* Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 @ 2025-12-02 20:17 Louis Sautier 2025-12-08 18:54 ` Manikanta Guntupalli 2025-12-08 20:58 ` Alexandre Belloni 0 siblings, 2 replies; 15+ messages in thread From: Louis Sautier @ 2025-12-02 20:17 UTC (permalink / raw) To: linux-i3c Hello, I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 on one specific server. I suspect it has to do with the large number of CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am not sure. The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config (basically Ubuntu's). These are the logs I see whenever I run "modprobe dw-i3c-master". Full dmesg at https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/dmesg dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error -110 dw-i3c-master AMDI0015:01: probe with driver dw-i3c-master failed with error -110 ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 109 UID: 0 PID: 7574 Comm: (udev-worker) Not tainted 6.18.0 #1 PREEMPT(voluntary) Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 11/28/2025 Call Trace: <TASK> dump_stack_lvl+0x5f/0x90 dump_stack+0x10/0x18 ubsan_epilogue+0x9/0x39 __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 dw_i3c_master_daa.cold+0x1a/0x90 [dw_i3c_master] i3c_master_do_daa+0x30/0x90 [i3c] i3c_master_register+0x616/0xa80 [i3c] dw_i3c_common_probe+0x23f/0x2c0 [dw_i3c_master] dw_i3c_probe+0x30/0x50 [dw_i3c_master] platform_probe+0x42/0xc0 ? driver_sysfs_add+0x63/0xd0 really_probe+0xf9/0x370 ? pm_runtime_barrier+0x56/0xa0 __driver_probe_device+0x8b/0x160 driver_probe_device+0x24/0xd0 ? __pfx___driver_attach+0x10/0x10 __driver_attach+0xef/0x220 ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master] bus_for_each_dev+0x8a/0xe0 driver_attach+0x1e/0x30 bus_add_driver+0x13e/0x230 ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master] driver_register+0x75/0xf0 __platform_driver_register+0x1e/0x30 dw_i3c_driver_init+0x1c/0xff0 [dw_i3c_master] do_one_initcall+0x59/0x330 do_init_module+0x8b/0x290 load_module+0x1f2f/0x2320 init_module_from_file+0x9b/0x100 ? init_module_from_file+0x9b/0x100 idempotent_init_module+0x10e/0x300 __x64_sys_finit_module+0x73/0xf0 ? __secure_computing+0x84/0xe0 x64_sys_call+0x1f04/0x2350 do_syscall_64+0x82/0xc80 ? exit_to_user_mode_loop+0xe6/0x190 ? do_syscall_64+0x25c/0xc80 ? restore_fpregs_from_fpstate+0x46/0xe0 ? switch_fpu_return+0x5c/0xf0 ? do_syscall_64+0x25c/0xc80 ? switch_fpu_return+0x5c/0xf0 ? do_syscall_64+0x25c/0xc80 ? wait_for_completion_interruptible+0x24/0x50 ? idempotent_init_module+0x1d5/0x300 ? __rseq_handle_notify_resume+0xa2/0x4e0 ? restore_fpregs_from_fpstate+0x46/0xe0 ? switch_fpu_return+0x5c/0xf0 ? do_syscall_64+0x25c/0xc80 ? do_user_addr_fault+0x22b/0x6b0 ? irqentry_exit_to_user_mode+0x2e/0x2a0 ? irqentry_exit+0x43/0x50 ? exc_page_fault+0x90/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7dff23f348cd Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 f5 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007fff46db08c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 00005705ce7b5300 RCX: 00007dff23f348cd RDX: 0000000000000000 RSI: 00007dff23c31336 RDI: 0000000000000078 RBP: 00007fff46db0960 R08: 0000000000000000 R09: 00005705ce77f530 R10: 0000000000000000 R11: 0000000000000246 R12: 00007dff23c31336 R13: 0000000000020000 R14: 00005705ce7bcb10 R15: 00005705ce7c4f00 </TASK> ---[ end trace ]--- dw-i3c-master AMDI0015:03: probe with driver dw-i3c-master failed with error -110 I hope this is the right venue to report this. Please let me know if you need more information or if you would like me to test a patch. Can you also keep me CC'd to replies? I'm not subscribed to the list. Cheers, Louis -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-02 20:17 Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 Louis Sautier @ 2025-12-08 18:54 ` Manikanta Guntupalli 2025-12-08 20:58 ` Alexandre Belloni 1 sibling, 0 replies; 15+ messages in thread From: Manikanta Guntupalli @ 2025-12-08 18:54 UTC (permalink / raw) To: Louis Sautier; +Cc: linux-i3c Hi Louis, What is the behavior when you build the dw-i3c-master as a static driver? Thanks, Manikanta On Wed, 3 Dec 2025, 01:48 Louis Sautier, <louis.sautier@ovhcloud.com> wrote: > > Hello, > > I'm running into a bug when loading the dw-i3c-master module on kernel > 6.18 on one specific server. I suspect it has to do with the large > number of CPUs on the machine (768 threads, from 2 AMD EPYC 9965 > processors) but I am not sure. > > The system is on Ubuntu 25.10 and a 6.18 kernel with > https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config > (basically Ubuntu's). > > These are the logs I see whenever I run "modprobe dw-i3c-master". Full > dmesg at > https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/dmesg > > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with > error -110 > dw-i3c-master AMDI0015:01: probe with driver dw-i3c-master failed with > error -110 > ------------[ cut here ]------------ > UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 > shift exponent 64 is too large for 64-bit type 'long unsigned int' > CPU: 109 UID: 0 PID: 7574 Comm: (udev-worker) Not tainted 6.18.0 #1 > PREEMPT(voluntary) > Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 > 11/28/2025 > Call Trace: > <TASK> > dump_stack_lvl+0x5f/0x90 > dump_stack+0x10/0x18 > ubsan_epilogue+0x9/0x39 > __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 > dw_i3c_master_daa.cold+0x1a/0x90 [dw_i3c_master] > i3c_master_do_daa+0x30/0x90 [i3c] > i3c_master_register+0x616/0xa80 [i3c] > dw_i3c_common_probe+0x23f/0x2c0 [dw_i3c_master] > dw_i3c_probe+0x30/0x50 [dw_i3c_master] > platform_probe+0x42/0xc0 > ? driver_sysfs_add+0x63/0xd0 > really_probe+0xf9/0x370 > ? pm_runtime_barrier+0x56/0xa0 > __driver_probe_device+0x8b/0x160 > driver_probe_device+0x24/0xd0 > ? __pfx___driver_attach+0x10/0x10 > __driver_attach+0xef/0x220 > ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master] > bus_for_each_dev+0x8a/0xe0 > driver_attach+0x1e/0x30 > bus_add_driver+0x13e/0x230 > ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master] > driver_register+0x75/0xf0 > __platform_driver_register+0x1e/0x30 > dw_i3c_driver_init+0x1c/0xff0 [dw_i3c_master] > do_one_initcall+0x59/0x330 > do_init_module+0x8b/0x290 > load_module+0x1f2f/0x2320 > init_module_from_file+0x9b/0x100 > ? init_module_from_file+0x9b/0x100 > idempotent_init_module+0x10e/0x300 > __x64_sys_finit_module+0x73/0xf0 > ? __secure_computing+0x84/0xe0 > x64_sys_call+0x1f04/0x2350 > do_syscall_64+0x82/0xc80 > ? exit_to_user_mode_loop+0xe6/0x190 > ? do_syscall_64+0x25c/0xc80 > ? restore_fpregs_from_fpstate+0x46/0xe0 > ? switch_fpu_return+0x5c/0xf0 > ? do_syscall_64+0x25c/0xc80 > ? switch_fpu_return+0x5c/0xf0 > ? do_syscall_64+0x25c/0xc80 > ? wait_for_completion_interruptible+0x24/0x50 > ? idempotent_init_module+0x1d5/0x300 > ? __rseq_handle_notify_resume+0xa2/0x4e0 > ? restore_fpregs_from_fpstate+0x46/0xe0 > ? switch_fpu_return+0x5c/0xf0 > ? do_syscall_64+0x25c/0xc80 > ? do_user_addr_fault+0x22b/0x6b0 > ? irqentry_exit_to_user_mode+0x2e/0x2a0 > ? irqentry_exit+0x43/0x50 > ? exc_page_fault+0x90/0x1b0 > entry_SYSCALL_64_after_hwframe+0x76/0x7e > RIP: 0033:0x7dff23f348cd > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 > f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 > f0 ff ff 73 01 c3 48 8b 0d 13 f5 0f 00 f7 d8 64 89 01 48 > RSP: 002b:00007fff46db08c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 > RAX: ffffffffffffffda RBX: 00005705ce7b5300 RCX: 00007dff23f348cd > RDX: 0000000000000000 RSI: 00007dff23c31336 RDI: 0000000000000078 > RBP: 00007fff46db0960 R08: 0000000000000000 R09: 00005705ce77f530 > R10: 0000000000000000 R11: 0000000000000246 R12: 00007dff23c31336 > R13: 0000000000020000 R14: 00005705ce7bcb10 R15: 00005705ce7c4f00 > </TASK> > ---[ end trace ]--- > dw-i3c-master AMDI0015:03: probe with driver dw-i3c-master failed with > error -110 > > > I hope this is the right venue to report this. Please let me know if you > need more information or if you would like me to test a patch. > > Can you also keep me CC'd to replies? I'm not subscribed to the list. > > Cheers, > > Louis > > > -- > linux-i3c mailing list > linux-i3c@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-i3c -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-02 20:17 Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 Louis Sautier 2025-12-08 18:54 ` Manikanta Guntupalli @ 2025-12-08 20:58 ` Alexandre Belloni 2025-12-09 11:37 ` Louis Sautier 1 sibling, 1 reply; 15+ messages in thread From: Alexandre Belloni @ 2025-12-08 20:58 UTC (permalink / raw) To: Louis Sautier; +Cc: linux-i3c Hello Louis, On 02/12/2025 21:17:31+0100, Louis Sautier wrote: > Hello, > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 > on one specific server. I suspect it has to do with the large number of > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am > not sure. > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config > (basically Ubuntu's). Just to be sure, does this also happen with v6.17? The only change is the shutdown handling so I would guess yes. -- Alexandre Belloni, co-owner and COO, Bootlin Embedded Linux and Kernel engineering https://bootlin.com -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-08 20:58 ` Alexandre Belloni @ 2025-12-09 11:37 ` Louis Sautier 2025-12-09 12:48 ` Alexandre Belloni 0 siblings, 1 reply; 15+ messages in thread From: Louis Sautier @ 2025-12-09 11:37 UTC (permalink / raw) To: alexandre.belloni; +Cc: linux-i3c On 12/8/25 21:58, Alexandre Belloni wrote: > Hello Louis, > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote: >> Hello, >> >> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 >> on one specific server. I suspect it has to do with the large number of >> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am >> not sure. >> >> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config >> (basically Ubuntu's). > Just to be sure, does this also happen with v6.17? > > The only change is the shutdown handling so I would guess yes. > Hello, It does happen with 6.17. I initially discovered this while running Ubuntu 25.10's stock kernel (6.17.0). > What is the behavior when you build the dw-i3c-master as a static driver? I'll try CONFIG_DW_I3C_MASTER=y and report back. Someone also suggested (they didn't reply to the list though) that I add a printk to see what the value of maxdevs is. I'll provide the log as soon as I have rebuilt with: --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 @@ -1588,6 +1588,7 @@ ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); master->datstartaddr = ret; master->maxdevs = ret >> 16; + printk("maxdevs: %d\n", master->maxdevs); master->free_pos = GENMASK(master->maxdevs - 1, 0); master->quirks = (unsigned long)device_get_match_data(&pdev->dev); -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-09 11:37 ` Louis Sautier @ 2025-12-09 12:48 ` Alexandre Belloni 2025-12-09 15:36 ` Louis Sautier 0 siblings, 1 reply; 15+ messages in thread From: Alexandre Belloni @ 2025-12-09 12:48 UTC (permalink / raw) To: Louis Sautier; +Cc: linux-i3c On 09/12/2025 12:37:12+0100, Louis Sautier wrote: > On 12/8/25 21:58, Alexandre Belloni wrote: > > Hello Louis, > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote: > > > Hello, > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 > > > on one specific server. I suspect it has to do with the large number of > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am > > > not sure. > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config > > > (basically Ubuntu's). > > Just to be sure, does this also happen with v6.17? > > > > The only change is the shutdown handling so I would guess yes. > > > Hello, > > It does happen with 6.17. I initially discovered this while running Ubuntu > 25.10's stock kernel (6.17.0). > > > What is the behavior when you build the dw-i3c-master as a static driver? > I'll try CONFIG_DW_I3C_MASTER=y and report back. > > Someone also suggested (they didn't reply to the list though) that I add a > printk to see what the value of maxdevs is. I'll provide the log as soon as > I have rebuilt with: > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 > @@ -1588,6 +1588,7 @@ > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > master->datstartaddr = ret; > master->maxdevs = ret >> 16; > + printk("maxdevs: %d\n", master->maxdevs); > master->free_pos = GENMASK(master->maxdevs - 1, 0); > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > Yes, that was going to be my suggestion. -- Alexandre Belloni, co-owner and COO, Bootlin Embedded Linux and Kernel engineering https://bootlin.com -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-09 12:48 ` Alexandre Belloni @ 2025-12-09 15:36 ` Louis Sautier 2025-12-09 17:24 ` Frank Li 0 siblings, 1 reply; 15+ messages in thread From: Louis Sautier @ 2025-12-09 15:36 UTC (permalink / raw) To: alexandre.belloni; +Cc: linux-i3c On 12/9/25 13:48, Alexandre Belloni wrote: > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote: >> On 12/8/25 21:58, Alexandre Belloni wrote: >>> Hello Louis, >>> >>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote: >>>> Hello, >>>> >>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 >>>> on one specific server. I suspect it has to do with the large number of >>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am >>>> not sure. >>>> >>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config >>>> (basically Ubuntu's). >>> Just to be sure, does this also happen with v6.17? >>> >>> The only change is the shutdown handling so I would guess yes. >>> >> Hello, >> >> It does happen with 6.17. I initially discovered this while running Ubuntu >> 25.10's stock kernel (6.17.0). >> >>> What is the behavior when you build the dw-i3c-master as a static driver? >> I'll try CONFIG_DW_I3C_MASTER=y and report back. >> >> Someone also suggested (they didn't reply to the list though) that I add a >> printk to see what the value of maxdevs is. I'll provide the log as soon as >> I have rebuilt with: >> >> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 >> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 >> @@ -1588,6 +1588,7 @@ >> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >> master->datstartaddr = ret; >> master->maxdevs = ret >> 16; >> + printk("maxdevs: %d\n", master->maxdevs); >> master->free_pos = GENMASK(master->maxdevs - 1, 0); >> master->quirks = (unsigned long)device_get_match_data(&pdev->dev); >> > Yes, that was going to be my suggestion. > I haven't tried with the driver built-in yet. This is what the printk shows: dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error -110 maxdevs: 65535 dw-i3c-master AMDI0015:01: probe with driver dw-i3c-master failed with error -110 maxdevs: 11 ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 0 UID: 0 PID: 7363 Comm: (udev-worker) Not tainted 6.18.0 #1 PREEMPT(voluntary) Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 11/28/2025 Call Trace: <TASK> dump_stack_lvl+0x5f/0x90 dump_stack+0x10/0x18 ubsan_epilogue+0x9/0x39 __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 dw_i3c_master_daa.cold+0x1a/0x90 [dw_i3c_master] i3c_master_do_daa+0x30/0x90 [i3c] i3c_master_register+0x616/0xa80 [i3c] dw_i3c_common_probe+0x298/0x2d0 [dw_i3c_master] dw_i3c_probe+0x30/0x50 [dw_i3c_master] platform_probe+0x42/0xc0 ? driver_sysfs_add+0x63/0xd0 really_probe+0xf9/0x370 ? pm_runtime_barrier+0x56/0xa0 __driver_probe_device+0x8b/0x160 driver_probe_device+0x24/0xd0 ? __pfx___driver_attach+0x10/0x10 __driver_attach+0xef/0x220 ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master] bus_for_each_dev+0x8a/0xe0 driver_attach+0x1e/0x30 bus_add_driver+0x13e/0x230 ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master] driver_register+0x75/0xf0 __platform_driver_register+0x1e/0x30 dw_i3c_driver_init+0x1c/0xff0 [dw_i3c_master] do_one_initcall+0x59/0x330 do_init_module+0x8b/0x290 load_module+0x1f2f/0x2320 init_module_from_file+0x9b/0x100 ? init_module_from_file+0x9b/0x100 idempotent_init_module+0x10e/0x300 __x64_sys_finit_module+0x73/0xf0 ? __secure_computing+0x84/0xe0 x64_sys_call+0x1f04/0x2350 do_syscall_64+0x82/0xc80 ? vfs_read+0x179/0x3a0 ? vfs_read+0x179/0x3a0 ? __rseq_handle_notify_resume+0xa2/0x4e0 ? exit_to_user_mode_loop+0xe6/0x190 ? do_syscall_64+0x25c/0xc80 ? irqentry_exit+0x43/0x50 ? exc_page_fault+0x90/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x70c8bf1348cd Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 f5 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffd8d0e4cf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 000059c987bf15c0 RCX: 000070c8bf1348cd RDX: 0000000000000000 RSI: 000070c8be74b336 RDI: 0000000000000065 RBP: 00007ffd8d0e4d90 R08: 0000000000000000 R09: 000059c987bc1070 R10: 0000000000000000 R11: 0000000000000246 R12: 000070c8be74b336 R13: 0000000000020000 R14: 000059c987be8cd0 R15: 000059c987bb1440 </TASK> ---[ end trace ]--- maxdevs: 11 dw-i3c-master AMDI0015:03: probe with driver dw-i3c-master failed with error -110 -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-09 15:36 ` Louis Sautier @ 2025-12-09 17:24 ` Frank Li 2025-12-09 19:52 ` Louis Sautier 0 siblings, 1 reply; 15+ messages in thread From: Frank Li @ 2025-12-09 17:24 UTC (permalink / raw) To: Louis Sautier; +Cc: alexandre.belloni, linux-i3c On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote: > On 12/9/25 13:48, Alexandre Belloni wrote: > > > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote: > > > On 12/8/25 21:58, Alexandre Belloni wrote: > > > > Hello Louis, > > > > > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote: > > > > > Hello, > > > > > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 > > > > > on one specific server. I suspect it has to do with the large number of > > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am > > > > > not sure. > > > > > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config > > > > > (basically Ubuntu's). > > > > Just to be sure, does this also happen with v6.17? > > > > > > > > The only change is the shutdown handling so I would guess yes. > > > > > > > Hello, > > > > > > It does happen with 6.17. I initially discovered this while running Ubuntu > > > 25.10's stock kernel (6.17.0). > > > > > > > What is the behavior when you build the dw-i3c-master as a static driver? > > > I'll try CONFIG_DW_I3C_MASTER=y and report back. > > > > > > Someone also suggested (they didn't reply to the list though) that I add a > > > printk to see what the value of maxdevs is. I'll provide the log as soon as > > > I have rebuilt with: > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 > > > @@ -1588,6 +1588,7 @@ > > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > master->datstartaddr = ret; > > > master->maxdevs = ret >> 16; > > > + printk("maxdevs: %d\n", master->maxdevs); > > > master->free_pos = GENMASK(master->maxdevs - 1, 0); > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > > > > > Yes, that was going to be my suggestion. > > > I haven't tried with the driver built-in yet. This is what the printk shows: > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error > -110 > maxdevs: 65535 Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1. unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); master->maxdevs = val >> 16; Frank > dw-i3c-master AMDI0015:01: probe with driver dw-i3c-master failed with error > -110 > maxdevs: 11 > ------------[ cut here ]------------ > UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 > shift exponent 64 is too large for 64-bit type 'long unsigned int' > CPU: 0 UID: 0 PID: 7363 Comm: (udev-worker) Not tainted 6.18.0 #1 > PREEMPT(voluntary) > Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 > 11/28/2025 > Call Trace: > <TASK> > dump_stack_lvl+0x5f/0x90 > dump_stack+0x10/0x18 > ubsan_epilogue+0x9/0x39 > __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 > dw_i3c_master_daa.cold+0x1a/0x90 [dw_i3c_master] > i3c_master_do_daa+0x30/0x90 [i3c] > i3c_master_register+0x616/0xa80 [i3c] > dw_i3c_common_probe+0x298/0x2d0 [dw_i3c_master] > dw_i3c_probe+0x30/0x50 [dw_i3c_master] > platform_probe+0x42/0xc0 > ? driver_sysfs_add+0x63/0xd0 > really_probe+0xf9/0x370 > ? pm_runtime_barrier+0x56/0xa0 > __driver_probe_device+0x8b/0x160 > driver_probe_device+0x24/0xd0 > ? __pfx___driver_attach+0x10/0x10 > __driver_attach+0xef/0x220 > ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master] > bus_for_each_dev+0x8a/0xe0 > driver_attach+0x1e/0x30 > bus_add_driver+0x13e/0x230 > ? __pfx_dw_i3c_driver_init+0x10/0x10 [dw_i3c_master] > driver_register+0x75/0xf0 > __platform_driver_register+0x1e/0x30 > dw_i3c_driver_init+0x1c/0xff0 [dw_i3c_master] > do_one_initcall+0x59/0x330 > do_init_module+0x8b/0x290 > load_module+0x1f2f/0x2320 > init_module_from_file+0x9b/0x100 > ? init_module_from_file+0x9b/0x100 > idempotent_init_module+0x10e/0x300 > __x64_sys_finit_module+0x73/0xf0 > ? __secure_computing+0x84/0xe0 > x64_sys_call+0x1f04/0x2350 > do_syscall_64+0x82/0xc80 > ? vfs_read+0x179/0x3a0 > ? vfs_read+0x179/0x3a0 > ? __rseq_handle_notify_resume+0xa2/0x4e0 > ? exit_to_user_mode_loop+0xe6/0x190 > ? do_syscall_64+0x25c/0xc80 > ? irqentry_exit+0x43/0x50 > ? exc_page_fault+0x90/0x1b0 > entry_SYSCALL_64_after_hwframe+0x76/0x7e > RIP: 0033:0x70c8bf1348cd > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff > 73 01 c3 48 8b 0d 13 f5 0f 00 f7 d8 64 89 01 48 > RSP: 002b:00007ffd8d0e4cf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 > RAX: ffffffffffffffda RBX: 000059c987bf15c0 RCX: 000070c8bf1348cd > RDX: 0000000000000000 RSI: 000070c8be74b336 RDI: 0000000000000065 > RBP: 00007ffd8d0e4d90 R08: 0000000000000000 R09: 000059c987bc1070 > R10: 0000000000000000 R11: 0000000000000246 R12: 000070c8be74b336 > R13: 0000000000020000 R14: 000059c987be8cd0 R15: 000059c987bb1440 > </TASK> > ---[ end trace ]--- > maxdevs: 11 > dw-i3c-master AMDI0015:03: probe with driver dw-i3c-master failed with error > -110 > > > -- > linux-i3c mailing list > linux-i3c@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-i3c -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-09 17:24 ` Frank Li @ 2025-12-09 19:52 ` Louis Sautier 2025-12-10 15:20 ` Frank Li 0 siblings, 1 reply; 15+ messages in thread From: Louis Sautier @ 2025-12-09 19:52 UTC (permalink / raw) To: Frank.li; +Cc: alexandre.belloni, linux-i3c On 12/9/25 18:24, Frank Li wrote: > On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote: >> On 12/9/25 13:48, Alexandre Belloni wrote: >>> On 09/12/2025 12:37:12+0100, Louis Sautier wrote: >>>> On 12/8/25 21:58, Alexandre Belloni wrote: >>>>> Hello Louis, >>>>> >>>>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote: >>>>>> Hello, >>>>>> >>>>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 >>>>>> on one specific server. I suspect it has to do with the large number of >>>>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am >>>>>> not sure. >>>>>> >>>>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config >>>>>> (basically Ubuntu's). >>>>> Just to be sure, does this also happen with v6.17? >>>>> >>>>> The only change is the shutdown handling so I would guess yes. >>>>> >>>> Hello, >>>> >>>> It does happen with 6.17. I initially discovered this while running Ubuntu >>>> 25.10's stock kernel (6.17.0). >>>> >>>>> What is the behavior when you build the dw-i3c-master as a static driver? >>>> I'll try CONFIG_DW_I3C_MASTER=y and report back. >>>> >>>> Someone also suggested (they didn't reply to the list though) that I add a >>>> printk to see what the value of maxdevs is. I'll provide the log as soon as >>>> I have rebuilt with: >>>> >>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 >>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 >>>> @@ -1588,6 +1588,7 @@ >>>> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>> master->datstartaddr = ret; >>>> master->maxdevs = ret >> 16; >>>> + printk("maxdevs: %d\n", master->maxdevs); >>>> master->free_pos = GENMASK(master->maxdevs - 1, 0); >>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev); >>>> >>> Yes, that was going to be my suggestion. >>> >> I haven't tried with the driver built-in yet. This is what the printk shows: >> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error >> -110 >> maxdevs: 65535 > Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1. > > unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > master->maxdevs = val >> 16; > > Frank I tried this and CONFIG_DW_I3C_MASTER=y: --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09 19:21:52.735366616 +0000 @@ -1585,9 +1585,10 @@ ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL); master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret); - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); - master->datstartaddr = ret; - master->maxdevs = ret >> 16; + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); + master->datstartaddr = val; + master->maxdevs = val >> 16; + printk("maxdevs (unsigned): %d\n", master->maxdevs); master->free_pos = GENMASK(master->maxdevs - 1, 0); master->quirks = (unsigned long)device_get_match_data(&pdev->dev); And I get this log, so no change, really. I assume there's only one "maxdevs" log because there is only one attempt to load the built-in driver? maxdevs (unsigned): 65535 ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 usb 1-1: new high-speed USB device number 2 using xhci_hcd shift exponent 18446744073709486145 is too large for 64-bit type 'long unsigned int' CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4 PREEMPT(voluntary) Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 11/28/2025 Call Trace: <TASK> dump_stack_lvl+0x5f/0x90 dump_stack+0x10/0x18 ubsan_epilogue+0x9/0x39 __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 dw_i3c_common_probe.cold+0x16/0x1b dw_i3c_probe+0x30/0x50 platform_probe+0x42/0xc0 ? driver_sysfs_add+0x63/0xd0 really_probe+0xf9/0x370 ? pm_runtime_barrier+0x56/0xa0 __driver_probe_device+0x8b/0x160 driver_probe_device+0x24/0xd0 ? __pfx___driver_attach+0x10/0x10 __driver_attach+0xef/0x220 ? __pfx_dw_i3c_driver_init+0x10/0x10 bus_for_each_dev+0x8a/0xe0 driver_attach+0x1e/0x30 bus_add_driver+0x13e/0x230 ? __pfx_dw_i3c_driver_init+0x10/0x10 driver_register+0x75/0xf0 __platform_driver_register+0x1e/0x30 dw_i3c_driver_init+0x17/0x30 do_one_initcall+0x59/0x330 kernel_init_freeable+0x2bd/0x340 ? __pfx_kernel_init+0x10/0x10 kernel_init+0x1b/0x160 ? __pfx_kernel_init+0x10/0x10 ret_from_fork+0x202/0x230 ? __pfx_kernel_init+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace ]--- -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-09 19:52 ` Louis Sautier @ 2025-12-10 15:20 ` Frank Li 2025-12-10 19:50 ` Louis Sautier 0 siblings, 1 reply; 15+ messages in thread From: Frank Li @ 2025-12-10 15:20 UTC (permalink / raw) To: Louis Sautier; +Cc: alexandre.belloni, linux-i3c On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote: > On 12/9/25 18:24, Frank Li wrote: > > On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote: > > > On 12/9/25 13:48, Alexandre Belloni wrote: > > > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote: > > > > > On 12/8/25 21:58, Alexandre Belloni wrote: > > > > > > Hello Louis, > > > > > > > > > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote: > > > > > > > Hello, > > > > > > > > > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 > > > > > > > on one specific server. I suspect it has to do with the large number of > > > > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am > > > > > > > not sure. > > > > > > > > > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config > > > > > > > (basically Ubuntu's). > > > > > > Just to be sure, does this also happen with v6.17? > > > > > > > > > > > > The only change is the shutdown handling so I would guess yes. > > > > > > > > > > > Hello, > > > > > > > > > > It does happen with 6.17. I initially discovered this while running Ubuntu > > > > > 25.10's stock kernel (6.17.0). > > > > > > > > > > > What is the behavior when you build the dw-i3c-master as a static driver? > > > > > I'll try CONFIG_DW_I3C_MASTER=y and report back. > > > > > > > > > > Someone also suggested (they didn't reply to the list though) that I add a > > > > > printk to see what the value of maxdevs is. I'll provide the log as soon as > > > > > I have rebuilt with: > > > > > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 > > > > > @@ -1588,6 +1588,7 @@ > > > > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > master->datstartaddr = ret; > > > > > master->maxdevs = ret >> 16; > > > > > + printk("maxdevs: %d\n", master->maxdevs); > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0); > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > > > > > > > > > Yes, that was going to be my suggestion. > > > > > > > I haven't tried with the driver built-in yet. This is what the printk shows: > > > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error > > > -110 > > > maxdevs: 65535 > > Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1. > > > > unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > master->maxdevs = val >> 16; > > > > Frank > > I tried this and CONFIG_DW_I3C_MASTER=y: > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 > 22:42:10.000000000 +0000 > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09 > 19:21:52.735366616 +0000 > @@ -1585,9 +1585,10 @@ > ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL); > master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret); > > - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > - master->datstartaddr = ret; > - master->maxdevs = ret >> 16; > + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > + master->datstartaddr = val; > + master->maxdevs = val >> 16; > + printk("maxdevs (unsigned): %d\n", master->maxdevs); > master->free_pos = GENMASK(master->maxdevs - 1, 0); > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > > And I get this log, so no change, really. I assume there's only one > "maxdevs" log because there is only one attempt to load the built-in driver? It may have dependence missed at drivers. such as clock. when built-in, this driver probe first before clock ready. If build as module, other driver help enable this clock. So it can get correct value. Frank > > maxdevs (unsigned): 65535 > ------------[ cut here ]------------ > UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 > usb 1-1: new high-speed USB device number 2 using xhci_hcd > shift exponent 18446744073709486145 is too large for 64-bit type 'long > unsigned int' > CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4 > PREEMPT(voluntary) > Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 > 11/28/2025 > Call Trace: > <TASK> > dump_stack_lvl+0x5f/0x90 > dump_stack+0x10/0x18 > ubsan_epilogue+0x9/0x39 > __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 > dw_i3c_common_probe.cold+0x16/0x1b > dw_i3c_probe+0x30/0x50 > platform_probe+0x42/0xc0 > ? driver_sysfs_add+0x63/0xd0 > really_probe+0xf9/0x370 > ? pm_runtime_barrier+0x56/0xa0 > __driver_probe_device+0x8b/0x160 > driver_probe_device+0x24/0xd0 > ? __pfx___driver_attach+0x10/0x10 > __driver_attach+0xef/0x220 > ? __pfx_dw_i3c_driver_init+0x10/0x10 > bus_for_each_dev+0x8a/0xe0 > driver_attach+0x1e/0x30 > bus_add_driver+0x13e/0x230 > ? __pfx_dw_i3c_driver_init+0x10/0x10 > driver_register+0x75/0xf0 > __platform_driver_register+0x1e/0x30 > dw_i3c_driver_init+0x17/0x30 > do_one_initcall+0x59/0x330 > kernel_init_freeable+0x2bd/0x340 > ? __pfx_kernel_init+0x10/0x10 > kernel_init+0x1b/0x160 > ? __pfx_kernel_init+0x10/0x10 > ret_from_fork+0x202/0x230 > ? __pfx_kernel_init+0x10/0x10 > ret_from_fork_asm+0x1a/0x30 > </TASK> > ---[ end trace ]--- > > > -- > linux-i3c mailing list > linux-i3c@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-i3c -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-10 15:20 ` Frank Li @ 2025-12-10 19:50 ` Louis Sautier 2025-12-11 16:52 ` Frank Li 0 siblings, 1 reply; 15+ messages in thread From: Louis Sautier @ 2025-12-10 19:50 UTC (permalink / raw) To: Frank.li; +Cc: alexandre.belloni, linux-i3c On 12/10/25 16:20, Frank Li wrote: > On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote: >> On 12/9/25 18:24, Frank Li wrote: >>> On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote: >>>> On 12/9/25 13:48, Alexandre Belloni wrote: >>>>> On 09/12/2025 12:37:12+0100, Louis Sautier wrote: >>>>>> On 12/8/25 21:58, Alexandre Belloni wrote: >>>>>>> Hello Louis, >>>>>>> >>>>>>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote: >>>>>>>> Hello, >>>>>>>> >>>>>>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 >>>>>>>> on one specific server. I suspect it has to do with the large number of >>>>>>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am >>>>>>>> not sure. >>>>>>>> >>>>>>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config >>>>>>>> (basically Ubuntu's). >>>>>>> Just to be sure, does this also happen with v6.17? >>>>>>> >>>>>>> The only change is the shutdown handling so I would guess yes. >>>>>>> >>>>>> Hello, >>>>>> >>>>>> It does happen with 6.17. I initially discovered this while running Ubuntu >>>>>> 25.10's stock kernel (6.17.0). >>>>>> >>>>>>> What is the behavior when you build the dw-i3c-master as a static driver? >>>>>> I'll try CONFIG_DW_I3C_MASTER=y and report back. >>>>>> >>>>>> Someone also suggested (they didn't reply to the list though) that I add a >>>>>> printk to see what the value of maxdevs is. I'll provide the log as soon as >>>>>> I have rebuilt with: >>>>>> >>>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 >>>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 >>>>>> @@ -1588,6 +1588,7 @@ >>>>>> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>>>> master->datstartaddr = ret; >>>>>> master->maxdevs = ret >> 16; >>>>>> + printk("maxdevs: %d\n", master->maxdevs); >>>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0); >>>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev); >>>>>> >>>>> Yes, that was going to be my suggestion. >>>>> >>>> I haven't tried with the driver built-in yet. This is what the printk shows: >>>> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error >>>> -110 >>>> maxdevs: 65535 >>> Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1. >>> >>> unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>> >>> master->maxdevs = val >> 16; >>> >>> Frank >> I tried this and CONFIG_DW_I3C_MASTER=y: >> >> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 >> 22:42:10.000000000 +0000 >> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09 >> 19:21:52.735366616 +0000 >> @@ -1585,9 +1585,10 @@ >> ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL); >> master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret); >> >> - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >> - master->datstartaddr = ret; >> - master->maxdevs = ret >> 16; >> + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >> + master->datstartaddr = val; >> + master->maxdevs = val >> 16; >> + printk("maxdevs (unsigned): %d\n", master->maxdevs); >> master->free_pos = GENMASK(master->maxdevs - 1, 0); >> >> master->quirks = (unsigned long)device_get_match_data(&pdev->dev); >> >> And I get this log, so no change, really. I assume there's only one >> "maxdevs" log because there is only one attempt to load the built-in driver? > It may have dependence missed at drivers. such as clock. when built-in, > this driver probe first before clock ready. > > If build as module, other driver help enable this clock. So it can get > correct value. > > Frank My bad, I checked yesterday's entire log again and actually, there are still 4 maxdevs printk logs: Built-in driver: # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535 [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535 [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11 [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11 I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the timing differs a little: # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535 [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535 [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11 [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11 Did I miss something with the unsigned patch? > >> maxdevs (unsigned): 65535 >> ------------[ cut here ]------------ >> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 >> usb 1-1: new high-speed USB device number 2 using xhci_hcd >> shift exponent 18446744073709486145 is too large for 64-bit type 'long >> unsigned int' >> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4 >> PREEMPT(voluntary) >> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 >> 11/28/2025 >> Call Trace: >> <TASK> >> dump_stack_lvl+0x5f/0x90 >> dump_stack+0x10/0x18 >> ubsan_epilogue+0x9/0x39 >> __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 >> dw_i3c_common_probe.cold+0x16/0x1b >> dw_i3c_probe+0x30/0x50 >> platform_probe+0x42/0xc0 >> ? driver_sysfs_add+0x63/0xd0 >> really_probe+0xf9/0x370 >> ? pm_runtime_barrier+0x56/0xa0 >> __driver_probe_device+0x8b/0x160 >> driver_probe_device+0x24/0xd0 >> ? __pfx___driver_attach+0x10/0x10 >> __driver_attach+0xef/0x220 >> ? __pfx_dw_i3c_driver_init+0x10/0x10 >> bus_for_each_dev+0x8a/0xe0 >> driver_attach+0x1e/0x30 >> bus_add_driver+0x13e/0x230 >> ? __pfx_dw_i3c_driver_init+0x10/0x10 >> driver_register+0x75/0xf0 >> __platform_driver_register+0x1e/0x30 >> dw_i3c_driver_init+0x17/0x30 >> do_one_initcall+0x59/0x330 >> kernel_init_freeable+0x2bd/0x340 >> ? __pfx_kernel_init+0x10/0x10 >> kernel_init+0x1b/0x160 >> ? __pfx_kernel_init+0x10/0x10 >> ret_from_fork+0x202/0x230 >> ? __pfx_kernel_init+0x10/0x10 >> ret_from_fork_asm+0x1a/0x30 >> </TASK> >> ---[ end trace ]--- >> >> >> -- >> linux-i3c mailing list >> linux-i3c@lists.infradead.org >> http://lists.infradead.org/mailman/listinfo/linux-i3c -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-10 19:50 ` Louis Sautier @ 2025-12-11 16:52 ` Frank Li 2025-12-12 19:44 ` Louis Sautier 0 siblings, 1 reply; 15+ messages in thread From: Frank Li @ 2025-12-11 16:52 UTC (permalink / raw) To: Louis Sautier; +Cc: alexandre.belloni, linux-i3c On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote: > On 12/10/25 16:20, Frank Li wrote: > > On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote: > > > On 12/9/25 18:24, Frank Li wrote: > > > > On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote: > > > > > On 12/9/25 13:48, Alexandre Belloni wrote: > > > > > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote: > > > > > > > On 12/8/25 21:58, Alexandre Belloni wrote: > > > > > > > > Hello Louis, > > > > > > > > > > > > > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote: > > > > > > > > > Hello, > > > > > > > > > > > > > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 > > > > > > > > > on one specific server. I suspect it has to do with the large number of > > > > > > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am > > > > > > > > > not sure. > > > > > > > > > > > > > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config > > > > > > > > > (basically Ubuntu's). > > > > > > > > Just to be sure, does this also happen with v6.17? > > > > > > > > > > > > > > > > The only change is the shutdown handling so I would guess yes. > > > > > > > > > > > > > > > Hello, > > > > > > > > > > > > > > It does happen with 6.17. I initially discovered this while running Ubuntu > > > > > > > 25.10's stock kernel (6.17.0). > > > > > > > > > > > > > > > What is the behavior when you build the dw-i3c-master as a static driver? > > > > > > > I'll try CONFIG_DW_I3C_MASTER=y and report back. > > > > > > > > > > > > > > Someone also suggested (they didn't reply to the list though) that I add a > > > > > > > printk to see what the value of maxdevs is. I'll provide the log as soon as > > > > > > > I have rebuilt with: > > > > > > > > > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 > > > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 > > > > > > > @@ -1588,6 +1588,7 @@ > > > > > > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > > > master->datstartaddr = ret; > > > > > > > master->maxdevs = ret >> 16; > > > > > > > + printk("maxdevs: %d\n", master->maxdevs); > > > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0); > > > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > > > > > > > > > > > > > Yes, that was going to be my suggestion. > > > > > > > > > > > I haven't tried with the driver built-in yet. This is what the printk shows: > > > > > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error > > > > > -110 > > > > > maxdevs: 65535 > > > > Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1. > > > > > > > > unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > > > > master->maxdevs = val >> 16; > > > > > > > > Frank > > > I tried this and CONFIG_DW_I3C_MASTER=y: > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 > > > 22:42:10.000000000 +0000 > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09 > > > 19:21:52.735366616 +0000 > > > @@ -1585,9 +1585,10 @@ > > > ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL); > > > master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret); > > > > > > - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > - master->datstartaddr = ret; > > > - master->maxdevs = ret >> 16; > > > + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > + master->datstartaddr = val; > > > + master->maxdevs = val >> 16; > > > + printk("maxdevs (unsigned): %d\n", master->maxdevs); > > > master->free_pos = GENMASK(master->maxdevs - 1, 0); > > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > > > > > > And I get this log, so no change, really. I assume there's only one > > > "maxdevs" log because there is only one attempt to load the built-in driver? > > It may have dependence missed at drivers. such as clock. when built-in, > > this driver probe first before clock ready. > > > > If build as module, other driver help enable this clock. So it can get > > correct value. > > > > Frank > > My bad, I checked yesterday's entire log again and actually, there are still > 4 maxdevs printk logs: > > Built-in driver: > > # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic > [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535 Look this instance miss config some resource, like clks. So clock have not enable, all register return 0xFFFFFFFF. Frank > [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in > drivers/i3c/master/dw-i3c-master.c:1592:21 > [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535 > [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11 > [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in > drivers/i3c/master/dw-i3c-master.c:885:12 > [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11 > > > I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the > timing differs a little: > > # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic > [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535 > [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in > drivers/i3c/master/dw-i3c-master.c:1592:21 > [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535 > [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11 > [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in > drivers/i3c/master/dw-i3c-master.c:885:12 > [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11 > > Did I miss something with the unsigned patch? > > > > > maxdevs (unsigned): 65535 > > > ------------[ cut here ]------------ > > > UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 > > > usb 1-1: new high-speed USB device number 2 using xhci_hcd > > > shift exponent 18446744073709486145 is too large for 64-bit type 'long > > > unsigned int' > > > CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4 > > > PREEMPT(voluntary) > > > Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 > > > 11/28/2025 > > > Call Trace: > > > <TASK> > > > dump_stack_lvl+0x5f/0x90 > > > dump_stack+0x10/0x18 > > > ubsan_epilogue+0x9/0x39 > > > __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 > > > dw_i3c_common_probe.cold+0x16/0x1b > > > dw_i3c_probe+0x30/0x50 > > > platform_probe+0x42/0xc0 > > > ? driver_sysfs_add+0x63/0xd0 > > > really_probe+0xf9/0x370 > > > ? pm_runtime_barrier+0x56/0xa0 > > > __driver_probe_device+0x8b/0x160 > > > driver_probe_device+0x24/0xd0 > > > ? __pfx___driver_attach+0x10/0x10 > > > __driver_attach+0xef/0x220 > > > ? __pfx_dw_i3c_driver_init+0x10/0x10 > > > bus_for_each_dev+0x8a/0xe0 > > > driver_attach+0x1e/0x30 > > > bus_add_driver+0x13e/0x230 > > > ? __pfx_dw_i3c_driver_init+0x10/0x10 > > > driver_register+0x75/0xf0 > > > __platform_driver_register+0x1e/0x30 > > > dw_i3c_driver_init+0x17/0x30 > > > do_one_initcall+0x59/0x330 > > > kernel_init_freeable+0x2bd/0x340 > > > ? __pfx_kernel_init+0x10/0x10 > > > kernel_init+0x1b/0x160 > > > ? __pfx_kernel_init+0x10/0x10 > > > ret_from_fork+0x202/0x230 > > > ? __pfx_kernel_init+0x10/0x10 > > > ret_from_fork_asm+0x1a/0x30 > > > </TASK> > > > ---[ end trace ]--- > > > > > > > > > -- > > > linux-i3c mailing list > > > linux-i3c@lists.infradead.org > > > http://lists.infradead.org/mailman/listinfo/linux-i3c > > > > -- > linux-i3c mailing list > linux-i3c@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-i3c -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-11 16:52 ` Frank Li @ 2025-12-12 19:44 ` Louis Sautier 2025-12-15 16:25 ` Frank Li 0 siblings, 1 reply; 15+ messages in thread From: Louis Sautier @ 2025-12-12 19:44 UTC (permalink / raw) To: Frank.li; +Cc: alexandre.belloni, linux-i3c On 12/11/25 17:52, Frank Li wrote: > On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote: >> On 12/10/25 16:20, Frank Li wrote: >>> On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote: >>>> On 12/9/25 18:24, Frank Li wrote: >>>>> On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote: >>>>>> On 12/9/25 13:48, Alexandre Belloni wrote: >>>>>>> On 09/12/2025 12:37:12+0100, Louis Sautier wrote: >>>>>>>> On 12/8/25 21:58, Alexandre Belloni wrote: >>>>>>>>> Hello Louis, >>>>>>>>> >>>>>>>>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote: >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 >>>>>>>>>> on one specific server. I suspect it has to do with the large number of >>>>>>>>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am >>>>>>>>>> not sure. >>>>>>>>>> >>>>>>>>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config >>>>>>>>>> (basically Ubuntu's). >>>>>>>>> Just to be sure, does this also happen with v6.17? >>>>>>>>> >>>>>>>>> The only change is the shutdown handling so I would guess yes. >>>>>>>>> >>>>>>>> Hello, >>>>>>>> >>>>>>>> It does happen with 6.17. I initially discovered this while running Ubuntu >>>>>>>> 25.10's stock kernel (6.17.0). >>>>>>>> >>>>>>>>> What is the behavior when you build the dw-i3c-master as a static driver? >>>>>>>> I'll try CONFIG_DW_I3C_MASTER=y and report back. >>>>>>>> >>>>>>>> Someone also suggested (they didn't reply to the list though) that I add a >>>>>>>> printk to see what the value of maxdevs is. I'll provide the log as soon as >>>>>>>> I have rebuilt with: >>>>>>>> >>>>>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 >>>>>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 >>>>>>>> @@ -1588,6 +1588,7 @@ >>>>>>>> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>>>>>> master->datstartaddr = ret; >>>>>>>> master->maxdevs = ret >> 16; >>>>>>>> + printk("maxdevs: %d\n", master->maxdevs); >>>>>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0); >>>>>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev); >>>>>>>> >>>>>>> Yes, that was going to be my suggestion. >>>>>>> >>>>>> I haven't tried with the driver built-in yet. This is what the printk shows: >>>>>> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error >>>>>> -110 >>>>>> maxdevs: 65535 >>>>> Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1. >>>>> >>>>> unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>>> >>>>> master->maxdevs = val >> 16; >>>>> >>>>> Frank >>>> I tried this and CONFIG_DW_I3C_MASTER=y: >>>> >>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 >>>> 22:42:10.000000000 +0000 >>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09 >>>> 19:21:52.735366616 +0000 >>>> @@ -1585,9 +1585,10 @@ >>>> ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL); >>>> master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret); >>>> >>>> - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>> - master->datstartaddr = ret; >>>> - master->maxdevs = ret >> 16; >>>> + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>> + master->datstartaddr = val; >>>> + master->maxdevs = val >> 16; >>>> + printk("maxdevs (unsigned): %d\n", master->maxdevs); >>>> master->free_pos = GENMASK(master->maxdevs - 1, 0); >>>> >>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev); >>>> >>>> And I get this log, so no change, really. I assume there's only one >>>> "maxdevs" log because there is only one attempt to load the built-in driver? >>> It may have dependence missed at drivers. such as clock. when built-in, >>> this driver probe first before clock ready. >>> >>> If build as module, other driver help enable this clock. So it can get >>> correct value. >>> >>> Frank >> My bad, I checked yesterday's entire log again and actually, there are still >> 4 maxdevs printk logs: >> >> Built-in driver: >> >> # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic >> [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535 > Look this instance miss config some resource, like clks. So clock have > not enable, all register return 0xFFFFFFFF. > > Frank Can you help me understand why this happens and how to fix this? Could this be a hardware problem? Should I open a downstream Ubuntu bug report, would that be helpful? > >> [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in >> drivers/i3c/master/dw-i3c-master.c:1592:21 >> [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535 >> [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11 >> [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in >> drivers/i3c/master/dw-i3c-master.c:885:12 >> [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11 >> >> >> I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the >> timing differs a little: >> >> # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic >> [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535 >> [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in >> drivers/i3c/master/dw-i3c-master.c:1592:21 >> [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535 >> [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11 >> [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in >> drivers/i3c/master/dw-i3c-master.c:885:12 >> [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11 >> >> Did I miss something with the unsigned patch? >>>> maxdevs (unsigned): 65535 >>>> ------------[ cut here ]------------ >>>> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 >>>> usb 1-1: new high-speed USB device number 2 using xhci_hcd >>>> shift exponent 18446744073709486145 is too large for 64-bit type 'long >>>> unsigned int' >>>> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4 >>>> PREEMPT(voluntary) >>>> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 >>>> 11/28/2025 >>>> Call Trace: >>>> <TASK> >>>> dump_stack_lvl+0x5f/0x90 >>>> dump_stack+0x10/0x18 >>>> ubsan_epilogue+0x9/0x39 >>>> __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 >>>> dw_i3c_common_probe.cold+0x16/0x1b >>>> dw_i3c_probe+0x30/0x50 >>>> platform_probe+0x42/0xc0 >>>> ? driver_sysfs_add+0x63/0xd0 >>>> really_probe+0xf9/0x370 >>>> ? pm_runtime_barrier+0x56/0xa0 >>>> __driver_probe_device+0x8b/0x160 >>>> driver_probe_device+0x24/0xd0 >>>> ? __pfx___driver_attach+0x10/0x10 >>>> __driver_attach+0xef/0x220 >>>> ? __pfx_dw_i3c_driver_init+0x10/0x10 >>>> bus_for_each_dev+0x8a/0xe0 >>>> driver_attach+0x1e/0x30 >>>> bus_add_driver+0x13e/0x230 >>>> ? __pfx_dw_i3c_driver_init+0x10/0x10 >>>> driver_register+0x75/0xf0 >>>> __platform_driver_register+0x1e/0x30 >>>> dw_i3c_driver_init+0x17/0x30 >>>> do_one_initcall+0x59/0x330 >>>> kernel_init_freeable+0x2bd/0x340 >>>> ? __pfx_kernel_init+0x10/0x10 >>>> kernel_init+0x1b/0x160 >>>> ? __pfx_kernel_init+0x10/0x10 >>>> ret_from_fork+0x202/0x230 >>>> ? __pfx_kernel_init+0x10/0x10 >>>> ret_from_fork_asm+0x1a/0x30 >>>> </TASK> >>>> ---[ end trace ]--- >>>> >>>> >>>> -- >>>> linux-i3c mailing list >>>> linux-i3c@lists.infradead.org >>>> http://lists.infradead.org/mailman/listinfo/linux-i3c >> >> >> -- >> linux-i3c mailing list >> linux-i3c@lists.infradead.org >> http://lists.infradead.org/mailman/listinfo/linux-i3c -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-12 19:44 ` Louis Sautier @ 2025-12-15 16:25 ` Frank Li 2025-12-30 1:30 ` Louis Sautier 2026-02-23 17:10 ` Boqun Feng 0 siblings, 2 replies; 15+ messages in thread From: Frank Li @ 2025-12-15 16:25 UTC (permalink / raw) To: Louis Sautier; +Cc: alexandre.belloni, linux-i3c On Fri, Dec 12, 2025 at 08:44:41PM +0100, Louis Sautier wrote: > On 12/11/25 17:52, Frank Li wrote: > > On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote: > > > On 12/10/25 16:20, Frank Li wrote: > > > > On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote: > > > > > On 12/9/25 18:24, Frank Li wrote: > > > > > > On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote: > > > > > > > On 12/9/25 13:48, Alexandre Belloni wrote: > > > > > > > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote: > > > > > > > > > On 12/8/25 21:58, Alexandre Belloni wrote: > > > > > > > > > > Hello Louis, > > > > > > > > > > > > > > > > > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote: > > > > > > > > > > > Hello, > > > > > > > > > > > > > > > > > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 > > > > > > > > > > > on one specific server. I suspect it has to do with the large number of > > > > > > > > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am > > > > > > > > > > > not sure. > > > > > > > > > > > > > > > > > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config > > > > > > > > > > > (basically Ubuntu's). > > > > > > > > > > Just to be sure, does this also happen with v6.17? > > > > > > > > > > > > > > > > > > > > The only change is the shutdown handling so I would guess yes. > > > > > > > > > > > > > > > > > > > Hello, > > > > > > > > > > > > > > > > > > It does happen with 6.17. I initially discovered this while running Ubuntu > > > > > > > > > 25.10's stock kernel (6.17.0). > > > > > > > > > > > > > > > > > > > What is the behavior when you build the dw-i3c-master as a static driver? > > > > > > > > > I'll try CONFIG_DW_I3C_MASTER=y and report back. > > > > > > > > > > > > > > > > > > Someone also suggested (they didn't reply to the list though) that I add a > > > > > > > > > printk to see what the value of maxdevs is. I'll provide the log as soon as > > > > > > > > > I have rebuilt with: > > > > > > > > > > > > > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 > > > > > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 > > > > > > > > > @@ -1588,6 +1588,7 @@ > > > > > > > > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > > > > > master->datstartaddr = ret; > > > > > > > > > master->maxdevs = ret >> 16; > > > > > > > > > + printk("maxdevs: %d\n", master->maxdevs); > > > > > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0); > > > > > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > > > > > > > > > > > > > > > > > Yes, that was going to be my suggestion. > > > > > > > > > > > > > > > I haven't tried with the driver built-in yet. This is what the printk shows: > > > > > > > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error > > > > > > > -110 > > > > > > > maxdevs: 65535 > > > > > > Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1. > > > > > > > > > > > > unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > > > > > > > > master->maxdevs = val >> 16; > > > > > > > > > > > > Frank > > > > > I tried this and CONFIG_DW_I3C_MASTER=y: > > > > > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 > > > > > 22:42:10.000000000 +0000 > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09 > > > > > 19:21:52.735366616 +0000 > > > > > @@ -1585,9 +1585,10 @@ > > > > > ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL); > > > > > master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret); > > > > > > > > > > - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > - master->datstartaddr = ret; > > > > > - master->maxdevs = ret >> 16; > > > > > + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > + master->datstartaddr = val; > > > > > + master->maxdevs = val >> 16; > > > > > + printk("maxdevs (unsigned): %d\n", master->maxdevs); > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0); > > > > > > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > > > > > > > > > > And I get this log, so no change, really. I assume there's only one > > > > > "maxdevs" log because there is only one attempt to load the built-in driver? > > > > It may have dependence missed at drivers. such as clock. when built-in, > > > > this driver probe first before clock ready. > > > > > > > > If build as module, other driver help enable this clock. So it can get > > > > correct value. > > > > > > > > Frank > > > My bad, I checked yesterday's entire log again and actually, there are still > > > 4 maxdevs printk logs: > > > > > > Built-in driver: > > > > > > # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic > > > [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535 > > Look this instance miss config some resource, like clks. So clock have > > not enable, all register return 0xFFFFFFFF. > > > > Frank > > Can you help me understand why this happens and how to fix this? Could this > be a hardware problem? > > Should I open a downstream Ubuntu bug report, would that be helpful? It may help, or report bug to hardware vendor. Or look for recently contributor who may provide help. git log drivers/i3c/master/dw-i3c-master.c Frank > > > > > > [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in > > > drivers/i3c/master/dw-i3c-master.c:1592:21 > > > [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535 > > > [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11 > > > [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in > > > drivers/i3c/master/dw-i3c-master.c:885:12 > > > [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11 > > > > > > > > > I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the > > > timing differs a little: > > > > > > # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic > > > [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535 > > > [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in > > > drivers/i3c/master/dw-i3c-master.c:1592:21 > > > [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535 > > > [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11 > > > [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in > > > drivers/i3c/master/dw-i3c-master.c:885:12 > > > [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11 > > > > > > Did I miss something with the unsigned patch? > > > > > maxdevs (unsigned): 65535 > > > > > ------------[ cut here ]------------ > > > > > UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 > > > > > usb 1-1: new high-speed USB device number 2 using xhci_hcd > > > > > shift exponent 18446744073709486145 is too large for 64-bit type 'long > > > > > unsigned int' > > > > > CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4 > > > > > PREEMPT(voluntary) > > > > > Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 > > > > > 11/28/2025 > > > > > Call Trace: > > > > > <TASK> > > > > > dump_stack_lvl+0x5f/0x90 > > > > > dump_stack+0x10/0x18 > > > > > ubsan_epilogue+0x9/0x39 > > > > > __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 > > > > > dw_i3c_common_probe.cold+0x16/0x1b > > > > > dw_i3c_probe+0x30/0x50 > > > > > platform_probe+0x42/0xc0 > > > > > ? driver_sysfs_add+0x63/0xd0 > > > > > really_probe+0xf9/0x370 > > > > > ? pm_runtime_barrier+0x56/0xa0 > > > > > __driver_probe_device+0x8b/0x160 > > > > > driver_probe_device+0x24/0xd0 > > > > > ? __pfx___driver_attach+0x10/0x10 > > > > > __driver_attach+0xef/0x220 > > > > > ? __pfx_dw_i3c_driver_init+0x10/0x10 > > > > > bus_for_each_dev+0x8a/0xe0 > > > > > driver_attach+0x1e/0x30 > > > > > bus_add_driver+0x13e/0x230 > > > > > ? __pfx_dw_i3c_driver_init+0x10/0x10 > > > > > driver_register+0x75/0xf0 > > > > > __platform_driver_register+0x1e/0x30 > > > > > dw_i3c_driver_init+0x17/0x30 > > > > > do_one_initcall+0x59/0x330 > > > > > kernel_init_freeable+0x2bd/0x340 > > > > > ? __pfx_kernel_init+0x10/0x10 > > > > > kernel_init+0x1b/0x160 > > > > > ? __pfx_kernel_init+0x10/0x10 > > > > > ret_from_fork+0x202/0x230 > > > > > ? __pfx_kernel_init+0x10/0x10 > > > > > ret_from_fork_asm+0x1a/0x30 > > > > > </TASK> > > > > > ---[ end trace ]--- > > > > > > > > > > > > > > > -- > > > > > linux-i3c mailing list > > > > > linux-i3c@lists.infradead.org > > > > > http://lists.infradead.org/mailman/listinfo/linux-i3c > > > > > > > > > -- > > > linux-i3c mailing list > > > linux-i3c@lists.infradead.org > > > http://lists.infradead.org/mailman/listinfo/linux-i3c > > > > -- > linux-i3c mailing list > linux-i3c@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-i3c -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-15 16:25 ` Frank Li @ 2025-12-30 1:30 ` Louis Sautier 2026-02-23 17:10 ` Boqun Feng 1 sibling, 0 replies; 15+ messages in thread From: Louis Sautier @ 2025-12-30 1:30 UTC (permalink / raw) To: Frank.li; +Cc: alexandre.belloni, linux-i3c On 12/15/25 17:25, Frank Li wrote: > On Fri, Dec 12, 2025 at 08:44:41PM +0100, Louis Sautier wrote: >> On 12/11/25 17:52, Frank Li wrote: >>> On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote: >>>> On 12/10/25 16:20, Frank Li wrote: >>>>> On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote: >>>>>> On 12/9/25 18:24, Frank Li wrote: >>>>>>> On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote: >>>>>>>> On 12/9/25 13:48, Alexandre Belloni wrote: >>>>>>>>> On 09/12/2025 12:37:12+0100, Louis Sautier wrote: >>>>>>>>>> On 12/8/25 21:58, Alexandre Belloni wrote: >>>>>>>>>>> Hello Louis, >>>>>>>>>>> >>>>>>>>>>> On 02/12/2025 21:17:31+0100, Louis Sautier wrote: >>>>>>>>>>>> Hello, >>>>>>>>>>>> >>>>>>>>>>>> I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 >>>>>>>>>>>> on one specific server. I suspect it has to do with the large number of >>>>>>>>>>>> CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am >>>>>>>>>>>> not sure. >>>>>>>>>>>> >>>>>>>>>>>> The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config >>>>>>>>>>>> (basically Ubuntu's). >>>>>>>>>>> Just to be sure, does this also happen with v6.17? >>>>>>>>>>> >>>>>>>>>>> The only change is the shutdown handling so I would guess yes. >>>>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> It does happen with 6.17. I initially discovered this while running Ubuntu >>>>>>>>>> 25.10's stock kernel (6.17.0). >>>>>>>>>> >>>>>>>>>>> What is the behavior when you build the dw-i3c-master as a static driver? >>>>>>>>>> I'll try CONFIG_DW_I3C_MASTER=y and report back. >>>>>>>>>> >>>>>>>>>> Someone also suggested (they didn't reply to the list though) that I add a >>>>>>>>>> printk to see what the value of maxdevs is. I'll provide the log as soon as >>>>>>>>>> I have rebuilt with: >>>>>>>>>> >>>>>>>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 >>>>>>>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 >>>>>>>>>> @@ -1588,6 +1588,7 @@ >>>>>>>>>> ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>>>>>>>> master->datstartaddr = ret; >>>>>>>>>> master->maxdevs = ret >> 16; >>>>>>>>>> + printk("maxdevs: %d\n", master->maxdevs); >>>>>>>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0); >>>>>>>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev); >>>>>>>>>> >>>>>>>>> Yes, that was going to be my suggestion. >>>>>>>>> >>>>>>>> I haven't tried with the driver built-in yet. This is what the printk shows: >>>>>>>> dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error >>>>>>>> -110 >>>>>>>> maxdevs: 65535 >>>>>>> Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1. >>>>>>> >>>>>>> unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>>>>> >>>>>>> master->maxdevs = val >> 16; >>>>>>> >>>>>>> Frank >>>>>> I tried this and CONFIG_DW_I3C_MASTER=y: >>>>>> >>>>>> --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 >>>>>> 22:42:10.000000000 +0000 >>>>>> +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09 >>>>>> 19:21:52.735366616 +0000 >>>>>> @@ -1585,9 +1585,10 @@ >>>>>> ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL); >>>>>> master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret); >>>>>> >>>>>> - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>>>> - master->datstartaddr = ret; >>>>>> - master->maxdevs = ret >> 16; >>>>>> + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); >>>>>> + master->datstartaddr = val; >>>>>> + master->maxdevs = val >> 16; >>>>>> + printk("maxdevs (unsigned): %d\n", master->maxdevs); >>>>>> master->free_pos = GENMASK(master->maxdevs - 1, 0); >>>>>> >>>>>> master->quirks = (unsigned long)device_get_match_data(&pdev->dev); >>>>>> >>>>>> And I get this log, so no change, really. I assume there's only one >>>>>> "maxdevs" log because there is only one attempt to load the built-in driver? >>>>> It may have dependence missed at drivers. such as clock. when built-in, >>>>> this driver probe first before clock ready. >>>>> >>>>> If build as module, other driver help enable this clock. So it can get >>>>> correct value. >>>>> >>>>> Frank >>>> My bad, I checked yesterday's entire log again and actually, there are still >>>> 4 maxdevs printk logs: >>>> >>>> Built-in driver: >>>> >>>> # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic >>>> [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535 >>> Look this instance miss config some resource, like clks. So clock have >>> not enable, all register return 0xFFFFFFFF. >>> >>> Frank >> Can you help me understand why this happens and how to fix this? Could this >> be a hardware problem? >> >> Should I open a downstream Ubuntu bug report, would that be helpful? > It may help, or report bug to hardware vendor. Or look for recently > contributor who may provide help. > > git log drivers/i3c/master/dw-i3c-master.c > > > Frank > >>>> [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in >>>> drivers/i3c/master/dw-i3c-master.c:1592:21 >>>> [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535 >>>> [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11 >>>> [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in >>>> drivers/i3c/master/dw-i3c-master.c:885:12 >>>> [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11 >>>> >>>> >>>> I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the >>>> timing differs a little: >>>> >>>> # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic >>>> [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535 >>>> [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in >>>> drivers/i3c/master/dw-i3c-master.c:1592:21 >>>> [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535 >>>> [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11 >>>> [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in >>>> drivers/i3c/master/dw-i3c-master.c:885:12 >>>> [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11 >>>> >>>> Did I miss something with the unsigned patch? >>>>>> maxdevs (unsigned): 65535 >>>>>> ------------[ cut here ]------------ >>>>>> UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 >>>>>> usb 1-1: new high-speed USB device number 2 using xhci_hcd >>>>>> shift exponent 18446744073709486145 is too large for 64-bit type 'long >>>>>> unsigned int' >>>>>> CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4 >>>>>> PREEMPT(voluntary) >>>>>> Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 >>>>>> 11/28/2025 >>>>>> Call Trace: >>>>>> <TASK> >>>>>> dump_stack_lvl+0x5f/0x90 >>>>>> dump_stack+0x10/0x18 >>>>>> ubsan_epilogue+0x9/0x39 >>>>>> __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 >>>>>> dw_i3c_common_probe.cold+0x16/0x1b >>>>>> dw_i3c_probe+0x30/0x50 >>>>>> platform_probe+0x42/0xc0 >>>>>> ? driver_sysfs_add+0x63/0xd0 >>>>>> really_probe+0xf9/0x370 >>>>>> ? pm_runtime_barrier+0x56/0xa0 >>>>>> __driver_probe_device+0x8b/0x160 >>>>>> driver_probe_device+0x24/0xd0 >>>>>> ? __pfx___driver_attach+0x10/0x10 >>>>>> __driver_attach+0xef/0x220 >>>>>> ? __pfx_dw_i3c_driver_init+0x10/0x10 >>>>>> bus_for_each_dev+0x8a/0xe0 >>>>>> driver_attach+0x1e/0x30 >>>>>> bus_add_driver+0x13e/0x230 >>>>>> ? __pfx_dw_i3c_driver_init+0x10/0x10 >>>>>> driver_register+0x75/0xf0 >>>>>> __platform_driver_register+0x1e/0x30 >>>>>> dw_i3c_driver_init+0x17/0x30 >>>>>> do_one_initcall+0x59/0x330 >>>>>> kernel_init_freeable+0x2bd/0x340 >>>>>> ? __pfx_kernel_init+0x10/0x10 >>>>>> kernel_init+0x1b/0x160 >>>>>> ? __pfx_kernel_init+0x10/0x10 >>>>>> ret_from_fork+0x202/0x230 >>>>>> ? __pfx_kernel_init+0x10/0x10 >>>>>> ret_from_fork_asm+0x1a/0x30 >>>>>> </TASK> >>>>>> ---[ end trace ]--- >>>>>> >>>>>> >>>>>> -- >>>>>> linux-i3c mailing list >>>>>> linux-i3c@lists.infradead.org >>>>>> http://lists.infradead.org/mailman/listinfo/linux-i3c >>>> >>>> -- >>>> linux-i3c mailing list >>>> linux-i3c@lists.infradead.org >>>> http://lists.infradead.org/mailman/listinfo/linux-i3c >> >> >> -- >> linux-i3c mailing list >> linux-i3c@lists.infradead.org >> http://lists.infradead.org/mailman/listinfo/linux-i3c I've reported the bug on Ubuntu's tracker: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2137235 -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 2025-12-15 16:25 ` Frank Li 2025-12-30 1:30 ` Louis Sautier @ 2026-02-23 17:10 ` Boqun Feng 1 sibling, 0 replies; 15+ messages in thread From: Boqun Feng @ 2026-02-23 17:10 UTC (permalink / raw) To: Frank Li; +Cc: Louis Sautier, alexandre.belloni, linux-i3c, Shyam-sundar.S-k On Mon, Dec 15, 2025 at 11:25:22AM -0500, Frank Li wrote: > On Fri, Dec 12, 2025 at 08:44:41PM +0100, Louis Sautier wrote: > > On 12/11/25 17:52, Frank Li wrote: > > > On Wed, Dec 10, 2025 at 08:50:24PM +0100, Louis Sautier wrote: > > > > On 12/10/25 16:20, Frank Li wrote: > > > > > On Tue, Dec 09, 2025 at 08:52:46PM +0100, Louis Sautier wrote: > > > > > > On 12/9/25 18:24, Frank Li wrote: > > > > > > > On Tue, Dec 09, 2025 at 04:36:30PM +0100, Louis Sautier wrote: > > > > > > > > On 12/9/25 13:48, Alexandre Belloni wrote: > > > > > > > > > On 09/12/2025 12:37:12+0100, Louis Sautier wrote: > > > > > > > > > > On 12/8/25 21:58, Alexandre Belloni wrote: > > > > > > > > > > > Hello Louis, > > > > > > > > > > > > > > > > > > > > > > On 02/12/2025 21:17:31+0100, Louis Sautier wrote: > > > > > > > > > > > > Hello, > > > > > > > > > > > > > > > > > > > > > > > > I'm running into a bug when loading the dw-i3c-master module on kernel 6.18 > > > > > > > > > > > > on one specific server. I suspect it has to do with the large number of > > > > > > > > > > > > CPUs on the machine (768 threads, from 2 AMD EPYC 9965 processors) but I am > > > > > > > > > > > > not sure. > > > > > > > > > > > > > > > > > > > > > > > > The system is on Ubuntu 25.10 and a 6.18 kernel with https://gist.githubusercontent.com/sbraz/a6f37fafbcf9354bbe4eace9e9eb48cb/raw/115da594dc9d7ea99b06754847571e6fd76d9da5/config > > > > > > > > > > > > (basically Ubuntu's). > > > > > > > > > > > Just to be sure, does this also happen with v6.17? > > > > > > > > > > > > > > > > > > > > > > The only change is the shutdown handling so I would guess yes. > > > > > > > > > > > > > > > > > > > > > Hello, > > > > > > > > > > > > > > > > > > > > It does happen with 6.17. I initially discovered this while running Ubuntu > > > > > > > > > > 25.10's stock kernel (6.17.0). > > > > > > > > > > > > > > > > > > > > > What is the behavior when you build the dw-i3c-master as a static driver? > > > > > > > > > > I'll try CONFIG_DW_I3C_MASTER=y and report back. > > > > > > > > > > > > > > > > > > > > Someone also suggested (they didn't reply to the list though) that I add a > > > > > > > > > > printk to see what the value of maxdevs is. I'll provide the log as soon as > > > > > > > > > > I have rebuilt with: > > > > > > > > > > > > > > > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 22:42:10.000000000 +0000 > > > > > > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-08 18:17:33.151567225 +0000 > > > > > > > > > > @@ -1588,6 +1588,7 @@ > > > > > > > > > > ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > > > > > > master->datstartaddr = ret; > > > > > > > > > > master->maxdevs = ret >> 16; > > > > > > > > > > + printk("maxdevs: %d\n", master->maxdevs); > > > > > > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0); > > > > > > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > > > > > > > > > > > > > > > > > > > Yes, that was going to be my suggestion. > > > > > > > > > > > > > > > > > I haven't tried with the driver built-in yet. This is what the printk shows: > > > > > > > > dw-i3c-master AMDI0015:00: probe with driver dw-i3c-master failed with error > > > > > > > > -110 > > > > > > > > maxdevs: 65535 > > > > > > > Maybe ret is bigger 0x8000_0000, and ret is sign int. so >>16 because -1. > > > > > > > > > > > > > > unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > > > > > > > > > > master->maxdevs = val >> 16; > > > > > > > > > > > > > > Frank > > > > > > I tried this and CONFIG_DW_I3C_MASTER=y: > > > > > > > > > > > > --- linux-6.18.orig/drivers/i3c/master/dw-i3c-master.c 2025-11-30 > > > > > > 22:42:10.000000000 +0000 > > > > > > +++ linux-6.18/drivers/i3c/master/dw-i3c-master.c 2025-12-09 > > > > > > 19:21:52.735366616 +0000 > > > > > > @@ -1585,9 +1585,10 @@ > > > > > > ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL); > > > > > > master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret); > > > > > > > > > > > > - ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > > - master->datstartaddr = ret; > > > > > > - master->maxdevs = ret >> 16; > > > > > > + unsigned int val = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > > > > > + master->datstartaddr = val; > > > > > > + master->maxdevs = val >> 16; > > > > > > + printk("maxdevs (unsigned): %d\n", master->maxdevs); > > > > > > master->free_pos = GENMASK(master->maxdevs - 1, 0); > > > > > > > > > > > > master->quirks = (unsigned long)device_get_match_data(&pdev->dev); > > > > > > > > > > > > And I get this log, so no change, really. I assume there's only one > > > > > > "maxdevs" log because there is only one attempt to load the built-in driver? > > > > > It may have dependence missed at drivers. such as clock. when built-in, > > > > > this driver probe first before clock ready. > > > > > > > > > > If build as module, other driver help enable this clock. So it can get > > > > > correct value. > > > > > > > > > > Frank > > > > My bad, I checked yesterday's entire log again and actually, there are still > > > > 4 maxdevs printk logs: > > > > > > > > Built-in driver: > > > > > > > > # journalctl -b -2 --grep "maxdevs|UBSAN" -o short-monotonic > > > > [ 23.162996] ns31482903 kernel: maxdevs (unsigned): 65535 > > > Look this instance miss config some resource, like clks. So clock have > > > not enable, all register return 0xFFFFFFFF. > > > > > > Frank > > > > Can you help me understand why this happens and how to fix this? Could this > > be a hardware problem? > > > > Should I open a downstream Ubuntu bug report, would that be helpful? > > It may help, or report bug to hardware vendor. Or look for recently > contributor who may provide help. > > git log drivers/i3c/master/dw-i3c-master.c > [Cc Shyam Sundar S K who added the AMD support] Shyam, I hit the similar issue as Louis reported here. Would you help us on what may cause the DEVICE_ADDR_TABLE_POINTER register returns 0xFFFFFFFF? Thanks! > > Frank > > > > > > > > > > [ 23.163008] ns31482903 kernel: UBSAN: shift-out-of-bounds in > > > > drivers/i3c/master/dw-i3c-master.c:1592:21 > > > > [ 23.166508] ns31482903 kernel: maxdevs (unsigned): 65535 > > > > [ 23.166568] ns31482903 kernel: maxdevs (unsigned): 11 > > > > [ 23.166576] ns31482903 kernel: UBSAN: shift-out-of-bounds in > > > > drivers/i3c/master/dw-i3c-master.c:885:12 > > > > [ 23.166748] ns31482903 kernel: maxdevs (unsigned): 11 > > > > > > > > > > > > I rebuilt with CONFIG_DW_I3C_MASTER=m and I get the same logs although the > > > > timing differs a little: > > > > > > > > # journalctl -b -1 --grep "maxdevs|UBSAN" -o short-monotonic > > > > [ 14.507929] ns31482903 kernel: maxdevs (unsigned): 65535 > > > > [ 14.507957] ns31482903 kernel: UBSAN: shift-out-of-bounds in > > > > drivers/i3c/master/dw-i3c-master.c:1592:21 > > > > [ 16.683035] ns31482903 kernel: maxdevs (unsigned): 65535 > > > > [ 18.872323] ns31482903 kernel: maxdevs (unsigned): 11 > > > > [ 18.872362] ns31482903 kernel: UBSAN: shift-out-of-bounds in > > > > drivers/i3c/master/dw-i3c-master.c:885:12 > > > > [ 18.882020] ns31482903 kernel: maxdevs (unsigned): 11 > > > > > > > > Did I miss something with the unsigned patch? > > > > > > maxdevs (unsigned): 65535 > > > > > > ------------[ cut here ]------------ > > > > > > UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:1592:21 > > > > > > usb 1-1: new high-speed USB device number 2 using xhci_hcd > > > > > > shift exponent 18446744073709486145 is too large for 64-bit type 'long > > > > > > unsigned int' > > > > > > CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0 #4 > > > > > > PREEMPT(voluntary) > > > > > > Hardware name: Giga Computing MZ73-LM2-000/MZ73-LM2-000, BIOS R23_F43 > > > > > > 11/28/2025 > > > > > > Call Trace: > > > > > > <TASK> > > > > > > dump_stack_lvl+0x5f/0x90 > > > > > > dump_stack+0x10/0x18 > > > > > > ubsan_epilogue+0x9/0x39 > > > > > > __ubsan_handle_shift_out_of_bounds.cold+0xdd/0x1c9 > > > > > > dw_i3c_common_probe.cold+0x16/0x1b > > > > > > dw_i3c_probe+0x30/0x50 > > > > > > platform_probe+0x42/0xc0 > > > > > > ? driver_sysfs_add+0x63/0xd0 > > > > > > really_probe+0xf9/0x370 > > > > > > ? pm_runtime_barrier+0x56/0xa0 > > > > > > __driver_probe_device+0x8b/0x160 > > > > > > driver_probe_device+0x24/0xd0 > > > > > > ? __pfx___driver_attach+0x10/0x10 > > > > > > __driver_attach+0xef/0x220 > > > > > > ? __pfx_dw_i3c_driver_init+0x10/0x10 > > > > > > bus_for_each_dev+0x8a/0xe0 > > > > > > driver_attach+0x1e/0x30 > > > > > > bus_add_driver+0x13e/0x230 > > > > > > ? __pfx_dw_i3c_driver_init+0x10/0x10 > > > > > > driver_register+0x75/0xf0 > > > > > > __platform_driver_register+0x1e/0x30 > > > > > > dw_i3c_driver_init+0x17/0x30 > > > > > > do_one_initcall+0x59/0x330 > > > > > > kernel_init_freeable+0x2bd/0x340 > > > > > > ? __pfx_kernel_init+0x10/0x10 > > > > > > kernel_init+0x1b/0x160 > > > > > > ? __pfx_kernel_init+0x10/0x10 > > > > > > ret_from_fork+0x202/0x230 > > > > > > ? __pfx_kernel_init+0x10/0x10 > > > > > > ret_from_fork_asm+0x1a/0x30 > > > > > > </TASK> > > > > > > ---[ end trace ]--- > > > > > > > > > > > > > > > > > > -- > > > > > > linux-i3c mailing list > > > > > > linux-i3c@lists.infradead.org > > > > > > http://lists.infradead.org/mailman/listinfo/linux-i3c > > > > > > > > > > > > -- > > > > linux-i3c mailing list > > > > linux-i3c@lists.infradead.org > > > > http://lists.infradead.org/mailman/listinfo/linux-i3c > > > > > > > > -- > > linux-i3c mailing list > > linux-i3c@lists.infradead.org > > http://lists.infradead.org/mailman/listinfo/linux-i3c > > -- > linux-i3c mailing list > linux-i3c@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-i3c -- linux-i3c mailing list linux-i3c@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-i3c ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2026-02-23 17:10 UTC | newest] Thread overview: 15+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-12-02 20:17 Error while loading dw-i3c-master: UBSAN: shift-out-of-bounds in drivers/i3c/master/dw-i3c-master.c:885:12 Louis Sautier 2025-12-08 18:54 ` Manikanta Guntupalli 2025-12-08 20:58 ` Alexandre Belloni 2025-12-09 11:37 ` Louis Sautier 2025-12-09 12:48 ` Alexandre Belloni 2025-12-09 15:36 ` Louis Sautier 2025-12-09 17:24 ` Frank Li 2025-12-09 19:52 ` Louis Sautier 2025-12-10 15:20 ` Frank Li 2025-12-10 19:50 ` Louis Sautier 2025-12-11 16:52 ` Frank Li 2025-12-12 19:44 ` Louis Sautier 2025-12-15 16:25 ` Frank Li 2025-12-30 1:30 ` Louis Sautier 2026-02-23 17:10 ` Boqun Feng
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox