From: Chenxi Hou Date: Thu, 22 Jan 2026 01:32:50 +0000 (-0500) Subject: mtd: jedec_probe: fix shift-out-of-bounds UB in JEDEC ID masking X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b14660c1caf0b67adf99428a225f71ed653437d;p=thirdparty%2Fkernel%2Flinux.git mtd: jedec_probe: fix shift-out-of-bounds UB in JEDEC ID masking UBSAN reports shift-out-of-bounds in jedec_read_mfr() and jedec_read_id():   UBSAN: shift-out-of-bounds in drivers/mtd/chips/jedec_probe.c:1924:13   shift exponent 32 is too large for 32-bit type 'int'   UBSAN: shift-out-of-bounds in drivers/mtd/chips/jedec_probe.c:1940:12   shift exponent 32 is too large for 32-bit type 'int' The JEDEC manufacturer/device ID masking uses:   (1 << (cfi->device_type * 8)) - 1 When cfi->device_type is 4, this evaluates to 1 << 32. Since the literal '1' has type int, this is a 32-bit shift and is undefined behavior. Fix it by using a 64-bit literal (1ULL) so the shift is performed in a 64-bit type. Co-developed-by: Hui Peng Signed-off-by: Hui Peng Co-developed-by: Zhihao Yao (Zephyr) Signed-off-by: Zhihao Yao (Zephyr) Signed-off-by: Chenxi Hou Signed-off-by: Miquel Raynal --- diff --git a/drivers/mtd/chips/jedec_probe.c b/drivers/mtd/chips/jedec_probe.c index b285962eee2a9..3c631608f6d6e 100644 --- a/drivers/mtd/chips/jedec_probe.c +++ b/drivers/mtd/chips/jedec_probe.c @@ -1921,7 +1921,7 @@ static inline u32 jedec_read_mfr(struct map_info *map, uint32_t base, */ do { uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi); - mask = (1 << (cfi->device_type * 8)) - 1; + mask = (1ULL << (cfi->device_type * 8)) - 1; if (ofs >= map->size) return 0; result = map_read(map, base + ofs); @@ -1937,7 +1937,7 @@ static inline u32 jedec_read_id(struct map_info *map, uint32_t base, map_word result; unsigned long mask; u32 ofs = cfi_build_cmd_addr(1, map, cfi); - mask = (1 << (cfi->device_type * 8)) -1; + mask = (1ULL << (cfi->device_type * 8)) - 1; result = map_read(map, base + ofs); return result.x[0] & mask; }