[PATCH v2] i3c: dw: avoid shift-out-of-bounds when DAA assigns no devices

Frank Li Frank.li at oss.nxp.com
Wed Jul 1 11:27:13 PDT 2026


On Tue, Jun 30, 2026 at 10:29:04AM -0700, Jakub Kicinski wrote:
> On an empty bus ENTDAA assigns nothing, so cmd->rx_len (the count
> of addresses left unassigned) equals master->maxdevs.
>
> The GENMASK() index master->maxdevs - cmd->rx_len - 1 then becomes -1,
> which trips up UBSAN. This happens every time on boot on a Gigabyte/AMD
> server:
>
>     UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:905:12
>     shift exponent 64 is too large for 64-bit type 'long unsigned int'
>     CPU: 7 UID: 0 PID: 963 Comm: (udev-worker) Not tainted 7.0.11-200.fc44.x86_64 #1 PREEMPT(lazy)
>     Hardware name: Giga Computing E163-Z34-AAH1-000/MZ33-DC1-000, BIOS R32_F45 04/01/2026
>     Call Trace:
>      <TASK>
>      dump_stack_lvl+0x5d/0x80
>      ubsan_epilogue+0x5/0x2b
>      __ubsan_handle_shift_out_of_bounds.cold+0xd7/0x1ab
>      dw_i3c_master_daa.cold+0x1b/0x96 [dw_i3c_master]
>      i3c_master_do_daa_ext.part.0+0x3e/0xf0 [i3c]
>
> Skip the mask when no new device was assigned.
>
> Fixes: 1dd728f5d4d4 ("i3c: master: Add driver for Synopsys DesignWare IP")
> Signed-off-by: Jakub Kicinski <kuba at kernel.org>
> ---
Next time add change log here.

Reviewed-by: Frank Li <Frank.Li at nxp.com>

> CC: alexandre.belloni at bootlin.com
> CC: Frank.Li at nxp.com
> CC: adrianhoyin.ng at altera.com
> CC: ustc.gu at gmail.com
> CC: bbrezillon at kernel.org
> CC: vitor.soares at synopsys.com
> ---
>  drivers/i3c/master/dw-i3c-master.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
> index 2f8c0c4683e0..dc3b74822f8e 100644
> --- a/drivers/i3c/master/dw-i3c-master.c
> +++ b/drivers/i3c/master/dw-i3c-master.c
> @@ -888,7 +888,15 @@ static int dw_i3c_master_daa(struct i3c_master_controller *m)
>  	if (!wait_for_completion_timeout(&xfer->comp, XFER_TIMEOUT))
>  		dw_i3c_master_dequeue_xfer(master, xfer);
>
> -	newdevs = GENMASK(master->maxdevs - cmd->rx_len - 1, 0);
> +	/*
> +	 * cmd->rx_len holds the number of addresses ENTDAA left unassigned.
> +	 * On an empty bus rx_len == maxdevs, so avoid GENMASK(-1, 0).
> +	 */
> +	if (cmd->rx_len >= master->maxdevs)
> +		newdevs = 0;
> +	else
> +		newdevs = GENMASK(master->maxdevs - cmd->rx_len - 1, 0);
> +
>  	newdevs &= ~olddevs;
>
>  	for (pos = 0; pos < master->maxdevs; pos++) {
> --
> 2.54.0
>
>
> --
> linux-i3c mailing list
> linux-i3c at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-i3c



More information about the linux-i3c mailing list