NetBSD Problem Report #59624
From www@netbsd.org Mon Sep 1 08:36:53 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 3C0D51A923A
for <gnats-bugs@gnats.NetBSD.org>; Mon, 1 Sep 2025 08:36:53 +0000 (UTC)
Message-Id: <20250901083652.36F301A923E@mollari.NetBSD.org>
Date: Mon, 1 Sep 2025 08:36:52 +0000 (UTC)
From: emmankoko519@gmail.com
Reply-To: emmankoko519@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Booting NetBSD-11 from USB on my Dell machine panics and hangs
X-Send-Pr-Version: www-1.0
>Number: 59624
>Category: install
>Synopsis: Booting NetBSD-11 from USB on my Dell machine panics and hangs
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: install-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 01 08:40:00 +0000 2025
>Closed-Date: Mon Oct 06 13:18:11 +0000 2025
>Last-Modified: Sun Oct 19 10:20:03 +0000 2025
>Originator: Emmanuel Nyarko
>Release: NetBSD-11
>Organization:
NetBSD
>Environment:
amd64
>Description:
Booting NetBSD-11 on Dell (amd64) panics on kernel assertion in setting the config index, emits trace and hangs.
This is a trace of what is happening.
vpanic()
kern_assert()
usbd_set_config_index()
ugenif_attach()
ugen_attach()
config_attach_internal()
config_found_acquire()
config_found()
usbd_attachwholedevice()
usbd_probe_and_attach()
usbd_new_device()
uhub_explore()
uhub_explore()
usb_discover()
usb_event_thread()
>How-To-Repeat:
by Installing netbsd-11 on Intel x64 based processor Dell machine.
>Fix:
>Release-Note:
>Audit-Trail:
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59624 CVS commit: src/sys/dev/usb
Date: Sun, 5 Oct 2025 20:04:30 +0000
Module Name: src
Committed By: riastradh
Date: Sun Oct 5 20:04:30 UTC 2025
Modified Files:
src/sys/dev/usb: usb_subr.c usbdivar.h xhci.c
Log Message:
usb(9): Record config index, not just number, in struct usbd_device.
The index is a zero-based index in [0, bNumConfigurations), or -1 for
unconfigured.
The number is an arbitrary value of a config descriptor's
bConfigurationValue field, or 0 for unconfigured -- with the tricky
caveat that bConfigurationValue might also be 0.
Preparation for fixing:
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
Reported-by: syzbot+017911f90e0f9766bc71@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=e6d4449a128e73a9a88100a5cc833e5cae9fecae
To generate a diff of this commit:
cvs rdiff -u -r1.279 -r1.280 src/sys/dev/usb/usb_subr.c
cvs rdiff -u -r1.139 -r1.140 src/sys/dev/usb/usbdivar.h
cvs rdiff -u -r1.190 -r1.191 src/sys/dev/usb/xhci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59624 CVS commit: src/sys/dev/usb
Date: Sun, 5 Oct 2025 20:41:04 +0000
Module Name: src
Committed By: riastradh
Date: Sun Oct 5 20:41:04 UTC 2025
Modified Files:
src/sys/dev/usb: usb_subr.c
Log Message:
usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
ud_config is a device-provided quantity in the config descriptor's
bConfigurationValue, and a faulty (or malicious) device can provide 0
for that value, which coincides with our software sentinel value
USBD_UNCONFIG_NO of 0.
Instead of testing ud_config, test ud_configidx, which is an index in
[0, bNumConfigurations) or -1, for which the device cannot confuse us
by a value that coincides with the sentinel -1.
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
Reported-by: syzbot+017911f90e0f9766bc71@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=e6d4449a128e73a9a88100a5cc833e5cae9fecae
To generate a diff of this commit:
cvs rdiff -u -r1.280 -r1.281 src/sys/dev/usb/usb_subr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 06 Oct 2025 13:18:11 +0000
State-Changed-Why:
Duplicate, closing in favour of the PR with more specific diagnostic
history:
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
https://gnats.NetBSD.org/59185
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59624 CVS commit: [netbsd-11] src/sys/dev/usb
Date: Sun, 19 Oct 2025 10:08:33 +0000
Module Name: src
Committed By: martin
Date: Sun Oct 19 10:08:33 UTC 2025
Modified Files:
src/sys/dev/usb [netbsd-11]: usb_subr.c usbdivar.h xhci.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #58):
sys/dev/usb/xhci.c: revision 1.191
sys/dev/usb/usb_subr.c: revision 1.280
sys/dev/usb/usb_subr.c: revision 1.281
sys/dev/usb/usbdivar.h: revision 1.140
usb(9): Record config index, not just number, in struct usbd_device.
The index is a zero-based index in [0, bNumConfigurations), or -1 for
unconfigured.
The number is an arbitrary value of a config descriptor's
bConfigurationValue field, or 0 for unconfigured -- with the tricky
caveat that bConfigurationValue might also be 0.
Preparation for fixing:
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
ud_config is a device-provided quantity in the config descriptor's
bConfigurationValue, and a faulty (or malicious) device can provide 0
for that value, which coincides with our software sentinel value
USBD_UNCONFIG_NO of 0.
Instead of testing ud_config, test ud_configidx, which is an index in
[0, bNumConfigurations) or -1, for which the device cannot confuse us
by a value that coincides with the sentinel -1.
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
To generate a diff of this commit:
cvs rdiff -u -r1.279 -r1.279.4.1 src/sys/dev/usb/usb_subr.c
cvs rdiff -u -r1.139 -r1.139.2.1 src/sys/dev/usb/usbdivar.h
cvs rdiff -u -r1.188.2.2 -r1.188.2.3 src/sys/dev/usb/xhci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59624 CVS commit: [netbsd-10] src/sys/dev/usb
Date: Sun, 19 Oct 2025 10:11:03 +0000
Module Name: src
Committed By: martin
Date: Sun Oct 19 10:11:03 UTC 2025
Modified Files:
src/sys/dev/usb [netbsd-10]: usb_subr.c usbdivar.h xhci.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1175):
sys/dev/usb/xhci.c: revision 1.191
sys/dev/usb/usb_subr.c: revision 1.280
sys/dev/usb/usb_subr.c: revision 1.281
sys/dev/usb/usbdivar.h: revision 1.140
usb(9): Record config index, not just number, in struct usbd_device.
The index is a zero-based index in [0, bNumConfigurations), or -1 for
unconfigured.
The number is an arbitrary value of a config descriptor's
bConfigurationValue field, or 0 for unconfigured -- with the tricky
caveat that bConfigurationValue might also be 0.
Preparation for fixing:
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
ud_config is a device-provided quantity in the config descriptor's
bConfigurationValue, and a faulty (or malicious) device can provide 0
for that value, which coincides with our software sentinel value
USBD_UNCONFIG_NO of 0.
Instead of testing ud_config, test ud_configidx, which is an index in
[0, bNumConfigurations) or -1, for which the device cannot confuse us
by a value that coincides with the sentinel -1.
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
To generate a diff of this commit:
cvs rdiff -u -r1.277 -r1.277.4.1 src/sys/dev/usb/usb_subr.c
cvs rdiff -u -r1.137 -r1.137.4.1 src/sys/dev/usb/usbdivar.h
cvs rdiff -u -r1.175.2.4 -r1.175.2.5 src/sys/dev/usb/xhci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59624 CVS commit: [netbsd-9] src/sys/dev/usb
Date: Sun, 19 Oct 2025 10:16:36 +0000
Module Name: src
Committed By: martin
Date: Sun Oct 19 10:16:36 UTC 2025
Modified Files:
src/sys/dev/usb [netbsd-9]: usb_subr.c usbdivar.h xhci.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1974):
sys/dev/usb/usb_subr.c: revision 1.247
sys/dev/usb/xhci.c: revision 1.191
sys/dev/usb/usb_subr.c: revision 1.280
sys/dev/usb/usb_subr.c: revision 1.281
sys/dev/usb/usbdivar.h: revision 1.140
sys/dev/usb/usb_subr.c: revision 1.275
Reset ud_ifaces and ud_cdesc to NULL, to prevent use-after-free in
usb_free_device().
usb: Insert assertion to diagnose ud_cdesc/ud_ifaces inconsistency.
Syzbot found a way to see ud_cdesc=NULL but ud_ifaces!=NULL.
Maybe it's a race with two threads somehow doing usbd_free_device at
the same time when only one should, but let's rule this case out
early on to make it easier to prove it has to be a race.
usb(9): Record config index, not just number, in struct usbd_device.
The index is a zero-based index in [0, bNumConfigurations), or -1 for
unconfigured.
The number is an arbitrary value of a config descriptor's
bConfigurationValue field, or 0 for unconfigured -- with the tricky
caveat that bConfigurationValue might also be 0.
Preparation for fixing:
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
ud_config is a device-provided quantity in the config descriptor's
bConfigurationValue, and a faulty (or malicious) device can provide 0
for that value, which coincides with our software sentinel value
USBD_UNCONFIG_NO of 0.
Instead of testing ud_config, test ud_configidx, which is an index in
[0, bNumConfigurations) or -1, for which the device cannot confuse us
by a value that coincides with the sentinel -1.
PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
Latitude 7490
PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
and hangs
PR kern/57447: HEAD fails to probe USB devices and fails to boot up
To generate a diff of this commit:
cvs rdiff -u -r1.235.2.1 -r1.235.2.2 src/sys/dev/usb/usb_subr.c
cvs rdiff -u -r1.118.4.1 -r1.118.4.2 src/sys/dev/usb/usbdivar.h
cvs rdiff -u -r1.107.2.12 -r1.107.2.13 src/sys/dev/usb/xhci.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home