Possible bug?

Possible bug?

[Jani Partanen]

Hello, I just got Intel Arc B570. It seems to work fine but every boot I 
get this in dmesg:

[  342.865944] ------------[ cut here ]------------
[  342.865950] UBSAN: array-index-out-of-bounds in 
drivers/mtd/devices/mtd_intel_dg.c:750:15
[  342.865954] index 0 is out of range for type '<unknown> [*]'
[  342.865957] CPU: 6 UID: 0 PID: 6184 Comm: (udev-worker) Not tainted 
6.17.7-300.fc43.x86_64 #1 PREEMPT(lazy)
[  342.865961] Hardware name: ASUS System Product Name/ROG CROSSHAIR 
VIII HERO (WI-FI), BIOS 5302 10/03/2025
[  342.865963] Call Trace:
[  342.865967]  <TASK>
[  342.865972]  dump_stack_lvl+0x5d/0x80
[  342.865979]  ubsan_epilogue+0x5/0x2b
[  342.865984]  __ubsan_handle_out_of_bounds.cold+0x54/0x59
[  342.865991]  intel_dg_mtd_probe+0x21b/0x240 [mtd_intel_dg]
[  342.865998]  ? __pfx_intel_dg_mtd_probe+0x10/0x10 [mtd_intel_dg]
[  342.866002]  auxiliary_bus_probe+0x49/0x80
[  342.866006]  ? srso_return_thunk+0x5/0x5f
[  342.866012]  really_probe+0xde/0x340
[  342.866015]  ? pm_runtime_barrier+0x55/0x90
[  342.866019]  __driver_probe_device+0x78/0x140
[  342.866022]  driver_probe_device+0x1f/0xa0
[  342.866025]  ? __pfx___driver_attach+0x10/0x10
[  342.866027]  __driver_attach+0xcb/0x1e0
[  342.866030]  bus_for_each_dev+0x85/0xd0
[  342.866036]  bus_add_driver+0x12f/0x210
[  342.866040]  ? __pfx_intel_dg_mtd_driver_init+0x10/0x10 [mtd_intel_dg]
[  342.866044]  driver_register+0x75/0xe0
[  342.866047]  __auxiliary_driver_register+0x6e/0xd0
[  342.866050]  do_one_initcall+0x5b/0x300
[  342.866058]  do_init_module+0x84/0x280
[  342.866063]  init_module_from_file+0x8a/0xe0
[  342.866071]  idempotent_init_module+0x114/0x310
[  342.866078]  __x64_sys_finit_module+0x6d/0xd0
[  342.866081]  ? syscall_trace_enter+0x108/0x1d0
[  342.866086]  do_syscall_64+0x7e/0x250
[  342.866090]  ? srso_return_thunk+0x5/0x5f
[  342.866092]  ? switch_fpu_return+0x4e/0xd0
[  342.866097]  ? srso_return_thunk+0x5/0x5f
[  342.866099]  ? arch_exit_to_user_mode_prepare.isra.0+0x6a/0x80
[  342.866102]  ? srso_return_thunk+0x5/0x5f
[  342.866105]  ? do_syscall_64+0xb6/0x250
[  342.866108]  ? srso_return_thunk+0x5/0x5f
[  342.866111]  ? terminate_walk+0xef/0x100
[  342.866115]  ? srso_return_thunk+0x5/0x5f
[  342.866118]  ? path_openat+0x116/0x2a0
[  342.866122]  ? srso_return_thunk+0x5/0x5f
[  342.866125]  ? do_filp_open+0xd8/0x180
[  342.866131]  ? __pfx_page_put_link+0x10/0x10
[  342.866137]  ? srso_return_thunk+0x5/0x5f
[  342.866141]  ? srso_return_thunk+0x5/0x5f
[  342.866144]  ? do_sys_openat2+0xa2/0xe0
[  342.866149]  ? srso_return_thunk+0x5/0x5f
[  342.866152]  ? syscall_exit_work+0x143/0x1b0
[  342.866155]  ? srso_return_thunk+0x5/0x5f
[  342.866157]  ? do_syscall_64+0xb6/0x250
[  342.866161]  ? srso_return_thunk+0x5/0x5f
[  342.866163]  ? srso_return_thunk+0x5/0x5f
[  342.866166]  ? irqentry_exit_to_user_mode+0x2c/0x1c0
[  342.866169]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  342.866172] RIP: 0033:0x7fc5052ff34d
[  342.866187] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 83 6a 0f 00 f7 d8 64 89 01 48
[  342.866189] RSP: 002b:00007ffc546026d8 EFLAGS: 00000246 ORIG_RAX: 
0000000000000139
[  342.866193] RAX: ffffffffffffffda RBX: 0000557240396680 RCX: 
00007fc5052ff34d
[  342.866194] RDX: 0000000000000004 RSI: 00007fc5059d85e1 RDI: 
0000000000000021
[  342.866196] RBP: 00007ffc54602770 R08: 0000000000000000 R09: 
00005572401f3fd0
[  342.866197] R10: 0000000000000000 R11: 0000000000000246 R12: 
00007fc5059d85e1
[  342.866199] R13: 0000000000020000 R14: 0000557240210540 R15: 
0000000000000000
[  342.866205]  </TASK>
[  342.866207] ---[ end trace ]---
[  342.866225] ------------[ cut here ]------------
[  342.866226] UBSAN: array-index-out-of-bounds in 
drivers/mtd/devices/mtd_intel_dg.c:751:15
[  342.866229] index 0 is out of range for type '<unknown> [*]'
[  342.866232] CPU: 6 UID: 0 PID: 6184 Comm: (udev-worker) Not tainted 
6.17.7-300.fc43.x86_64 #1 PREEMPT(lazy)
[  342.866234] Hardware name: ASUS System Product Name/ROG CROSSHAIR 
VIII HERO (WI-FI), BIOS 5302 10/03/2025
[  342.866236] Call Trace:
[  342.866237]  <TASK>
[  342.866239]  dump_stack_lvl+0x5d/0x80
[  342.866242]  ubsan_epilogue+0x5/0x2b
[  342.866245]  __ubsan_handle_out_of_bounds.cold+0x54/0x59
[  342.866249]  intel_dg_mtd_probe+0x1fa/0x240 [mtd_intel_dg]
[  342.866254]  ? __pfx_intel_dg_mtd_probe+0x10/0x10 [mtd_intel_dg]
[  342.866258]  auxiliary_bus_probe+0x49/0x80
[  342.866261]  ? srso_return_thunk+0x5/0x5f
[  342.866264]  really_probe+0xde/0x340
[  342.866266]  ? pm_runtime_barrier+0x55/0x90
[  342.866269]  __driver_probe_device+0x78/0x140
[  342.866272]  driver_probe_device+0x1f/0xa0
[  342.866275]  ? __pfx___driver_attach+0x10/0x10
[  342.866277]  __driver_attach+0xcb/0x1e0
[  342.866280]  bus_for_each_dev+0x85/0xd0
[  342.866284]  bus_add_driver+0x12f/0x210
[  342.866289]  ? __pfx_intel_dg_mtd_driver_init+0x10/0x10 [mtd_intel_dg]
[  342.866292]  driver_register+0x75/0xe0
[  342.866295]  __auxiliary_driver_register+0x6e/0xd0
[  342.866298]  do_one_initcall+0x5b/0x300
[  342.866304]  do_init_module+0x84/0x280
[  342.866307]  init_module_from_file+0x8a/0xe0
[  342.866316]  idempotent_init_module+0x114/0x310
[  342.866322]  __x64_sys_finit_module+0x6d/0xd0
[  342.866325]  ? syscall_trace_enter+0x108/0x1d0
[  342.866329]  do_syscall_64+0x7e/0x250
[  342.866331]  ? srso_return_thunk+0x5/0x5f
[  342.866334]  ? switch_fpu_return+0x4e/0xd0
[  342.866337]  ? srso_return_thunk+0x5/0x5f
[  342.866340]  ? arch_exit_to_user_mode_prepare.isra.0+0x6a/0x80
[  342.866342]  ? srso_return_thunk+0x5/0x5f
[  342.866345]  ? do_syscall_64+0xb6/0x250
[  342.866348]  ? srso_return_thunk+0x5/0x5f
[  342.866350]  ? terminate_walk+0xef/0x100
[  342.866353]  ? srso_return_thunk+0x5/0x5f
[  342.866356]  ? path_openat+0x116/0x2a0
[  342.866360]  ? srso_return_thunk+0x5/0x5f
[  342.866363]  ? do_filp_open+0xd8/0x180
[  342.866369]  ? __pfx_page_put_link+0x10/0x10
[  342.866374]  ? srso_return_thunk+0x5/0x5f
[  342.866378]  ? srso_return_thunk+0x5/0x5f
[  342.866381]  ? do_sys_openat2+0xa2/0xe0
[  342.866385]  ? srso_return_thunk+0x5/0x5f
[  342.866388]  ? syscall_exit_work+0x143/0x1b0
[  342.866391]  ? srso_return_thunk+0x5/0x5f
[  342.866394]  ? do_syscall_64+0xb6/0x250
[  342.866397]  ? srso_return_thunk+0x5/0x5f
[  342.866399]  ? srso_return_thunk+0x5/0x5f
[  342.866402]  ? irqentry_exit_to_user_mode+0x2c/0x1c0
[  342.866405]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  342.866407] RIP: 0033:0x7fc5052ff34d
[  342.866411] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 83 6a 0f 00 f7 d8 64 89 01 48
[  342.866413] RSP: 002b:00007ffc546026d8 EFLAGS: 00000246 ORIG_RAX: 
0000000000000139
[  342.866415] RAX: ffffffffffffffda RBX: 0000557240396680 RCX: 
00007fc5052ff34d
[  342.866416] RDX: 0000000000000004 RSI: 00007fc5059d85e1 RDI: 
0000000000000021
[  342.866418] RBP: 00007ffc54602770 R08: 0000000000000000 R09: 
00005572401f3fd0
[  342.866419] R10: 0000000000000000 R11: 0000000000000246 R12: 
00007fc5059d85e1
[  342.866420] R13: 0000000000020000 R14: 0000557240210540 R15: 
0000000000000000
[  342.866427]  </TASK>
[  342.866451] ---[ end trace ]---


I also double checked that it's not some config error in my end by 
starting up Fedora 43 live enviroment what cave me this same error.

As far as I know its related to mtd and here is what I can see:

mtdinfo -a
Count of MTD devices:           4
Present MTD devices:            mtd0, mtd1, mtd2, mtd3
Sysfs interface supported:      yes

mtd0
Name:                           xe.nvm.3584.DESCRIPTOR
Type:                           dataflash
Eraseblock size:                4096 bytes, 4.0 KiB
Amount of eraseblocks:          1 (4096 bytes, 4.0 KiB)
Minimum input/output unit size: 1 byte
Sub-page size:                  1 byte
Character device major/minor:   90:0
Bad blocks are allowed:         false
Device is writable:             false

mtd1
Name:                           xe.nvm.3584.GSC
Type:                           dataflash
Eraseblock size:                4096 bytes, 4.0 KiB
Amount of eraseblocks:          1357 (5558272 bytes, 5.3 MiB)
Minimum input/output unit size: 1 byte
Sub-page size:                  1 byte
Character device major/minor:   90:2
Bad blocks are allowed:         false
Device is writable:             false

mtd2
Name:                           xe.nvm.3584.OptionROM
Type:                           dataflash
Eraseblock size:                4096 bytes, 4.0 KiB
Amount of eraseblocks:          512 (2097152 bytes, 2.0 MiB)
Minimum input/output unit size: 1 byte
Sub-page size:                  1 byte
Character device major/minor:   90:4
Bad blocks are allowed:         false
Device is writable:             false

mtd3
Name:                           xe.nvm.3584.DAM
Type:                           dataflash
Eraseblock size:                4096 bytes, 4.0 KiB
Amount of eraseblocks:          16 (65536 bytes, 64.0 KiB)
Minimum input/output unit size: 1 byte
Sub-page size:                  1 byte
Character device major/minor:   90:6
Bad blocks are allowed:         false
Device is writable:             false

Re: Possible bug?

[Jani Nikula]

On Sun, 09 Nov 2025, Jani Partanen <jiipee@sotapeli.fi> wrote:
> Hello, I just got Intel Arc B570. It seems to work fine but every boot I 
> get this in dmesg:
>
> [  342.865944] ------------[ cut here ]------------
> [  342.865950] UBSAN: array-index-out-of-bounds in 
> drivers/mtd/devices/mtd_intel_dg.c:750:15
> [  342.865954] index 0 is out of range for type '<unknown> [*]'

Cc: Alexander and linux-mtd.

It's probably due to struct intel_dg_nvm regions[] member being
__counted_by(nregions) but regions[] is indexed before nregions has been
initialized.

BR,
Jani.


> [  342.865957] CPU: 6 UID: 0 PID: 6184 Comm: (udev-worker) Not tainted 
> 6.17.7-300.fc43.x86_64 #1 PREEMPT(lazy)
> [  342.865961] Hardware name: ASUS System Product Name/ROG CROSSHAIR 
> VIII HERO (WI-FI), BIOS 5302 10/03/2025
> [  342.865963] Call Trace:
> [  342.865967]  <TASK>
> [  342.865972]  dump_stack_lvl+0x5d/0x80
> [  342.865979]  ubsan_epilogue+0x5/0x2b
> [  342.865984]  __ubsan_handle_out_of_bounds.cold+0x54/0x59
> [  342.865991]  intel_dg_mtd_probe+0x21b/0x240 [mtd_intel_dg]
> [  342.865998]  ? __pfx_intel_dg_mtd_probe+0x10/0x10 [mtd_intel_dg]
> [  342.866002]  auxiliary_bus_probe+0x49/0x80
> [  342.866006]  ? srso_return_thunk+0x5/0x5f
> [  342.866012]  really_probe+0xde/0x340
> [  342.866015]  ? pm_runtime_barrier+0x55/0x90
> [  342.866019]  __driver_probe_device+0x78/0x140
> [  342.866022]  driver_probe_device+0x1f/0xa0
> [  342.866025]  ? __pfx___driver_attach+0x10/0x10
> [  342.866027]  __driver_attach+0xcb/0x1e0
> [  342.866030]  bus_for_each_dev+0x85/0xd0
> [  342.866036]  bus_add_driver+0x12f/0x210
> [  342.866040]  ? __pfx_intel_dg_mtd_driver_init+0x10/0x10 [mtd_intel_dg]
> [  342.866044]  driver_register+0x75/0xe0
> [  342.866047]  __auxiliary_driver_register+0x6e/0xd0
> [  342.866050]  do_one_initcall+0x5b/0x300
> [  342.866058]  do_init_module+0x84/0x280
> [  342.866063]  init_module_from_file+0x8a/0xe0
> [  342.866071]  idempotent_init_module+0x114/0x310
> [  342.866078]  __x64_sys_finit_module+0x6d/0xd0
> [  342.866081]  ? syscall_trace_enter+0x108/0x1d0
> [  342.866086]  do_syscall_64+0x7e/0x250
> [  342.866090]  ? srso_return_thunk+0x5/0x5f
> [  342.866092]  ? switch_fpu_return+0x4e/0xd0
> [  342.866097]  ? srso_return_thunk+0x5/0x5f
> [  342.866099]  ? arch_exit_to_user_mode_prepare.isra.0+0x6a/0x80
> [  342.866102]  ? srso_return_thunk+0x5/0x5f
> [  342.866105]  ? do_syscall_64+0xb6/0x250
> [  342.866108]  ? srso_return_thunk+0x5/0x5f
> [  342.866111]  ? terminate_walk+0xef/0x100
> [  342.866115]  ? srso_return_thunk+0x5/0x5f
> [  342.866118]  ? path_openat+0x116/0x2a0
> [  342.866122]  ? srso_return_thunk+0x5/0x5f
> [  342.866125]  ? do_filp_open+0xd8/0x180
> [  342.866131]  ? __pfx_page_put_link+0x10/0x10
> [  342.866137]  ? srso_return_thunk+0x5/0x5f
> [  342.866141]  ? srso_return_thunk+0x5/0x5f
> [  342.866144]  ? do_sys_openat2+0xa2/0xe0
> [  342.866149]  ? srso_return_thunk+0x5/0x5f
> [  342.866152]  ? syscall_exit_work+0x143/0x1b0
> [  342.866155]  ? srso_return_thunk+0x5/0x5f
> [  342.866157]  ? do_syscall_64+0xb6/0x250
> [  342.866161]  ? srso_return_thunk+0x5/0x5f
> [  342.866163]  ? srso_return_thunk+0x5/0x5f
> [  342.866166]  ? irqentry_exit_to_user_mode+0x2c/0x1c0
> [  342.866169]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [  342.866172] RIP: 0033:0x7fc5052ff34d
> [  342.866187] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 
> 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 
> 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 83 6a 0f 00 f7 d8 64 89 01 48
> [  342.866189] RSP: 002b:00007ffc546026d8 EFLAGS: 00000246 ORIG_RAX: 
> 0000000000000139
> [  342.866193] RAX: ffffffffffffffda RBX: 0000557240396680 RCX: 
> 00007fc5052ff34d
> [  342.866194] RDX: 0000000000000004 RSI: 00007fc5059d85e1 RDI: 
> 0000000000000021
> [  342.866196] RBP: 00007ffc54602770 R08: 0000000000000000 R09: 
> 00005572401f3fd0
> [  342.866197] R10: 0000000000000000 R11: 0000000000000246 R12: 
> 00007fc5059d85e1
> [  342.866199] R13: 0000000000020000 R14: 0000557240210540 R15: 
> 0000000000000000
> [  342.866205]  </TASK>
> [  342.866207] ---[ end trace ]---
> [  342.866225] ------------[ cut here ]------------
> [  342.866226] UBSAN: array-index-out-of-bounds in 
> drivers/mtd/devices/mtd_intel_dg.c:751:15
> [  342.866229] index 0 is out of range for type '<unknown> [*]'
> [  342.866232] CPU: 6 UID: 0 PID: 6184 Comm: (udev-worker) Not tainted 
> 6.17.7-300.fc43.x86_64 #1 PREEMPT(lazy)
> [  342.866234] Hardware name: ASUS System Product Name/ROG CROSSHAIR 
> VIII HERO (WI-FI), BIOS 5302 10/03/2025
> [  342.866236] Call Trace:
> [  342.866237]  <TASK>
> [  342.866239]  dump_stack_lvl+0x5d/0x80
> [  342.866242]  ubsan_epilogue+0x5/0x2b
> [  342.866245]  __ubsan_handle_out_of_bounds.cold+0x54/0x59
> [  342.866249]  intel_dg_mtd_probe+0x1fa/0x240 [mtd_intel_dg]
> [  342.866254]  ? __pfx_intel_dg_mtd_probe+0x10/0x10 [mtd_intel_dg]
> [  342.866258]  auxiliary_bus_probe+0x49/0x80
> [  342.866261]  ? srso_return_thunk+0x5/0x5f
> [  342.866264]  really_probe+0xde/0x340
> [  342.866266]  ? pm_runtime_barrier+0x55/0x90
> [  342.866269]  __driver_probe_device+0x78/0x140
> [  342.866272]  driver_probe_device+0x1f/0xa0
> [  342.866275]  ? __pfx___driver_attach+0x10/0x10
> [  342.866277]  __driver_attach+0xcb/0x1e0
> [  342.866280]  bus_for_each_dev+0x85/0xd0
> [  342.866284]  bus_add_driver+0x12f/0x210
> [  342.866289]  ? __pfx_intel_dg_mtd_driver_init+0x10/0x10 [mtd_intel_dg]
> [  342.866292]  driver_register+0x75/0xe0
> [  342.866295]  __auxiliary_driver_register+0x6e/0xd0
> [  342.866298]  do_one_initcall+0x5b/0x300
> [  342.866304]  do_init_module+0x84/0x280
> [  342.866307]  init_module_from_file+0x8a/0xe0
> [  342.866316]  idempotent_init_module+0x114/0x310
> [  342.866322]  __x64_sys_finit_module+0x6d/0xd0
> [  342.866325]  ? syscall_trace_enter+0x108/0x1d0
> [  342.866329]  do_syscall_64+0x7e/0x250
> [  342.866331]  ? srso_return_thunk+0x5/0x5f
> [  342.866334]  ? switch_fpu_return+0x4e/0xd0
> [  342.866337]  ? srso_return_thunk+0x5/0x5f
> [  342.866340]  ? arch_exit_to_user_mode_prepare.isra.0+0x6a/0x80
> [  342.866342]  ? srso_return_thunk+0x5/0x5f
> [  342.866345]  ? do_syscall_64+0xb6/0x250
> [  342.866348]  ? srso_return_thunk+0x5/0x5f
> [  342.866350]  ? terminate_walk+0xef/0x100
> [  342.866353]  ? srso_return_thunk+0x5/0x5f
> [  342.866356]  ? path_openat+0x116/0x2a0
> [  342.866360]  ? srso_return_thunk+0x5/0x5f
> [  342.866363]  ? do_filp_open+0xd8/0x180
> [  342.866369]  ? __pfx_page_put_link+0x10/0x10
> [  342.866374]  ? srso_return_thunk+0x5/0x5f
> [  342.866378]  ? srso_return_thunk+0x5/0x5f
> [  342.866381]  ? do_sys_openat2+0xa2/0xe0
> [  342.866385]  ? srso_return_thunk+0x5/0x5f
> [  342.866388]  ? syscall_exit_work+0x143/0x1b0
> [  342.866391]  ? srso_return_thunk+0x5/0x5f
> [  342.866394]  ? do_syscall_64+0xb6/0x250
> [  342.866397]  ? srso_return_thunk+0x5/0x5f
> [  342.866399]  ? srso_return_thunk+0x5/0x5f
> [  342.866402]  ? irqentry_exit_to_user_mode+0x2c/0x1c0
> [  342.866405]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [  342.866407] RIP: 0033:0x7fc5052ff34d
> [  342.866411] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 
> 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 
> 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 83 6a 0f 00 f7 d8 64 89 01 48
> [  342.866413] RSP: 002b:00007ffc546026d8 EFLAGS: 00000246 ORIG_RAX: 
> 0000000000000139
> [  342.866415] RAX: ffffffffffffffda RBX: 0000557240396680 RCX: 
> 00007fc5052ff34d
> [  342.866416] RDX: 0000000000000004 RSI: 00007fc5059d85e1 RDI: 
> 0000000000000021
> [  342.866418] RBP: 00007ffc54602770 R08: 0000000000000000 R09: 
> 00005572401f3fd0
> [  342.866419] R10: 0000000000000000 R11: 0000000000000246 R12: 
> 00007fc5059d85e1
> [  342.866420] R13: 0000000000020000 R14: 0000557240210540 R15: 
> 0000000000000000
> [  342.866427]  </TASK>
> [  342.866451] ---[ end trace ]---
>
>
> I also double checked that it's not some config error in my end by 
> starting up Fedora 43 live enviroment what cave me this same error.
>
> As far as I know its related to mtd and here is what I can see:
>
> mtdinfo -a
> Count of MTD devices:           4
> Present MTD devices:            mtd0, mtd1, mtd2, mtd3
> Sysfs interface supported:      yes
>
> mtd0
> Name:                           xe.nvm.3584.DESCRIPTOR
> Type:                           dataflash
> Eraseblock size:                4096 bytes, 4.0 KiB
> Amount of eraseblocks:          1 (4096 bytes, 4.0 KiB)
> Minimum input/output unit size: 1 byte
> Sub-page size:                  1 byte
> Character device major/minor:   90:0
> Bad blocks are allowed:         false
> Device is writable:             false
>
> mtd1
> Name:                           xe.nvm.3584.GSC
> Type:                           dataflash
> Eraseblock size:                4096 bytes, 4.0 KiB
> Amount of eraseblocks:          1357 (5558272 bytes, 5.3 MiB)
> Minimum input/output unit size: 1 byte
> Sub-page size:                  1 byte
> Character device major/minor:   90:2
> Bad blocks are allowed:         false
> Device is writable:             false
>
> mtd2
> Name:                           xe.nvm.3584.OptionROM
> Type:                           dataflash
> Eraseblock size:                4096 bytes, 4.0 KiB
> Amount of eraseblocks:          512 (2097152 bytes, 2.0 MiB)
> Minimum input/output unit size: 1 byte
> Sub-page size:                  1 byte
> Character device major/minor:   90:4
> Bad blocks are allowed:         false
> Device is writable:             false
>
> mtd3
> Name:                           xe.nvm.3584.DAM
> Type:                           dataflash
> Eraseblock size:                4096 bytes, 4.0 KiB
> Amount of eraseblocks:          16 (65536 bytes, 64.0 KiB)
> Minimum input/output unit size: 1 byte
> Sub-page size:                  1 byte
> Character device major/minor:   90:6
> Bad blocks are allowed:         false
> Device is writable:             false
>

-- 
Jani Nikula, Intel

Re: Possible bug?

[Lucas De Marchi]

On Mon, Nov 10, 2025 at 03:49:20PM +0200, Jani Nikula wrote:
>On Sun, 09 Nov 2025, Jani Partanen <jiipee@sotapeli.fi> wrote:
>> Hello, I just got Intel Arc B570. It seems to work fine but every boot I
>> get this in dmesg:
>>
>> [  342.865944] ------------[ cut here ]------------
>> [  342.865950] UBSAN: array-index-out-of-bounds in
>> drivers/mtd/devices/mtd_intel_dg.c:750:15
>> [  342.865954] index 0 is out of range for type '<unknown> [*]'
>
>Cc: Alexander and linux-mtd.
>
>It's probably due to struct intel_dg_nvm regions[] member being
>__counted_by(nregions) but regions[] is indexed before nregions has been
>initialized.

yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
something like this?

Lucas De Marchi

----
diff --git a/drivers/mtd/devices/mtd_intel_dg.c b/drivers/mtd/devices/mtd_intel_dg.c
index b438ee5aacc34..114e69135b8d9 100644
--- a/drivers/mtd/devices/mtd_intel_dg.c
+++ b/drivers/mtd/devices/mtd_intel_dg.c
@@ -738,6 +738,7 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev,
  
  	kref_init(&nvm->refcnt);
  	mutex_init(&nvm->lock);
+	nvm->nregions = nregions;
  
  	for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
  		if (!invm->regions[i].name)
@@ -745,13 +746,15 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev,
  
  		char *name = kasprintf(GFP_KERNEL, "%s.%s",
  				       dev_name(&aux_dev->dev), invm->regions[i].name);
-		if (!name)
-			continue;
+		if (!name) {
+			ret = -ENOMEM;
+			goto err;
+		}
+
  		nvm->regions[n].name = name;
  		nvm->regions[n].id = i;
  		n++;
  	}
-	nvm->nregions = n; /* in case where kasprintf fail */
  
  	nvm->base = devm_ioremap_resource(device, &invm->bar);
  	if (IS_ERR(nvm->base)) {

RE: Possible bug?

[Usyskin, Alexander]

> On Mon, Nov 10, 2025 at 03:49:20PM +0200, Jani Nikula wrote:
> >On Sun, 09 Nov 2025, Jani Partanen <jiipee@sotapeli.fi> wrote:
> >> Hello, I just got Intel Arc B570. It seems to work fine but every boot I
> >> get this in dmesg:
> >>
> >> [  342.865944] ------------[ cut here ]------------
> >> [  342.865950] UBSAN: array-index-out-of-bounds in
> >> drivers/mtd/devices/mtd_intel_dg.c:750:15
> >> [  342.865954] index 0 is out of range for type '<unknown> [*]'
> >
> >Cc: Alexander and linux-mtd.
> >
> >It's probably due to struct intel_dg_nvm regions[] member being
> >__counted_by(nregions) but regions[] is indexed before nregions has been
> >initialized.
> 
> yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
> something like this?
> 

In general, looks good for me, but I see that we can fill less entries because of
                if (!invm->regions[i].name)
                        continue;

Let's leave 'nvm->nregions = n;' in place, only need to fix the comment.

- - 
Thanks,
Sasha

> Lucas De Marchi
> 
> ----
> diff --git a/drivers/mtd/devices/mtd_intel_dg.c
> b/drivers/mtd/devices/mtd_intel_dg.c
> index b438ee5aacc34..114e69135b8d9 100644
> --- a/drivers/mtd/devices/mtd_intel_dg.c
> +++ b/drivers/mtd/devices/mtd_intel_dg.c
> @@ -738,6 +738,7 @@ static int intel_dg_mtd_probe(struct auxiliary_device
> *aux_dev,
> 
>   	kref_init(&nvm->refcnt);
>   	mutex_init(&nvm->lock);
> +	nvm->nregions = nregions;
> 
>   	for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
>   		if (!invm->regions[i].name)
> @@ -745,13 +746,15 @@ static int intel_dg_mtd_probe(struct
> auxiliary_device *aux_dev,
> 
>   		char *name = kasprintf(GFP_KERNEL, "%s.%s",
>   				       dev_name(&aux_dev->dev), invm-
> >regions[i].name);
> -		if (!name)
> -			continue;
> +		if (!name) {
> +			ret = -ENOMEM;
> +			goto err;
> +		}
> +
>   		nvm->regions[n].name = name;
>   		nvm->regions[n].id = i;
>   		n++;
>   	}
> -	nvm->nregions = n; /* in case where kasprintf fail */
> 
>   	nvm->base = devm_ioremap_resource(device, &invm->bar);
>   	if (IS_ERR(nvm->base)) {

RE: Possible bug?

[Jani Nikula]

On Tue, 11 Nov 2025, "Usyskin, Alexander" <alexander.usyskin@intel.com> wrote:
>> On Mon, Nov 10, 2025 at 03:49:20PM +0200, Jani Nikula wrote:
>> >On Sun, 09 Nov 2025, Jani Partanen <jiipee@sotapeli.fi> wrote:
>> >> Hello, I just got Intel Arc B570. It seems to work fine but every boot I
>> >> get this in dmesg:
>> >>
>> >> [  342.865944] ------------[ cut here ]------------
>> >> [  342.865950] UBSAN: array-index-out-of-bounds in
>> >> drivers/mtd/devices/mtd_intel_dg.c:750:15
>> >> [  342.865954] index 0 is out of range for type '<unknown> [*]'
>> >
>> >Cc: Alexander and linux-mtd.
>> >
>> >It's probably due to struct intel_dg_nvm regions[] member being
>> >__counted_by(nregions) but regions[] is indexed before nregions has been
>> >initialized.
>> 
>> yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
>> something like this?
>> 
>
> In general, looks good for me, but I see that we can fill less entries because of
>                 if (!invm->regions[i].name)
>                         continue;
>
> Let's leave 'nvm->nregions = n;' in place, only need to fix the comment.

You have this in place, nregions already accouns for them:

	/* count available regions */
	for (nregions = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
		if (invm->regions[i].name)
			nregions++;
	}

BR,
Jani.


>
> - - 
> Thanks,
> Sasha
>
>> Lucas De Marchi
>> 
>> ----
>> diff --git a/drivers/mtd/devices/mtd_intel_dg.c
>> b/drivers/mtd/devices/mtd_intel_dg.c
>> index b438ee5aacc34..114e69135b8d9 100644
>> --- a/drivers/mtd/devices/mtd_intel_dg.c
>> +++ b/drivers/mtd/devices/mtd_intel_dg.c
>> @@ -738,6 +738,7 @@ static int intel_dg_mtd_probe(struct auxiliary_device
>> *aux_dev,
>> 
>>   	kref_init(&nvm->refcnt);
>>   	mutex_init(&nvm->lock);
>> +	nvm->nregions = nregions;
>> 
>>   	for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
>>   		if (!invm->regions[i].name)
>> @@ -745,13 +746,15 @@ static int intel_dg_mtd_probe(struct
>> auxiliary_device *aux_dev,
>> 
>>   		char *name = kasprintf(GFP_KERNEL, "%s.%s",
>>   				       dev_name(&aux_dev->dev), invm-
>> >regions[i].name);
>> -		if (!name)
>> -			continue;
>> +		if (!name) {
>> +			ret = -ENOMEM;
>> +			goto err;
>> +		}
>> +
>>   		nvm->regions[n].name = name;
>>   		nvm->regions[n].id = i;
>>   		n++;
>>   	}
>> -	nvm->nregions = n; /* in case where kasprintf fail */
>> 
>>   	nvm->base = devm_ioremap_resource(device, &invm->bar);
>>   	if (IS_ERR(nvm->base)) {

-- 
Jani Nikula, Intel

RE: Possible bug?

[Usyskin, Alexander]

> >> >
> >> >It's probably due to struct intel_dg_nvm regions[] member being
> >> >__counted_by(nregions) but regions[] is indexed before nregions has
> been
> >> >initialized.
> >>
> >> yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
> >> something like this?
> >>
> >
> > In general, looks good for me, but I see that we can fill less entries because
> of
> >                 if (!invm->regions[i].name)
> >                         continue;
> >
> > Let's leave 'nvm->nregions = n;' in place, only need to fix the comment.
> 
> You have this in place, nregions already accouns for them:
> 
> 	/* count available regions */
> 	for (nregions = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
> 		if (invm->regions[i].name)
> 			nregions++;
> 	}
> 

Yeah, missed this, so original fix from Lucas is ok

- - 
Thanks,
Sasha



> BR,
> Jani.
> 
> 

Re: Possible bug?

[Lucas De Marchi]

On Tue, Nov 11, 2025 at 10:58:03AM +0000, Usyskin, Alexander wrote:
>> >> >
>> >> >It's probably due to struct intel_dg_nvm regions[] member being
>> >> >__counted_by(nregions) but regions[] is indexed before nregions has
>> been
>> >> >initialized.
>> >>
>> >> yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
>> >> something like this?
>> >>
>> >
>> > In general, looks good for me, but I see that we can fill less entries because
>> of
>> >                 if (!invm->regions[i].name)
>> >                         continue;
>> >
>> > Let's leave 'nvm->nregions = n;' in place, only need to fix the comment.
>>
>> You have this in place, nregions already accouns for them:
>>
>> 	/* count available regions */
>> 	for (nregions = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
>> 		if (invm->regions[i].name)
>> 			nregions++;
>> 	}
>>
>
>Yeah, missed this, so original fix from Lucas is ok

I submitted it as a proper patch with commit message:

https://lore.kernel.org/all/20251111-mtd-nregions-v1-1-61db61e78c63@intel.com/

Lucas De Marchi