[{"id":3676541,"web_url":"http://patchwork.ozlabs.org/comment/3676541/","msgid":"<871pgjnusl.fsf@bootlin.com>","list_archive_url":null,"date":"2026-04-13T08:12:10","subject":"Re: [PATCH] mtd: nand: bbt: clamp GENMASK high bit to word boundary","submitter":{"id":73368,"url":"http://patchwork.ozlabs.org/api/people/73368/","name":"Miquel Raynal","email":"miquel.raynal@bootlin.com"},"content":"Hi Daniel,\n\nOn 12/04/2026 at 01:05:23 +01, Daniel Golle wrote:\n\n> When a BBT entry straddles an unsigned long boundary, the GENMASK in\n> nanddev_bbt_set_block_status() can potentially overflow because\n> offs + bits_per_block - 1 can theoretically exceed BITS_PER_LONG - 1.\n> Clamp the high bit so only bits within the current word are masked.\n> The cross-word portion is already handled by the pos[1] block below.\n>\n> Discovered by UBSAN: shift-out-of-bounds in\n> drivers/mtd/nand/bbt.c:116:13\n> shift exponent 18446744073709551614 is too large for 64-bit type\n> 'long unsigned int'\n\nHow likely is that? It doesn't matter how many bits you use per blocks\n(today is 2), it would require a NAND chip that covers an entire country\nto reach that number of blocks. If an attacker plays with that value,\ndoes it really matter? Apart from writing out of bounds -which is\nphysically impossible, we are not talking about virtual memory here- and\nget an error later on, I do not see a good reason for this.\n\nHonestly, I find the final result much less readable than before for no\nobvious added value IMO. But maybe I am looking at this the wrong way?\n\nThanks,\nMiquèl","headers":{"Return-Path":"\n ","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=xEBzpUNV;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=bootlin.com header.i=@bootlin.com header.a=rsa-sha256\n header.s=dkim header.b=lQfk6T5A;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvKrt4TfVz1yDG\n\tfor ; Mon, 13 Apr 2026 18:12:30 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCCPA-0000000FEt6-1bjA;\n\tMon, 13 Apr 2026 08:12:24 +0000","from smtpout-02.galae.net ([185.246.84.56])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCCP6-0000000FEsC-21tD\n\tfor linux-mtd@lists.infradead.org;\n\tMon, 13 Apr 2026 08:12:22 +0000","from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233])\n\tby smtpout-02.galae.net (Postfix) with ESMTPS id 980541A3261;\n\tMon, 13 Apr 2026 08:12:14 +0000 (UTC)","from mail.galae.net (mail.galae.net [212.83.136.155])\n\tby smtpout-01.galae.net (Postfix) with ESMTPS id 674F65FFB9;\n\tMon, 13 Apr 2026 08:12:14 +0000 (UTC)","from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon)\n with ESMTPSA id 18E8B104501E1;\n\tMon, 13 Apr 2026 10:12:10 +0200 (CEST)"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:Date:References\n\t:In-Reply-To:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=FMUwfDOAkZnk4cmGl9LPaFvBrZkdKi8ZFWU+dz82RjY=; b=xEBzpUNV+VoET4\n\tM02GHS94V60va8oec5vjTxYIPywvGaBb4BZRZ0ew7+SYsZzAnJy2riFhyw9Q/v0shhZIMXynqJIWh\n\toZWIuKbNhSPVlZS51O2NKnAc79ZxnmNUw14eWxixSotA4ZGoXoHt213TBySSyXKGFcQUXI0PmB4yc\n\tQa8pB7Yy9R9XzLg9OsvvzwLgeFXSEDhyhaoXQN1/pQLRLaOq/jH4T2DwRSXZJZvphlDJictgwg5co\n\tkH8Zxk2Zhkh+hAtT9mH3PGppPO2GzNYCi+AUh4mq0FF3SgDXzUmkbTbb6Jtg9q4DtpNnLaCtfOqnA\n\ta55kzuIJpVIr3CtHsWNA==;","v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim;\n\tt=1776067933; h=from:subject:date:message-id:to:cc:mime-version:content-type:\n\t content-transfer-encoding:in-reply-to:references;\n\tbh=xlQtUgRvCdGzSpIpobD+wGe1i3MkCxAfdWBh+KMd8Xc=;\n\tb=lQfk6T5AYzgo9MX66zvt/YI5O0ASiMvpjEGLfABg7HNL2Puv2/5MtAnbG0pI7oadppAd1/\n\tnfDCjjV/O7EIc86MEnRUE2y/3B7RC/gUCamg2KW5avqLhDZmIjtGHt+OeOCH5tt4uJMcqg\n\tm//FBKvp4mGCSCRmTRM354qm3nzeOCCRkvDYmAMf+VMSkLgrfNDR4tvGipM+/r/MUoFKau\n\tK99Imv9+y8gNz3FW/plLPI321ZB9PKuMNeAmAl0mmyJVPR5CAyqaxymbnQ/Uq3mgHj/r/L\n\t3vYMzhV2yYW+Y6LlfKq82Vj9BdMPCozluRlMC6W555mBQiLYlnlyeLrSo+iwmg=="],"From":"Miquel Raynal ","To":"Daniel Golle ","Cc":"Richard Weinberger , Vignesh Raghavendra\n , Boris Brezillon ,\n linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org","Subject":"Re: [PATCH] mtd: nand: bbt: clamp GENMASK high bit to word boundary","In-Reply-To":"\n <2a62dc1a58f2f8467d95444fa4b37a0af27aeb45.1775951973.git.daniel@makrotopia.org>\n\t(Daniel Golle's message of \"Sun, 12 Apr 2026 01:05:23 +0100\")","References":"\n <2a62dc1a58f2f8467d95444fa4b37a0af27aeb45.1775951973.git.daniel@makrotopia.org>","User-Agent":"mu4e 1.12.7; emacs 30.2","Date":"Mon, 13 Apr 2026 10:12:10 +0200","Message-ID":"<871pgjnusl.fsf@bootlin.com>","MIME-Version":"1.0","X-Last-TLS-Session-Version":"TLSv1.3","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260413_011220_679404_06E6935F ","X-CRM114-Status":"GOOD ( 11.16 )","X-Spam-Score":"-2.1 (--)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: Hi Daniel, On 12/04/2026 at 01:05:23 +01,\n Daniel Golle \n wrote: > When a BBT entry straddles an unsigned long boundary, the GENMASK\n in > nanddev_bbt_set_block_status() can potentially overflow because >\n offs\n + bits_per_block - 1 can theoretically exceed BITS_PER_L [...]\n Content analysis details: (-2.1 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The\n query to Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [185.246.84.56 listed in\n sa-trusted.bondedsender.org]\n 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [185.246.84.56 listed in sa-accredit.habeas.com]\n 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [185.246.84.56 listed in\n bl.score.senderscore.com]\n -0.0 SPF_PASS SPF: sender matches SPF record\n -0.0 SPF_HELO_PASS SPF: HELO matches SPF record\n -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from\n envelope-from domain\n 0.1 DKIM_SIGNED Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n author's\n domain\n -0.1 DKIM_VALID Message has at least one valid DKIM or DK\n signature\n -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n [score: 0.0000]","X-BeenThere":"linux-mtd@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"Linux MTD discussion mailing list ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Sender":"\"linux-mtd\" ","Errors-To":"linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"}},{"id":3676648,"web_url":"http://patchwork.ozlabs.org/comment/3676648/","msgid":"","list_archive_url":null,"date":"2026-04-13T10:57:02","subject":"Re: [PATCH] mtd: nand: bbt: clamp GENMASK high bit to word boundary","submitter":{"id":64091,"url":"http://patchwork.ozlabs.org/api/people/64091/","name":"Daniel Golle","email":"daniel@makrotopia.org"},"content":"On Mon, Apr 13, 2026 at 10:12:10AM +0200, Miquel Raynal wrote:\n> Hi Daniel,\n> \n> On 12/04/2026 at 01:05:23 +01, Daniel Golle wrote:\n> \n> > When a BBT entry straddles an unsigned long boundary, the GENMASK in\n> > nanddev_bbt_set_block_status() can potentially overflow because\n> > offs + bits_per_block - 1 can theoretically exceed BITS_PER_LONG - 1.\n> > Clamp the high bit so only bits within the current word are masked.\n> > The cross-word portion is already handled by the pos[1] block below.\n> >\n> > Discovered by UBSAN: shift-out-of-bounds in\n> > drivers/mtd/nand/bbt.c:116:13\n> > shift exponent 18446744073709551614 is too large for 64-bit type\n> > 'long unsigned int'\n> \n> How likely is that? It doesn't matter how many bits you use per blocks\n> (today is 2), it would require a NAND chip that covers an entire country\n> to reach that number of blocks. If an attacker plays with that value,\n> does it really matter? Apart from writing out of bounds -which is\n> physically impossible, we are not talking about virtual memory here- and\n> get an error later on, I do not see a good reason for this.\n> \n> Honestly, I find the final result much less readable than before for no\n> obvious added value IMO. But maybe I am looking at this the wrong way?\n\nIt's just the only UBSAN warning I get to see on a recent kernel and my\nprimary goal here was to make the warning go away. Adding an assertion\nto ensure 'offs' is clamped to will likely also make the warning go\naway.","headers":{"Return-Path":"\n ","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=kBVFzgwI;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvPWS3j85z1y2d\n\tfor ; Mon, 13 Apr 2026 20:57:35 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCEyj-0000000FWzr-0cYh;\n\tMon, 13 Apr 2026 10:57:17 +0000","from pidgin.makrotopia.org ([2a07:2ec0:3002::65])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCEyg-0000000FWvK-32RG\n\tfor linux-mtd@lists.infradead.org;\n\tMon, 13 Apr 2026 10:57:15 +0000","from local\n\tby pidgin.makrotopia.org with esmtpsa (TLS1.3:TLS_AES_256_GCM_SHA384:256)\n\t (Exim 4.99)\n\t(envelope-from )\n\tid 1wCEyX-000000000Oa-07Fv;\n\tMon, 13 Apr 2026 10:57:05 +0000"],"DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:\n\tMessage-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=aYnaLp+vMFg0Mmd/1Jz9KSgEumI9t4H9RI09XBEHDEM=; b=kBVFzgwIybqtSM\n\tVrnTui2PofI/Imnrbwn9vcdNhHFS4Rm2f/y70ZrSuC0aeziXFAsyaq3qJDoSxT3yQrIlxvd3DZiBA\n\tEMkaneMBDKcp7kHhzZvGUC3AFZZVbEzj9nyqnAePirDgVaQi5vBh5FxsmhgiX39FCz8lZaU+RrrHc\n\tLwa9rOifhJ9WnRuMk2cVp4vaxy89Tk1xZpeWf+Q/QR9+lEMLODfHDQn+ouVNrhFtKBsWY5d+qpYIT\n\t3XE8vkByaFyTG1jzbqyd2rm8boQGgX2TO8Orefs8w9qZ3LB0W2iWU2VLqhlNg9GUGgT9ty4AdB8zc\n\tdCkMGxeoBb71EQKoLTJA==;","Date":"Mon, 13 Apr 2026 11:57:02 +0100","From":"Daniel Golle ","To":"Miquel Raynal ","Cc":"Richard Weinberger ,\n\tVignesh Raghavendra ,\n\tBoris Brezillon ,\n\tlinux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org","Subject":"Re: [PATCH] mtd: nand: bbt: clamp GENMASK high bit to word boundary","Message-ID":"","References":"\n <2a62dc1a58f2f8467d95444fa4b37a0af27aeb45.1775951973.git.daniel@makrotopia.org>\n <871pgjnusl.fsf@bootlin.com>","MIME-Version":"1.0","Content-Disposition":"inline","In-Reply-To":"<871pgjnusl.fsf@bootlin.com>","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260413_035714_802118_E244C266 ","X-CRM114-Status":"GOOD ( 20.16 )","X-Spam-Score":"-1.9 (-)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: On Mon, Apr 13, 2026 at 10:12:10AM +0200,\n Miquel Raynal wrote:\n > Hi Daniel, > > On 12/04/2026 at 01:05:23 +01,\n Daniel Golle \n wrote: > > > When a BBT entry straddles an unsigned [...]\n Content analysis details: (-1.9 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -0.0 SPF_PASS SPF: sender matches SPF record\n 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record\n -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n [score: 0.0000]","X-BeenThere":"linux-mtd@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"Linux MTD discussion mailing list ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"linux-mtd\" ","Errors-To":"linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"}}]