uiaa_ifaces[i] = NULL;
 +			}
  		}
  	}
  	if (sc->sc_data_iface == NULL) {
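Review bot: same loop as in the 2021 patch, and the same suggestion applies: `break` once sc_data_iface is set. With the slot cleared on claim, the `sc->sc_data_iface == NULL` check at the end of the hunk now also catches the case where the data interface was taken by another driver before umb(4) saw it, which is the wanted behaviour; mention that in the commit message so the reason for nulling the slot is recorded.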
 @@ -544,6 +547,7 @@ umb_attach(device_t parent, device_t sel

  	/* attach the interface */
  	if_initialize(ifp);
 +	ifp->if_percpuq = if_percpuq_create(ifp);
  	if_register(ifp);
  	if_alloc_sadl(ifp);

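Review bot: this patch drops the umb_alloc_xfers() buffer-size hunks and both umb_ioctl() hunks from the 2021 version; state in the submission whether they are no longer needed in if_umb.c 1.26 or were left out deliberately, since the <DETACHED> addresses reported below are exactly what the dropped umb_ioctl() hunk worked around.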
 @@ -1854,6 +1858,7 @@ umb_encap(struct umb_softc *sc, struct m
  	USETW(hdr->wHeaderLength, sizeof(*hdr));
  	USETW(hdr->wSequence, sc->sc_tx_seq);
  	sc->sc_tx_seq++;
 +	USETW(hdr->wNdpIndex, sizeof (*hdr));

  	len = m->m_pkthdr.len;

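Review bot: the new line spells `sizeof (*hdr)` with a space while the wHeaderLength line two lines above uses `sizeof(*hdr)`; match the existing spelling in the same function. The offset itself is the same 12-byte value as in the 2021 patch and is only right if the NDP16 is written directly after the header.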

 More work may be needed to make umb(4) useful in practice as the
 umb0 addresses assigned are still marked as <DETACHED> on NetBSD 10.0:

   # umbctl umb0 pin <PIN> apn internet
   # ifconfig umb0 up
   # umbctl umb0
   umb0: state up, mode automatic, registration home network
           provider "o2 - de", dataclass GPRS, signal #99
           phone number "xxxxxxxxxxxxx", roaming "" (denied)
           APN "internet", TX 236800, RX 236800
           firmware "SWI9X15C_05.05.78.00", hardware "MC7304"
   # ifconfig umb0
   umb0: flags=0x8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1430
   ifconfig: umb0: no media types?
           inet6 fe80::208:9bff:feb4:3524%umb0/64 ->  flags 0x8<DETACHED> scopeid 0x4
           inet 10.x.y.71/28 -> 10.x.y.72 flags 0x4<DETACHED>
   # route -n add 8.8.8.8 10.x.y.72
   add host 8.8.8.8: gateway 10.x.y.72
   # ping -n -c 10 -i 1 8.8.8.8
   PING 8.8.8.8 (8.8.8.8): 56 data bytes

   ----8.8.8.8 PING Statistics----
   10 packets transmitted, 0 packets received, 100.0% packet loss

 Reinhard
