Created attachment 245101 [details]
debugger stuff - following...the chicken ._.

hmt.ko causes a kernel panic while booting (or if loaded afterwards) FreeBSD 14 - Beta 2. Disabling this module, or disabling the touchpad in the BIOS, allows the system to boot fully.

Hardware: ASUS Expertbook B5602 - 13th Gen (Raptor Lake).

Included are the details of the panic and the debug stuff.

=
<118>Autoloading module: iichid
iichid0: <ASUE1210:01 04F3:32D0 I2C HID device> at addr 0x15 on iicbus1
iichid0: Interrupt setup failed. Fallback to sampling
hidbus0: <HID bus> on iichid0
<118>Autoloading module: hms
hms0: <ASUE1210:01 04F3:32D0 Mouse> on hidbus0
hms0: 2 buttons and [XYWH] coordinates ID=1
<118>Autoloading module: hmt

Fatal trap 12: page fault while in kernel mode
cpuid = 12; apic id = 28
fault virtual address   = 0xfffff80c1597db40
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff82fa0467
stack pointer           = 0x28:0xfffffe01357978c0
frame pointer           = 0x28:0xfffffe0135797a10
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1613 (devctl)
rdi: 0000000000000054 rsi: fffffe0135797948 rdx: 0000000000000003
rcx: 00000002fffffffd  r8: 0000000000000003  r9: 0000000000000278
rax: 00000000ffffffff rbx: fffff80010279900 rbp: fffffe0135797a10
r10: 0000000000000000 r11: fffffe01357979d4 r12: 0000000000000001
r13: 0000000000000000 r14: fffff8001597d000 r15: 0000000000000001
trap number             = 12
panic: page fault
cpuid = 12
time = 1695371528
KDB: stack backtrace:
#0 0xffffffff80b8fcad at kdb_backtrace+0x5d
#1 0xffffffff80b42db2 at vpanic+0x132
#2 0xffffffff80b42c73 at panic+0x43
#3 0xffffffff8100b81c at trap_fatal+0x40c
#4 0xffffffff8100b86f at trap_pfault+0x4f
#5 0xffffffff80fe22b8 at calltrap+0x8
#6 0xffffffff80b7dfcf at device_probe_child+0x14f
#7 0xffffffff80b7f0cb at device_probe+0x6b
#8 0xffffffff80b813b7 at bus_generic_driver_added+0x77
#9 0xffffffff80b7cdd9 at devclass_driver_added+0x39
#10 0xffffffff80b84dcb at device_do_deferred_actions+0x3b
#11 0xffffffff80b849e7 at devctl2_ioctl+0x507
#12 0xffffffff809d0b7c at devfs_ioctl+0xcc
#13 0xffffffff80c3b264 at vn_ioctl+0xd4
#14 0xffffffff809d121e at devfs_ioctl_f+0x1e
#15 0xffffffff80bb11b5 at kern_ioctl+0x255
#16 0xffffffff80bb0ef3 at sys_ioctl+0x123
#17 0xffffffff8100c0d9 at amd64_syscall+0x109
Uptime: 11s
Dumping 817 out of 15963 MB:..2%..12%..22%..32%..42%..51%..61%..71%..81%..92%

__curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
57              __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu,
Here we're crashing while parsing a HID report descriptor. It looks like the descriptor is invalid somehow, but the driver isn't doing enough validation:

    if (hi.collevel == 1 &&
        hi.usage >= HID_USAGE2(HUP_BUTTON, left_btn) &&
        hi.usage <= HID_USAGE2(HUP_BUTTON, HMT_BTN_MAX)) {
            btn = (hi.usage & 0xFFFF) - left_btn;
            setbit(sc->buttons, btn);
            sc->btn_loc[btn] = hi.loc;
            if (btn >= sc->max_button)
                    sc->max_button = btn + 1;
            break;
    }

In particular, we don't check that "btn" is in the range [0, 7]. I'm not sure if this means that the descriptor is invalid or whether we're missing some special case?
Let me know if you need any further data.
(In reply to Hi Hellcat from comment #2) This looks like the crash I get on boot with the new Framework 16 AMD laptop. Crash is in hmt_probe+0x477/frame 0xfffffe0107aa1a20 (no idea if this is useful). Moving the hmt.ko file out of the way allows boot. It's not yet known if the trackpad works (I need to install X).
Created attachment 253554 [details]
hid-parser.diff

Recently I was able to reproduce the panic on an ASUS TUF laptop. It appeared that using signed integers for usage values breaks some range checks, resulting in OOB access. I hope the attached patch fixes the issue.
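The following is an added illustration (not code from this PR, from hmt(4) or from the attached patch) of how the signed usage value described in comment #1 and in the comment above turns the button range check into a non-check. It models a short-item parser that sign-extends the usage payload (the pre-fix behaviour) next to one that treats it as unsigned, and the driver-side check in its pre-fix and fixed shapes. The macro definitions, the assumption that `left_btn` is an unsigned quantity while `HMT_BTN_MAX` is a plain int (which is what makes one half of the comparison unsigned and the other half signed), and the sample descriptor bytes are all constructed for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed model of the signed-vs-unsigned usage bug discussed in this
 * PR. Constants follow the HID convention named in comment #1 (usage is
 * page << 16 | id); the parser and driver stand-ins are simplified models,
 * not FreeBSD's hid.c or hmt.c.
 */
#define HUP_BUTTON       0x0009
#define HMT_BTN_MAX      8
#define HID_USAGE2(p, u) ((((p) & 0xffff) << 16) | ((u) & 0xffff))

/* Little-endian short-item payload of 1, 2 or 4 bytes, read as a signed
 * (sign-extended) quantity: the pre-fix parser behaviour being modelled. */
static int32_t item_data_signed(const uint8_t *p, size_t n)
{
    switch (n) {
    case 1:  return (int8_t)p[0];
    case 2:  return (int16_t)(p[0] | (p[1] << 8));
    default: return (int32_t)(p[0] | (p[1] << 8) | (p[2] << 16) |
                              ((uint32_t)p[3] << 24));
    }
}

/* Same payload read as an unsigned quantity: the post-fix behaviour. */
static uint32_t item_data_unsigned(const uint8_t *p, size_t n)
{
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* A Usage item shorter than 4 bytes inherits the current Usage Page; a
 * 4-byte one carries its page in the upper 16 bits. */
static int32_t usage_signed(uint16_t page, const uint8_t *p, size_t n)
{
    int32_t d = item_data_signed(p, n);
    return n == 4 ? d : (int32_t)((uint32_t)page << 16) | d;
}

static uint32_t usage_unsigned(uint16_t page, const uint8_t *p, size_t n)
{
    uint32_t d = item_data_unsigned(p, n);
    return n == 4 ? d : ((uint32_t)page << 16) | d;
}

/*
 * Pre-fix shape of the driver check: usage is signed and (assumption for
 * this model) left_btn is unsigned. The lower bound is then compared
 * unsigned and the upper bound signed, so a negative usage passes both.
 * Returns the index the driver would write to, or -1 if rejected.
 */
static int button_index_vuln(int32_t usage, uint32_t left_btn)
{
    /* casts written out here; in the modelled code they are implicit */
    if ((uint32_t)usage >= HID_USAGE2(HUP_BUTTON, left_btn) &&
        usage <= (int32_t)HID_USAGE2(HUP_BUTTON, HMT_BTN_MAX))
        return (int)((uint32_t)(usage & 0xFFFF) - left_btn);
    return -1;
}

/* Fixed shape: unsigned usage throughout, plus the explicit index bound
 * comment #1 asked for, so a descriptor can never steer the write. */
static int button_index_fixed(uint32_t usage, uint32_t left_btn)
{
    if (usage >= HID_USAGE2(HUP_BUTTON, left_btn) &&
        usage <= (uint32_t)HID_USAGE2(HUP_BUTTON, HMT_BTN_MAX)) {
        uint32_t btn = (usage & 0xFFFF) - left_btn;
        if (btn < HMT_BTN_MAX)
            return (int)btn;
    }
    return -1;
}

/* Constructed sample payloads: a 2-byte Usage 0x8010 with the sign bit set
 * (what a malformed or hostile descriptor could carry) and a normal 1-byte
 * Usage 3 (button 3). */
static const uint8_t bad_usage_item[2] = { 0x10, 0x80 };
static const uint8_t ok_usage_item[1]  = { 0x03 };

/* Would the given path write past btn_loc[HMT_BTN_MAX - 1]? */
static int vuln_writes_oob(const uint8_t *p, size_t n, uint32_t left_btn)
{
    return button_index_vuln(usage_signed(HUP_BUTTON, p, n), left_btn)
           >= HMT_BTN_MAX;
}

static int fixed_writes_oob(const uint8_t *p, size_t n, uint32_t left_btn)
{
    return button_index_fixed(usage_unsigned(HUP_BUTTON, p, n), left_btn)
           >= HMT_BTN_MAX;
}

int main(void)
{
    assert(vuln_writes_oob(bad_usage_item, 2, 1) == 1);   /* index 0x800F */
    assert(fixed_writes_oob(bad_usage_item, 2, 1) == 0);  /* rejected */
    assert(button_index_vuln(usage_signed(HUP_BUTTON, ok_usage_item, 1), 1) == 2);
    assert(button_index_fixed(usage_unsigned(HUP_BUTTON, ok_usage_item, 1), 1) == 2);
    return 0;
}
```

With the sign-extended parse the Button page bits are overwritten by the extension and the usage becomes negative, which the mixed-signedness check accepts; the index that falls out is 0x800F, far past the eight-entry table. With the unsigned parse the same bytes yield usage 0x00098010, which the upper bound rejects, and the added `btn < HMT_BTN_MAX` test makes the write safe even if a later parser change reintroduces an odd value.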
(In reply to Eirik Oeverby from comment #3)

I also have a Framework 16 AMD laptop and get the exact same bug. This bug occurs even on the liveUSB installer image, so I can't even install FreeBSD on this laptop. I am not that advanced in FreeBSD and am trying to learn, though I am an advanced Linux user, so I can probably figure things out reasonably quickly.

I will try mounting the liveUSB on my desktop FreeBSD and disabling the module in loader.conf, which I am assuming from a quick Google is module_blacklist="hmt.ko", but please correct me if I am wrong.

If there is a patch that fixes this, will the patch get into the 14.2-RELEASE eventually, or would I have to install 14.2-STABLE or 15.0-CURRENT for now and wait until RELEASE (or STABLE) catches up? Or would I install with the module blacklisted on 14.2-RELEASE, then wait for the patch and apply it myself somehow?

Thanks
/Oskar
(In reply to Oskar Gibson from comment #5)

OK, that didn't work. module_blacklist="hmt.ko" did nothing and the module was still loaded and crashed. Do I have to delete/rename/move the module so the loader can't find it, or is there another way to blacklist/disable it?

Sorry for my lack of knowledge; as I said, I am still very much learning FreeBSD and have 99% used Gentoo Linux for the last 15 years or so.

Thanks
/Oskar
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=38b67578fb4bbf568f7012ca3921a4d15cfe7c5d

commit 38b67578fb4bbf568f7012ca3921a4d15cfe7c5d
Author:     Vladimir Kondratyev <wulf@FreeBSD.org>
AuthorDate: 2024-12-22 03:16:11 +0000
Commit:     Vladimir Kondratyev <wulf@FreeBSD.org>
CommitDate: 2024-12-22 03:16:11 +0000

    hid: Correctly handle signed/unsigned quantities in kernel HID parser.

    Wrong signedness of usage value results in inverted range check in hmt(4)
    driver that allows out of bound array access leading to panic.

    Reported by:    many
    Sponsored by:   Future Crew, LLC
    Obtained from:  NetBSD
    NetBSD PR:      kern/53605
    PR:             274014, 282592

 sys/dev/hid/hid.c | 91 +++++++++++++++++++++++++++++--------------------------
 sys/dev/hid/hid.h | 32 +++++++++----------
 2 files changed, 64 insertions(+), 59 deletions(-)