NetBSD Problem Report #59185
From imil@home.imil.net Mon Mar 17 05:29:23 2025
Return-Path: <imil@home.imil.net>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 70BF71A9239
for <gnats-bugs@gnats.NetBSD.org>; Mon, 17 Mar 2025 05:29:23 +0000 (UTC)
Message-Id: <20250317053003.7237F1CF47@nbgdb.home.imil.net>
Date: Mon, 17 Mar 2025 05:30:03 +0000 (UTC)
From: imil@home.imil.net
Reply-To: imil@home.imil.net
To: gnats-bugs@NetBSD.org
Subject: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell Latitude 7490
X-Send-Pr-Version: 3.95
>Number: 59185
>Category: kern
>Synopsis: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell Latitude 7490
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: riastradh
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Mar 17 05:30:00 +0000 2025
>Closed-Date: Sun Oct 19 22:29:50 +0000 2025
>Last-Modified: Sun Oct 19 22:29:50 +0000 2025
>Originator: Emile `iMil' Heitor
>Release: NetBSD 10.99.12
>Organization:
NetBSD
>Environment:
System: NetBSD outcast 10.99.12 NetBSD 10.99.12 (GENERIC) #15: Sun Mar 16 21:04:03 CET 2025 imil@tatooine:/home/imil/src/github.com/NetBSD-src/sys/arch/amd64/compile/obj/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
At boot, the kernel would panic with the following trace when detecting USB devices
4.1798511 usb_discover() at netbsd:usb_discover+0x4d
4.2098481 usb_event_thread() at netbsd:usb_event_thread+0x48
4.2598841 cpu1: End traceback
4.2598841 fatal breakpoint trap in supervisor mode
4.3098851 trap type 1 code 0 rip 0xffffffff8023541d cs 0x8 rflags 0x202 cr2 0 level 0 rsp 0xffffb60271aelaa0
Stopped in pid 0.193 (system) at netbsd:breakpoint+0x5: leave
vpanic() at netbsd:vpanic+0x171
kern_assert() at netbsd:kern_assert+0x4b
usbd_set_config_index() at netbsd:usbd_set_config_index+0x55c
ugenif_attach() at netbsd:ugenif_attach+0x25b
ugen_attach() at netbsd:ugen_attach+0x5c
config_attach_internal() at netbsd:config_attach_internal+0x1a7
config_found_acquire() at netbsd:config_found_acquire+0x5e
config_found() at netbsd:config_found+0x31
usbd_attachwholedevice() at netbsd:usbd_attachwholedevice+0xe6
usbd_probe_and_attach() at netbsd:usbd_probe_and_attach+0x137
xhci_new_device() at netbsd:xhci_new_device+0x618
uhub_explore() at netbsd:uhub_explore+0x448
usb_discover() at netbsd:usb_discover+0x4d
usb_event_thread() at netbsd:usb_event_thread+0x48
Pictures of the panic, show panic and show kernhist usbhist
https://imil.net/NetBSD/xhci-panic-pr1.jpg
https://imil.net/NetBSD/xhci-panic-pr2.jpg
https://imil.net/NetBSD/xhci-panic-pr3.jpg
https://imil.net/NetBSD/xhci-panic-pr4.jpg
It occurs with or without external USB device plugged in.
>How-To-Repeat:
Boot a NetBSD/amd64 10.99.12 GENERIC kernel on a Dell Latitude 7490
>Fix:
Not a fix, but if the machine must be used, either rebuild a kernel with:
KASSERTMSG(dev->ud_ifaces == NULL, "ud_ifaces=%p", dev->ud_ifaces);
Commented out in sys/dev/usb/usb_subr.c
Or boot the machine with: "userconf=disable xhci*" in /boot.cfg
>Release-Note:
>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell Latitude 7490
Date: Mon, 17 Mar 2025 06:27:10 -0000 (UTC)
imil@home.imil.net writes:
>KASSERTMSG(dev->ud_ifaces == NULL, "ud_ifaces=%p", dev->ud_ifaces);
>Commented out in sys/dev/usb/usb_subr.c
This is the fingerprint reader (vendor 0x0a5c product 0x5834).
Can you try to dump the USB descriptors? The pkgsrc usbutil
package has a usbctl command to do that.
From: Emile `iMil' Heitor <imil@home.imil.net>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
mlelstv@serpens.de
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on
Dell Latitude 7490
Date: Tue, 18 Mar 2025 21:28:53 +0100 (CET)
On Mon, 17 Mar 2025, Michael van Elst via gnats wrote:
> This is the fingerprint reader (vendor 0x0a5c product 0x5834).
> Can you try to dump the USB descriptors? The pkgsrc usbutil
> package has a usbctl command to do that.
$ doas usbctl
DEVICE addr 0
DEVICE descriptor:
bLength=18 bDescriptorType=device(1) bcdUSB=3.00 bDeviceClass=9 bDeviceSubClass=0
bDeviceProtocol=3 bMaxPacketSize=9 idVendor=0x0000 idProduct=0x0000 bcdDevice=100
iManufacturer=1(NetBSD) iProduct=2(xHCI root hub) iSerialNumber=0() bNumConfigurations=1
CONFIGURATION descriptor 0:
bLength=9 bDescriptorType=config(2) wTotalLength=31 bNumInterface=1
bConfigurationValue=1 iConfiguration=0() bmAttributes=40 bMaxPower=0 mA
INTERFACE descriptor 0:
bLength=9 bDescriptorType=interface(4) bInterfaceNumber=0 bAlternateSetting=0
bNumEndpoints=1 bInterfaceClass=9 bInterfaceSubClass=0
bInterfaceProtocol=0 iInterface=0()
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=1-in
bmAttributes=interrupt wMaxPacketSize=2 bInterval=8
Unknown descriptor (class 9/0):
bLength=6 bDescriptorType=48 ...
current configuration 1
HUB descriptor:
bDescLength=11 bDescriptorType=41 bNbrPorts=6 wHubCharacteristics=02
bPwrOn2PwrGood=200 bHubContrCurrent=0 DeviceRemovable=0
Hub status 0000 0000
Port 1 status=0100 change=0000
Port 2 status=0100 change=0000
Port 3 status=2203 change=0000
Port 4 status=0100 change=0000
Port 5 status=0100 change=0000
Port 6 status=0100 change=0000
----------
DEVICE addr 2
DEVICE descriptor:
getstring 2 failed (error=5)
bLength=18 bDescriptorType=device(1) bcdUSB=3.00 bDeviceClass=0 bDeviceSubClass=0
bDeviceProtocol=0 bMaxPacketSize=9 idVendor=0x1f75 idProduct=0x0916 bcdDevice=d
iManufacturer=1( ) iProduct=2() iSerialNumber=3(12080780002052) bNumConfigurations=1
CONFIGURATION descriptor 0:
bLength=9 bDescriptorType=config(2) wTotalLength=44 bNumInterface=1
bConfigurationValue=1 iConfiguration=0() bmAttributes=80 bMaxPower=124 mA
INTERFACE descriptor 0:
bLength=9 bDescriptorType=interface(4) bInterfaceNumber=0 bAlternateSetting=0
bNumEndpoints=2 bInterfaceClass=8 bInterfaceSubClass=6
bInterfaceProtocol=80 iInterface=0()
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=2-out
bmAttributes=bulk wMaxPacketSize=1024 bInterval=0
Unknown descriptor (class 8/6):
bLength=6 bDescriptorType=48 ...
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=1-in
bmAttributes=bulk wMaxPacketSize=1024 bInterval=0
Unknown descriptor (class 8/6):
bLength=6 bDescriptorType=48 ...
current configuration 1
----------
`dmesg` says:
[ 4.191770] ugen0 at uhub1 port 10
[ 4.221767] ugen0: Broadcom Corp (0x0a5c) 5880 (0x5834), rev 1.10/1.01, addr 5
From: Michael van Elst <mlelstv@serpens.de>
To: Emile `iMil' Heitor <imil@home.imil.net>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on
Dell Latitude 7490
Date: Tue, 18 Mar 2025 21:53:53 +0100
On Tue, Mar 18, 2025 at 09:28:53PM +0100, Emile `iMil' Heitor wrote:
> On Mon, 17 Mar 2025, Michael van Elst via gnats wrote:
>
> > This is the fingerprint reader (vendor 0x0a5c product 0x5834).
> > Can you try to dump the USB descriptors? The pkgsrc usbutil
> > package has a usbctl command to do that.
>
> $ doas usbctl
> DEVICE addr 0
> DEVICE addr 2
> `dmesg` says:
>
> [ 4.191770] ugen0 at uhub1 port 10
> [ 4.221767] ugen0: Broadcom Corp (0x0a5c) 5880 (0x5834), rev 1.10/1.01, addr 5
No device addr 5 listed. usbctl usually works when you select the particular
bus and device.
My guess, it's uhub1 at usb1, and then:
usbctl -f /dev/usb1 -a 5
Greetings,
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
From: Emile `iMil' Heitor <imil@home.imil.net>
To: Michael van Elst <mlelstv@serpens.de>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on
Dell Latitude 7490
Date: Tue, 18 Mar 2025 22:01:48 +0100 (CET)
On Tue, 18 Mar 2025, Michael van Elst wrote:
> My guess, it's uhub1 at usb1, and then:
Indeed
$ doas usbctl -f /dev/usb1 -a 5
DEVICE addr 5
DEVICE descriptor:
bLength=18 bDescriptorType=device(1) bcdUSB=1.10 bDeviceClass=0 bDeviceSubClass=0
bDeviceProtocol=0 bMaxPacketSize=64 idVendor=0x0a5c idProduct=0x5834 bcdDevice=101
iManufacturer=1(Broadcom Corp) iProduct=2(5880) iSerialNumber=3(0123456789ABCD) bNumConfigurations=1
CONFIGURATION descriptor 0:
bLength=9 bDescriptorType=config(2) wTotalLength=269 bNumInterface=4
bConfigurationValue=0 iConfiguration=0() bmAttributes=e0 bMaxPower=100 mA
INTERFACE descriptor 0:
bLength=9 bDescriptorType=interface(4) bInterfaceNumber=0 bAlternateSetting=0
bNumEndpoints=3 bInterfaceClass=254 bInterfaceSubClass=0
bInterfaceProtocol=0 iInterface=4(Broadcom USH w/touch sensor)
Unknown descriptor (class 254/0):
bLength=16 bDescriptorType=37 ...
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=1-in
bmAttributes=bulk wMaxPacketSize=64 bInterval=0
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=1-out
bmAttributes=bulk wMaxPacketSize=64 bInterval=0
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=5-in
bmAttributes=interrupt wMaxPacketSize=16 bInterval=1
INTERFACE descriptor 1:
bLength=9 bDescriptorType=interface(4) bInterfaceNumber=1 bAlternateSetting=0
bNumEndpoints=3 bInterfaceClass=11 bInterfaceSubClass=0
bInterfaceProtocol=0 iInterface=5(Contacted SmartCard)
Unknown descriptor (class 11/0):
bLength=54 bDescriptorType=33 ...
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=2-in
bmAttributes=bulk wMaxPacketSize=64 bInterval=0
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=2-out
bmAttributes=bulk wMaxPacketSize=64 bInterval=0
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=6-in
bmAttributes=interrupt wMaxPacketSize=16 bInterval=1
INTERFACE descriptor 2:
bLength=9 bDescriptorType=interface(4) bInterfaceNumber=2 bAlternateSetting=0
bNumEndpoints=3 bInterfaceClass=11 bInterfaceSubClass=0
bInterfaceProtocol=0 iInterface=6(Contactless SmartCard)
Unknown descriptor (class 11/0):
bLength=54 bDescriptorType=33 ...
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=3-in
bmAttributes=bulk wMaxPacketSize=64 bInterval=0
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=3-out
bmAttributes=bulk wMaxPacketSize=64 bInterval=0
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=7-in
bmAttributes=interrupt wMaxPacketSize=16 bInterval=1
INTERFACE descriptor 3:
bLength=9 bDescriptorType=interface(4) bInterfaceNumber=3 bAlternateSetting=0
bNumEndpoints=3 bInterfaceClass=255 bInterfaceSubClass=0
bInterfaceProtocol=0 iInterface=8(Broadcom NFP)
Unknown descriptor (class 255/0):
bLength=16 bDescriptorType=38 ...
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=4-in
bmAttributes=bulk wMaxPacketSize=64 bInterval=0
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=4-out
bmAttributes=bulk wMaxPacketSize=64 bInterval=0
ENDPOINT descriptor:
bLength=7 bDescriptorType=endpoint(5) bEndpointAddress=8-in
bmAttributes=interrupt wMaxPacketSize=16 bInterval=1
current configuration 0
------------------------------------------------------------------------
Emile `iMil' Heitor <imil@{home.imil.net,NetBSD.org}> | https://imil.net
From: Michael van Elst <mlelstv@serpens.de>
To: Emile `iMil' Heitor <imil@home.imil.net>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on
Dell Latitude 7490
Date: Wed, 19 Mar 2025 00:09:54 +0100
On Tue, Mar 18, 2025 at 10:01:48PM +0100, Emile `iMil' Heitor wrote:
> $ doas usbctl -f /dev/usb1 -a 5
> DEVICE addr 5
> DEVICE descriptor:
> bLength=18 bDescriptorType=device(1) bcdUSB=1.10 bDeviceClass=0 bDeviceSubClass=0
> bDeviceProtocol=0 bMaxPacketSize=64 idVendor=0x0a5c idProduct=0x5834 bcdDevice=101
> iManufacturer=1(Broadcom Corp) iProduct=2(5880) iSerialNumber=3(0123456789ABCD) bNumConfigurations=1
>
> CONFIGURATION descriptor 0:
> bLength=9 bDescriptorType=config(2) wTotalLength=269 bNumInterface=4
> bConfigurationValue=0 iConfiguration=0() bmAttributes=e0 bMaxPower=100 mA
  ^^^^^^^^^^^^^^^^^^^^^
That's what our code doesn't handle correctly, as we abuse a value of 0 as 'unconfigured'.
usb_subr.c:906
bad:
/* XXX Use usbd_set_config() to reset the config? */
/* XXX Should we forbid USB_UNCONFIG_NO from bConfigurationValue? */
Greetings,
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
From: Taylor R Campbell <riastradh@NetBSD.org>
To: "Emile `iMil' Heitor" <imil@home.imil.net>,
Emmanuel Nyarko <emmankoko519@gmail.com>,
Salil Wadnerkar <bsdprg@tuta.io>
Cc: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell Latitude 7490
Date: Sat, 4 Oct 2025 19:03:59 +0000
Can you please try the attached patch and see if it helps?
I suspect this is the same issue as:
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
https://gnats.NetBSD.org/59624
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
https://gnats.NetBSD.org/57447
syzbot: UBSan: Undefined Behavior in usb_free_device (2)
https://syzkaller.appspot.com/bug?id=e6d4449a128e73a9a88100a5cc833e5cae9fecae
From: Taylor R Campbell <riastradh@NetBSD.org>
To: "Emile `iMil' Heitor" <imil@home.imil.net>,
Emmanuel Nyarko <emmankoko519@gmail.com>,
Salil Wadnerkar <bsdprg@tuta.io>
Cc: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell Latitude 7490
Date: Sat, 4 Oct 2025 19:06:11 +0000
> Date: Sat, 4 Oct 2025 19:03:59 +0000
> From: Taylor R Campbell <riastradh@NetBSD.org>
>
> Can you please try the attached patch and see if it helps?
>
> I suspect this is the same issue as:
>
> PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
> and hangs
> https://gnats.NetBSD.org/59624
>
> PR kern/57447: HEAD fails to probe USB devices and fails to boot up
> https://gnats.NetBSD.org/57447
>
> syzbot: UBSan: Undefined Behavior in usb_free_device (2)
> https://syzkaller.appspot.com/bug?id=e6d4449a128e73a9a88100a5cc833e5cae9fecae
...patch attached this time
Content-Type: text/plain; charset="ISO-8859-1"; name="pr59185-usbconfignoabuse"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="pr59185-usbconfignoabuse.diff"
diff -r 1c25535fd2c2 sys/compat/common/usb_subr_30.c
--- a/sys/compat/common/usb_subr_30.c Mon Sep 29 17:01:48 2025 +0000
+++ b/sys/compat/common/usb_subr_30.c Sat Oct 04 19:03:33 2025 +0000
@@ -147,7 +147,7 @@ usbd_fill_deviceinfo30(struct usbd_devic
di->udi_class =3D dev->ud_ddesc.bDeviceClass;
di->udi_subclass =3D dev->ud_ddesc.bDeviceSubClass;
di->udi_protocol =3D dev->ud_ddesc.bDeviceProtocol;
- di->udi_config =3D dev->ud_config;
+ di->udi_config =3D dev->ud_configno;
di->udi_power =3D dev->ud_selfpowered ? 0 : dev->ud_power;
di->udi_speed =3D dev->ud_speed;
=20
diff -r 1c25535fd2c2 sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c Mon Sep 29 17:01:48 2025 +0000
+++ b/sys/dev/usb/usb_subr.c Sat Oct 04 19:03:33 2025 +0000
@@ -154,7 +154,6 @@ usbd_get_device_strings(struct usbd_devi
usbd_get_device_string(ud, udd->iSerialNumber, &ud->ud_serial);
}
=20
-
void
usbd_devinfo_vp(struct usbd_device *dev, char *v, size_t vl, char *p,
size_t pl, int usedev, int useencoded)
@@ -691,8 +690,7 @@ usbd_set_config_index(struct usbd_device
usbd_status err;
int i, ifcidx, nifc, len, selfpowered, power;
=20
-
- if (index >=3D dev->ud_ddesc.bNumConfigurations &&
+ if ((unsigned)index >=3D dev->ud_ddesc.bNumConfigurations &&
index !=3D USB_UNCONFIG_INDEX) {
/* panic? */
printf("usbd_set_config_index: illegal index\n");
@@ -700,7 +698,7 @@ usbd_set_config_index(struct usbd_device
}
=20
/* XXX check that all interfaces are idle */
- if (dev->ud_config !=3D USB_UNCONFIG_NO) {
+ if (dev->ud_configidx !=3D USB_UNCONFIG_INDEX) {
DPRINTF("free old config", 0, 0, 0, 0);
/* Free all configuration data structures. */
nifc =3D dev->ud_cdesc->bNumInterface;
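Review bot: The new test `dev->ud_configidx != USB_UNCONFIG_INDEX` at the top of this hunk depends on ud_configidx already holding USB_UNCONFIG_INDEX before the first call, and nothing in this patch sets it when the device is created. The old test was safe on a zero-filled structure because USB_UNCONFIG_NO is 0; USB_UNCONFIG_INDEX is -1, so a ud_configidx of 0 on a device that was never configured would enter the free-old-config branch and dereference dev->ud_cdesc for bNumInterface. Initialise both ud_configno and ud_configidx wherever struct usbd_device is set up.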
@@ -718,7 +716,8 @@ usbd_set_config_index(struct usbd_device
dev->ud_ifaces =3D NULL;
dev->ud_cdesc =3D NULL;
dev->ud_bdesc =3D NULL;
- dev->ud_config =3D USB_UNCONFIG_NO;
+ dev->ud_configno =3D USB_UNCONFIG_NO;
+ dev->ud_configidx =3D USB_UNCONFIG_INDEX;
}
=20
if (index =3D=3D USB_UNCONFIG_INDEX) {
@@ -729,6 +728,8 @@ usbd_set_config_index(struct usbd_device
DPRINTF("setting config=3D0 failed, err =3D %jd", err,
0, 0, 0);
}
+ dev->ud_configno =3D USB_UNCONFIG_NO;
+ dev->ud_configidx =3D USB_UNCONFIG_INDEX;
return err;
}
=20
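Review bot: The two assignments added before `return err;` in the USB_UNCONFIG_INDEX path repeat what the free-old-config block a few lines above already does, and if that block was skipped the fields should already hold the unconfigured values. Asserting that state at this point, instead of silently rewriting it, would catch a caller that arrives here with stale fields.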
@@ -881,7 +882,8 @@ usbd_set_config_index(struct usbd_device
DPRINTFN(5, "dev=3D%#jx cdesc=3D%#jx", (uintptr_t)dev, (uintptr_t)cdp,
0, 0);
dev->ud_cdesc =3D cdp;
- dev->ud_config =3D cdp->bConfigurationValue;
+ dev->ud_configno =3D cdp->bConfigurationValue;
+ dev->ud_configidx =3D index;
for (ifcidx =3D 0; ifcidx < nifc; ifcidx++) {
usbd_iface_init(dev, ifcidx);
usbd_iface_exlock(&dev->ud_ifaces[ifcidx]);
@@ -905,8 +907,8 @@ usbd_set_config_index(struct usbd_device
=20
bad:
/* XXX Use usbd_set_config() to reset the config? */
- /* XXX Should we forbid USB_UNCONFIG_NO from bConfigurationValue? */
- dev->ud_config =3D USB_UNCONFIG_NO;
+ dev->ud_configno =3D USB_UNCONFIG_NO;
+ dev->ud_configidx =3D USB_UNCONFIG_INDEX;
KASSERT(dev->ud_ifaces =3D=3D NULL);
kmem_free(cdp, len);
dev->ud_cdesc =3D NULL;
@@ -1194,7 +1196,6 @@ usbd_attachinterfaces(device_t parent, s
DPRINTF("interface %jd %#jx", i, (uintptr_t)ifaces[i], 0, 0);
}
=20
-
uiaa.uiaa_device =3D dev;
uiaa.uiaa_port =3D port;
uiaa.uiaa_vendor =3D UGETW(dd->idVendor);
@@ -1776,7 +1777,7 @@ usbd_fill_deviceinfo(struct usbd_device=20
di->udi_class =3D dev->ud_ddesc.bDeviceClass;
di->udi_subclass =3D dev->ud_ddesc.bDeviceSubClass;
di->udi_protocol =3D dev->ud_ddesc.bDeviceProtocol;
- di->udi_config =3D dev->ud_config;
+ di->udi_config =3D dev->ud_configno;
di->udi_power =3D dev->ud_selfpowered ? 0 : dev->ud_power;
di->udi_speed =3D dev->ud_speed;
=20
diff -r 1c25535fd2c2 sys/dev/usb/usbdi.c
--- a/sys/dev/usb/usbdi.c Mon Sep 29 17:01:48 2025 +0000
+++ b/sys/dev/usb/usbdi.c Sat Oct 04 19:03:33 2025 +0000
@@ -169,7 +169,7 @@ usbd_dump_device(struct usbd_device *dev
USBHIST_LOG(usbdebug, " bus =3D %#jx default_pipe =3D %#jx",
(uintptr_t)dev->ud_bus, (uintptr_t)dev->ud_pipe0, 0, 0);
USBHIST_LOG(usbdebug, " address =3D %jd config =3D %jd depth =3D %jd =
",
- dev->ud_addr, dev->ud_config, dev->ud_depth, 0);
+ dev->ud_addr, dev->ud_configno, dev->ud_depth, 0);
USBHIST_LOG(usbdebug, " speed =3D %jd self_powered =3D %jd "
"power =3D %jd langid =3D %jd",
dev->ud_speed, dev->ud_selfpowered, dev->ud_power, dev->ud_langid);
diff -r 1c25535fd2c2 sys/dev/usb/usbdivar.h
--- a/sys/dev/usb/usbdivar.h Mon Sep 29 17:01:48 2025 +0000
+++ b/sys/dev/usb/usbdivar.h Sat Oct 04 19:03:33 2025 +0000
@@ -201,7 +201,7 @@ struct usbd_device {
struct usbd_bus *ud_bus; /* our controller */
struct usbd_pipe *ud_pipe0; /* pipe 0 */
uint8_t ud_addr; /* device address */
- uint8_t ud_config; /* current configuration # */
+ uint8_t ud_configno; /* current configuration # */
uint8_t ud_depth; /* distance from root hub */
uint8_t ud_speed; /* low/full/high speed */
uint8_t ud_selfpowered; /* flag for self powered */
@@ -230,6 +230,26 @@ struct usbd_device {
char *ud_serial; /* serial number, can be NULL */
char *ud_vendor; /* vendor string, can be NULL */
char *ud_product; /* product string can be NULL */
+
+ /*
+ * ud_configno above holds a value of bConfigurationValue from
+ * the config descriptor, or USB_UNCONFIG_NO=3D0 -- which may
+ * _also_ be a value of bConfigurationValue.
+ *
+ * ud_configidx below holds an index in [0, bNumConfigurations)
+ * into the list of configuration descriptors, or
+ * USB_UNCONFIG_INDEX=3D-1 to denote that the interface is
+ * unconfigured. Note that ud_configno may be USB_UNCONFIG_NO
+ * even if ud_configidx is not USB_UNCONFIG_INDEX, if a screwy
+ * device has a config descriptor with bConfigurationValue=3D0.
+ *
+ * This goes at the end, rather than next to ud_configno where
+ * it might properly belong, so the change preserves ABI for
+ * pullup to release branches.
+ */
+ int16_t ud_configidx;
+
+ uint8_t ud_extra[]; /* prevent embedding */
};
=20
struct usbd_interface {
From: Taylor R Campbell <riastradh@NetBSD.org>
To: "Emile `iMil' Heitor" <imil@home.imil.net>,
Emmanuel Nyarko <emmankoko519@gmail.com>,
Salil Wadnerkar <bsdprg@tuta.io>
Cc: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell Latitude 7490
Date: Sat, 4 Oct 2025 19:42:25 +0000
> Date: Sat, 4 Oct 2025 19:06:11 +0000
> From: Taylor R Campbell <riastradh@NetBSD.org>
>
> > Date: Sat, 4 Oct 2025 19:03:59 +0000
> > From: Taylor R Campbell <riastradh@NetBSD.org>
> >
> > Can you please try the attached patch and see if it helps?
> >
> > I suspect this is the same issue as:
> >
> > PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
> > and hangs
> > https://gnats.NetBSD.org/59624
> >
> > PR kern/57447: HEAD fails to probe USB devices and fails to boot up
> > https://gnats.NetBSD.org/57447
> >
> > syzbot: UBSan: Undefined Behavior in usb_free_device (2)
> > https://syzkaller.appspot.com/bug?id=e6d4449a128e73a9a88100a5cc833e5cae9fecae
>
> ...patch attached this time
Corrected patch attached!
Content-Type: text/plain; charset="ISO-8859-1"; name="pr59185-usbconfignoabuse-v2"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="pr59185-usbconfignoabuse-v2.diff"
diff -r 1c25535fd2c2 sys/compat/common/usb_subr_30.c
--- a/sys/compat/common/usb_subr_30.c Mon Sep 29 17:01:48 2025 +0000
+++ b/sys/compat/common/usb_subr_30.c Sat Oct 04 19:41:08 2025 +0000
@@ -147,7 +147,7 @@ usbd_fill_deviceinfo30(struct usbd_devic
di->udi_class =3D dev->ud_ddesc.bDeviceClass;
di->udi_subclass =3D dev->ud_ddesc.bDeviceSubClass;
di->udi_protocol =3D dev->ud_ddesc.bDeviceProtocol;
- di->udi_config =3D dev->ud_config;
+ di->udi_config =3D dev->ud_configno;
di->udi_power =3D dev->ud_selfpowered ? 0 : dev->ud_power;
di->udi_speed =3D dev->ud_speed;
=20
diff -r 1c25535fd2c2 sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c Mon Sep 29 17:01:48 2025 +0000
+++ b/sys/dev/usb/usb_subr.c Sat Oct 04 19:41:08 2025 +0000
@@ -154,7 +154,6 @@ usbd_get_device_strings(struct usbd_devi
usbd_get_device_string(ud, udd->iSerialNumber, &ud->ud_serial);
}
=20
-
void
usbd_devinfo_vp(struct usbd_device *dev, char *v, size_t vl, char *p,
size_t pl, int usedev, int useencoded)
@@ -691,8 +690,7 @@ usbd_set_config_index(struct usbd_device
usbd_status err;
int i, ifcidx, nifc, len, selfpowered, power;
=20
-
- if (index >=3D dev->ud_ddesc.bNumConfigurations &&
+ if ((unsigned)index >=3D dev->ud_ddesc.bNumConfigurations &&
index !=3D USB_UNCONFIG_INDEX) {
/* panic? */
printf("usbd_set_config_index: illegal index\n");
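Review bot: The `(unsigned)index` cast in the bounds check deserves a short comment, since it is the only thing that makes negative indexes other than USB_UNCONFIG_INDEX fail the test; without it a negative int compares below bNumConfigurations and passes. Spelling the condition as `index != USB_UNCONFIG_INDEX && (index < 0 || index >= dev->ud_ddesc.bNumConfigurations)` would state the intent without relying on the conversion.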
@@ -700,7 +698,7 @@ usbd_set_config_index(struct usbd_device
}
=20
/* XXX check that all interfaces are idle */
- if (dev->ud_config !=3D USB_UNCONFIG_NO) {
+ if (dev->ud_configidx !=3D USB_UNCONFIG_INDEX) {
DPRINTF("free old config", 0, 0, 0, 0);
/* Free all configuration data structures. */
nifc =3D dev->ud_cdesc->bNumInterface;
@@ -718,8 +716,13 @@ usbd_set_config_index(struct usbd_device
dev->ud_ifaces =3D NULL;
dev->ud_cdesc =3D NULL;
dev->ud_bdesc =3D NULL;
- dev->ud_config =3D USB_UNCONFIG_NO;
+ dev->ud_configno =3D USB_UNCONFIG_NO;
+ dev->ud_configidx =3D USB_UNCONFIG_INDEX;
}
+ KASSERTMSG(dev->ud_configno =3D=3D USB_UNCONFIG_NO, "ud_configno=3D%u",
+ dev->ud_configno);
+ KASSERTMSG(dev->ud_configidx =3D=3D USB_UNCONFIG_INDEX, "ud_configidx=3D%=
d",
+ dev->ud_configidx);
=20
if (index =3D=3D USB_UNCONFIG_INDEX) {
/* We are unconfiguring the device, so leave unallocated. */
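Review bot: The KASSERTMSGs added after the free-old-config block check only ud_configno and ud_configidx, while the block above also clears ud_ifaces, ud_cdesc and ud_bdesc, and a stale ud_ifaces is what the assertion in this PR's title tripped on. Asserting that those pointers are NULL at the same spot would check the whole unconfigured state in one place.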
@@ -881,7 +884,8 @@ usbd_set_config_index(struct usbd_device
DPRINTFN(5, "dev=3D%#jx cdesc=3D%#jx", (uintptr_t)dev, (uintptr_t)cdp,
0, 0);
dev->ud_cdesc =3D cdp;
- dev->ud_config =3D cdp->bConfigurationValue;
+ dev->ud_configno =3D cdp->bConfigurationValue;
+ dev->ud_configidx =3D index;
for (ifcidx =3D 0; ifcidx < nifc; ifcidx++) {
usbd_iface_init(dev, ifcidx);
usbd_iface_exlock(&dev->ud_ifaces[ifcidx]);
@@ -905,8 +909,8 @@ usbd_set_config_index(struct usbd_device
=20
bad:
/* XXX Use usbd_set_config() to reset the config? */
- /* XXX Should we forbid USB_UNCONFIG_NO from bConfigurationValue? */
- dev->ud_config =3D USB_UNCONFIG_NO;
+ dev->ud_configno =3D USB_UNCONFIG_NO;
+ dev->ud_configidx =3D USB_UNCONFIG_INDEX;
KASSERT(dev->ud_ifaces =3D=3D NULL);
kmem_free(cdp, len);
dev->ud_cdesc =3D NULL;
@@ -1194,7 +1198,6 @@ usbd_attachinterfaces(device_t parent, s
DPRINTF("interface %jd %#jx", i, (uintptr_t)ifaces[i], 0, 0);
}
=20
-
uiaa.uiaa_device =3D dev;
uiaa.uiaa_port =3D port;
uiaa.uiaa_vendor =3D UGETW(dd->idVendor);
@@ -1446,6 +1449,8 @@ usbd_new_device(device_t parent, struct=20
dev->ud_quirks =3D &usbd_no_quirk;
dev->ud_addr =3D USB_START_ADDR;
dev->ud_ddesc.bMaxPacketSize =3D 0;
+ dev->ud_configno =3D USB_UNCONFIG_NO;
+ dev->ud_configidx =3D USB_UNCONFIG_INDEX;
dev->ud_depth =3D depth;
dev->ud_powersrc =3D up;
dev->ud_myhub =3D up->up_parent;
@@ -1776,7 +1781,7 @@ usbd_fill_deviceinfo(struct usbd_device=20
di->udi_class =3D dev->ud_ddesc.bDeviceClass;
di->udi_subclass =3D dev->ud_ddesc.bDeviceSubClass;
di->udi_protocol =3D dev->ud_ddesc.bDeviceProtocol;
- di->udi_config =3D dev->ud_config;
+ di->udi_config =3D dev->ud_configno;
di->udi_power =3D dev->ud_selfpowered ? 0 : dev->ud_power;
di->udi_speed =3D dev->ud_speed;
=20
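Review bot: di->udi_config in usbd_fill_deviceinfo is still filled from the configuration number, so for a device whose descriptor has bConfigurationValue=0 the reported value is the same as for an unconfigured device. If the info structure cannot carry the index as well, a comment at this assignment saying that 0 is ambiguous would keep consumers from repeating the mistake this patch fixes in the kernel.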
diff -r 1c25535fd2c2 sys/dev/usb/usbdi.c
--- a/sys/dev/usb/usbdi.c Mon Sep 29 17:01:48 2025 +0000
+++ b/sys/dev/usb/usbdi.c Sat Oct 04 19:41:08 2025 +0000
@@ -169,7 +169,7 @@ usbd_dump_device(struct usbd_device *dev
USBHIST_LOG(usbdebug, " bus =3D %#jx default_pipe =3D %#jx",
(uintptr_t)dev->ud_bus, (uintptr_t)dev->ud_pipe0, 0, 0);
USBHIST_LOG(usbdebug, " address =3D %jd config =3D %jd depth =3D %jd =
",
- dev->ud_addr, dev->ud_config, dev->ud_depth, 0);
+ dev->ud_addr, dev->ud_configno, dev->ud_depth, 0);
USBHIST_LOG(usbdebug, " speed =3D %jd self_powered =3D %jd "
"power =3D %jd langid =3D %jd",
dev->ud_speed, dev->ud_selfpowered, dev->ud_power, dev->ud_langid);
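Review bot: The debug line in usbd_dump_device still logs only the configuration number, now dev->ud_configno, and passes a literal 0 as its fourth argument. Logging dev->ud_configidx in that spare slot, with a matching `configidx = %jd` in the format string, would let a usbhist dump tell an unconfigured device from one using a configuration numbered 0.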
diff -r 1c25535fd2c2 sys/dev/usb/usbdivar.h
--- a/sys/dev/usb/usbdivar.h Mon Sep 29 17:01:48 2025 +0000
+++ b/sys/dev/usb/usbdivar.h Sat Oct 04 19:41:08 2025 +0000
@@ -201,7 +201,7 @@ struct usbd_device {
struct usbd_bus *ud_bus; /* our controller */
struct usbd_pipe *ud_pipe0; /* pipe 0 */
uint8_t ud_addr; /* device address */
- uint8_t ud_config; /* current configuration # */
+ uint8_t ud_configno; /* current configuration # */
uint8_t ud_depth; /* distance from root hub */
uint8_t ud_speed; /* low/full/high speed */
uint8_t ud_selfpowered; /* flag for self powered */
@@ -230,6 +230,26 @@ struct usbd_device {
char *ud_serial; /* serial number, can be NULL */
char *ud_vendor; /* vendor string, can be NULL */
char *ud_product; /* product string can be NULL */
+
+ /*
+ * ud_configno above holds a value of bConfigurationValue from
+ * the config descriptor, or USB_UNCONFIG_NO=3D0 -- which may
+ * _also_ be a value of bConfigurationValue.
+ *
+ * ud_configidx below holds an index in [0, bNumConfigurations)
+ * into the list of configuration descriptors, or
+ * USB_UNCONFIG_INDEX=3D-1 to denote that the interface is
+ * unconfigured. Note that ud_configno may be USB_UNCONFIG_NO
+ * even if ud_configidx is not USB_UNCONFIG_INDEX, if a screwy
+ * device has a config descriptor with bConfigurationValue=3D0.
+ *
+ * This goes at the end, rather than next to ud_configno where
+ * it might properly belong, so the change preserves ABI for
+ * pullup to release branches.
+ */
+ int16_t ud_configidx;
+
+ uint8_t ud_extra[]; /* prevent embedding */
};
=20
struct usbd_interface {
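Review bot: The comment on ud_configidx says USB_UNCONFIG_INDEX denotes "that the interface is unconfigured", but the field records the device's configuration, so "device" is the word wanted there. The ABI paragraph could also say that appending the field keeps existing member offsets while changing sizeof(struct usbd_device), which is the case the ud_extra[] "prevent embedding" member guards against.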
diff -r 1c25535fd2c2 sys/dev/usb/xhci.c
--- a/sys/dev/usb/xhci.c Mon Sep 29 17:01:48 2025 +0000
+++ b/sys/dev/usb/xhci.c Sat Oct 04 19:41:08 2025 +0000
@@ -2861,6 +2861,8 @@ xhci_new_device(device_t parent, struct=20
dev->ud_quirks =3D &usbd_no_quirk;
dev->ud_addr =3D 0;
dev->ud_ddesc.bMaxPacketSize =3D 0;
+ dev->ud_configno =3D USB_UNCONFIG_NO;
+ dev->ud_configidx =3D USB_UNCONFIG_INDEX;
dev->ud_depth =3D depth;
dev->ud_powersrc =3D up;
dev->ud_myhub =3D up->up_parent;
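Review bot: The two assignments added here in xhci_new_device duplicate the pair added to usbd_new_device in usb_subr.c, and the KASSERTMSGs added to usbd_set_config_index now rely on every creation path doing the same. A shared initialiser called from both places would keep a later third path from missing it.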
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59185 CVS commit: src/sys/dev/usb
Date: Sun, 5 Oct 2025 20:04:30 +0000
Module Name: src
Committed By: riastradh
Date: Sun Oct 5 20:04:30 UTC 2025
Modified Files:
src/sys/dev/usb: usb_subr.c usbdivar.h xhci.c
Log Message:
usb(9): Record config index, not just number, in struct usbd_device.
The index is a zero-based index in [0, bNumConfigurations), or -1 for
unconfigured.
The number is an arbitrary value of a config descriptor's
bConfigurationValue field, or 0 for unconfigured -- with the tricky
caveat that bConfigurationValue might also be 0.
Preparation for fixing:
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
Reported-by: syzbot+017911f90e0f9766bc71@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=e6d4449a128e73a9a88100a5cc833e5cae9fecae
To generate a diff of this commit:
cvs rdiff -u -r1.279 -r1.280 src/sys/dev/usb/usb_subr.c
cvs rdiff -u -r1.139 -r1.140 src/sys/dev/usb/usbdivar.h
cvs rdiff -u -r1.190 -r1.191 src/sys/dev/usb/xhci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59185 CVS commit: src/sys/dev/usb
Date: Sun, 5 Oct 2025 20:41:04 +0000
Module Name: src
Committed By: riastradh
Date: Sun Oct 5 20:41:04 UTC 2025
Modified Files:
src/sys/dev/usb: usb_subr.c
Log Message:
usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
ud_config is a device-provided quantity in the config descriptor's
bConfigurationValue, and a faulty (or malicious) device can provide 0
for that value, which coincides with our software sentinel value
USBD_UNCONFIG_NO of 0.
Instead of testing ud_config, test ud_configidx, which is an index in
[0, bNumConfigurations) or -1, for which the device cannot confuse us
by a value that coincides with the sentinel -1.
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
Reported-by: syzbot+017911f90e0f9766bc71@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=e6d4449a128e73a9a88100a5cc833e5cae9fecae
To generate a diff of this commit:
cvs rdiff -u -r1.280 -r1.281 src/sys/dev/usb/usb_subr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
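Added example, not part of the thread and not NetBSD code: a userland model of the sentinel collision the two commit messages above describe, comparing an "is it configured?" test keyed on the device-supplied number with one keyed on the host-chosen index. The struct, the function names and the two-selections-in-a-row sequence are assumptions made for illustration; only the sentinel values 0 and -1 come from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define UNCONFIG_NO	0	/* value the page gives for USB_UNCONFIG_NO */
#define UNCONFIG_INDEX	(-1)	/* value the page gives for USB_UNCONFIG_INDEX */

/* Hypothetical, cut-down stand-in for struct usbd_device. */
struct model_dev {
	uint8_t	 configno;	/* device-supplied bConfigurationValue */
	int16_t	 configidx;	/* host-chosen descriptor index */
	int	*ifaces;	/* per-configuration allocation */
};

enum result { RES_OK = 0, RES_STALE_IFACES = 1, RES_NOMEM = 2 };

static void
model_init(struct model_dev *d)
{
	d->configno = UNCONFIG_NO;
	d->configidx = UNCONFIG_INDEX;
	d->ifaces = NULL;
}

/* Drop the per-configuration state and return to "unconfigured". */
static void
model_release(struct model_dev *d)
{
	free(d->ifaces);
	d->ifaces = NULL;
	d->configno = UNCONFIG_NO;
	d->configidx = UNCONFIG_INDEX;
}

/*
 * Select configuration `index`, whose descriptor carries `value` as its
 * bConfigurationValue.  use_index picks the field that answers
 * "is there an old configuration to free first?".
 */
static enum result
model_set_config(struct model_dev *d, int index, uint8_t value, int use_index)
{
	int configured = use_index ? (d->configidx != UNCONFIG_INDEX)
				   : (d->configno != UNCONFIG_NO);

	if (configured)
		model_release(d);

	/* Counterpart of the assertion in the report: state must be clean. */
	if (d->ifaces != NULL)
		return RES_STALE_IFACES;

	d->ifaces = calloc(4, sizeof(*d->ifaces));
	if (d->ifaces == NULL)
		return RES_NOMEM;
	d->configno = value;		/* attacker- or vendor-controlled */
	d->configidx = (int16_t)index;	/* never controlled by the device */
	return RES_OK;
}

/* Select configuration index 0 twice in a row on a fresh device. */
static enum result
attach_twice(uint8_t value, int use_index)
{
	struct model_dev d;
	enum result r;

	model_init(&d);
	r = model_set_config(&d, 0, value, use_index);
	if (r == RES_OK)
		r = model_set_config(&d, 0, value, use_index);
	free(d.ifaces);
	return r;
}

int
main(void)
{
	printf("number as sentinel, bConfigurationValue=1: %d\n",
	    attach_twice(1, 0));
	printf("number as sentinel, bConfigurationValue=0: %d\n",
	    attach_twice(0, 0));
	printf("index as sentinel,  bConfigurationValue=0: %d\n",
	    attach_twice(0, 1));
	return 0;
}
```

With the number as sentinel, a descriptor value of 0 makes the second selection skip the release step and find the old allocation still in place; with the index as sentinel the device's value no longer affects that decision.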
From: Emmanuel Nyarko <emmankoko519@gmail.com>
To: Taylor R Campbell <riastradh@NetBSD.org>
Cc: Emile `iMil' Heitor <imil@home.imil.net>,
Salil Wadnerkar <bsdprg@tuta.io>,
"gnats-bugs@netbsd.org" <gnats-bugs@NetBSD.org>,
"netbsd-bugs@netbsd.org" <netbsd-bugs@NetBSD.org>
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
Date: Mon, 6 Oct 2025 10:34:59 +0000
Hi,
> On 4 Oct 2025, at 7:42 PM, Taylor R Campbell <riastradh@NetBSD.org> wrote:
>
>> Date: Sat, 4 Oct 2025 19:06:11 +0000
>> From: Taylor R Campbell <riastradh@NetBSD.org>
>>
>>> Date: Sat, 4 Oct 2025 19:03:59 +0000
>>> From: Taylor R Campbell <riastradh@NetBSD.org>
>>>
>>> Can you please try the attached patch and see if it helps?
>>>
>>> I suspect this is the same issue as:
>>>
>>> PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
>>> and hangs
>>> https://gnats.NetBSD.org/59624
>>>
>>> PR kern/57447: HEAD fails to probe USB devices and fails to boot up
>>> https://gnats.NetBSD.org/57447
>>>
>>> syzbot: UBSan: Undefined Behavior in usb_free_device (2)
>>> https://syzkaller.appspot.com/bug?id=e6d4449a128e73a9a88100a5cc833e5cae9fecae
>>
>> ...patch attached this time
>
> Corrected patch attached!
> <pr59185-usbconfignoabuse-v2.diff>
I tested this patch and I am now able to boot from netbsd-11 kernel on my Dell machine.
Thanks!
Emmanuel.
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 06 Oct 2025 13:19:43 +0000
State-Changed-Why:
fixed in HEAD, needs pullup-9, pullup-10, pullup-11
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sat, 18 Oct 2025 22:49:50 +0000
State-Changed-Why:
pullup-9 #1974
pullup-10 #1175
pullup-11 #57
Responsible-Changed-From-To: kern-bug-people->riastradh
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Sat, 18 Oct 2025 22:51:01 +0000
Responsible-Changed-Why:
mine, and correction to previous:
pullup-11 #58, not #57
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59185 CVS commit: [netbsd-11] src/sys/dev/usb
Date: Sun, 19 Oct 2025 10:08:33 +0000
Module Name: src
Committed By: martin
Date: Sun Oct 19 10:08:33 UTC 2025
Modified Files:
src/sys/dev/usb [netbsd-11]: usb_subr.c usbdivar.h xhci.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #58):
sys/dev/usb/xhci.c: revision 1.191
sys/dev/usb/usb_subr.c: revision 1.280
sys/dev/usb/usb_subr.c: revision 1.281
sys/dev/usb/usbdivar.h: revision 1.140
usb(9): Record config index, not just number, in struct usbd_device.
The index is a zero-based index in [0, bNumConfigurations), or -1 for
unconfigured.
The number is an arbitrary value of a config descriptor's
bConfigurationValue field, or 0 for unconfigured -- with the tricky
caveat that bConfigurationValue might also be 0.
Preparation for fixing:
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
ud_config is a device-provided quantity in the config descriptor's
bConfigurationValue, and a faulty (or malicious) device can provide 0
for that value, which coincides with our software sentinel value
USBD_UNCONFIG_NO of 0.
Instead of testing ud_config, test ud_configidx, which is an index in
[0, bNumConfigurations) or -1, for which the device cannot confuse us
by a value that coincides with the sentinel -1.
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
To generate a diff of this commit:
cvs rdiff -u -r1.279 -r1.279.4.1 src/sys/dev/usb/usb_subr.c
cvs rdiff -u -r1.139 -r1.139.2.1 src/sys/dev/usb/usbdivar.h
cvs rdiff -u -r1.188.2.2 -r1.188.2.3 src/sys/dev/usb/xhci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59185 CVS commit: [netbsd-10] src/sys/dev/usb
Date: Sun, 19 Oct 2025 10:11:03 +0000
Module Name: src
Committed By: martin
Date: Sun Oct 19 10:11:03 UTC 2025
Modified Files:
src/sys/dev/usb [netbsd-10]: usb_subr.c usbdivar.h xhci.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1175):
sys/dev/usb/xhci.c: revision 1.191
sys/dev/usb/usb_subr.c: revision 1.280
sys/dev/usb/usb_subr.c: revision 1.281
sys/dev/usb/usbdivar.h: revision 1.140
usb(9): Record config index, not just number, in struct usbd_device.
The index is a zero-based index in [0, bNumConfigurations), or -1 for
unconfigured.
The number is an arbitrary value of a config descriptor's
bConfigurationValue field, or 0 for unconfigured -- with the tricky
caveat that bConfigurationValue might also be 0.
Preparation for fixing:
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
ud_config is a device-provided quantity in the config descriptor's
bConfigurationValue, and a faulty (or malicious) device can provide 0
for that value, which coincides with our software sentinel value
USBD_UNCONFIG_NO of 0.
Instead of testing ud_config, test ud_configidx, which is an index in
[0, bNumConfigurations) or -1, for which the device cannot confuse us
by a value that coincides with the sentinel -1.
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
To generate a diff of this commit:
cvs rdiff -u -r1.277 -r1.277.4.1 src/sys/dev/usb/usb_subr.c
cvs rdiff -u -r1.137 -r1.137.4.1 src/sys/dev/usb/usbdivar.h
cvs rdiff -u -r1.175.2.4 -r1.175.2.5 src/sys/dev/usb/xhci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59185 CVS commit: [netbsd-9] src/sys/dev/usb
Date: Sun, 19 Oct 2025 10:16:36 +0000
Module Name: src
Committed By: martin
Date: Sun Oct 19 10:16:36 UTC 2025
Modified Files:
src/sys/dev/usb [netbsd-9]: usb_subr.c usbdivar.h xhci.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1974):
sys/dev/usb/usb_subr.c: revision 1.247
sys/dev/usb/xhci.c: revision 1.191
sys/dev/usb/usb_subr.c: revision 1.280
sys/dev/usb/usb_subr.c: revision 1.281
sys/dev/usb/usbdivar.h: revision 1.140
sys/dev/usb/usb_subr.c: revision 1.275
Reset ud_ifaces and ud_cdesc to NULL, to prevent use-after-free in
usb_free_device().
usb: Insert assertion to diagnose ud_cdesc/ud_ifaces inconsistency.
Syzbot found a way to see ud_cdesc=NULL but ud_ifaces!=NULL.
Maybe it's a race with two threads somehow doing usbd_free_device at
the same time when only one should, but let's rule this case out
early on to make it easier to prove it has to be a race.
usb(9): Record config index, not just number, in struct usbd_device.
The index is a zero-based index in [0, bNumConfigurations), or -1 for
unconfigured.
The number is an arbitrary value of a config descriptor's
bConfigurationValue field, or 0 for unconfigured -- with the tricky
caveat that bConfigurationValue might also be 0.
Preparation for fixing:
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
ud_config is a device-provided quantity in the config descriptor's
bConfigurationValue, and a faulty (or malicious) device can provide 0
for that value, which coincides with our software sentinel value
USBD_UNCONFIG_NO of 0.
Instead of testing ud_config, test ud_configidx, which is an index in
[0, bNumConfigurations) or -1, for which the device cannot confuse us
by a value that coincides with the sentinel -1.
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
To generate a diff of this commit:
cvs rdiff -u -r1.235.2.1 -r1.235.2.2 src/sys/dev/usb/usb_subr.c
cvs rdiff -u -r1.118.4.1 -r1.118.4.2 src/sys/dev/usb/usbdivar.h
cvs rdiff -u -r1.107.2.12 -r1.107.2.13 src/sys/dev/usb/xhci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sun, 19 Oct 2025 22:29:50 +0000
State-Changed-Why:
fixed in HEAD, pulled up to 9, 10, and 11
>Unformatted: