Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell Latitude 7490

["Taylor R Campbell via gnats" <gnats-admin%NetBSD.org@localhost>]

The following reply was made to PR kern/59185; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: "Emile `iMil' Heitor" <imil%home.imil.net@localhost>,
	Emmanuel Nyarko <emmankoko519%gmail.com@localhost>,
	Salil Wadnerkar <bsdprg%tuta.io@localhost>
Cc: gnats-bugs%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost
Subject: Re: kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell Latitude 7490
Date: Sat, 4 Oct 2025 19:06:11 +0000

 This is a multi-part message in MIME format.
 --=_cEFiPfdk98xHDMxf5dg4ZFdv6SEdn8RA
 Content-Transfer-Encoding: quoted-printable
 
 > Date: Sat, 4 Oct 2025 19:03:59 +0000
 > From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
 >=20
 > Can you please try the attached patch and see if it helps?
 >=20
 > I suspect this is the same issue as:
 >=20
 > PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
 > and hangs
 > https://gnats.NetBSD.org/59624
 >=20
 > PR kern/57447: HEAD fails to probe USB devices and fails to boot up
 > https://gnats.NetBSD.org/57447
 >=20
 > syzbot: UBSan: Undefined Behavior in usb_free_device (2)
 > https://syzkaller.appspot.com/bug?id=3De6d4449a128e73a9a88100a5cc833e5cae=
 9fecae
 
 ...patch attached this time
 
 --=_cEFiPfdk98xHDMxf5dg4ZFdv6SEdn8RA
 Content-Type: text/plain; charset="ISO-8859-1"; name="pr59185-usbconfignoabuse"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: attachment; filename="pr59185-usbconfignoabuse.diff"
 
 diff -r 1c25535fd2c2 sys/compat/common/usb_subr_30.c
 --- a/sys/compat/common/usb_subr_30.c	Mon Sep 29 17:01:48 2025 +0000
 +++ b/sys/compat/common/usb_subr_30.c	Sat Oct 04 19:03:33 2025 +0000
 @@ -147,7 +147,7 @@ usbd_fill_deviceinfo30(struct usbd_devic
  	di->udi_class =3D dev->ud_ddesc.bDeviceClass;
  	di->udi_subclass =3D dev->ud_ddesc.bDeviceSubClass;
  	di->udi_protocol =3D dev->ud_ddesc.bDeviceProtocol;
 -	di->udi_config =3D dev->ud_config;
 +	di->udi_config =3D dev->ud_configno;
  	di->udi_power =3D dev->ud_selfpowered ? 0 : dev->ud_power;
  	di->udi_speed =3D dev->ud_speed;
 =20
 diff -r 1c25535fd2c2 sys/dev/usb/usb_subr.c
 --- a/sys/dev/usb/usb_subr.c	Mon Sep 29 17:01:48 2025 +0000
 +++ b/sys/dev/usb/usb_subr.c	Sat Oct 04 19:03:33 2025 +0000
 @@ -154,7 +154,6 @@ usbd_get_device_strings(struct usbd_devi
  	usbd_get_device_string(ud, udd->iSerialNumber, &ud->ud_serial);
  }
 =20
 -
  void
  usbd_devinfo_vp(struct usbd_device *dev, char *v, size_t vl, char *p,
      size_t pl, int usedev, int useencoded)
 @@ -691,8 +690,7 @@ usbd_set_config_index(struct usbd_device
  	usbd_status err;
  	int i, ifcidx, nifc, len, selfpowered, power;
 =20
 -
 -	if (index >=3D dev->ud_ddesc.bNumConfigurations &&
 +	if ((unsigned)index >=3D dev->ud_ddesc.bNumConfigurations &&
  	    index !=3D USB_UNCONFIG_INDEX) {
  		/* panic? */
  		printf("usbd_set_config_index: illegal index\n");
 @@ -700,7 +698,7 @@ usbd_set_config_index(struct usbd_device
  	}
 =20
  	/* XXX check that all interfaces are idle */
 -	if (dev->ud_config !=3D USB_UNCONFIG_NO) {
 +	if (dev->ud_configidx !=3D USB_UNCONFIG_INDEX) {
  		DPRINTF("free old config", 0, 0, 0, 0);
  		/* Free all configuration data structures. */
  		nifc =3D dev->ud_cdesc->bNumInterface;
 @@ -718,7 +716,8 @@ usbd_set_config_index(struct usbd_device
  		dev->ud_ifaces =3D NULL;
  		dev->ud_cdesc =3D NULL;
  		dev->ud_bdesc =3D NULL;
 -		dev->ud_config =3D USB_UNCONFIG_NO;
 +		dev->ud_configno =3D USB_UNCONFIG_NO;
 +		dev->ud_configidx =3D USB_UNCONFIG_INDEX;
  	}
 =20
  	if (index =3D=3D USB_UNCONFIG_INDEX) {
 @@ -729,6 +728,8 @@ usbd_set_config_index(struct usbd_device
  			DPRINTF("setting config=3D0 failed, err =3D %jd", err,
  			    0, 0, 0);
  		}
 +		dev->ud_configno =3D USB_UNCONFIG_NO;
 +		dev->ud_configidx =3D USB_UNCONFIG_INDEX;
  		return err;
  	}
 =20
 @@ -881,7 +882,8 @@ usbd_set_config_index(struct usbd_device
  	DPRINTFN(5, "dev=3D%#jx cdesc=3D%#jx", (uintptr_t)dev, (uintptr_t)cdp,
  	    0, 0);
  	dev->ud_cdesc =3D cdp;
 -	dev->ud_config =3D cdp->bConfigurationValue;
 +	dev->ud_configno =3D cdp->bConfigurationValue;
 +	dev->ud_configidx =3D index;
  	for (ifcidx =3D 0; ifcidx < nifc; ifcidx++) {
  		usbd_iface_init(dev, ifcidx);
  		usbd_iface_exlock(&dev->ud_ifaces[ifcidx]);
 @@ -905,8 +907,8 @@ usbd_set_config_index(struct usbd_device
 =20
  bad:
  	/* XXX Use usbd_set_config() to reset the config? */
 -	/* XXX Should we forbid USB_UNCONFIG_NO from bConfigurationValue? */
 -	dev->ud_config =3D USB_UNCONFIG_NO;
 +	dev->ud_configno =3D USB_UNCONFIG_NO;
 +	dev->ud_configidx =3D USB_UNCONFIG_INDEX;
  	KASSERT(dev->ud_ifaces =3D=3D NULL);
  	kmem_free(cdp, len);
  	dev->ud_cdesc =3D NULL;
 @@ -1194,7 +1196,6 @@ usbd_attachinterfaces(device_t parent, s
  		DPRINTF("interface %jd %#jx", i, (uintptr_t)ifaces[i], 0, 0);
  	}
 =20
 -
  	uiaa.uiaa_device =3D dev;
  	uiaa.uiaa_port =3D port;
  	uiaa.uiaa_vendor =3D UGETW(dd->idVendor);
 @@ -1776,7 +1777,7 @@ usbd_fill_deviceinfo(struct usbd_device=20
  	di->udi_class =3D dev->ud_ddesc.bDeviceClass;
  	di->udi_subclass =3D dev->ud_ddesc.bDeviceSubClass;
  	di->udi_protocol =3D dev->ud_ddesc.bDeviceProtocol;
 -	di->udi_config =3D dev->ud_config;
 +	di->udi_config =3D dev->ud_configno;
  	di->udi_power =3D dev->ud_selfpowered ? 0 : dev->ud_power;
  	di->udi_speed =3D dev->ud_speed;
 =20
 diff -r 1c25535fd2c2 sys/dev/usb/usbdi.c
 --- a/sys/dev/usb/usbdi.c	Mon Sep 29 17:01:48 2025 +0000
 +++ b/sys/dev/usb/usbdi.c	Sat Oct 04 19:03:33 2025 +0000
 @@ -169,7 +169,7 @@ usbd_dump_device(struct usbd_device *dev
  	USBHIST_LOG(usbdebug, "     bus =3D %#jx default_pipe =3D %#jx",
  	    (uintptr_t)dev->ud_bus, (uintptr_t)dev->ud_pipe0, 0, 0);
  	USBHIST_LOG(usbdebug, "     address =3D %jd config =3D %jd depth =3D %jd =
 ",
 -	    dev->ud_addr, dev->ud_config, dev->ud_depth, 0);
 +	    dev->ud_addr, dev->ud_configno, dev->ud_depth, 0);
  	USBHIST_LOG(usbdebug, "     speed =3D %jd self_powered =3D %jd "
  	    "power =3D %jd langid =3D %jd",
  	    dev->ud_speed, dev->ud_selfpowered, dev->ud_power, dev->ud_langid);
 diff -r 1c25535fd2c2 sys/dev/usb/usbdivar.h
 --- a/sys/dev/usb/usbdivar.h	Mon Sep 29 17:01:48 2025 +0000
 +++ b/sys/dev/usb/usbdivar.h	Sat Oct 04 19:03:33 2025 +0000
 @@ -201,7 +201,7 @@ struct usbd_device {
  	struct usbd_bus	       *ud_bus;		/* our controller */
  	struct usbd_pipe       *ud_pipe0;	/* pipe 0 */
  	uint8_t			ud_addr;	/* device address */
 -	uint8_t			ud_config;	/* current configuration # */
 +	uint8_t			ud_configno;	/* current configuration # */
  	uint8_t			ud_depth;	/* distance from root hub */
  	uint8_t			ud_speed;	/* low/full/high speed */
  	uint8_t			ud_selfpowered;	/* flag for self powered */
 @@ -230,6 +230,26 @@ struct usbd_device {
  	char		       *ud_serial;	/* serial number, can be NULL */
  	char		       *ud_vendor;	/* vendor string, can be NULL */
  	char		       *ud_product;	/* product string can be NULL */
 +
 +	/*
 +	 * ud_configno above holds a value of bConfigurationValue from
 +	 * the config descriptor, or USB_UNCONFIG_NO=3D0 -- which may
 +	 * _also_ be a value of bConfigurationValue.
 +	 *
 +	 * ud_configidx below holds an index in [0, bNumConfigurations)
 +	 * into the list of configuration descriptors, or
 +	 * USB_UNCONFIG_INDEX=3D-1 to denote that the interface is
 +	 * unconfigured.  Note that ud_configno may be USB_UNCONFIG_NO
 +	 * even if ud_configidx is not USB_UNCONFIG_INDEX, if a screwy
 +	 * device has a config descriptor with bConfigurationValue=3D0.
 +	 *
 +	 * This goes at the end, rather than next to ud_configno where
 +	 * it might properly belong, so the change preserves ABI for
 +	 * pullup to release branches.
 +	 */
 +	int16_t			ud_configidx;
 +
 +	uint8_t			ud_extra[];	/* prevent embedding */
  };
 =20
  struct usbd_interface {
 
 --=_cEFiPfdk98xHDMxf5dg4ZFdv6SEdn8RA--