NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

PR/57447 CVS commit: [netbsd-9] src/sys/dev/usb



The following reply was made to PR kern/57447; it has been noted by GNATS.

From: "Martin Husemann" <martin%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/57447 CVS commit: [netbsd-9] src/sys/dev/usb
Date: Sun, 19 Oct 2025 10:16:36 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Sun Oct 19 10:16:36 UTC 2025
 
 Modified Files:
 	src/sys/dev/usb [netbsd-9]: usb_subr.c usbdivar.h xhci.c
 
 Log Message:
 Pull up following revision(s) (requested by riastradh in ticket #1974):
 
 	sys/dev/usb/usb_subr.c: revision 1.247
 	sys/dev/usb/xhci.c: revision 1.191
 	sys/dev/usb/usb_subr.c: revision 1.280
 	sys/dev/usb/usb_subr.c: revision 1.281
 	sys/dev/usb/usbdivar.h: revision 1.140
 	sys/dev/usb/usb_subr.c: revision 1.275
 
 Reset ud_ifaces and ud_cdesc to NULL, to prevent use-after-free in
 usb_free_device().
 
 usb: Insert assertion to diagnose ud_cdesc/ud_ifaces inconsistency.
 Syzbot found a way to see ud_cdesc=NULL but ud_ifaces!=NULL.
 
 Maybe it's a race with two threads somehow doing usbd_free_device at
 the same time when only one should, but let's rule this case out
 early on to make it easier to prove it has to be a race.
 
 usb(9): Record config index, not just number, in struct usbd_device.
 
 The index is a zero-based index in [0, bNumConfigurations), or -1 for
 unconfigured.
 
 The number is an arbitrary value of a config descriptor's
 bConfigurationValue field, or 0 for unconfigured -- with the tricky
 caveat that bConfigurationValue might also be 0.
 
 Preparation for fixing:
 PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
 Latitude 7490
 PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
 and hangs
 PR kern/57447: HEAD fails to probe USB devices and fails to boot up
 
 usb(9): Use ud_configidx, not ud_config, to see if unconfigured.
 ud_config is a device-provided quantity in the config descriptor's
 bConfigurationValue, and a faulty (or malicious) device can provide 0
 for that value, which coincides with our software sentinel value
 USBD_UNCONFIG_NO of 0.
 
 Instead of testing ud_config, test ud_configidx, which is an index in
 [0, bNumConfigurations) or -1, for which the device cannot confuse us
 by a value that coincides with the sentinel -1.
 
 PR kern/59185: panic over KASSERTMSG(dev->ud_ifaces == NULL) on Dell
 Latitude 7490
 PR kern/59624: Booting NetBSD-11 from USB on my Dell machine panics
 and hangs
 PR kern/57447: HEAD fails to probe USB devices and fails to boot up
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.235.2.1 -r1.235.2.2 src/sys/dev/usb/usb_subr.c
 cvs rdiff -u -r1.118.4.1 -r1.118.4.2 src/sys/dev/usb/usbdivar.h
 cvs rdiff -u -r1.107.2.12 -r1.107.2.13 src/sys/dev/usb/xhci.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
 


Home | Main Index | Thread Index | Old Index