Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12

Frank Li Frank.li at nxp.com
Tue Dec 9 09:24:56 PST 2025 

On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
> On 12/9/25 13:48, Alexandre Belloni wrote:
> >
> > On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
> > > On 12/8/25 21:58, Alexandre Belloni wrote:
> > > > Hello Louis,
> > > >
> > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
> > > > > Hello,
> > > > >
> > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
> > > > > on one specific server. I suspect it has to do with the large number of
> > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
> > > > > not sure.
> > > > >
> > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
> > > > > (basically Ubuntu's).
> > > > Just to be sure, does this also happen with v6.17?
> > > >
> > > > The only change is the shutdown handling so I would guess yes.
> > > >
> > > Hello,
> > >
> > > It does happen with 6.17. I initially discovered this while running Ubuntu
> > > 25.10's stock kernel (6.17.0).
> > >
> > > > What is the behavior when you build the dw-i3c-master as a static driver?
> > > I'll try CONFIG_DW_I3C_MASTER=y and report back.
> > >
> > > Someone also suggested (they didn't reply to the list though) that I add a
> > > printk to see what the value of maxdevs is. I'll provide the log as soon as
> > > I have rebuilt with:
> > >
> > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c	2025-11-30 22:42:10.000000000 +0000
> > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c	2025-12-08 18:17:33.151567225 +0000
> > > @@ -1588,6 +1588,7 @@
> > >   	ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > >   	master->datstartaddr = ret;
> > >   	master->maxdevs = ret >> 16;
> > > +	printk("maxdevs: %d\n",  master->maxdevs);
> > >   	master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > >   	master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
> > >
> > Yes, that was going to be my suggestion.
> >
> I haven't tried with the driver built-in yet. This is what the printk shows:
> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
> -110
> maxdevs: 65535

Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.

unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);

master->maxdevs = val >> 16;

Frank

> dw-i3c-master AMDI0015:01: probe with driver dw-i3c-master failed with error
> -110
> maxdevs: 11
> ------------[ cut here ]------------
> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
> shift exponent 64 is too large for 64-bit type 'long unsigned int'
> CPU: 0 UID: 0 PID: 7363 Comm: (udev-worker) Not tainted 6.18.0 #1
> PREEMPT(voluntary)
> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
> 11/28/2025
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x5f/0x90
>  dump_stack+0x10/0x18
>  ubsan_epilogue+0x9/0x39
>  __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
>  dw_i3c_master_daa.cold+0x1a/0x90 [dw_i3c_master]
>  i3c_master_do_daa+0x30/0x90 [i3c]
>  i3c_master_register+0x616/0xa80 [i3c]
>  dw_i3c_common_probe+0x298/0x2d0 [dw_i3c_master]
>  dw_i3c_probe+0x30/0x50 [dw_i3c_master]
>  platform_probe+0x42/0xc0
>  ? driver_sysfs_add+0x63/0xd0
>  really_probe+0xf9/0x370
>  ? pm_runtime_barrier+0x56/0xa0
>  __driver_probe_device+0x8b/0x160
>  driver_probe_device+0x24/0xd0
>  ? __pfx___driver_attach+0x10/0x10
>  __driver_attach+0xef/0x220
>  ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
>  bus_for_each_dev+0x8a/0xe0
>  driver_attach+0x1e/0x30
>  bus_add_driver+0x13e/0x230
>  ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
>  driver_register+0x75/0xf0
>  __platform_driver_register+0x1e/0x30
>  dw_i3c_driver_init+0x1c/0xff0 [dw_i3c_master]
>  do_one_initcall+0x59/0x330
>  do_init_module+0x8b/0x290
>  load_module+0x1f2f/0x2320
>  init_module_from_file+0x9b/0x100
>  ? init_module_from_file+0x9b/0x100
>  idempotent_init_module+0x10e/0x300
>  __x64_sys_finit_module+0x73/0xf0
>  ? __secure_computing+0x84/0xe0
>  x64_sys_call+0x1f04/0x2350
>  do_syscall_64+0x82/0xc80
>  ? vfs_read+0x179/0x3a0
>  ? vfs_read+0x179/0x3a0
>  ? __rseq_handle_notify_resume+0xa2/0x4e0
>  ? exit_to_user_mode_loop+0xe6/0x190
>  ? do_syscall_64+0x25c/0xc80
>  ? irqentry_exit+0x43/0x50
>  ? exc_page_fault+0x90/0x1b0
>  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> RIP: 0033:0x70c8bf1348cd
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> 73 01 c3 48 8b 0d 13 f5 0f 00 f7 d8 64 89 01 48
> RSP: 002b:00007ffd8d0e4cf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> RAX: ffffffffffffffda RBX: 000059c987bf15c0 RCX: 000070c8bf1348cd
> RDX: 0000000000000000 RSI: 000070c8be74b336 RDI: 0000000000000065
> RBP: 00007ffd8d0e4d90 R08: 0000000000000000 R09: 000059c987bc1070
> R10: 0000000000000000 R11: 0000000000000246 R12: 000070c8be74b336
> R13: 0000000000020000 R14: 000059c987be8cd0 R15: 000059c987bb1440
>  </TASK>
> ---[ end trace ]---
> maxdevs: 11
> dw-i3c-master AMDI0015:03: probe with driver dw-i3c-master failed with error
> -110
>
>
> --
> linux-i3c mailing list
> linux-i3c at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-i3c

More information about the linux-i3c mailing list