Date: Sun, 12 Apr 2026 01:05:23 +0100
From: Daniel Golle
To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, Boris Brezillon, linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] mtd: nand: bbt: clamp GENMASK high bit to word boundary
Message-ID: <2a62dc1a58f2f8467d95444fa4b37a0af27aeb45.1775951973.git.daniel@makrotopia.org>

When a BBT entry straddles an unsigned long boundary, the GENMASK in nanddev_bbt_set_block_status() can potentially overflow because offs + bits_per_block - 1 can theoretically exceed BITS_PER_LONG - 1. Clamp the high bit so only bits within the current word are masked.

The cross-word portion is already handled by the pos[1] block below.

Discovered by UBSAN:

  shift-out-of-bounds in drivers/mtd/nand/bbt.c:116:13
  shift exponent 18446744073709551614 is too large for 64-bit type 'long unsigned int'

Fixes: 9c3736a3de21 ("mtd: nand: Add core infrastructure to deal with NAND devices")
Signed-off-by: Daniel Golle
---
 drivers/mtd/nand/bbt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/nand/bbt.c b/drivers/mtd/nand/bbt.c index db4f93a903e48..dfe4a6a991c15 100644 --- a/drivers/mtd/nand/bbt.c +++ b/drivers/mtd/nand/bbt.c @@ -113,7 +113,8 @@ int nanddev_bbt_set_block_status(struct nand_device *na= nd, unsigned int entry, if (entry >=3D nanddev_neraseblocks(nand)) return -ERANGE; =20 - pos[0] &=3D ~GENMASK(offs + bits_per_block - 1, offs); + pos[0] &=3D ~GENMASK(min(offs + bits_per_block - 1, + BITS_PER_LONG - 1), offs); pos[0] |=3D val << offs; =20 if (bits_per_block + offs > BITS_PER_LONG) { --=20 2.53.0
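
Review bot: In the changed `pos[0] &= ~GENMASK(min(offs + bits_per_block - 1, BITS_PER_LONG - 1), offs);` statement, the clamped high bit is computed inline and wrapped across two lines, which hides the one thing this fix is about; consider a named local such as `high = min(offs + bits_per_block - 1, BITS_PER_LONG - 1);` followed by `GENMASK(high, offs)`, with a short comment that the remaining bits are cleared in the next word. The clamp is consistent with the unchanged `if (bits_per_block + offs > BITS_PER_LONG)` context line after it, since that condition is exactly the case in which the unclamped high bit exceeds `BITS_PER_LONG - 1`. The commit message calls the overflow "potential" and "theoretical" while also quoting a UBSAN report at bbt.c:116:13; it would help to state the offs and bits_per_block values that triggered the report and whether the mask applied to pos[0] was actually wrong or only the undefined shift was flagged, so that backporters can judge the impact.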