[PATCH v2] i3c: dw: avoid shift-out-of-bounds when DAA assigns no devices
Frank Li
Frank.li at oss.nxp.com
Wed Jul 1 11:27:13 PDT 2026
On Tue, Jun 30, 2026 at 10:29:04AM -0700, Jakub Kicinski wrote:
> On an empty bus ENTDAA assigns nothing, so cmd->rx_len (the count
> of addresses left unassigned) equals master->maxdevs.
>
> The GENMASK() index master->maxdevs - cmd->rx_len - 1 then becomes -1,
> which trips up UBSAN. This happens every time on boot on a Gigabyte/AMD
> server:
>
> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:905:12
> shift exponent 64 is too large for 64-bit type 'long unsigned int'
> CPU: 7 UID: 0 PID: 963 Comm: (udev-worker) Not tainted 7.0.11-200.fc44.x86_64 #1 PREEMPT(lazy)
> Hardware name: Giga Computing E163-Z34-AAH1-000/MZ33-DC1-000, BIOS R32_F45 04/01/2026
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_shift_out_of_bounds.cold+0xd7/0x1ab
> dw_i3c_master_daa.cold+0x1b/0x96 [dw_i3c_master]
> i3c_master_do_daa_ext.part.0+0x3e/0xf0 [i3c]
>
> Skip the mask when no new device was assigned.
>
> Fixes: 1dd728f5d4d4 ("i3c: master: Add driver for Synopsys DesignWare IP")
> Signed-off-by: Jakub Kicinski <kuba at kernel.org>
> ---
Next time add change log here.
Reviewed-by: Frank Li <Frank.Li at nxp.com>
> CC: alexandre.belloni at bootlin.com
> CC: Frank.Li at nxp.com
> CC: adrianhoyin.ng at altera.com
> CC: ustc.gu at gmail.com
> CC: bbrezillon at kernel.org
> CC: vitor.soares at synopsys.com
> ---
> drivers/i3c/master/dw-i3c-master.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
> index 2f8c0c4683e0..dc3b74822f8e 100644
> --- a/drivers/i3c/master/dw-i3c-master.c
> +++ b/drivers/i3c/master/dw-i3c-master.c
> @@ -888,7 +888,15 @@ static int dw_i3c_master_daa(struct i3c_master_controller *m)
> if (!wait_for_completion_timeout(&xfer->comp, XFER_TIMEOUT))
> dw_i3c_master_dequeue_xfer(master, xfer);
>
> - newdevs = GENMASK(master->maxdevs - cmd->rx_len - 1, 0);
> + /*
> + * cmd->rx_len holds the number of addresses ENTDAA left unassigned.
> + * On an empty bus rx_len == maxdevs, so avoid GENMASK(-1, 0).
> + */
> + if (cmd->rx_len >= master->maxdevs)
> + newdevs = 0;
> + else
> + newdevs = GENMASK(master->maxdevs - cmd->rx_len - 1, 0);
> +
> newdevs &= ~olddevs;
>
> for (pos = 0; pos < master->maxdevs; pos++) {
> --
> 2.54.0
>
>
> --
> linux-i3c mailing list
> linux-i3c at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-i3c
More information about the linux-i3c
mailing list