* Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
@ 2025-12-02 20:17 Louis Sautier
2025-12-08 18:54 ` Manikanta Guntupalli
2025-12-08 20:58 ` Alexandre Belloni
0 siblings, 2 replies; 15+ messages in thread
From: Louis Sautier @ 2025-12-02 20:17 UTC (permalink / raw)
To: linux-i3c
Hello,
I'm running into a bug when loading the dw-i3c-master module on kernel
6.18 on one specific server. I suspect it has to do with the large
number of CPUs on the machine (768 threads, from 2 AMD EPYC 9965
processors) but I am not sure.
The system is on Ubuntu 25.10 and a 6.18 kernel with
https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
(basically Ubuntu's).
These are the logs I see whenever I run "modprobe dw-i3c-master". Full
dmesg at
https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/dmesg
dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with
error -110
dw-i3c-master AMDI0015:01: probe with driver dw-i3c-master failed with
error -110
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 109 UID: 0 PID: 7574 Comm: (udev-worker) Not tainted 6.18.0 #1
PREEMPT(voluntary)
Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
11/28/2025
Call Trace:
<TASK>
dump_stack_lvl+0x5f/0x90
dump_stack+0x10/0x18
ubsan_epilogue+0x9/0x39
__ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
dw_i3c_master_daa.cold+0x1a/0x90 [dw_i3c_master]
i3c_master_do_daa+0x30/0x90 [i3c]
i3c_master_register+0x616/0xa80 [i3c]
dw_i3c_common_probe+0x23f/0x2c0 [dw_i3c_master]
dw_i3c_probe+0x30/0x50 [dw_i3c_master]
platform_probe+0x42/0xc0
? driver_sysfs_add+0x63/0xd0
really_probe+0xf9/0x370
? pm_runtime_barrier+0x56/0xa0
__driver_probe_device+0x8b/0x160
driver_probe_device+0x24/0xd0
? __pfx___driver_attach+0x10/0x10
__driver_attach+0xef/0x220
? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
bus_for_each_dev+0x8a/0xe0
driver_attach+0x1e/0x30
bus_add_driver+0x13e/0x230
? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
driver_register+0x75/0xf0
__platform_driver_register+0x1e/0x30
dw_i3c_driver_init+0x1c/0xff0 [dw_i3c_master]
do_one_initcall+0x59/0x330
do_init_module+0x8b/0x290
load_module+0x1f2f/0x2320
init_module_from_file+0x9b/0x100
? init_module_from_file+0x9b/0x100
idempotent_init_module+0x10e/0x300
__x64_sys_finit_module+0x73/0xf0
? __secure_computing+0x84/0xe0
x64_sys_call+0x1f04/0x2350
do_syscall_64+0x82/0xc80
? exit_to_user_mode_loop+0xe6/0x190
? do_syscall_64+0x25c/0xc80
? restore_fpregs_from_fpstate+0x46/0xe0
? switch_fpu_return+0x5c/0xf0
? do_syscall_64+0x25c/0xc80
? switch_fpu_return+0x5c/0xf0
? do_syscall_64+0x25c/0xc80
? wait_for_completion_interruptible+0x24/0x50
? idempotent_init_module+0x1d5/0x300
? __rseq_handle_notify_resume+0xa2/0x4e0
? restore_fpregs_from_fpstate+0x46/0xe0
? switch_fpu_return+0x5c/0xf0
? do_syscall_64+0x25c/0xc80
? do_user_addr_fault+0x22b/0x6b0
? irqentry_exit_to_user_mode+0x2e/0x2a0
? irqentry_exit+0x43/0x50
? exc_page_fault+0x90/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7dff23f348cd
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 13 f5 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007fff46db08c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 00005705ce7b5300 RCX: 00007dff23f348cd
RDX: 0000000000000000 RSI: 00007dff23c31336 RDI: 0000000000000078
RBP: 00007fff46db0960 R08: 0000000000000000 R09: 00005705ce77f530
R10: 0000000000000000 R11: 0000000000000246 R12: 00007dff23c31336
R13: 0000000000020000 R14: 00005705ce7bcb10 R15: 00005705ce7c4f00
</TASK>
---[ end trace ]---
dw-i3c-master AMDI0015:03: probe with driver dw-i3c-master failed with
error -110
I hope this is the right venue to report this. Please let me know if you
need more information or if you would like me to test a patch.
Can you also keep me CC'd to replies? I'm not subscribed to the list.
Cheers,
Louis
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-02 20:17 Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 Louis Sautier
@ 2025-12-08 18:54 ` Manikanta Guntupalli
2025-12-08 20:58 ` Alexandre Belloni
1 sibling, 0 replies; 15+ messages in thread
From: Manikanta Guntupalli @ 2025-12-08 18:54 UTC (permalink / raw)
To: Louis Sautier; +Cc: linux-i3c
Hi Louis,
What is the behavior when you build the dw-i3c-master as a static driver?
Thanks,
Manikanta
On Wed, 3 Dec 2025, 01:48 Louis Sautier, <louis.sautier@ovhcloud.com> wrote:
>
> Hello,
>
> I'm running into a bug when loading the dw-i3c-master module on kernel
> 6.18 on one specific server. I suspect it has to do with the large
> number of CPUs on the machine (768 threads, from 2 AMD EPYC 9965
> processors) but I am not sure.
>
> The system is on Ubuntu 25.10 and a 6.18 kernel with
> https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
> (basically Ubuntu's).
>
> These are the logs I see whenever I run "modprobe dw-i3c-master". Full
> dmesg at
> https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/dmesg
>
> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with
> error -110
> dw-i3c-master AMDI0015:01: probe with driver dw-i3c-master failed with
> error -110
> ------------[ cut here ]------------
> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
> shift exponent 64 is too large for 64-bit type 'long unsigned int'
> CPU: 109 UID: 0 PID: 7574 Comm: (udev-worker) Not tainted 6.18.0 #1
> PREEMPT(voluntary)
> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
> 11/28/2025
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5f/0x90
> dump_stack+0x10/0x18
> ubsan_epilogue+0x9/0x39
> __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
> dw_i3c_master_daa.cold+0x1a/0x90 [dw_i3c_master]
> i3c_master_do_daa+0x30/0x90 [i3c]
> i3c_master_register+0x616/0xa80 [i3c]
> dw_i3c_common_probe+0x23f/0x2c0 [dw_i3c_master]
> dw_i3c_probe+0x30/0x50 [dw_i3c_master]
> platform_probe+0x42/0xc0
> ? driver_sysfs_add+0x63/0xd0
> really_probe+0xf9/0x370
> ? pm_runtime_barrier+0x56/0xa0
> __driver_probe_device+0x8b/0x160
> driver_probe_device+0x24/0xd0
> ? __pfx___driver_attach+0x10/0x10
> __driver_attach+0xef/0x220
> ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
> bus_for_each_dev+0x8a/0xe0
> driver_attach+0x1e/0x30
> bus_add_driver+0x13e/0x230
> ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
> driver_register+0x75/0xf0
> __platform_driver_register+0x1e/0x30
> dw_i3c_driver_init+0x1c/0xff0 [dw_i3c_master]
> do_one_initcall+0x59/0x330
> do_init_module+0x8b/0x290
> load_module+0x1f2f/0x2320
> init_module_from_file+0x9b/0x100
> ? init_module_from_file+0x9b/0x100
> idempotent_init_module+0x10e/0x300
> __x64_sys_finit_module+0x73/0xf0
> ? __secure_computing+0x84/0xe0
> x64_sys_call+0x1f04/0x2350
> do_syscall_64+0x82/0xc80
> ? exit_to_user_mode_loop+0xe6/0x190
> ? do_syscall_64+0x25c/0xc80
> ? restore_fpregs_from_fpstate+0x46/0xe0
> ? switch_fpu_return+0x5c/0xf0
> ? do_syscall_64+0x25c/0xc80
> ? switch_fpu_return+0x5c/0xf0
> ? do_syscall_64+0x25c/0xc80
> ? wait_for_completion_interruptible+0x24/0x50
> ? idempotent_init_module+0x1d5/0x300
> ? __rseq_handle_notify_resume+0xa2/0x4e0
> ? restore_fpregs_from_fpstate+0x46/0xe0
> ? switch_fpu_return+0x5c/0xf0
> ? do_syscall_64+0x25c/0xc80
> ? do_user_addr_fault+0x22b/0x6b0
> ? irqentry_exit_to_user_mode+0x2e/0x2a0
> ? irqentry_exit+0x43/0x50
> ? exc_page_fault+0x90/0x1b0
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> RIP: 0033:0x7dff23f348cd
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89
> f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
> f0 ff ff 73 01 c3 48 8b 0d 13 f5 0f 00 f7 d8 64 89 01 48
> RSP: 002b:00007fff46db08c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> RAX: ffffffffffffffda RBX: 00005705ce7b5300 RCX: 00007dff23f348cd
> RDX: 0000000000000000 RSI: 00007dff23c31336 RDI: 0000000000000078
> RBP: 00007fff46db0960 R08: 0000000000000000 R09: 00005705ce77f530
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007dff23c31336
> R13: 0000000000020000 R14: 00005705ce7bcb10 R15: 00005705ce7c4f00
> </TASK>
> ---[ end trace ]---
> dw-i3c-master AMDI0015:03: probe with driver dw-i3c-master failed with
> error -110
>
>
> I hope this is the right venue to report this. Please let me know if you
> need more information or if you would like me to test a patch.
>
> Can you also keep me CC'd to replies? I'm not subscribed to the list.
>
> Cheers,
>
> Louis
>
>
> --
> linux-i3c mailing list
> linux-i3c@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-i3c
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-02 20:17 Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 Louis Sautier
2025-12-08 18:54 ` Manikanta Guntupalli
@ 2025-12-08 20:58 ` Alexandre Belloni
2025-12-09 11:37 ` Louis Sautier
1 sibling, 1 reply; 15+ messages in thread
From: Alexandre Belloni @ 2025-12-08 20:58 UTC (permalink / raw)
To: Louis Sautier; +Cc: linux-i3c
Hello Louis,
On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
> Hello,
>
> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
> on one specific server. I suspect it has to do with the large number of
> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
> not sure.
>
> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
> (basically Ubuntu's).
Just to be sure, does this also happen with v6.17?
The only change is the shutdown handling so I would guess yes.
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-08 20:58 ` Alexandre Belloni
@ 2025-12-09 11:37 ` Louis Sautier
2025-12-09 12:48 ` Alexandre Belloni
0 siblings, 1 reply; 15+ messages in thread
From: Louis Sautier @ 2025-12-09 11:37 UTC (permalink / raw)
To: alexandre.belloni; +Cc: linux-i3c
On 12/8/25 21:58, Alexandre Belloni wrote:
> Hello Louis,
>
> On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
>> Hello,
>>
>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
>> on one specific server. I suspect it has to do with the large number of
>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
>> not sure.
>>
>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
>> (basically Ubuntu's).
> Just to be sure, does this also happen with v6.17?
>
> The only change is the shutdown handling so I would guess yes.
>
Hello,
It does happen with 6.17. I initially discovered this while running
Ubuntu 25.10's stock kernel (6.17.0).
> What is the behavior when you build the dw-i3c-master as a static
driver? I'll try CONFIG_DW_I3C_MASTER=y and report back.
Someone also suggested (they didn't reply to the list though) that I add
a printk to see what the value of maxdevs is. I'll provide the log as
soon as I have rebuilt with:
--- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
+++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
@@ -1588,6 +1588,7 @@
ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
master->datstartaddr = ret;
master->maxdevs = ret >> 16;
+ printk("maxdevs: %d\n", master->maxdevs);
master->free_pos = GENMASK(master->maxdevs - 1, 0);
master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-09 11:37 ` Louis Sautier
@ 2025-12-09 12:48 ` Alexandre Belloni
2025-12-09 15:36 ` Louis Sautier
0 siblings, 1 reply; 15+ messages in thread
From: Alexandre Belloni @ 2025-12-09 12:48 UTC (permalink / raw)
To: Louis Sautier; +Cc: linux-i3c
On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
> On 12/8/25 21:58, Alexandre Belloni wrote:
> > Hello Louis,
> >
> > On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
> > > Hello,
> > >
> > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
> > > on one specific server. I suspect it has to do with the large number of
> > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
> > > not sure.
> > >
> > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
> > > (basically Ubuntu's).
> > Just to be sure, does this also happen with v6.17?
> >
> > The only change is the shutdown handling so I would guess yes.
> >
> Hello,
>
> It does happen with 6.17. I initially discovered this while running Ubuntu
> 25.10's stock kernel (6.17.0).
>
> > What is the behavior when you build the dw-i3c-master as a static driver?
> I'll try CONFIG_DW_I3C_MASTER=y and report back.
>
> Someone also suggested (they didn't reply to the list though) that I add a
> printk to see what the value of maxdevs is. I'll provide the log as soon as
> I have rebuilt with:
>
> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
> @@ -1588,6 +1588,7 @@
> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> master->datstartaddr = ret;
> master->maxdevs = ret >> 16;
> + printk("maxdevs: %d\n", master->maxdevs);
> master->free_pos = GENMASK(master->maxdevs - 1, 0);
> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>
Yes, that was going to be my suggestion.
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-09 12:48 ` Alexandre Belloni
@ 2025-12-09 15:36 ` Louis Sautier
2025-12-09 17:24 ` Frank Li
0 siblings, 1 reply; 15+ messages in thread
From: Louis Sautier @ 2025-12-09 15:36 UTC (permalink / raw)
To: alexandre.belloni; +Cc: linux-i3c
On 12/9/25 13:48, Alexandre Belloni wrote:
>
> On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
>> On 12/8/25 21:58, Alexandre Belloni wrote:
>>> Hello Louis,
>>>
>>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
>>>> Hello,
>>>>
>>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
>>>> on one specific server. I suspect it has to do with the large number of
>>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
>>>> not sure.
>>>>
>>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
>>>> (basically Ubuntu's).
>>> Just to be sure, does this also happen with v6.17?
>>>
>>> The only change is the shutdown handling so I would guess yes.
>>>
>> Hello,
>>
>> It does happen with 6.17. I initially discovered this while running Ubuntu
>> 25.10's stock kernel (6.17.0).
>>
>>> What is the behavior when you build the dw-i3c-master as a static driver?
>> I'll try CONFIG_DW_I3C_MASTER=y and report back.
>>
>> Someone also suggested (they didn't reply to the list though) that I add a
>> printk to see what the value of maxdevs is. I'll provide the log as soon as
>> I have rebuilt with:
>>
>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
>> @@ -1588,6 +1588,7 @@
>> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>> master->datstartaddr = ret;
>> master->maxdevs = ret >> 16;
>> + printk("maxdevs: %d\n", master->maxdevs);
>> master->free_pos = GENMASK(master->maxdevs - 1, 0);
>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>>
> Yes, that was going to be my suggestion.
>
I haven't tried with the driver built-in yet. This is what the printk shows:
dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with
error -110
maxdevs: 65535
dw-i3c-master AMDI0015:01: probe with driver dw-i3c-master failed with
error -110
maxdevs: 11
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 0 UID: 0 PID: 7363 Comm: (udev-worker) Not tainted 6.18.0 #1
PREEMPT(voluntary)
Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
11/28/2025
Call Trace:
<TASK>
dump_stack_lvl+0x5f/0x90
dump_stack+0x10/0x18
ubsan_epilogue+0x9/0x39
__ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
dw_i3c_master_daa.cold+0x1a/0x90 [dw_i3c_master]
i3c_master_do_daa+0x30/0x90 [i3c]
i3c_master_register+0x616/0xa80 [i3c]
dw_i3c_common_probe+0x298/0x2d0 [dw_i3c_master]
dw_i3c_probe+0x30/0x50 [dw_i3c_master]
platform_probe+0x42/0xc0
? driver_sysfs_add+0x63/0xd0
really_probe+0xf9/0x370
? pm_runtime_barrier+0x56/0xa0
__driver_probe_device+0x8b/0x160
driver_probe_device+0x24/0xd0
? __pfx___driver_attach+0x10/0x10
__driver_attach+0xef/0x220
? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
bus_for_each_dev+0x8a/0xe0
driver_attach+0x1e/0x30
bus_add_driver+0x13e/0x230
? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
driver_register+0x75/0xf0
__platform_driver_register+0x1e/0x30
dw_i3c_driver_init+0x1c/0xff0 [dw_i3c_master]
do_one_initcall+0x59/0x330
do_init_module+0x8b/0x290
load_module+0x1f2f/0x2320
init_module_from_file+0x9b/0x100
? init_module_from_file+0x9b/0x100
idempotent_init_module+0x10e/0x300
__x64_sys_finit_module+0x73/0xf0
? __secure_computing+0x84/0xe0
x64_sys_call+0x1f04/0x2350
do_syscall_64+0x82/0xc80
? vfs_read+0x179/0x3a0
? vfs_read+0x179/0x3a0
? __rseq_handle_notify_resume+0xa2/0x4e0
? exit_to_user_mode_loop+0xe6/0x190
? do_syscall_64+0x25c/0xc80
? irqentry_exit+0x43/0x50
? exc_page_fault+0x90/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x70c8bf1348cd
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 13 f5 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd8d0e4cf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000059c987bf15c0 RCX: 000070c8bf1348cd
RDX: 0000000000000000 RSI: 000070c8be74b336 RDI: 0000000000000065
RBP: 00007ffd8d0e4d90 R08: 0000000000000000 R09: 000059c987bc1070
R10: 0000000000000000 R11: 0000000000000246 R12: 000070c8be74b336
R13: 0000000000020000 R14: 000059c987be8cd0 R15: 000059c987bb1440
</TASK>
---[ end trace ]---
maxdevs: 11
dw-i3c-master AMDI0015:03: probe with driver dw-i3c-master failed with
error -110
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-09 15:36 ` Louis Sautier
@ 2025-12-09 17:24 ` Frank Li
2025-12-09 19:52 ` Louis Sautier
0 siblings, 1 reply; 15+ messages in thread
From: Frank Li @ 2025-12-09 17:24 UTC (permalink / raw)
To: Louis Sautier; +Cc: alexandre.belloni, linux-i3c
On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
> On 12/9/25 13:48, Alexandre Belloni wrote:
> >
> > On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
> > > On 12/8/25 21:58, Alexandre Belloni wrote:
> > > > Hello Louis,
> > > >
> > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
> > > > > Hello,
> > > > >
> > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
> > > > > on one specific server. I suspect it has to do with the large number of
> > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
> > > > > not sure.
> > > > >
> > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
> > > > > (basically Ubuntu's).
> > > > Just to be sure, does this also happen with v6.17?
> > > >
> > > > The only change is the shutdown handling so I would guess yes.
> > > >
> > > Hello,
> > >
> > > It does happen with 6.17. I initially discovered this while running Ubuntu
> > > 25.10's stock kernel (6.17.0).
> > >
> > > > What is the behavior when you build the dw-i3c-master as a static driver?
> > > I'll try CONFIG_DW_I3C_MASTER=y and report back.
> > >
> > > Someone also suggested (they didn't reply to the list though) that I add a
> > > printk to see what the value of maxdevs is. I'll provide the log as soon as
> > > I have rebuilt with:
> > >
> > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
> > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
> > > @@ -1588,6 +1588,7 @@
> > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > master->datstartaddr = ret;
> > > master->maxdevs = ret >> 16;
> > > + printk("maxdevs: %d\n", master->maxdevs);
> > > master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
> > >
> > Yes, that was going to be my suggestion.
> >
> I haven't tried with the driver built-in yet. This is what the printk shows:
> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
> -110
> maxdevs: 65535
Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.
unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
master->maxdevs = val >> 16;
Frank
> dw-i3c-master AMDI0015:01: probe with driver dw-i3c-master failed with error
> -110
> maxdevs: 11
> ------------[ cut here ]------------
> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
> shift exponent 64 is too large for 64-bit type 'long unsigned int'
> CPU: 0 UID: 0 PID: 7363 Comm: (udev-worker) Not tainted 6.18.0 #1
> PREEMPT(voluntary)
> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
> 11/28/2025
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5f/0x90
> dump_stack+0x10/0x18
> ubsan_epilogue+0x9/0x39
> __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
> dw_i3c_master_daa.cold+0x1a/0x90 [dw_i3c_master]
> i3c_master_do_daa+0x30/0x90 [i3c]
> i3c_master_register+0x616/0xa80 [i3c]
> dw_i3c_common_probe+0x298/0x2d0 [dw_i3c_master]
> dw_i3c_probe+0x30/0x50 [dw_i3c_master]
> platform_probe+0x42/0xc0
> ? driver_sysfs_add+0x63/0xd0
> really_probe+0xf9/0x370
> ? pm_runtime_barrier+0x56/0xa0
> __driver_probe_device+0x8b/0x160
> driver_probe_device+0x24/0xd0
> ? __pfx___driver_attach+0x10/0x10
> __driver_attach+0xef/0x220
> ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
> bus_for_each_dev+0x8a/0xe0
> driver_attach+0x1e/0x30
> bus_add_driver+0x13e/0x230
> ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master]
> driver_register+0x75/0xf0
> __platform_driver_register+0x1e/0x30
> dw_i3c_driver_init+0x1c/0xff0 [dw_i3c_master]
> do_one_initcall+0x59/0x330
> do_init_module+0x8b/0x290
> load_module+0x1f2f/0x2320
> init_module_from_file+0x9b/0x100
> ? init_module_from_file+0x9b/0x100
> idempotent_init_module+0x10e/0x300
> __x64_sys_finit_module+0x73/0xf0
> ? __secure_computing+0x84/0xe0
> x64_sys_call+0x1f04/0x2350
> do_syscall_64+0x82/0xc80
> ? vfs_read+0x179/0x3a0
> ? vfs_read+0x179/0x3a0
> ? __rseq_handle_notify_resume+0xa2/0x4e0
> ? exit_to_user_mode_loop+0xe6/0x190
> ? do_syscall_64+0x25c/0xc80
> ? irqentry_exit+0x43/0x50
> ? exc_page_fault+0x90/0x1b0
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> RIP: 0033:0x70c8bf1348cd
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> 73 01 c3 48 8b 0d 13 f5 0f 00 f7 d8 64 89 01 48
> RSP: 002b:00007ffd8d0e4cf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> RAX: ffffffffffffffda RBX: 000059c987bf15c0 RCX: 000070c8bf1348cd
> RDX: 0000000000000000 RSI: 000070c8be74b336 RDI: 0000000000000065
> RBP: 00007ffd8d0e4d90 R08: 0000000000000000 R09: 000059c987bc1070
> R10: 0000000000000000 R11: 0000000000000246 R12: 000070c8be74b336
> R13: 0000000000020000 R14: 000059c987be8cd0 R15: 000059c987bb1440
> </TASK>
> ---[ end trace ]---
> maxdevs: 11
> dw-i3c-master AMDI0015:03: probe with driver dw-i3c-master failed with error
> -110
>
>
> --
> linux-i3c mailing list
> linux-i3c@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-i3c
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-09 17:24 ` Frank Li
@ 2025-12-09 19:52 ` Louis Sautier
2025-12-10 15:20 ` Frank Li
0 siblings, 1 reply; 15+ messages in thread
From: Louis Sautier @ 2025-12-09 19:52 UTC (permalink / raw)
To: Frank.li; +Cc: alexandre.belloni, linux-i3c
On 12/9/25 18:24, Frank Li wrote:
> On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
>> On 12/9/25 13:48, Alexandre Belloni wrote:
>>> On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
>>>> On 12/8/25 21:58, Alexandre Belloni wrote:
>>>>> Hello Louis,
>>>>>
>>>>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
>>>>>> on one specific server. I suspect it has to do with the large number of
>>>>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
>>>>>> not sure.
>>>>>>
>>>>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
>>>>>> (basically Ubuntu's).
>>>>> Just to be sure, does this also happen with v6.17?
>>>>>
>>>>> The only change is the shutdown handling so I would guess yes.
>>>>>
>>>> Hello,
>>>>
>>>> It does happen with 6.17. I initially discovered this while running Ubuntu
>>>> 25.10's stock kernel (6.17.0).
>>>>
>>>>> What is the behavior when you build the dw-i3c-master as a static driver?
>>>> I'll try CONFIG_DW_I3C_MASTER=y and report back.
>>>>
>>>> Someone also suggested (they didn't reply to the list though) that I add a
>>>> printk to see what the value of maxdevs is. I'll provide the log as soon as
>>>> I have rebuilt with:
>>>>
>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
>>>> @@ -1588,6 +1588,7 @@
>>>> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>> master->datstartaddr = ret;
>>>> master->maxdevs = ret >> 16;
>>>> + printk("maxdevs: %d\n", master->maxdevs);
>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0);
>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>>>>
>>> Yes, that was going to be my suggestion.
>>>
>> I haven't tried with the driver built-in yet. This is what the printk shows:
>> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
>> -110
>> maxdevs: 65535
> Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.
>
> unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>
> master->maxdevs = val >> 16;
>
> Frank
I tried this and CONFIG_DW_I3C_MASTER=y:
--- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30
22:42:10.000000000 +0000
+++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09
19:21:52.735366616 +0000
@@ -1585,9 +1585,10 @@
ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
- ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
- master->datstartaddr = ret;
- master->maxdevs = ret >> 16;
+ unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
+ master->datstartaddr = val;
+ master->maxdevs = val >> 16;
+ printk("maxdevs (unsigned): %d\n", master->maxdevs);
master->free_pos = GENMASK(master->maxdevs - 1, 0);
master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
And I get this log, so no change, really. I assume there's only one
"maxdevs" log because there is only one attempt to load the built-in driver?
maxdevs (unsigned): 65535
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21
usb 1-1: new high-speed USB device number 2 using xhci_hcd
shift exponent 18446744073709486145 is too large for 64-bit type 'long
unsigned int'
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4
PREEMPT(voluntary)
Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
11/28/2025
Call Trace:
<TASK>
dump_stack_lvl+0x5f/0x90
dump_stack+0x10/0x18
ubsan_epilogue+0x9/0x39
__ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
dw_i3c_common_probe.cold+0x16/0x1b
dw_i3c_probe+0x30/0x50
platform_probe+0x42/0xc0
? driver_sysfs_add+0x63/0xd0
really_probe+0xf9/0x370
? pm_runtime_barrier+0x56/0xa0
__driver_probe_device+0x8b/0x160
driver_probe_device+0x24/0xd0
? __pfx___driver_attach+0x10/0x10
__driver_attach+0xef/0x220
? __pfx_dw_i3c_driver_init+0x10/0x10
bus_for_each_dev+0x8a/0xe0
driver_attach+0x1e/0x30
bus_add_driver+0x13e/0x230
? __pfx_dw_i3c_driver_init+0x10/0x10
driver_register+0x75/0xf0
__platform_driver_register+0x1e/0x30
dw_i3c_driver_init+0x17/0x30
do_one_initcall+0x59/0x330
kernel_init_freeable+0x2bd/0x340
? __pfx_kernel_init+0x10/0x10
kernel_init+0x1b/0x160
? __pfx_kernel_init+0x10/0x10
ret_from_fork+0x202/0x230
? __pfx_kernel_init+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
---[ end trace ]---
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-09 19:52 ` Louis Sautier
@ 2025-12-10 15:20 ` Frank Li
2025-12-10 19:50 ` Louis Sautier
0 siblings, 1 reply; 15+ messages in thread
From: Frank Li @ 2025-12-10 15:20 UTC (permalink / raw)
To: Louis Sautier; +Cc: alexandre.belloni, linux-i3c
On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote:
> On 12/9/25 18:24, Frank Li wrote:
> > On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
> > > On 12/9/25 13:48, Alexandre Belloni wrote:
> > > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
> > > > > On 12/8/25 21:58, Alexandre Belloni wrote:
> > > > > > Hello Louis,
> > > > > >
> > > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
> > > > > > > on one specific server. I suspect it has to do with the large number of
> > > > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
> > > > > > > not sure.
> > > > > > >
> > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
> > > > > > > (basically Ubuntu's).
> > > > > > Just to be sure, does this also happen with v6.17?
> > > > > >
> > > > > > The only change is the shutdown handling so I would guess yes.
> > > > > >
> > > > > Hello,
> > > > >
> > > > > It does happen with 6.17. I initially discovered this while running Ubuntu
> > > > > 25.10's stock kernel (6.17.0).
> > > > >
> > > > > > What is the behavior when you build the dw-i3c-master as a static driver?
> > > > > I'll try CONFIG_DW_I3C_MASTER=y and report back.
> > > > >
> > > > > Someone also suggested (they didn't reply to the list though) that I add a
> > > > > printk to see what the value of maxdevs is. I'll provide the log as soon as
> > > > > I have rebuilt with:
> > > > >
> > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
> > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
> > > > > @@ -1588,6 +1588,7 @@
> > > > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > master->datstartaddr = ret;
> > > > > master->maxdevs = ret >> 16;
> > > > > + printk("maxdevs: %d\n", master->maxdevs);
> > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
> > > > >
> > > > Yes, that was going to be my suggestion.
> > > >
> > > I haven't tried with the driver built-in yet. This is what the printk shows:
> > > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
> > > -110
> > > maxdevs: 65535
> > Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.
> >
> > unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> >
> > master->maxdevs = val >> 16;
> >
> > Frank
>
> I tried this and CONFIG_DW_I3C_MASTER=y:
>
> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30
> 22:42:10.000000000 +0000
> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09
> 19:21:52.735366616 +0000
> @@ -1585,9 +1585,10 @@
> ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
>
> - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> - master->datstartaddr = ret;
> - master->maxdevs = ret >> 16;
> + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> + master->datstartaddr = val;
> + master->maxdevs = val >> 16;
> + printk("maxdevs (unsigned): %d\n", master->maxdevs);
> master->free_pos = GENMASK(master->maxdevs - 1, 0);
>
> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>
> And I get this log, so no change, really. I assume there's only one
> "maxdevs" log because there is only one attempt to load the built-in driver?
It may have dependence missed at drivers. such as clock. when built-in,
this driver probe first before clock ready.
If build as module, other driver help enable this clock. So it can get
correct value.
Frank
>
> maxdevs (unsigned): 65535
> ------------[ cut here ]------------
> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21
> usb 1-1: new high-speed USB device number 2 using xhci_hcd
> shift exponent 18446744073709486145 is too large for 64-bit type 'long
> unsigned int'
> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4
> PREEMPT(voluntary)
> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
> 11/28/2025
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5f/0x90
> dump_stack+0x10/0x18
> ubsan_epilogue+0x9/0x39
> __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
> dw_i3c_common_probe.cold+0x16/0x1b
> dw_i3c_probe+0x30/0x50
> platform_probe+0x42/0xc0
> ? driver_sysfs_add+0x63/0xd0
> really_probe+0xf9/0x370
> ? pm_runtime_barrier+0x56/0xa0
> __driver_probe_device+0x8b/0x160
> driver_probe_device+0x24/0xd0
> ? __pfx___driver_attach+0x10/0x10
> __driver_attach+0xef/0x220
> ? __pfx_dw_i3c_driver_init+0x10/0x10
> bus_for_each_dev+0x8a/0xe0
> driver_attach+0x1e/0x30
> bus_add_driver+0x13e/0x230
> ? __pfx_dw_i3c_driver_init+0x10/0x10
> driver_register+0x75/0xf0
> __platform_driver_register+0x1e/0x30
> dw_i3c_driver_init+0x17/0x30
> do_one_initcall+0x59/0x330
> kernel_init_freeable+0x2bd/0x340
> ? __pfx_kernel_init+0x10/0x10
> kernel_init+0x1b/0x160
> ? __pfx_kernel_init+0x10/0x10
> ret_from_fork+0x202/0x230
> ? __pfx_kernel_init+0x10/0x10
> ret_from_fork_asm+0x1a/0x30
> </TASK>
> ---[ end trace ]---
>
>
> --
> linux-i3c mailing list
> linux-i3c@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-i3c
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-10 15:20 ` Frank Li
@ 2025-12-10 19:50 ` Louis Sautier
2025-12-11 16:52 ` Frank Li
0 siblings, 1 reply; 15+ messages in thread
From: Louis Sautier @ 2025-12-10 19:50 UTC (permalink / raw)
To: Frank.li; +Cc: alexandre.belloni, linux-i3c
On 12/10/25 16:20, Frank Li wrote:
> On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote:
>> On 12/9/25 18:24, Frank Li wrote:
>>> On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
>>>> On 12/9/25 13:48, Alexandre Belloni wrote:
>>>>> On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
>>>>>> On 12/8/25 21:58, Alexandre Belloni wrote:
>>>>>>> Hello Louis,
>>>>>>>
>>>>>>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
>>>>>>>> on one specific server. I suspect it has to do with the large number of
>>>>>>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
>>>>>>>> not sure.
>>>>>>>>
>>>>>>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
>>>>>>>> (basically Ubuntu's).
>>>>>>> Just to be sure, does this also happen with v6.17?
>>>>>>>
>>>>>>> The only change is the shutdown handling so I would guess yes.
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> It does happen with 6.17. I initially discovered this while running Ubuntu
>>>>>> 25.10's stock kernel (6.17.0).
>>>>>>
>>>>>>> What is the behavior when you build the dw-i3c-master as a static driver?
>>>>>> I'll try CONFIG_DW_I3C_MASTER=y and report back.
>>>>>>
>>>>>> Someone also suggested (they didn't reply to the list though) that I add a
>>>>>> printk to see what the value of maxdevs is. I'll provide the log as soon as
>>>>>> I have rebuilt with:
>>>>>>
>>>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
>>>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
>>>>>> @@ -1588,6 +1588,7 @@
>>>>>> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>>>> master->datstartaddr = ret;
>>>>>> master->maxdevs = ret >> 16;
>>>>>> + printk("maxdevs: %d\n", master->maxdevs);
>>>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0);
>>>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>>>>>>
>>>>> Yes, that was going to be my suggestion.
>>>>>
>>>> I haven't tried with the driver built-in yet. This is what the printk shows:
>>>> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
>>>> -110
>>>> maxdevs: 65535
>>> Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.
>>>
>>> unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>
>>> master->maxdevs = val >> 16;
>>>
>>> Frank
>> I tried this and CONFIG_DW_I3C_MASTER=y:
>>
>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30
>> 22:42:10.000000000 +0000
>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09
>> 19:21:52.735366616 +0000
>> @@ -1585,9 +1585,10 @@
>> ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
>> master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
>>
>> - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>> - master->datstartaddr = ret;
>> - master->maxdevs = ret >> 16;
>> + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>> + master->datstartaddr = val;
>> + master->maxdevs = val >> 16;
>> + printk("maxdevs (unsigned): %d\n", master->maxdevs);
>> master->free_pos = GENMASK(master->maxdevs - 1, 0);
>>
>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>>
>> And I get this log, so no change, really. I assume there's only one
>> "maxdevs" log because there is only one attempt to load the built-in driver?
> It may have dependence missed at drivers. such as clock. when built-in,
> this driver probe first before clock ready.
>
> If build as module, other driver help enable this clock. So it can get
> correct value.
>
> Frank
My bad, I checked yesterday's entire log again and actually, there are
still 4 maxdevs printk logs:
Built-in driver:
# journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic
[ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535
[ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in
drivers/i3c/master/dw-i3c-master.c:1592:21
[ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535
[ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11
[ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in
drivers/i3c/master/dw-i3c-master.c:885:12
[ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11
I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although
the timing differs a little:
# journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic
[ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535
[ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in
drivers/i3c/master/dw-i3c-master.c:1592:21
[ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535
[ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11
[ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in
drivers/i3c/master/dw-i3c-master.c:885:12
[ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11
Did I miss something with the unsigned patch?
>
>> maxdevs (unsigned): 65535
>> ------------[ cut here ]------------
>> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21
>> usb 1-1: new high-speed USB device number 2 using xhci_hcd
>> shift exponent 18446744073709486145 is too large for 64-bit type 'long
>> unsigned int'
>> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4
>> PREEMPT(voluntary)
>> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
>> 11/28/2025
>> Call Trace:
>> <TASK>
>> dump_stack_lvl+0x5f/0x90
>> dump_stack+0x10/0x18
>> ubsan_epilogue+0x9/0x39
>> __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
>> dw_i3c_common_probe.cold+0x16/0x1b
>> dw_i3c_probe+0x30/0x50
>> platform_probe+0x42/0xc0
>> ? driver_sysfs_add+0x63/0xd0
>> really_probe+0xf9/0x370
>> ? pm_runtime_barrier+0x56/0xa0
>> __driver_probe_device+0x8b/0x160
>> driver_probe_device+0x24/0xd0
>> ? __pfx___driver_attach+0x10/0x10
>> __driver_attach+0xef/0x220
>> ? __pfx_dw_i3c_driver_init+0x10/0x10
>> bus_for_each_dev+0x8a/0xe0
>> driver_attach+0x1e/0x30
>> bus_add_driver+0x13e/0x230
>> ? __pfx_dw_i3c_driver_init+0x10/0x10
>> driver_register+0x75/0xf0
>> __platform_driver_register+0x1e/0x30
>> dw_i3c_driver_init+0x17/0x30
>> do_one_initcall+0x59/0x330
>> kernel_init_freeable+0x2bd/0x340
>> ? __pfx_kernel_init+0x10/0x10
>> kernel_init+0x1b/0x160
>> ? __pfx_kernel_init+0x10/0x10
>> ret_from_fork+0x202/0x230
>> ? __pfx_kernel_init+0x10/0x10
>> ret_from_fork_asm+0x1a/0x30
>> </TASK>
>> ---[ end trace ]---
>>
>>
>> --
>> linux-i3c mailing list
>> linux-i3c@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-i3c
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-10 19:50 ` Louis Sautier
@ 2025-12-11 16:52 ` Frank Li
2025-12-12 19:44 ` Louis Sautier
0 siblings, 1 reply; 15+ messages in thread
From: Frank Li @ 2025-12-11 16:52 UTC (permalink / raw)
To: Louis Sautier; +Cc: alexandre.belloni, linux-i3c
On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote:
> On 12/10/25 16:20, Frank Li wrote:
> > On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote:
> > > On 12/9/25 18:24, Frank Li wrote:
> > > > On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
> > > > > On 12/9/25 13:48, Alexandre Belloni wrote:
> > > > > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
> > > > > > > On 12/8/25 21:58, Alexandre Belloni wrote:
> > > > > > > > Hello Louis,
> > > > > > > >
> > > > > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
> > > > > > > > > on one specific server. I suspect it has to do with the large number of
> > > > > > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
> > > > > > > > > not sure.
> > > > > > > > >
> > > > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
> > > > > > > > > (basically Ubuntu's).
> > > > > > > > Just to be sure, does this also happen with v6.17?
> > > > > > > >
> > > > > > > > The only change is the shutdown handling so I would guess yes.
> > > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > It does happen with 6.17. I initially discovered this while running Ubuntu
> > > > > > > 25.10's stock kernel (6.17.0).
> > > > > > >
> > > > > > > > What is the behavior when you build the dw-i3c-master as a static driver?
> > > > > > > I'll try CONFIG_DW_I3C_MASTER=y and report back.
> > > > > > >
> > > > > > > Someone also suggested (they didn't reply to the list though) that I add a
> > > > > > > printk to see what the value of maxdevs is. I'll provide the log as soon as
> > > > > > > I have rebuilt with:
> > > > > > >
> > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
> > > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
> > > > > > > @@ -1588,6 +1588,7 @@
> > > > > > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > > > master->datstartaddr = ret;
> > > > > > > master->maxdevs = ret >> 16;
> > > > > > > + printk("maxdevs: %d\n", master->maxdevs);
> > > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
> > > > > > >
> > > > > > Yes, that was going to be my suggestion.
> > > > > >
> > > > > I haven't tried with the driver built-in yet. This is what the printk shows:
> > > > > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
> > > > > -110
> > > > > maxdevs: 65535
> > > > Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.
> > > >
> > > > unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > >
> > > > master->maxdevs = val >> 16;
> > > >
> > > > Frank
> > > I tried this and CONFIG_DW_I3C_MASTER=y:
> > >
> > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30
> > > 22:42:10.000000000 +0000
> > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09
> > > 19:21:52.735366616 +0000
> > > @@ -1585,9 +1585,10 @@
> > > ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> > > master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
> > >
> > > - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > - master->datstartaddr = ret;
> > > - master->maxdevs = ret >> 16;
> > > + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > + master->datstartaddr = val;
> > > + master->maxdevs = val >> 16;
> > > + printk("maxdevs (unsigned): %d\n", master->maxdevs);
> > > master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > >
> > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
> > >
> > > And I get this log, so no change, really. I assume there's only one
> > > "maxdevs" log because there is only one attempt to load the built-in driver?
> > It may have dependence missed at drivers. such as clock. when built-in,
> > this driver probe first before clock ready.
> >
> > If build as module, other driver help enable this clock. So it can get
> > correct value.
> >
> > Frank
>
> My bad, I checked yesterday's entire log again and actually, there are still
> 4 maxdevs printk logs:
>
> Built-in driver:
>
> # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic
> [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535
Look this instance miss config some resource, like clks. So clock have
not enable, all register return 0xFFFFFFFF.
Frank
> [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> drivers/i3c/master/dw-i3c-master.c:1592:21
> [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535
> [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11
> [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> drivers/i3c/master/dw-i3c-master.c:885:12
> [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11
>
>
> I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the
> timing differs a little:
>
> # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic
> [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535
> [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> drivers/i3c/master/dw-i3c-master.c:1592:21
> [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535
> [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11
> [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> drivers/i3c/master/dw-i3c-master.c:885:12
> [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11
>
> Did I miss something with the unsigned patch?
> >
> > > maxdevs (unsigned): 65535
> > > ------------[ cut here ]------------
> > > UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21
> > > usb 1-1: new high-speed USB device number 2 using xhci_hcd
> > > shift exponent 18446744073709486145 is too large for 64-bit type 'long
> > > unsigned int'
> > > CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4
> > > PREEMPT(voluntary)
> > > Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
> > > 11/28/2025
> > > Call Trace:
> > > <TASK>
> > > dump_stack_lvl+0x5f/0x90
> > > dump_stack+0x10/0x18
> > > ubsan_epilogue+0x9/0x39
> > > __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
> > > dw_i3c_common_probe.cold+0x16/0x1b
> > > dw_i3c_probe+0x30/0x50
> > > platform_probe+0x42/0xc0
> > > ? driver_sysfs_add+0x63/0xd0
> > > really_probe+0xf9/0x370
> > > ? pm_runtime_barrier+0x56/0xa0
> > > __driver_probe_device+0x8b/0x160
> > > driver_probe_device+0x24/0xd0
> > > ? __pfx___driver_attach+0x10/0x10
> > > __driver_attach+0xef/0x220
> > > ? __pfx_dw_i3c_driver_init+0x10/0x10
> > > bus_for_each_dev+0x8a/0xe0
> > > driver_attach+0x1e/0x30
> > > bus_add_driver+0x13e/0x230
> > > ? __pfx_dw_i3c_driver_init+0x10/0x10
> > > driver_register+0x75/0xf0
> > > __platform_driver_register+0x1e/0x30
> > > dw_i3c_driver_init+0x17/0x30
> > > do_one_initcall+0x59/0x330
> > > kernel_init_freeable+0x2bd/0x340
> > > ? __pfx_kernel_init+0x10/0x10
> > > kernel_init+0x1b/0x160
> > > ? __pfx_kernel_init+0x10/0x10
> > > ret_from_fork+0x202/0x230
> > > ? __pfx_kernel_init+0x10/0x10
> > > ret_from_fork_asm+0x1a/0x30
> > > </TASK>
> > > ---[ end trace ]---
> > >
> > >
> > > --
> > > linux-i3c mailing list
> > > linux-i3c@lists.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/linux-i3c
>
>
>
> --
> linux-i3c mailing list
> linux-i3c@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-i3c
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-11 16:52 ` Frank Li
@ 2025-12-12 19:44 ` Louis Sautier
2025-12-15 16:25 ` Frank Li
0 siblings, 1 reply; 15+ messages in thread
From: Louis Sautier @ 2025-12-12 19:44 UTC (permalink / raw)
To: Frank.li; +Cc: alexandre.belloni, linux-i3c
On 12/11/25 17:52, Frank Li wrote:
> On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote:
>> On 12/10/25 16:20, Frank Li wrote:
>>> On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote:
>>>> On 12/9/25 18:24, Frank Li wrote:
>>>>> On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
>>>>>> On 12/9/25 13:48, Alexandre Belloni wrote:
>>>>>>> On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
>>>>>>>> On 12/8/25 21:58, Alexandre Belloni wrote:
>>>>>>>>> Hello Louis,
>>>>>>>>>
>>>>>>>>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
>>>>>>>>>> on one specific server. I suspect it has to do with the large number of
>>>>>>>>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
>>>>>>>>>> not sure.
>>>>>>>>>>
>>>>>>>>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
>>>>>>>>>> (basically Ubuntu's).
>>>>>>>>> Just to be sure, does this also happen with v6.17?
>>>>>>>>>
>>>>>>>>> The only change is the shutdown handling so I would guess yes.
>>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> It does happen with 6.17. I initially discovered this while running Ubuntu
>>>>>>>> 25.10's stock kernel (6.17.0).
>>>>>>>>
>>>>>>>>> What is the behavior when you build the dw-i3c-master as a static driver?
>>>>>>>> I'll try CONFIG_DW_I3C_MASTER=y and report back.
>>>>>>>>
>>>>>>>> Someone also suggested (they didn't reply to the list though) that I add a
>>>>>>>> printk to see what the value of maxdevs is. I'll provide the log as soon as
>>>>>>>> I have rebuilt with:
>>>>>>>>
>>>>>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
>>>>>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
>>>>>>>> @@ -1588,6 +1588,7 @@
>>>>>>>> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>>>>>> master->datstartaddr = ret;
>>>>>>>> master->maxdevs = ret >> 16;
>>>>>>>> + printk("maxdevs: %d\n", master->maxdevs);
>>>>>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0);
>>>>>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>>>>>>>>
>>>>>>> Yes, that was going to be my suggestion.
>>>>>>>
>>>>>> I haven't tried with the driver built-in yet. This is what the printk shows:
>>>>>> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
>>>>>> -110
>>>>>> maxdevs: 65535
>>>>> Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.
>>>>>
>>>>> unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>>>
>>>>> master->maxdevs = val >> 16;
>>>>>
>>>>> Frank
>>>> I tried this and CONFIG_DW_I3C_MASTER=y:
>>>>
>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30
>>>> 22:42:10.000000000 +0000
>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09
>>>> 19:21:52.735366616 +0000
>>>> @@ -1585,9 +1585,10 @@
>>>> ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
>>>> master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
>>>>
>>>> - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>> - master->datstartaddr = ret;
>>>> - master->maxdevs = ret >> 16;
>>>> + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>> + master->datstartaddr = val;
>>>> + master->maxdevs = val >> 16;
>>>> + printk("maxdevs (unsigned): %d\n", master->maxdevs);
>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0);
>>>>
>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>>>>
>>>> And I get this log, so no change, really. I assume there's only one
>>>> "maxdevs" log because there is only one attempt to load the built-in driver?
>>> It may have dependence missed at drivers. such as clock. when built-in,
>>> this driver probe first before clock ready.
>>>
>>> If build as module, other driver help enable this clock. So it can get
>>> correct value.
>>>
>>> Frank
>> My bad, I checked yesterday's entire log again and actually, there are still
>> 4 maxdevs printk logs:
>>
>> Built-in driver:
>>
>> # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic
>> [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535
> Look this instance miss config some resource, like clks. So clock have
> not enable, all register return 0xFFFFFFFF.
>
> Frank
Can you help me understand why this happens and how to fix this? Could
this be a hardware problem?
Should I open a downstream Ubuntu bug report, would that be helpful?
>
>> [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in
>> drivers/i3c/master/dw-i3c-master.c:1592:21
>> [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535
>> [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11
>> [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in
>> drivers/i3c/master/dw-i3c-master.c:885:12
>> [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11
>>
>>
>> I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the
>> timing differs a little:
>>
>> # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic
>> [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535
>> [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in
>> drivers/i3c/master/dw-i3c-master.c:1592:21
>> [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535
>> [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11
>> [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in
>> drivers/i3c/master/dw-i3c-master.c:885:12
>> [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11
>>
>> Did I miss something with the unsigned patch?
>>>> maxdevs (unsigned): 65535
>>>> ------------[ cut here ]------------
>>>> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21
>>>> usb 1-1: new high-speed USB device number 2 using xhci_hcd
>>>> shift exponent 18446744073709486145 is too large for 64-bit type 'long
>>>> unsigned int'
>>>> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4
>>>> PREEMPT(voluntary)
>>>> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
>>>> 11/28/2025
>>>> Call Trace:
>>>> <TASK>
>>>> dump_stack_lvl+0x5f/0x90
>>>> dump_stack+0x10/0x18
>>>> ubsan_epilogue+0x9/0x39
>>>> __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
>>>> dw_i3c_common_probe.cold+0x16/0x1b
>>>> dw_i3c_probe+0x30/0x50
>>>> platform_probe+0x42/0xc0
>>>> ? driver_sysfs_add+0x63/0xd0
>>>> really_probe+0xf9/0x370
>>>> ? pm_runtime_barrier+0x56/0xa0
>>>> __driver_probe_device+0x8b/0x160
>>>> driver_probe_device+0x24/0xd0
>>>> ? __pfx___driver_attach+0x10/0x10
>>>> __driver_attach+0xef/0x220
>>>> ? __pfx_dw_i3c_driver_init+0x10/0x10
>>>> bus_for_each_dev+0x8a/0xe0
>>>> driver_attach+0x1e/0x30
>>>> bus_add_driver+0x13e/0x230
>>>> ? __pfx_dw_i3c_driver_init+0x10/0x10
>>>> driver_register+0x75/0xf0
>>>> __platform_driver_register+0x1e/0x30
>>>> dw_i3c_driver_init+0x17/0x30
>>>> do_one_initcall+0x59/0x330
>>>> kernel_init_freeable+0x2bd/0x340
>>>> ? __pfx_kernel_init+0x10/0x10
>>>> kernel_init+0x1b/0x160
>>>> ? __pfx_kernel_init+0x10/0x10
>>>> ret_from_fork+0x202/0x230
>>>> ? __pfx_kernel_init+0x10/0x10
>>>> ret_from_fork_asm+0x1a/0x30
>>>> </TASK>
>>>> ---[ end trace ]---
>>>>
>>>>
>>>> --
>>>> linux-i3c mailing list
>>>> linux-i3c@lists.infradead.org
>>>> http://lists.infradead.org/mailman/listinfo/linux-i3c
>>
>>
>> --
>> linux-i3c mailing list
>> linux-i3c@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-i3c
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-12 19:44 ` Louis Sautier
@ 2025-12-15 16:25 ` Frank Li
2025-12-30 1:30 ` Louis Sautier
2026-02-23 17:10 ` Boqun Feng
0 siblings, 2 replies; 15+ messages in thread
From: Frank Li @ 2025-12-15 16:25 UTC (permalink / raw)
To: Louis Sautier; +Cc: alexandre.belloni, linux-i3c
On Fri, Dec 12, 2025 at 08:44:41PM +0100, Louis Sautier wrote:
> On 12/11/25 17:52, Frank Li wrote:
> > On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote:
> > > On 12/10/25 16:20, Frank Li wrote:
> > > > On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote:
> > > > > On 12/9/25 18:24, Frank Li wrote:
> > > > > > On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
> > > > > > > On 12/9/25 13:48, Alexandre Belloni wrote:
> > > > > > > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
> > > > > > > > > On 12/8/25 21:58, Alexandre Belloni wrote:
> > > > > > > > > > Hello Louis,
> > > > > > > > > >
> > > > > > > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
> > > > > > > > > > > Hello,
> > > > > > > > > > >
> > > > > > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
> > > > > > > > > > > on one specific server. I suspect it has to do with the large number of
> > > > > > > > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
> > > > > > > > > > > not sure.
> > > > > > > > > > >
> > > > > > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
> > > > > > > > > > > (basically Ubuntu's).
> > > > > > > > > > Just to be sure, does this also happen with v6.17?
> > > > > > > > > >
> > > > > > > > > > The only change is the shutdown handling so I would guess yes.
> > > > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > It does happen with 6.17. I initially discovered this while running Ubuntu
> > > > > > > > > 25.10's stock kernel (6.17.0).
> > > > > > > > >
> > > > > > > > > > What is the behavior when you build the dw-i3c-master as a static driver?
> > > > > > > > > I'll try CONFIG_DW_I3C_MASTER=y and report back.
> > > > > > > > >
> > > > > > > > > Someone also suggested (they didn't reply to the list though) that I add a
> > > > > > > > > printk to see what the value of maxdevs is. I'll provide the log as soon as
> > > > > > > > > I have rebuilt with:
> > > > > > > > >
> > > > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
> > > > > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
> > > > > > > > > @@ -1588,6 +1588,7 @@
> > > > > > > > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > > > > > master->datstartaddr = ret;
> > > > > > > > > master->maxdevs = ret >> 16;
> > > > > > > > > + printk("maxdevs: %d\n", master->maxdevs);
> > > > > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > > > > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
> > > > > > > > >
> > > > > > > > Yes, that was going to be my suggestion.
> > > > > > > >
> > > > > > > I haven't tried with the driver built-in yet. This is what the printk shows:
> > > > > > > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
> > > > > > > -110
> > > > > > > maxdevs: 65535
> > > > > > Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.
> > > > > >
> > > > > > unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > >
> > > > > > master->maxdevs = val >> 16;
> > > > > >
> > > > > > Frank
> > > > > I tried this and CONFIG_DW_I3C_MASTER=y:
> > > > >
> > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30
> > > > > 22:42:10.000000000 +0000
> > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09
> > > > > 19:21:52.735366616 +0000
> > > > > @@ -1585,9 +1585,10 @@
> > > > > ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> > > > > master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
> > > > >
> > > > > - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > - master->datstartaddr = ret;
> > > > > - master->maxdevs = ret >> 16;
> > > > > + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > + master->datstartaddr = val;
> > > > > + master->maxdevs = val >> 16;
> > > > > + printk("maxdevs (unsigned): %d\n", master->maxdevs);
> > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > > > >
> > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
> > > > >
> > > > > And I get this log, so no change, really. I assume there's only one
> > > > > "maxdevs" log because there is only one attempt to load the built-in driver?
> > > > It may have dependence missed at drivers. such as clock. when built-in,
> > > > this driver probe first before clock ready.
> > > >
> > > > If build as module, other driver help enable this clock. So it can get
> > > > correct value.
> > > >
> > > > Frank
> > > My bad, I checked yesterday's entire log again and actually, there are still
> > > 4 maxdevs printk logs:
> > >
> > > Built-in driver:
> > >
> > > # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic
> > > [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535
> > Look this instance miss config some resource, like clks. So clock have
> > not enable, all register return 0xFFFFFFFF.
> >
> > Frank
>
> Can you help me understand why this happens and how to fix this? Could this
> be a hardware problem?
>
> Should I open a downstream Ubuntu bug report, would that be helpful?
It may help, or report bug to hardware vendor. Or look for recently
contributor who may provide help.
git log drivers/i3c/master/dw-i3c-master.c
Frank
>
> >
> > > [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> > > drivers/i3c/master/dw-i3c-master.c:1592:21
> > > [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535
> > > [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11
> > > [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> > > drivers/i3c/master/dw-i3c-master.c:885:12
> > > [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11
> > >
> > >
> > > I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the
> > > timing differs a little:
> > >
> > > # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic
> > > [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535
> > > [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> > > drivers/i3c/master/dw-i3c-master.c:1592:21
> > > [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535
> > > [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11
> > > [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> > > drivers/i3c/master/dw-i3c-master.c:885:12
> > > [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11
> > >
> > > Did I miss something with the unsigned patch?
> > > > > maxdevs (unsigned): 65535
> > > > > ------------[ cut here ]------------
> > > > > UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21
> > > > > usb 1-1: new high-speed USB device number 2 using xhci_hcd
> > > > > shift exponent 18446744073709486145 is too large for 64-bit type 'long
> > > > > unsigned int'
> > > > > CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4
> > > > > PREEMPT(voluntary)
> > > > > Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
> > > > > 11/28/2025
> > > > > Call Trace:
> > > > > <TASK>
> > > > > dump_stack_lvl+0x5f/0x90
> > > > > dump_stack+0x10/0x18
> > > > > ubsan_epilogue+0x9/0x39
> > > > > __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
> > > > > dw_i3c_common_probe.cold+0x16/0x1b
> > > > > dw_i3c_probe+0x30/0x50
> > > > > platform_probe+0x42/0xc0
> > > > > ? driver_sysfs_add+0x63/0xd0
> > > > > really_probe+0xf9/0x370
> > > > > ? pm_runtime_barrier+0x56/0xa0
> > > > > __driver_probe_device+0x8b/0x160
> > > > > driver_probe_device+0x24/0xd0
> > > > > ? __pfx___driver_attach+0x10/0x10
> > > > > __driver_attach+0xef/0x220
> > > > > ? __pfx_dw_i3c_driver_init+0x10/0x10
> > > > > bus_for_each_dev+0x8a/0xe0
> > > > > driver_attach+0x1e/0x30
> > > > > bus_add_driver+0x13e/0x230
> > > > > ? __pfx_dw_i3c_driver_init+0x10/0x10
> > > > > driver_register+0x75/0xf0
> > > > > __platform_driver_register+0x1e/0x30
> > > > > dw_i3c_driver_init+0x17/0x30
> > > > > do_one_initcall+0x59/0x330
> > > > > kernel_init_freeable+0x2bd/0x340
> > > > > ? __pfx_kernel_init+0x10/0x10
> > > > > kernel_init+0x1b/0x160
> > > > > ? __pfx_kernel_init+0x10/0x10
> > > > > ret_from_fork+0x202/0x230
> > > > > ? __pfx_kernel_init+0x10/0x10
> > > > > ret_from_fork_asm+0x1a/0x30
> > > > > </TASK>
> > > > > ---[ end trace ]---
> > > > >
> > > > >
> > > > > --
> > > > > linux-i3c mailing list
> > > > > linux-i3c@lists.infradead.org
> > > > > http://lists.infradead.org/mailman/listinfo/linux-i3c
> > >
> > >
> > > --
> > > linux-i3c mailing list
> > > linux-i3c@lists.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/linux-i3c
>
>
>
> --
> linux-i3c mailing list
> linux-i3c@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-i3c
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-15 16:25 ` Frank Li
@ 2025-12-30 1:30 ` Louis Sautier
2026-02-23 17:10 ` Boqun Feng
1 sibling, 0 replies; 15+ messages in thread
From: Louis Sautier @ 2025-12-30 1:30 UTC (permalink / raw)
To: Frank.li; +Cc: alexandre.belloni, linux-i3c
On 12/15/25 17:25, Frank Li wrote:
> On Fri, Dec 12, 2025 at 08:44:41PM +0100, Louis Sautier wrote:
>> On 12/11/25 17:52, Frank Li wrote:
>>> On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote:
>>>> On 12/10/25 16:20, Frank Li wrote:
>>>>> On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote:
>>>>>> On 12/9/25 18:24, Frank Li wrote:
>>>>>>> On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
>>>>>>>> On 12/9/25 13:48, Alexandre Belloni wrote:
>>>>>>>>> On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
>>>>>>>>>> On 12/8/25 21:58, Alexandre Belloni wrote:
>>>>>>>>>>> Hello Louis,
>>>>>>>>>>>
>>>>>>>>>>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
>>>>>>>>>>>> on one specific server. I suspect it has to do with the large number of
>>>>>>>>>>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
>>>>>>>>>>>> not sure.
>>>>>>>>>>>>
>>>>>>>>>>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
>>>>>>>>>>>> (basically Ubuntu's).
>>>>>>>>>>> Just to be sure, does this also happen with v6.17?
>>>>>>>>>>>
>>>>>>>>>>> The only change is the shutdown handling so I would guess yes.
>>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> It does happen with 6.17. I initially discovered this while running Ubuntu
>>>>>>>>>> 25.10's stock kernel (6.17.0).
>>>>>>>>>>
>>>>>>>>>>> What is the behavior when you build the dw-i3c-master as a static driver?
>>>>>>>>>> I'll try CONFIG_DW_I3C_MASTER=y and report back.
>>>>>>>>>>
>>>>>>>>>> Someone also suggested (they didn't reply to the list though) that I add a
>>>>>>>>>> printk to see what the value of maxdevs is. I'll provide the log as soon as
>>>>>>>>>> I have rebuilt with:
>>>>>>>>>>
>>>>>>>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
>>>>>>>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
>>>>>>>>>> @@ -1588,6 +1588,7 @@
>>>>>>>>>> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>>>>>>>> master->datstartaddr = ret;
>>>>>>>>>> master->maxdevs = ret >> 16;
>>>>>>>>>> + printk("maxdevs: %d\n", master->maxdevs);
>>>>>>>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0);
>>>>>>>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>>>>>>>>>>
>>>>>>>>> Yes, that was going to be my suggestion.
>>>>>>>>>
>>>>>>>> I haven't tried with the driver built-in yet. This is what the printk shows:
>>>>>>>> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
>>>>>>>> -110
>>>>>>>> maxdevs: 65535
>>>>>>> Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.
>>>>>>>
>>>>>>> unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>>>>>
>>>>>>> master->maxdevs = val >> 16;
>>>>>>>
>>>>>>> Frank
>>>>>> I tried this and CONFIG_DW_I3C_MASTER=y:
>>>>>>
>>>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30
>>>>>> 22:42:10.000000000 +0000
>>>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09
>>>>>> 19:21:52.735366616 +0000
>>>>>> @@ -1585,9 +1585,10 @@
>>>>>> ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
>>>>>> master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
>>>>>>
>>>>>> - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>>>> - master->datstartaddr = ret;
>>>>>> - master->maxdevs = ret >> 16;
>>>>>> + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>>>>> + master->datstartaddr = val;
>>>>>> + master->maxdevs = val >> 16;
>>>>>> + printk("maxdevs (unsigned): %d\n", master->maxdevs);
>>>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0);
>>>>>>
>>>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
>>>>>>
>>>>>> And I get this log, so no change, really. I assume there's only one
>>>>>> "maxdevs" log because there is only one attempt to load the built-in driver?
>>>>> It may have dependence missed at drivers. such as clock. when built-in,
>>>>> this driver probe first before clock ready.
>>>>>
>>>>> If build as module, other driver help enable this clock. So it can get
>>>>> correct value.
>>>>>
>>>>> Frank
>>>> My bad, I checked yesterday's entire log again and actually, there are still
>>>> 4 maxdevs printk logs:
>>>>
>>>> Built-in driver:
>>>>
>>>> # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic
>>>> [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535
>>> Look this instance miss config some resource, like clks. So clock have
>>> not enable, all register return 0xFFFFFFFF.
>>>
>>> Frank
>> Can you help me understand why this happens and how to fix this? Could this
>> be a hardware problem?
>>
>> Should I open a downstream Ubuntu bug report, would that be helpful?
> It may help, or report bug to hardware vendor. Or look for recently
> contributor who may provide help.
>
> git log drivers/i3c/master/dw-i3c-master.c
>
>
> Frank
>
>>>> [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in
>>>> drivers/i3c/master/dw-i3c-master.c:1592:21
>>>> [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535
>>>> [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11
>>>> [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in
>>>> drivers/i3c/master/dw-i3c-master.c:885:12
>>>> [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11
>>>>
>>>>
>>>> I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the
>>>> timing differs a little:
>>>>
>>>> # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic
>>>> [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535
>>>> [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in
>>>> drivers/i3c/master/dw-i3c-master.c:1592:21
>>>> [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535
>>>> [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11
>>>> [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in
>>>> drivers/i3c/master/dw-i3c-master.c:885:12
>>>> [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11
>>>>
>>>> Did I miss something with the unsigned patch?
>>>>>> maxdevs (unsigned): 65535
>>>>>> ------------[ cut here ]------------
>>>>>> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21
>>>>>> usb 1-1: new high-speed USB device number 2 using xhci_hcd
>>>>>> shift exponent 18446744073709486145 is too large for 64-bit type 'long
>>>>>> unsigned int'
>>>>>> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4
>>>>>> PREEMPT(voluntary)
>>>>>> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
>>>>>> 11/28/2025
>>>>>> Call Trace:
>>>>>> <TASK>
>>>>>> dump_stack_lvl+0x5f/0x90
>>>>>> dump_stack+0x10/0x18
>>>>>> ubsan_epilogue+0x9/0x39
>>>>>> __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
>>>>>> dw_i3c_common_probe.cold+0x16/0x1b
>>>>>> dw_i3c_probe+0x30/0x50
>>>>>> platform_probe+0x42/0xc0
>>>>>> ? driver_sysfs_add+0x63/0xd0
>>>>>> really_probe+0xf9/0x370
>>>>>> ? pm_runtime_barrier+0x56/0xa0
>>>>>> __driver_probe_device+0x8b/0x160
>>>>>> driver_probe_device+0x24/0xd0
>>>>>> ? __pfx___driver_attach+0x10/0x10
>>>>>> __driver_attach+0xef/0x220
>>>>>> ? __pfx_dw_i3c_driver_init+0x10/0x10
>>>>>> bus_for_each_dev+0x8a/0xe0
>>>>>> driver_attach+0x1e/0x30
>>>>>> bus_add_driver+0x13e/0x230
>>>>>> ? __pfx_dw_i3c_driver_init+0x10/0x10
>>>>>> driver_register+0x75/0xf0
>>>>>> __platform_driver_register+0x1e/0x30
>>>>>> dw_i3c_driver_init+0x17/0x30
>>>>>> do_one_initcall+0x59/0x330
>>>>>> kernel_init_freeable+0x2bd/0x340
>>>>>> ? __pfx_kernel_init+0x10/0x10
>>>>>> kernel_init+0x1b/0x160
>>>>>> ? __pfx_kernel_init+0x10/0x10
>>>>>> ret_from_fork+0x202/0x230
>>>>>> ? __pfx_kernel_init+0x10/0x10
>>>>>> ret_from_fork_asm+0x1a/0x30
>>>>>> </TASK>
>>>>>> ---[ end trace ]---
>>>>>>
>>>>>>
>>>>>> --
>>>>>> linux-i3c mailing list
>>>>>> linux-i3c@lists.infradead.org
>>>>>> http://lists.infradead.org/mailman/listinfo/linux-i3c
>>>>
>>>> --
>>>> linux-i3c mailing list
>>>> linux-i3c@lists.infradead.org
>>>> http://lists.infradead.org/mailman/listinfo/linux-i3c
>>
>>
>> --
>> linux-i3c mailing list
>> linux-i3c@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-i3c
I've reported the bug on Ubuntu's tracker:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2137235
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12
2025-12-15 16:25 ` Frank Li
2025-12-30 1:30 ` Louis Sautier
@ 2026-02-23 17:10 ` Boqun Feng
1 sibling, 0 replies; 15+ messages in thread
From: Boqun Feng @ 2026-02-23 17:10 UTC (permalink / raw)
To: Frank Li; +Cc: Louis Sautier, alexandre.belloni, linux-i3c, Shyam-sundar.S-k
On Mon, Dec 15, 2025 at 11:25:22AM -0500, Frank Li wrote:
> On Fri, Dec 12, 2025 at 08:44:41PM +0100, Louis Sautier wrote:
> > On 12/11/25 17:52, Frank Li wrote:
> > > On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote:
> > > > On 12/10/25 16:20, Frank Li wrote:
> > > > > On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote:
> > > > > > On 12/9/25 18:24, Frank Li wrote:
> > > > > > > On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote:
> > > > > > > > On 12/9/25 13:48, Alexandre Belloni wrote:
> > > > > > > > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote:
> > > > > > > > > > On 12/8/25 21:58, Alexandre Belloni wrote:
> > > > > > > > > > > Hello Louis,
> > > > > > > > > > >
> > > > > > > > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote:
> > > > > > > > > > > > Hello,
> > > > > > > > > > > >
> > > > > > > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18
> > > > > > > > > > > > on one specific server. I suspect it has to do with the large number of
> > > > > > > > > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am
> > > > > > > > > > > > not sure.
> > > > > > > > > > > >
> > > > > > > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config
> > > > > > > > > > > > (basically Ubuntu's).
> > > > > > > > > > > Just to be sure, does this also happen with v6.17?
> > > > > > > > > > >
> > > > > > > > > > > The only change is the shutdown handling so I would guess yes.
> > > > > > > > > > >
> > > > > > > > > > Hello,
> > > > > > > > > >
> > > > > > > > > > It does happen with 6.17. I initially discovered this while running Ubuntu
> > > > > > > > > > 25.10's stock kernel (6.17.0).
> > > > > > > > > >
> > > > > > > > > > > What is the behavior when you build the dw-i3c-master as a static driver?
> > > > > > > > > > I'll try CONFIG_DW_I3C_MASTER=y and report back.
> > > > > > > > > >
> > > > > > > > > > Someone also suggested (they didn't reply to the list though) that I add a
> > > > > > > > > > printk to see what the value of maxdevs is. I'll provide the log as soon as
> > > > > > > > > > I have rebuilt with:
> > > > > > > > > >
> > > > > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000
> > > > > > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000
> > > > > > > > > > @@ -1588,6 +1588,7 @@
> > > > > > > > > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > > > > > > master->datstartaddr = ret;
> > > > > > > > > > master->maxdevs = ret >> 16;
> > > > > > > > > > + printk("maxdevs: %d\n", master->maxdevs);
> > > > > > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > > > > > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
> > > > > > > > > >
> > > > > > > > > Yes, that was going to be my suggestion.
> > > > > > > > >
> > > > > > > > I haven't tried with the driver built-in yet. This is what the printk shows:
> > > > > > > > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error
> > > > > > > > -110
> > > > > > > > maxdevs: 65535
> > > > > > > Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1.
> > > > > > >
> > > > > > > unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > > >
> > > > > > > master->maxdevs = val >> 16;
> > > > > > >
> > > > > > > Frank
> > > > > > I tried this and CONFIG_DW_I3C_MASTER=y:
> > > > > >
> > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30
> > > > > > 22:42:10.000000000 +0000
> > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09
> > > > > > 19:21:52.735366616 +0000
> > > > > > @@ -1585,9 +1585,10 @@
> > > > > > ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> > > > > > master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
> > > > > >
> > > > > > - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > > - master->datstartaddr = ret;
> > > > > > - master->maxdevs = ret >> 16;
> > > > > > + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > > > > > + master->datstartaddr = val;
> > > > > > + master->maxdevs = val >> 16;
> > > > > > + printk("maxdevs (unsigned): %d\n", master->maxdevs);
> > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > > > > >
> > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev);
> > > > > >
> > > > > > And I get this log, so no change, really. I assume there's only one
> > > > > > "maxdevs" log because there is only one attempt to load the built-in driver?
> > > > > It may have dependence missed at drivers. such as clock. when built-in,
> > > > > this driver probe first before clock ready.
> > > > >
> > > > > If build as module, other driver help enable this clock. So it can get
> > > > > correct value.
> > > > >
> > > > > Frank
> > > > My bad, I checked yesterday's entire log again and actually, there are still
> > > > 4 maxdevs printk logs:
> > > >
> > > > Built-in driver:
> > > >
> > > > # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic
> > > > [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535
> > > Look this instance miss config some resource, like clks. So clock have
> > > not enable, all register return 0xFFFFFFFF.
> > >
> > > Frank
> >
> > Can you help me understand why this happens and how to fix this? Could this
> > be a hardware problem?
> >
> > Should I open a downstream Ubuntu bug report, would that be helpful?
>
> It may help, or report bug to hardware vendor. Or look for recently
> contributor who may provide help.
>
> git log drivers/i3c/master/dw-i3c-master.c
>
[Cc Shyam Sundar S K who added the AMD support]
Shyam, I hit the similar issue as Louis reported here. Would you help us
on what may cause the DEVICE_ADDR_TABLE_POINTER register returns
0xFFFFFFFF? Thanks!
>
> Frank
>
> >
> > >
> > > > [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> > > > drivers/i3c/master/dw-i3c-master.c:1592:21
> > > > [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535
> > > > [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11
> > > > [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> > > > drivers/i3c/master/dw-i3c-master.c:885:12
> > > > [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11
> > > >
> > > >
> > > > I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the
> > > > timing differs a little:
> > > >
> > > > # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic
> > > > [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535
> > > > [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> > > > drivers/i3c/master/dw-i3c-master.c:1592:21
> > > > [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535
> > > > [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11
> > > > [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in
> > > > drivers/i3c/master/dw-i3c-master.c:885:12
> > > > [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11
> > > >
> > > > Did I miss something with the unsigned patch?
> > > > > > maxdevs (unsigned): 65535
> > > > > > ------------[ cut here ]------------
> > > > > > UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21
> > > > > > usb 1-1: new high-speed USB device number 2 using xhci_hcd
> > > > > > shift exponent 18446744073709486145 is too large for 64-bit type 'long
> > > > > > unsigned int'
> > > > > > CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4
> > > > > > PREEMPT(voluntary)
> > > > > > Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43
> > > > > > 11/28/2025
> > > > > > Call Trace:
> > > > > > <TASK>
> > > > > > dump_stack_lvl+0x5f/0x90
> > > > > > dump_stack+0x10/0x18
> > > > > > ubsan_epilogue+0x9/0x39
> > > > > > __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9
> > > > > > dw_i3c_common_probe.cold+0x16/0x1b
> > > > > > dw_i3c_probe+0x30/0x50
> > > > > > platform_probe+0x42/0xc0
> > > > > > ? driver_sysfs_add+0x63/0xd0
> > > > > > really_probe+0xf9/0x370
> > > > > > ? pm_runtime_barrier+0x56/0xa0
> > > > > > __driver_probe_device+0x8b/0x160
> > > > > > driver_probe_device+0x24/0xd0
> > > > > > ? __pfx___driver_attach+0x10/0x10
> > > > > > __driver_attach+0xef/0x220
> > > > > > ? __pfx_dw_i3c_driver_init+0x10/0x10
> > > > > > bus_for_each_dev+0x8a/0xe0
> > > > > > driver_attach+0x1e/0x30
> > > > > > bus_add_driver+0x13e/0x230
> > > > > > ? __pfx_dw_i3c_driver_init+0x10/0x10
> > > > > > driver_register+0x75/0xf0
> > > > > > __platform_driver_register+0x1e/0x30
> > > > > > dw_i3c_driver_init+0x17/0x30
> > > > > > do_one_initcall+0x59/0x330
> > > > > > kernel_init_freeable+0x2bd/0x340
> > > > > > ? __pfx_kernel_init+0x10/0x10
> > > > > > kernel_init+0x1b/0x160
> > > > > > ? __pfx_kernel_init+0x10/0x10
> > > > > > ret_from_fork+0x202/0x230
> > > > > > ? __pfx_kernel_init+0x10/0x10
> > > > > > ret_from_fork_asm+0x1a/0x30
> > > > > > </TASK>
> > > > > > ---[ end trace ]---
> > > > > >
> > > > > >
> > > > > > --
> > > > > > linux-i3c mailing list
> > > > > > linux-i3c@lists.infradead.org
> > > > > > http://lists.infradead.org/mailman/listinfo/linux-i3c
> > > >
> > > >
> > > > --
> > > > linux-i3c mailing list
> > > > linux-i3c@lists.infradead.org
> > > > http://lists.infradead.org/mailman/listinfo/linux-i3c
> >
> >
> >
> > --
> > linux-i3c mailing list
> > linux-i3c@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/linux-i3c
>
> --
> linux-i3c mailing list
> linux-i3c@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-i3c
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2026-02-23 17:10 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-02 20:17 Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 Louis Sautier
2025-12-08 18:54 ` Manikanta Guntupalli
2025-12-08 20:58 ` Alexandre Belloni
2025-12-09 11:37 ` Louis Sautier
2025-12-09 12:48 ` Alexandre Belloni
2025-12-09 15:36 ` Louis Sautier
2025-12-09 17:24 ` Frank Li
2025-12-09 19:52 ` Louis Sautier
2025-12-10 15:20 ` Frank Li
2025-12-10 19:50 ` Louis Sautier
2025-12-11 16:52 ` Frank Li
2025-12-12 19:44 ` Louis Sautier
2025-12-15 16:25 ` Frank Li
2025-12-30 1:30 ` Louis Sautier
2026-02-23 17:10 ` Boqun Feng
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox