Summary: | hmt.ko kernel panic - Asus Expertbook B5602 | ||||||
---|---|---|---|---|---|---|---|
Product: | Base System | Reporter: | Hi Hellcat <federalpioneer> | ||||
Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||
Status: | Open --- | ||||||
Severity: | Affects Only Me | CC: | grahamperrin, markj, wulf | ||||
Priority: | --- | Keywords: | crash, regression | ||||
Version: | 14.0-STABLE | ||||||
Hardware: | amd64 | ||||||
OS: | Any | ||||||
Attachments: |
|
Description
Hi Hellcat
2023-09-22 01:32:02 UTC
Here we're crashing while parsing a HID report descriptor, it looks like the descriptor is invalid somehow but the driver isn't doing enough validation: 753 if (hi.collevel == 1 && 754 hi.usage >= HID_USAGE2(HUP_BUTTON, left_btn) && 755 hi.usage <= HID_USAGE2(HUP_BUTTON, HMT_BTN_MAX)) { 756 btn = (hi.usage & 0xFFFF) - left_btn; 757 setbit(sc->buttons, btn); 758 sc->btn_loc[btn] = hi.loc; 759 if (btn >= sc->max_button) 760 sc->max_button = btn + 1; 761 break; 762 } In particular, we don't check that "btn" is in the range [0, 7]. I'm not sure if this means that the descriptor is invalid or whether we're missing some special case? Let me know if you need any further data. |