* Possible bug?
From: Jani Partanen @ 2025-11-08 22:19 UTC
To: intel-xe

Hello, I just got Intel Arc B570. It seems to work fine but every boot I
get this in dmesg:

[ 342.865944] ------------[ cut here ]------------
[ 342.865950] UBSAN: array-index-out-of-bounds in drivers/mtd/devices/mtd_intel_dg.c:750:15
[ 342.865954] index 0 is out of range for type '<unknown> [*]'
[ 342.865957] CPU: 6 UID: 0 PID: 6184 Comm: (udev-worker) Not tainted 6.17.7-300.fc43.x86_64 #1 PREEMPT(lazy)
[ 342.865961] Hardware name: ASUS System Product Name/ROG CROSSHAIR VIII HERO (WI-FI), BIOS 5302 10/03/2025
[ 342.865963] Call Trace:
[ 342.865967] <TASK>
[ 342.865972] dump_stack_lvl+0x5d/0x80
[ 342.865979] ubsan_epilogue+0x5/0x2b
[ 342.865984] __ubsan_handle_out_of_bounds.cold+0x54/0x59
[ 342.865991] intel_dg_mtd_probe+0x21b/0x240 [mtd_intel_dg]
[ 342.865998] ? __pfx_intel_dg_mtd_probe+0x10/0x10 [mtd_intel_dg]
[ 342.866002] auxiliary_bus_probe+0x49/0x80
[ 342.866006] ? srso_return_thunk+0x5/0x5f
[ 342.866012] really_probe+0xde/0x340
[ 342.866015] ? pm_runtime_barrier+0x55/0x90
[ 342.866019] __driver_probe_device+0x78/0x140
[ 342.866022] driver_probe_device+0x1f/0xa0
[ 342.866025] ? __pfx___driver_attach+0x10/0x10
[ 342.866027] __driver_attach+0xcb/0x1e0
[ 342.866030] bus_for_each_dev+0x85/0xd0
[ 342.866036] bus_add_driver+0x12f/0x210
[ 342.866040] ? __pfx_intel_dg_mtd_driver_init+0x10/0x10 [mtd_intel_dg]
[ 342.866044] driver_register+0x75/0xe0
[ 342.866047] __auxiliary_driver_register+0x6e/0xd0
[ 342.866050] do_one_initcall+0x5b/0x300
[ 342.866058] do_init_module+0x84/0x280
[ 342.866063] init_module_from_file+0x8a/0xe0
[ 342.866071] idempotent_init_module+0x114/0x310
[ 342.866078] __x64_sys_finit_module+0x6d/0xd0
[ 342.866081] ? syscall_trace_enter+0x108/0x1d0
[ 342.866086] do_syscall_64+0x7e/0x250
[ 342.866090] ? srso_return_thunk+0x5/0x5f
[ 342.866092] ? switch_fpu_return+0x4e/0xd0
[ 342.866097] ? srso_return_thunk+0x5/0x5f
[ 342.866099] ? arch_exit_to_user_mode_prepare.isra.0+0x6a/0x80
[ 342.866102] ? srso_return_thunk+0x5/0x5f
[ 342.866105] ? do_syscall_64+0xb6/0x250
[ 342.866108] ? srso_return_thunk+0x5/0x5f
[ 342.866111] ? terminate_walk+0xef/0x100
[ 342.866115] ? srso_return_thunk+0x5/0x5f
[ 342.866118] ? path_openat+0x116/0x2a0
[ 342.866122] ? srso_return_thunk+0x5/0x5f
[ 342.866125] ? do_filp_open+0xd8/0x180
[ 342.866131] ? __pfx_page_put_link+0x10/0x10
[ 342.866137] ? srso_return_thunk+0x5/0x5f
[ 342.866141] ? srso_return_thunk+0x5/0x5f
[ 342.866144] ? do_sys_openat2+0xa2/0xe0
[ 342.866149] ? srso_return_thunk+0x5/0x5f
[ 342.866152] ? syscall_exit_work+0x143/0x1b0
[ 342.866155] ? srso_return_thunk+0x5/0x5f
[ 342.866157] ? do_syscall_64+0xb6/0x250
[ 342.866161] ? srso_return_thunk+0x5/0x5f
[ 342.866163] ? srso_return_thunk+0x5/0x5f
[ 342.866166] ? irqentry_exit_to_user_mode+0x2c/0x1c0
[ 342.866169] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 342.866172] RIP: 0033:0x7fc5052ff34d
[ 342.866187] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 83 6a 0f 00 f7 d8 64 89 01 48
[ 342.866189] RSP: 002b:00007ffc546026d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 342.866193] RAX: ffffffffffffffda RBX: 0000557240396680 RCX: 00007fc5052ff34d
[ 342.866194] RDX: 0000000000000004 RSI: 00007fc5059d85e1 RDI: 0000000000000021
[ 342.866196] RBP: 00007ffc54602770 R08: 0000000000000000 R09: 00005572401f3fd0
[ 342.866197] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc5059d85e1
[ 342.866199] R13: 0000000000020000 R14: 0000557240210540 R15: 0000000000000000
[ 342.866205] </TASK>
[ 342.866207] ---[ end trace ]---
[ 342.866225] ------------[ cut here ]------------
[ 342.866226] UBSAN: array-index-out-of-bounds in drivers/mtd/devices/mtd_intel_dg.c:751:15
[ 342.866229] index 0 is out of range for type '<unknown> [*]'
[ 342.866232] CPU: 6 UID: 0 PID: 6184 Comm: (udev-worker) Not tainted 6.17.7-300.fc43.x86_64 #1 PREEMPT(lazy)
[ 342.866234] Hardware name: ASUS System Product Name/ROG CROSSHAIR VIII HERO (WI-FI), BIOS 5302 10/03/2025
[ 342.866236] Call Trace:
[ 342.866237] <TASK>
[ 342.866239] dump_stack_lvl+0x5d/0x80
[ 342.866242] ubsan_epilogue+0x5/0x2b
[ 342.866245] __ubsan_handle_out_of_bounds.cold+0x54/0x59
[ 342.866249] intel_dg_mtd_probe+0x1fa/0x240 [mtd_intel_dg]
[ 342.866254] ? __pfx_intel_dg_mtd_probe+0x10/0x10 [mtd_intel_dg]
[ 342.866258] auxiliary_bus_probe+0x49/0x80
[ 342.866261] ? srso_return_thunk+0x5/0x5f
[ 342.866264] really_probe+0xde/0x340
[ 342.866266] ? pm_runtime_barrier+0x55/0x90
[ 342.866269] __driver_probe_device+0x78/0x140
[ 342.866272] driver_probe_device+0x1f/0xa0
[ 342.866275] ? __pfx___driver_attach+0x10/0x10
[ 342.866277] __driver_attach+0xcb/0x1e0
[ 342.866280] bus_for_each_dev+0x85/0xd0
[ 342.866284] bus_add_driver+0x12f/0x210
[ 342.866289] ? __pfx_intel_dg_mtd_driver_init+0x10/0x10 [mtd_intel_dg]
[ 342.866292] driver_register+0x75/0xe0
[ 342.866295] __auxiliary_driver_register+0x6e/0xd0
[ 342.866298] do_one_initcall+0x5b/0x300
[ 342.866304] do_init_module+0x84/0x280
[ 342.866307] init_module_from_file+0x8a/0xe0
[ 342.866316] idempotent_init_module+0x114/0x310
[ 342.866322] __x64_sys_finit_module+0x6d/0xd0
[ 342.866325] ? syscall_trace_enter+0x108/0x1d0
[ 342.866329] do_syscall_64+0x7e/0x250
[ 342.866331] ? srso_return_thunk+0x5/0x5f
[ 342.866334] ? switch_fpu_return+0x4e/0xd0
[ 342.866337] ? srso_return_thunk+0x5/0x5f
[ 342.866340] ? arch_exit_to_user_mode_prepare.isra.0+0x6a/0x80
[ 342.866342] ? srso_return_thunk+0x5/0x5f
[ 342.866345] ? do_syscall_64+0xb6/0x250
[ 342.866348] ? srso_return_thunk+0x5/0x5f
[ 342.866350] ? terminate_walk+0xef/0x100
[ 342.866353] ? srso_return_thunk+0x5/0x5f
[ 342.866356] ? path_openat+0x116/0x2a0
[ 342.866360] ? srso_return_thunk+0x5/0x5f
[ 342.866363] ? do_filp_open+0xd8/0x180
[ 342.866369] ? __pfx_page_put_link+0x10/0x10
[ 342.866374] ? srso_return_thunk+0x5/0x5f
[ 342.866378] ? srso_return_thunk+0x5/0x5f
[ 342.866381] ? do_sys_openat2+0xa2/0xe0
[ 342.866385] ? srso_return_thunk+0x5/0x5f
[ 342.866388] ? syscall_exit_work+0x143/0x1b0
[ 342.866391] ? srso_return_thunk+0x5/0x5f
[ 342.866394] ? do_syscall_64+0xb6/0x250
[ 342.866397] ? srso_return_thunk+0x5/0x5f
[ 342.866399] ? srso_return_thunk+0x5/0x5f
[ 342.866402] ? irqentry_exit_to_user_mode+0x2c/0x1c0
[ 342.866405] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 342.866407] RIP: 0033:0x7fc5052ff34d
[ 342.866411] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 83 6a 0f 00 f7 d8 64 89 01 48
[ 342.866413] RSP: 002b:00007ffc546026d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 342.866415] RAX: ffffffffffffffda RBX: 0000557240396680 RCX: 00007fc5052ff34d
[ 342.866416] RDX: 0000000000000004 RSI: 00007fc5059d85e1 RDI: 0000000000000021
[ 342.866418] RBP: 00007ffc54602770 R08: 0000000000000000 R09: 00005572401f3fd0
[ 342.866419] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc5059d85e1
[ 342.866420] R13: 0000000000020000 R14: 0000557240210540 R15: 0000000000000000
[ 342.866427] </TASK>
[ 342.866451] ---[ end trace ]---

I also double checked that it's not some config error in my end by
starting up Fedora 43 live environment what gave me this same error.

As far as I know it's related to mtd and here is what I can see:

mtdinfo -a
Count of MTD devices: 4
Present MTD devices: mtd0, mtd1, mtd2, mtd3
Sysfs interface supported: yes

mtd0
Name: xe.nvm.3584.DESCRIPTOR
Type: dataflash
Eraseblock size: 4096 bytes, 4.0 KiB
Amount of eraseblocks: 1 (4096 bytes, 4.0 KiB)
Minimum input/output unit size: 1 byte
Sub-page size: 1 byte
Character device major/minor: 90:0
Bad blocks are allowed: false
Device is writable: false

mtd1
Name: xe.nvm.3584.GSC
Type: dataflash
Eraseblock size: 4096 bytes, 4.0 KiB
Amount of eraseblocks: 1357 (5558272 bytes, 5.3 MiB)
Minimum input/output unit size: 1 byte
Sub-page size: 1 byte
Character device major/minor: 90:2
Bad blocks are allowed: false
Device is writable: false

mtd2
Name: xe.nvm.3584.OptionROM
Type: dataflash
Eraseblock size: 4096 bytes, 4.0 KiB
Amount of eraseblocks: 512 (2097152 bytes, 2.0 MiB)
Minimum input/output unit size: 1 byte
Sub-page size: 1 byte
Character device major/minor: 90:4
Bad blocks are allowed: false
Device is writable: false

mtd3
Name: xe.nvm.3584.DAM
Type: dataflash
Eraseblock size: 4096 bytes, 4.0 KiB
Amount of eraseblocks: 16 (65536 bytes, 64.0 KiB)
Minimum input/output unit size: 1 byte
Sub-page size: 1 byte
Character device major/minor: 90:6
Bad blocks are allowed: false
Device is writable: false

* Re: Possible bug?
From: Jani Nikula @ 2025-11-10 13:49 UTC
To: Jani Partanen, intel-xe; +Cc: Alexander Usyskin, linux-mtd

On Sun, 09 Nov 2025, Jani Partanen <jiipee@sotapeli.fi> wrote:
> Hello, I just got Intel Arc B570. It seems to work fine but every boot I
> get this in dmesg:
>
> [ 342.865944] ------------[ cut here ]------------
> [ 342.865950] UBSAN: array-index-out-of-bounds in
> drivers/mtd/devices/mtd_intel_dg.c:750:15
> [ 342.865954] index 0 is out of range for type '<unknown> [*]'

Cc: Alexander and linux-mtd.

It's probably due to struct intel_dg_nvm regions[] member being
__counted_by(nregions) but regions[] is indexed before nregions has been
initialized.

BR,
Jani.

--
Jani Nikula, Intel

* Re: Possible bug?
From: Lucas De Marchi @ 2025-11-10 18:10 UTC
To: Jani Nikula; +Cc: Jani Partanen, intel-xe, Alexander Usyskin, linux-mtd

On Mon, Nov 10, 2025 at 03:49:20PM +0200, Jani Nikula wrote:
>On Sun, 09 Nov 2025, Jani Partanen <jiipee@sotapeli.fi> wrote:
>> Hello, I just got Intel Arc B570. It seems to work fine but every boot I
>> get this in dmesg:
>>
>> [ 342.865944] ------------[ cut here ]------------
>> [ 342.865950] UBSAN: array-index-out-of-bounds in
>> drivers/mtd/devices/mtd_intel_dg.c:750:15
>> [ 342.865954] index 0 is out of range for type '<unknown> [*]'
>
>Cc: Alexander and linux-mtd.
>
>It's probably due to struct intel_dg_nvm regions[] member being
>__counted_by(nregions) but regions[] is indexed before nregions has been
>initialized.

yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
something like this?

Lucas De Marchi

----
diff --git a/drivers/mtd/devices/mtd_intel_dg.c b/drivers/mtd/devices/mtd_intel_dg.c index b438ee5aacc34..114e69135b8d9 100644 --- a/drivers/mtd/devices/mtd_intel_dg.c +++ b/drivers/mtd/devices/mtd_intel_dg.c @@ -738,6 +738,7 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev, kref_init(&nvm->refcnt); mutex_init(&nvm->lock); + nvm->nregions = nregions; for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) { if (!invm->regions[i].name) 
@@ -745,13 +746,15 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev, char *name = kasprintf(GFP_KERNEL, "%s.%s", dev_name(&aux_dev->dev), invm->regions[i].name); - if (!name) - continue; + if (!name) { + ret = -ENOMEM; + goto err; + } + nvm->regions[n].name = name; nvm->regions[n].id = i; n++; } - nvm->nregions = n; /* in case where kasprintf fail */ nvm->base = devm_ioremap_resource(device, &invm->bar); if (IS_ERR(nvm->base)) { ^ permalink raw reply related [flat|nested] 7+ messages in thread
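Review bot: the new 'nvm->nregions = nregions;' after 'mutex_init(&nvm->lock);' in the -738,6 hunk carries no comment saying why it has to sit above the fill loop, and the second hunk deletes the only comment that was attached to the counter. A one-line comment here, noting that regions[] is checked against nregions (the __counted_by(nregions) diagnosis earlier in the thread) and so the counter must be valid before the first 'nvm->regions[n]' store, would keep a later cleanup from moving the assignment back below the loop.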
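Review bot: on the new 'goto err' path in the -745,13 hunk, n names have already been stored in nvm->regions[] while nvm->nregions now holds the full count set in the first hunk, and neither the 'err' label nor its cleanup is visible in this context. Please confirm that the error path frees the kasprintf() strings stored so far and tolerates the entries from n onward whose 'name' was never assigned, and say so in the commit message, since the removed 'nvm->nregions = n;' was what previously limited the count to filled entries.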
* RE: Possible bug?
From: Usyskin, Alexander @ 2025-11-11 7:02 UTC
To: De Marchi, Lucas, Jani Nikula
Cc: Jani Partanen, intel-xe@lists.freedesktop.org, linux-mtd@lists.infradead.org

> On Mon, Nov 10, 2025 at 03:49:20PM +0200, Jani Nikula wrote:
> >On Sun, 09 Nov 2025, Jani Partanen <jiipee@sotapeli.fi> wrote:
> >> Hello, I just got Intel Arc B570. It seems to work fine but every boot I
> >> get this in dmesg:
> >>
> >> [ 342.865944] ------------[ cut here ]------------
> >> [ 342.865950] UBSAN: array-index-out-of-bounds in
> >> drivers/mtd/devices/mtd_intel_dg.c:750:15
> >> [ 342.865954] index 0 is out of range for type '<unknown> [*]'
> >
> >Cc: Alexander and linux-mtd.
> >
> >It's probably due to struct intel_dg_nvm regions[] member being
> >__counted_by(nregions) but regions[] is indexed before nregions has been
> >initialized.
>
> yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
> something like this?
>

In general, looks good for me, but I see that we can fill less entries because of
	if (!invm->regions[i].name)
		continue;

Let's leave 'nvm->nregions = n;' in place, only need to fix the comment.

- -
Thanks,
Sasha

> Lucas De Marchi
>
> ----
> diff --git a/drivers/mtd/devices/mtd_intel_dg.c > b/drivers/mtd/devices/mtd_intel_dg.c > index b438ee5aacc34..114e69135b8d9 100644 > --- a/drivers/mtd/devices/mtd_intel_dg.c > +++ b/drivers/mtd/devices/mtd_intel_dg.c > @@ -738,6 +738,7 @@ static int intel_dg_mtd_probe(struct auxiliary_device > *aux_dev, > > kref_init(&nvm->refcnt); > mutex_init(&nvm->lock); > + nvm->nregions = nregions; > > for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) { > if (!invm->regions[i].name) 
> @@ -745,13 +746,15 @@ static int intel_dg_mtd_probe(struct > auxiliary_device *aux_dev, > > char *name = kasprintf(GFP_KERNEL, "%s.%s", > dev_name(&aux_dev->dev), invm- > >regions[i].name); > - if (!name) > - continue; > + if (!name) { > + ret = -ENOMEM; > + goto err; > + } > + > nvm->regions[n].name = name; > nvm->regions[n].id = i; > n++; > } > - nvm->nregions = n; /* in case where kasprintf fail */ > > nvm->base = devm_ioremap_resource(device, &invm->bar); > if (IS_ERR(nvm->base)) { ^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: Possible bug?
From: Jani Nikula @ 2025-11-11 8:06 UTC
To: Usyskin, Alexander, De Marchi, Lucas
Cc: Jani Partanen, intel-xe@lists.freedesktop.org, linux-mtd@lists.infradead.org

On Tue, 11 Nov 2025, "Usyskin, Alexander" <alexander.usyskin@intel.com> wrote:
>> On Mon, Nov 10, 2025 at 03:49:20PM +0200, Jani Nikula wrote:
>> >On Sun, 09 Nov 2025, Jani Partanen <jiipee@sotapeli.fi> wrote:
>> >> Hello, I just got Intel Arc B570. It seems to work fine but every boot I
>> >> get this in dmesg:
>> >>
>> >> [ 342.865944] ------------[ cut here ]------------
>> >> [ 342.865950] UBSAN: array-index-out-of-bounds in
>> >> drivers/mtd/devices/mtd_intel_dg.c:750:15
>> >> [ 342.865954] index 0 is out of range for type '<unknown> [*]'
>> >
>> >Cc: Alexander and linux-mtd.
>> >
>> >It's probably due to struct intel_dg_nvm regions[] member being
>> >__counted_by(nregions) but regions[] is indexed before nregions has been
>> >initialized.
>>
>> yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
>> something like this?
>>
>
> In general, looks good for me, but I see that we can fill less entries because of
> 	if (!invm->regions[i].name)
> 		continue;
>
> Let's leave 'nvm->nregions = n;' in place, only need to fix the comment.

You have this in place, nregions already accounts for them:

	/* count available regions */
	for (nregions = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
		if (invm->regions[i].name)
			nregions++;
	}

BR,
Jani.

>
> - -
> Thanks,
> Sasha
>
>> Lucas De Marchi
>>
>> ----
>> diff --git a/drivers/mtd/devices/mtd_intel_dg.c >> b/drivers/mtd/devices/mtd_intel_dg.c >> index b438ee5aacc34..114e69135b8d9 100644 >> --- a/drivers/mtd/devices/mtd_intel_dg.c >> +++ b/drivers/mtd/devices/mtd_intel_dg.c 
>> @@ -738,6 +738,7 @@ static int intel_dg_mtd_probe(struct auxiliary_device >> *aux_dev, >> >> kref_init(&nvm->refcnt); >> mutex_init(&nvm->lock); >> + nvm->nregions = nregions; >> >> for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) { >> if (!invm->regions[i].name) >> @@ -745,13 +746,15 @@ static int intel_dg_mtd_probe(struct >> auxiliary_device *aux_dev, >> >> char *name = kasprintf(GFP_KERNEL, "%s.%s", >> dev_name(&aux_dev->dev), invm- >> >regions[i].name); >> - if (!name) >> - continue; >> + if (!name) { >> + ret = -ENOMEM; >> + goto err; >> + } >> + >> nvm->regions[n].name = name; >> nvm->regions[n].id = i; >> n++; >> } >> - nvm->nregions = n; /* in case where kasprintf fail */ >> >> nvm->base = devm_ioremap_resource(device, &invm->bar); >> if (IS_ERR(nvm->base)) { -- Jani Nikula, Intel ^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: Possible bug?
From: Usyskin, Alexander @ 2025-11-11 10:58 UTC
To: Jani Nikula, De Marchi, Lucas
Cc: Jani Partanen, intel-xe@lists.freedesktop.org, linux-mtd@lists.infradead.org

> >> >
> >> >It's probably due to struct intel_dg_nvm regions[] member being
> >> >__counted_by(nregions) but regions[] is indexed before nregions has been
> >> >initialized.
> >>
> >> yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
> >> something like this?
> >>
> >
> > In general, looks good for me, but I see that we can fill less entries because of
> > 	if (!invm->regions[i].name)
> > 		continue;
> >
> > Let's leave 'nvm->nregions = n;' in place, only need to fix the comment.
>
> You have this in place, nregions already accounts for them:
>
> 	/* count available regions */
> 	for (nregions = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
> 		if (invm->regions[i].name)
> 			nregions++;
> 	}
>

Yeah, missed this, so original fix from Lucas is ok

- -
Thanks,
Sasha

> BR,
> Jani.
>
>

* Re: Possible bug?
From: Lucas De Marchi @ 2025-11-12 14:57 UTC
To: Usyskin, Alexander
Cc: Jani Nikula, Jani Partanen, intel-xe@lists.freedesktop.org, linux-mtd@lists.infradead.org

On Tue, Nov 11, 2025 at 10:58:03AM +0000, Usyskin, Alexander wrote:
>> >> >
>> >> >It's probably due to struct intel_dg_nvm regions[] member being
>> >> >__counted_by(nregions) but regions[] is indexed before nregions has been
>> >> >initialized.
>> >>
>> >> yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
>> >> something like this?
>> >>
>> >
>> > In general, looks good for me, but I see that we can fill less entries because of
>> > 	if (!invm->regions[i].name)
>> > 		continue;
>> >
>> > Let's leave 'nvm->nregions = n;' in place, only need to fix the comment.
>>
>> You have this in place, nregions already accounts for them:
>>
>> 	/* count available regions */
>> 	for (nregions = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
>> 		if (invm->regions[i].name)
>> 			nregions++;
>> 	}
>>
>
>Yeah, missed this, so original fix from Lucas is ok

I submitted it as a proper patch with commit message:
https://lore.kernel.org/all/20251111-mtd-nregions-v1-1-61db61e78c63@intel.com/

Lucas De Marchi

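The ordering problem diagnosed in this thread, as an added user-space C example (not code from the driver or from anyone on the thread): the bounds check on a __counted_by(nregions) array is modelled as an explicit comparison against the current counter, so filling regions[] before nregions is set gets flagged on every store, while setting the counter first does not. region_at, nvm_probe, make_name, SRC_SLOTS and the slot layout are assumptions made for illustration; the region names are taken from the mtdinfo output in the first message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SRC_SLOTS 6 /* constructed slot count for this example */
struct region { char *name; unsigned int id; };
struct nvm {
	unsigned int nregions;   /* counter the array is checked against */
	struct region regions[]; /* __counted_by(nregions) in the driver, per the thread */
};
/* Constructed input: region names from the mtdinfo output, plus empty slots. */
static const char *const sample_src[SRC_SLOTS] = {
	"DESCRIPTOR", NULL, "GSC", "OptionROM", NULL, "DAM"
};
static unsigned int bounds_reports; /* accesses flagged by the modelled check */

/* Modelled check: idx is compared with the current counter, not the allocation. */
static struct region *region_at(struct nvm *nvm, unsigned int idx)
{
	if (idx >= nvm->nregions)
		bounds_reports++;      /* "index N is out of range" */
	return &nvm->regions[idx]; /* storage exists; only the counter is stale */
}

static void nvm_free(struct nvm *nvm, unsigned int filled)
{
	for (unsigned int i = 0; i < filled; i++)
		free(nvm->regions[i].name);
	free(nvm);
}

/* User-space stand-in for kasprintf(GFP_KERNEL, "%s.%s", ...). */
static char *make_name(const char *dev, const char *region)
{
	size_t len = strlen(dev) + strlen(region) + 2;
	char *s = malloc(len);
	if (s)
		snprintf(s, len, "%s.%s", dev, region);
	return s;
}

/* counter_first: 0 = counter set after the loop (reported order), 1 = set before it. */
static struct nvm *nvm_probe(const char *dev, const char *const *src, int counter_first)
{
	unsigned int nregions = 0, n = 0, i;
	struct nvm *nvm;
	for (i = 0; i < SRC_SLOTS; i++) /* count available regions */
		if (src[i])
			nregions++;
	nvm = calloc(1, sizeof(*nvm) + nregions * sizeof(struct region));
	if (!nvm)
		return NULL;
	bounds_reports = 0;
	if (counter_first)
		nvm->nregions = nregions;
	for (i = 0; i < SRC_SLOTS; i++) {
		if (!src[i])
			continue;
		char *name = make_name(dev, src[i]);
		if (!name) { /* fail the probe (-ENOMEM in the patch), do not skip */
			nvm_free(nvm, n);
			return NULL;
		}
		struct region *r = region_at(nvm, n);
		r->name = name;
		r->id = i;
		n++;
	}
	if (!counter_first)
		nvm->nregions = n;
	return nvm;
}

int main(void)
{
	for (int first = 0; first <= 1; first++) {
		struct nvm *nvm = nvm_probe("xe.nvm.3584", sample_src, first);
		if (!nvm)
			return 1;
		printf("counter_first=%d flagged=%u\n", first, bounds_reports);
		nvm_free(nvm, nvm->nregions);
	}
	return 0;
}
```

Both orderings end with the same array contents and the same final nregions; only the counter's value at the time of each store differs, which is why the driver appeared to work while the sanitizer reported on every boot.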