1. Patchew
  2. linux
  3. View series

[PATCH] mtd: intel-dg: Fix accessing regions before setting nregions

Alexander Usyskin posted 1 patch 3 weeks, 2 days ago 
drivers/mtd/devices/mtd_intel_dg.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
[PATCH] mtd: intel-dg: Fix accessing regions before setting nregions
Posted by Alexander Usyskin 3 weeks, 2 days ago 
The regions array is counted by nregions, but it's set only after
accessing it:

[] UBSAN: array-index-out-of-bounds in drivers/mtd/devices/mtd_intel_dg.c:750:15
[] index 0 is out of range for type '<unknown> [*]'

Fix it by also fixing an undesired behavior: the loop silently ignores
ENOMEM and continues setting the other entries.

CC: Gustavo A. R. Silva <gustavoars@kernel.org>
CC: Raag Jadav <raag.jadav@intel.com>
Reported-by: Jani Partanen <jiipee@sotapeli.fi>
Closes: https://lore.kernel.org/all/caca6c67-4f1d-49f1-948f-e63b6b937b29@sotapeli.fi
Fixes: ceb5ab3cb646 ("mtd: add driver for intel graphics non-volatile memory device")
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
---
 drivers/mtd/devices/mtd_intel_dg.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/mtd/devices/mtd_intel_dg.c b/drivers/mtd/devices/mtd_intel_dg.c
index 2bab30dcd35f..7f751c48a76d 100644
--- a/drivers/mtd/devices/mtd_intel_dg.c
+++ b/drivers/mtd/devices/mtd_intel_dg.c
@@ -770,6 +770,7 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev,
 
 	kref_init(&nvm->refcnt);
 	mutex_init(&nvm->lock);
+	nvm->nregions = nregions;
 
 	for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
 		if (!invm->regions[i].name)
@@ -777,13 +778,15 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev,
 
 		char *name = kasprintf(GFP_KERNEL, "%s.%s",
 				       dev_name(&aux_dev->dev), invm->regions[i].name);
-		if (!name)
-			continue;
+		if (!name) {
+			ret = -ENOMEM;
+			goto err;
+		}
+
 		nvm->regions[n].name = name;
 		nvm->regions[n].id = i;
 		n++;
 	}
-	nvm->nregions = n; /* in case where kasprintf fail */
 
 	ret = devm_pm_runtime_enable(device);
 	if (ret < 0) {
-- 
2.43.0
Re: [PATCH] mtd: intel-dg: Fix accessing regions before setting nregions
Posted by Miquel Raynal 2 weeks, 5 days ago 
On Thu, 15 Jan 2026 07:22:37 +0200, Alexander Usyskin wrote:
> The regions array is counted by nregions, but it's set only after
> accessing it:
> 
> [] UBSAN: array-index-out-of-bounds in drivers/mtd/devices/mtd_intel_dg.c:750:15
> [] index 0 is out of range for type '<unknown> [*]'
> 
> Fix it by also fixing an undesired behavior: the loop silently ignores
> ENOMEM and continues setting the other entries.
> 
> [...]

Applied to mtd/next, thanks!

[1/1] mtd: intel-dg: Fix accessing regions before setting nregions
      commit: 779c59274d03cc5c07237a2c845dfb71cff77705

Patche(s) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).

Kind regards,
Miquèl
Re: [PATCH] mtd: intel-dg: Fix accessing regions before setting nregions
Posted by Raag Jadav 3 weeks, 2 days ago 
On Thu, Jan 15, 2026 at 07:22:37AM +0200, Alexander Usyskin wrote:
> The regions array is counted by nregions, but it's set only after
> accessing it:
> 
> [] UBSAN: array-index-out-of-bounds in drivers/mtd/devices/mtd_intel_dg.c:750:15
> [] index 0 is out of range for type '<unknown> [*]'
> 
> Fix it by also fixing an undesired behavior: the loop silently ignores
> ENOMEM and continues setting the other entries.
> 
> CC: Gustavo A. R. Silva <gustavoars@kernel.org>
> CC: Raag Jadav <raag.jadav@intel.com>
> Reported-by: Jani Partanen <jiipee@sotapeli.fi>
> Closes: https://lore.kernel.org/all/caca6c67-4f1d-49f1-948f-e63b6b937b29@sotapeli.fi
> Fixes: ceb5ab3cb646 ("mtd: add driver for intel graphics non-volatile memory device")
> Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>

Reviewed-by: Raag Jadav <raag.jadav@intel.com>

> ---
>  drivers/mtd/devices/mtd_intel_dg.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/mtd/devices/mtd_intel_dg.c b/drivers/mtd/devices/mtd_intel_dg.c
> index 2bab30dcd35f..7f751c48a76d 100644
> --- a/drivers/mtd/devices/mtd_intel_dg.c
> +++ b/drivers/mtd/devices/mtd_intel_dg.c
> @@ -770,6 +770,7 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev,
>  
>  	kref_init(&nvm->refcnt);
>  	mutex_init(&nvm->lock);
> +	nvm->nregions = nregions;
>  
>  	for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
>  		if (!invm->regions[i].name)
> @@ -777,13 +778,15 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev,
>  
>  		char *name = kasprintf(GFP_KERNEL, "%s.%s",
>  				       dev_name(&aux_dev->dev), invm->regions[i].name);
> -		if (!name)
> -			continue;
> +		if (!name) {
> +			ret = -ENOMEM;
> +			goto err;
> +		}
> +
>  		nvm->regions[n].name = name;
>  		nvm->regions[n].id = i;
>  		n++;
>  	}
> -	nvm->nregions = n; /* in case where kasprintf fail */
>  
>  	ret = devm_pm_runtime_enable(device);
>  	if (ret < 0) {
> -- 
> 2.43.0
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.