kern/56762: urndis(4) autoconfiguration errors with recent usbdi.c

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/56762: urndis(4) autoconfiguration errors with recent usbdi.c
From: ryoon%NetBSD.org@localhost
Date: Fri, 18 Mar 2022 16:30:01 +0000 (UTC)

>Number:         56762
>Category:       kern
>Synopsis:       urndis(4) autoconfiguration errors with recent usbdi.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 18 16:30:01 +0000 2022
>Originator:     Ryo ONODERA
>Release:        NetBSD 9.99.94
>Organization:
Ryo ONODERA // ryo%tetera.org@localhost
PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3
>Environment:
	
	
System: NetBSD brownie 9.99.94 NetBSD 9.99.94 (DTRACE7) #31: Thu Mar 17 19:28:39 JST 2022 ryoon@brownie:/usr/world/9.99/amd64/obj/sys/arch/amd64/compile/DTRACE7 amd64
Architecture: x86_64
Machine: amd64
>Description:
sys/dev/usb/usbdi.c r1.237 has two problem in usbd_get_no_alts()
function for my urndis(4) device in Samsung Galaxy A7 (2018) SM-A750C
Android smartphone and cdce(4) devices.

Problem #1:
Error messages are as follows:

urndis0 at uhub4 port 1 configuration 1 interface 0
urndis0: SAMSUNG (0x04e8) SAMSUNG_Android (0x6863), rev 2.00/4.00, addr 9
autoconfiguration error: urndis0: could not find data bulk in
autoconfiguration error: urndis0: could not find data bulk out

bLength of USB interface descriptor is 9 (=sizeof(*d)) or lower.
The USB interface descriptor longer than 9 should be rejected.
In usbd_get_no_alts() function,

	if (d->bLength < sizeof(*d) || d->bLength > end - p)
	   break;

should be

	if (d->bLength > sizeof(*d) || d->bLength > end - p)
	   break;

Problem #2:
For cdce(4) device, valid USB interface descriptor
appears after longer non-interface descriptor.
The current logic in usbd_get_no_alts() function does not check
type of the descriptors before length check.
So 'd->bLength > sizeof(*d)' is true for
the longer non-interface descriptor and usbd_get_no_alts()
function returns 0. And cdce(4) device emits autoconfiguration errors.
The non-interface descriptors should be skipped.
(With xhci chips in my Dell XPS 13 9300 laptop, cdce(4) device
does not work at all. However it is another problem.)

Two problems may be fixed with the following patch.

Index: sys/dev/usb/usbdi.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/usbdi.c,v
retrieving revision 1.238
diff -u -r1.238 usbdi.c
--- sys/dev/usb/usbdi.c	13 Mar 2022 13:07:39 -0000	1.238
+++ sys/dev/usb/usbdi.c	17 Mar 2022 13:26:59 -0000
@@ -978,10 +978,11 @@
 
 	for (n = 0; end - p >= sizeof(*d); p += d->bLength) {
 		d = (usb_interface_descriptor_t *)p;
-		if (d->bLength < sizeof(*d) || d->bLength > end - p)
+		if (d->bDescriptorType != UDESC_INTERFACE)
+			continue;
+		if (d->bLength > sizeof(*d) || d->bLength > end - p)
 			break;
-		if (d->bDescriptorType == UDESC_INTERFACE &&
-		    d->bInterfaceNumber == ifaceno)
+		if (d->bInterfaceNumber == ifaceno)
 			n++;
 	}
 	return n;

Thank you.

>How-To-Repeat:
Plug urndis(4) and cdce(4) devices to NetBSD 9.99.94.
If your cdce(4) device is deteted ure(4), disabling ure(4) in 'boot -c'
will enable cdce(4) for your device.
	
>Fix:
	
See above or download my patch from:
https://www.ryoon.net/~ryoon/src-sys-dev-usb-usbdi.c-urndis-fix-20220317.diff .

>Unformatted:

Prev by Date: kern/56761: Kernel hang/freeze on i915 DRM init
Next by Date: NetBSD Nightly Trouble Ticket Report
Previous by Thread: kern/56761: Kernel hang/freeze on i915 DRM init
Next by Thread: PR/56730 CVS commit: src/sys/kern
Indexes:

Home | Main Index | Thread Index | Old Index