[PATCH] mtd: intel-dg: fix array-index-out-of-bounds in intel_dg_mtd_probe()

Posted by Gustavo A. R. Silva 1 month, 2 weeks ago
Fix the UBSAN: array-index-out-of-bounds issue below by updating
counter nvm->nregions before the first access to flexible-array
member nvm->regions[].

from kernel bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=220823

Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15

Notice that this flexible array is annotated with the counted_by()
attribute, hence the counter must always be updated before the
first access to the array.

Cc: stable@vger.kernel.org
Fixes: ceb5ab3cb646 ("mtd: add driver for intel graphics non-volatile memory device")
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Closes: https://lore.kernel.org/linux-hardening/90e419ad-4036-4669-a4cc-8ce5d29e464b@infradead.org/
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/mtd/devices/mtd_intel_dg.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/mtd/devices/mtd_intel_dg.c b/drivers/mtd/devices/mtd_intel_dg.c
index 2bab30dcd35f..d3e89fe324b8 100644
--- a/drivers/mtd/devices/mtd_intel_dg.c
+++ b/drivers/mtd/devices/mtd_intel_dg.c
@@ -768,6 +768,9 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev,
 	if (!nvm)
 		return -ENOMEM;
 
+	/* Update nvm->nregions before first access to nvm->regions[] below. */
+	nvm->nregions = nregions;
+
 	kref_init(&nvm->refcnt);
 	mutex_init(&nvm->lock);
 
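Review bot: the assignment added right after the `!nvm` check is three insertions and no deletions, so any store to nvm->nregions further down intel_dg_mtd_probe() stays in place. If the function sets the counter again after filling regions[] (for example to a smaller count when a region is skipped), the comment should say that this early value matches the allocation and the later one is the final count, so neither is later removed as redundant. The hunk also does not show the allocation call, so please confirm that `nregions` here is the same value used to size nvm.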
-- 
2.43.0
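
The ordering rule stated in the commit message, as an added example that is not code from the driver or from the patch author. The struct and function names are hypothetical, and the explicit index check stands in for the bounds check a sanitizer derives from counted_by(), so the effect is visible on any compiler.

```c
#include <stddef.h>
#include <stdlib.h>

/* Use the real attribute where the compiler has it; otherwise expand to nothing. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(m)
#endif

struct region { unsigned int id; size_t size; };  /* hypothetical element type */

struct nvm {                                      /* hypothetical stand-in struct */
	unsigned int nregions;                        /* the counter */
	struct region regions[] COUNTED_BY(nregions); /* bounds follow the counter */
};

/* Emulates the sanitizer's rule: an index is valid only while it is < counter. */
static int index_in_bounds(const struct nvm *nvm, unsigned int idx)
{
	return idx < nvm->nregions;
}

/* Allocates a zeroed object with room for n regions and fills it.
 * Returns the number of stores that would be flagged, or -1 on allocation failure. */
static int fill_regions(unsigned int n, int set_counter_first)
{
	struct nvm *nvm = calloc(1, sizeof(*nvm) + n * sizeof(struct region));
	int flagged = 0;

	if (!nvm)
		return -1;
	if (set_counter_first)
		nvm->nregions = n;              /* fixed order: counter, then array */
	for (unsigned int i = 0; i < n; i++) {
		if (!index_in_bounds(nvm, i)) { /* counter still 0 from the zeroed allocation */
			flagged++;
			continue;
		}
		nvm->regions[i].id = i;
	}
	nvm->nregions = n;                  /* buggy order sets the counter only here */
	free(nvm);
	return flagged;
}
```

With the counter set late, every index is reported even though the memory behind it was allocated, which is why the report appears on otherwise working hardware.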
Re: [PATCH] mtd: intel-dg: fix array-index-out-of-bounds in intel_dg_mtd_probe()
Posted by Randy Dunlap 1 month, 2 weeks ago
Hi,

On 12/19/25 10:41 PM, Gustavo A. R. Silva wrote:
> Fix the UBSAN: array-index-out-of-bounds issue below by updating
> counter nvm->nregions before the first access to flexible-array
> member nvm->regions[].

Yeah, I suspected something like that but didn't find any in-tree
documentation about it.

> from kernel bugzilla:
> https://bugzilla.kernel.org/show_bug.cgi?id=220823
> 
> Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15
> 
> Notice that this flexible array is annotated with the counted_by()
> attribute, hence the counter must always be updated before the
> first access to the array.
> 
> Cc: stable@vger.kernel.org
> Fixes: ceb5ab3cb646 ("mtd: add driver for intel graphics non-volatile memory device")
> Reported-by: Randy Dunlap <rdunlap@infradead.org>
> Closes: https://lore.kernel.org/linux-hardening/90e419ad-4036-4669-a4cc-8ce5d29e464b@infradead.org/

More appropriately:
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220823

Acked-by: Randy Dunlap <rdunlap@infradead.org>

Thanks.

> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
>  drivers/mtd/devices/mtd_intel_dg.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/mtd/devices/mtd_intel_dg.c b/drivers/mtd/devices/mtd_intel_dg.c
> index 2bab30dcd35f..d3e89fe324b8 100644
> --- a/drivers/mtd/devices/mtd_intel_dg.c
> +++ b/drivers/mtd/devices/mtd_intel_dg.c
> @@ -768,6 +768,9 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev,
>  	if (!nvm)
>  		return -ENOMEM;
>  
> +	/* Update nvm->nregions before first access to nvm->regions[] below. */
> +	nvm->nregions = nregions;
> +
>  	kref_init(&nvm->refcnt);
>  	mutex_init(&nvm->lock);
>  
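
Review bot: the comment added above kref_init() says "before first access to nvm->regions[] below" without naming that access, and the UBSAN line in the commit message points at mtd_intel_dg.c:750:15 in a 6.18.1 build while this hunk sits at line 768. Naming the function or loop that indexes regions[] in the commit message would let anyone backporting to stable confirm that the assignment lands ahead of it in their tree.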

-- 
~Randy
Re: [PATCH] mtd: intel-dg: fix array-index-out-of-bounds in intel_dg_mtd_probe()
Posted by Raag Jadav 1 month, 2 weeks ago
On Sat, Dec 20, 2025 at 03:41:49PM +0900, Gustavo A. R. Silva wrote:
> Fix the UBSAN: array-index-out-of-bounds issue below by updating
> counter nvm->nregions before the first access to flexible-array
> member nvm->regions[].
> 
> from kernel bugzilla:
> https://bugzilla.kernel.org/show_bug.cgi?id=220823
> 
> Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15
> 
> Notice that this flexible array is annotated with the counted_by()
> attribute, hence the counter must always be updated before the
> first access to the array.

Already fixed[1], but not sure if it's landed yet.

[1] https://lore.kernel.org/linux-mtd/20251111-mtd-nregions-v1-1-61db61e78c63@intel.com/

Raag

> Cc: stable@vger.kernel.org
> Fixes: ceb5ab3cb646 ("mtd: add driver for intel graphics non-volatile memory device")
> Reported-by: Randy Dunlap <rdunlap@infradead.org>
> Closes: https://lore.kernel.org/linux-hardening/90e419ad-4036-4669-a4cc-8ce5d29e464b@infradead.org/
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
>  drivers/mtd/devices/mtd_intel_dg.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/mtd/devices/mtd_intel_dg.c b/drivers/mtd/devices/mtd_intel_dg.c
> index 2bab30dcd35f..d3e89fe324b8 100644
> --- a/drivers/mtd/devices/mtd_intel_dg.c
> +++ b/drivers/mtd/devices/mtd_intel_dg.c
> @@ -768,6 +768,9 @@ static int intel_dg_mtd_probe(struct auxiliary_device *aux_dev,
>  	if (!nvm)
>  		return -ENOMEM;
>  
> +	/* Update nvm->nregions before first access to nvm->regions[] below. */
> +	nvm->nregions = nregions;
> +
>  	kref_init(&nvm->refcnt);
>  	mutex_init(&nvm->lock);
>  
> -- 
> 2.43.0
>
Re: [PATCH] mtd: intel-dg: fix array-index-out-of-bounds in intel_dg_mtd_probe()
Posted by Randy Dunlap 1 month ago
Hi,

On 12/19/25 11:07 PM, Raag Jadav wrote:
> On Sat, Dec 20, 2025 at 03:41:49PM +0900, Gustavo A. R. Silva wrote:
>> Fix the UBSAN: array-index-out-of-bounds issue below by updating
>> counter nvm->nregions before the first access to flexible-array
>> member nvm->regions[].
>>
>> from kernel bugzilla:
>> https://bugzilla.kernel.org/show_bug.cgi?id=220823
>>
>> Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15
>>
>> Notice that this flexible array is annotated with the counted_by()
>> attribute, hence the counter must always be updated before the
>> first access to the array.
> 
> Already fixed[1], but not sure if it's landed yet.
> 
> [1] https://lore.kernel.org/linux-mtd/20251111-mtd-nregions-v1-1-61db61e78c63@intel.com/

What's the status of this patch, please?

-- 
~Randy
Re: [PATCH] mtd: intel-dg: fix array-index-out-of-bounds in intel_dg_mtd_probe()
Posted by Raag Jadav 4 weeks, 1 day ago
On Wed, Jan 07, 2026 at 03:17:40PM -0800, Randy Dunlap wrote:
> Hi,
> 
> On 12/19/25 11:07 PM, Raag Jadav wrote:
> > On Sat, Dec 20, 2025 at 03:41:49PM +0900, Gustavo A. R. Silva wrote:
> >> Fix the UBSAN: array-index-out-of-bounds issue below by updating
> >> counter nvm->nregions before the first access to flexible-array
> >> member nvm->regions[].
> >>
> >> from kernel bugzilla:
> >> https://bugzilla.kernel.org/show_bug.cgi?id=220823
> >>
> >> Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15
> >>
> >> Notice that this flexible array is annotated with the counted_by()
> >> attribute, hence the counter must always be updated before the
> >> first access to the array.
> > 
> > Already fixed[1], but not sure if it's landed yet.
> > 
> > [1] https://lore.kernel.org/linux-mtd/20251111-mtd-nregions-v1-1-61db61e78c63@intel.com/
> 
> What's the status of this patch, please?

I'm assuming it'll go through mtd tree? Miquel?

Raag
Re: [PATCH] mtd: intel-dg: fix array-index-out-of-bounds in intel_dg_mtd_probe()
Posted by Miquel Raynal 4 weeks, 1 day ago
On 09/01/2026 at 10:41:08 +01, Raag Jadav <raag.jadav@intel.com> wrote:

> On Wed, Jan 07, 2026 at 03:17:40PM -0800, Randy Dunlap wrote:
>> Hi,
>> 
>> On 12/19/25 11:07 PM, Raag Jadav wrote:
>> > On Sat, Dec 20, 2025 at 03:41:49PM +0900, Gustavo A. R. Silva wrote:
>> >> Fix the UBSAN: array-index-out-of-bounds issue below by updating
>> >> counter nvm->nregions before the first access to flexible-array
>> >> member nvm->regions[].
>> >>
>> >> from kernel bugzilla:
>> >> https://bugzilla.kernel.org/show_bug.cgi?id=220823
>> >>
>> >> Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in
>> >> /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15
>> >>
>> >> Notice that this flexible array is annotated with the counted_by()
>> >> attribute, hence the counter must always be updated before the
>> >> first access to the array.
>> > 
>> > Already fixed[1], but not sure if it's landed yet.
>> > 
>> > [1] https://lore.kernel.org/linux-mtd/20251111-mtd-nregions-v1-1-61db61e78c63@intel.com/
>> 
>> What's the status of this patch, please?
>
> I'm assuming it'll go through mtd tree? Miquel?

It should indeed. However only the mtd list has been included, so it
won't appear in "my" todo list. Lucas can you please resend, and use a
tool such as b4 to manage the series or at least run get_maintainers.pl?

Thanks,
Miquèl
Re: [PATCH] mtd: intel-dg: fix array-index-out-of-bounds in intel_dg_mtd_probe()
Posted by Raag Jadav 4 weeks ago
On Fri, Jan 09, 2026 at 02:50:18PM +0100, Miquel Raynal wrote:
> On 09/01/2026 at 10:41:08 +01, Raag Jadav <raag.jadav@intel.com> wrote:
> > On Wed, Jan 07, 2026 at 03:17:40PM -0800, Randy Dunlap wrote:
> >> Hi,
> >> 
> >> On 12/19/25 11:07 PM, Raag Jadav wrote:
> >> > On Sat, Dec 20, 2025 at 03:41:49PM +0900, Gustavo A. R. Silva wrote:
> >> >> Fix the UBSAN: array-index-out-of-bounds issue below by updating
> >> >> counter nvm->nregions before the first access to flexible-array
> >> >> member nvm->regions[].
> >> >>
> >> >> from kernel bugzilla:
> >> >> https://bugzilla.kernel.org/show_bug.cgi?id=220823
> >> >>
> >> >> Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in
> >> >> /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15
> >> >>
> >> >> Notice that this flexible array is annotated with the counted_by()
> >> >> attribute, hence the counter must always be updated before the
> >> >> first access to the array.
> >> > 
> >> > Already fixed[1], but not sure if it's landed yet.
> >> > 
> >> > [1] https://lore.kernel.org/linux-mtd/20251111-mtd-nregions-v1-1-61db61e78c63@intel.com/
> >> 
> >> What's the status of this patch, please?
> >
> > I'm assuming it'll go through mtd tree? Miquel?
> 
> It should indeed. However only the mtd list has been included, so it
> won't appear in "my" todo list. Lucas can you please resend, and use a
> tool such as b4 to manage the series or at least run get_maintainers.pl?

Lucas is no longer with Intel. Sasha, would you be up for it?

Raag
Re: [PATCH] mtd: intel-dg: fix array-index-out-of-bounds in intel_dg_mtd_probe()
Posted by Gustavo A. R. Silva 1 month, 2 weeks ago

On 12/20/25 16:07, Raag Jadav wrote:
> On Sat, Dec 20, 2025 at 03:41:49PM +0900, Gustavo A. R. Silva wrote:
>> Fix the UBSAN: array-index-out-of-bounds issue below by updating
>> counter nvm->nregions before the first access to flexible-array
>> member nvm->regions[].
>>
>> from kernel bugzilla:
>> https://bugzilla.kernel.org/show_bug.cgi?id=220823
>>
>> Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15
>>
>> Notice that this flexible array is annotated with the counted_by()
>> attribute, hence the counter must always be updated before the
>> first access to the array.
> 
> Already fixed[1], but not sure if it's landed yet.
> 
> [1] https://lore.kernel.org/linux-mtd/20251111-mtd-nregions-v1-1-61db61e78c63@intel.com/

Great! :)

Thanks
-Gustavo