Bug#1116643: UBSAN: shift-out-of-bounds in .../drivers/gpu/drm/display/drm_dp_mst_topology.c (shift exponent -1)
Control: tags -1 + moreinfo
Hi Vincent,
On Mon, Sep 29, 2025 at 05:56:05PM +0200, Vincent Lefevre wrote:
> Package: src:linux
> Version: 6.16.8-1
> Severity: important
>
> When logging out:
>
> Sep 29 10:01:20 qaa kernel: ------------[ cut here ]------------
> Sep 29 10:01:20 qaa kernel: UBSAN: shift-out-of-bounds in /build/reproducible-path/linux-6.16.8/drivers/gpu/drm/display/drm_dp_mst_topology.c:4574:36
> Sep 29 10:01:20 qaa kernel: shift exponent -1 is negative
> Sep 29 10:01:20 qaa kernel: CPU: 4 UID: 0 PID: 490795 Comm: Xorg Not tainted 6.16.8+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.8-1
> Sep 29 10:01:20 qaa kernel: Hardware name: Dell Inc. Precision 5570/01Y4G1, BIOS 1.32.1 04/28/2025
> Sep 29 10:01:20 qaa kernel: Call Trace:
> Sep 29 10:01:20 qaa kernel: <TASK>
> Sep 29 10:01:20 qaa kernel: dump_stack_lvl+0x5d/0x80
> Sep 29 10:01:20 qaa kernel: ubsan_epilogue+0x5/0x2b
> Sep 29 10:01:20 qaa kernel: __ubsan_handle_shift_out_of_bounds.cold+0x5e/0x113
> Sep 29 10:01:20 qaa kernel: drm_dp_atomic_release_time_slots.cold+0x18/0x61 [drm_display_helper]
> Sep 29 10:01:20 qaa kernel: drm_atomic_helper_check_modeset+0x484/0xe30 [drm_kms_helper]
> Sep 29 10:01:20 qaa kernel: intel_atomic_check+0xec/0x2b10 [i915]
> Sep 29 10:01:20 qaa kernel: drm_atomic_check_only+0x63a/0xab0 [drm]
> Sep 29 10:01:20 qaa kernel: drm_atomic_commit+0x71/0xe0 [drm]
> Sep 29 10:01:20 qaa kernel: ? __pfx___drm_printfn_info+0x10/0x10 [drm]
> Sep 29 10:01:20 qaa kernel: drm_client_modeset_commit_atomic+0x201/0x250 [drm]
> Sep 29 10:01:20 qaa kernel: drm_client_modeset_commit_locked+0x5a/0x160 [drm]
> Sep 29 10:01:20 qaa kernel: ? drm_setup_crtcs_fb+0xfa/0x150 [drm_kms_helper]
> Sep 29 10:01:20 qaa kernel: __drm_fb_helper_restore_fbdev_mode_unlocked+0x5e/0xd0 [drm_kms_helper]
> Sep 29 10:01:20 qaa kernel: drm_fb_helper_hotplug_event+0xe6/0x100 [drm_kms_helper]
> Sep 29 10:01:20 qaa kernel: __drm_fb_helper_restore_fbdev_mode_unlocked+0xbd/0xd0 [drm_kms_helper]
> Sep 29 10:01:20 qaa kernel: drm_fb_helper_set_par+0x30/0x40 [drm_kms_helper]
> Sep 29 10:01:20 qaa kernel: intel_fbdev_set_par+0x38/0x80 [i915]
> Sep 29 10:01:20 qaa kernel: fb_set_var+0x248/0x430
> Sep 29 10:01:20 qaa kernel: ? __slab_free+0xdf/0x310
> Sep 29 10:01:20 qaa kernel: ? __slab_free+0xdf/0x310
> Sep 29 10:01:20 qaa kernel: ? __slab_free+0xdf/0x310
> Sep 29 10:01:20 qaa kernel: fbcon_blank+0x28e/0x390
> Sep 29 10:01:20 qaa kernel: do_unblank_screen+0xd6/0x1e0
> Sep 29 10:01:20 qaa kernel: vt_ioctl+0x583/0x15b0
> Sep 29 10:01:20 qaa kernel: tty_ioctl+0xe8/0x8c0
> Sep 29 10:01:20 qaa kernel: __x64_sys_ioctl+0x93/0xe0
> Sep 29 10:01:20 qaa kernel: do_syscall_64+0x84/0x320
> Sep 29 10:01:20 qaa kernel: ? __x64_sys_close+0x3d/0x80
> Sep 29 10:01:20 qaa kernel: ? kmem_cache_free+0x3a3/0x450
> Sep 29 10:01:20 qaa kernel: ? do_syscall_64+0x30c/0x320
> Sep 29 10:01:20 qaa kernel: ? do_user_addr_fault+0x2c3/0x7f0
> Sep 29 10:01:20 qaa kernel: entry_SYSCALL_64_after_hwframe+0x76/0x7e
> Sep 29 10:01:20 qaa kernel: RIP: 0033:0x7f8285d648db
> Sep 29 10:01:20 qaa kernel: Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
> Sep 29 10:01:20 qaa kernel: RSP: 002b:00007ffec1647a00 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> Sep 29 10:01:20 qaa kernel: RAX: ffffffffffffffda RBX: 000055fbd6e6ab80 RCX: 00007f8285d648db
> Sep 29 10:01:20 qaa kernel: RDX: 0000000000000000 RSI: 0000000000004b3a RDI: 000000000000000e
> Sep 29 10:01:20 qaa kernel: RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> Sep 29 10:01:20 qaa kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 000055fbd6ea5794
> Sep 29 10:01:20 qaa kernel: R13: 00007ffec1647c48 R14: 000055fbd6e90c10 R15: 000055fbd6e90bf8
> Sep 29 10:01:20 qaa kernel: </TASK>
> Sep 29 10:01:20 qaa kernel: ---[ end trace ]---
>
> What I did:
> * Earlier, the laptop was connected to a dock.
> * I logged out.
> * I disconnected the machine from the dock.
> * I closed the lid, which suspended the machine as expected:
> Sep 29 09:19:53 qaa systemd-logind[1241]: Lid closed.
> Sep 29 09:19:53 qaa systemd-logind[1241]: Suspending...
>
> The above occurred after I opened the lid.
Assuming you can reproduce this, can you test the patch from
https://lore.kernel.org/all/20251119094650.799135-1-suraj.kandpal@intel.com/
and report back if that fixes the issue?
In case it does, can you please follow up to the upstream patch
submission adding your Tested-by (and ideally get as well a Closes tag
for this bug for easier tracking).
I might be completely wrong on it.
Regards,
Salvatore