[PATCH] drm/amdgpu: fix shift-out-of-bounds in amdgpu_debugfs_jpeg_sched_mask_set

Lazar, Lijo Lijo.Lazar at amd.com
Mon Aug 25 07:43:04 UTC 2025 

[Public]

You may use BIT_ULL. That aside,

        Reviewed-by: Lijo Lazar <lijo.lazar at amd.com>

Thanks,
Lijo

-----Original Message-----
From: amd-gfx <amd-gfx-bounces at lists.freedesktop.org> On Behalf Of Jesse.Zhang
Sent: Monday, August 25, 2025 6:46 AM
To: amd-gfx at lists.freedesktop.org
Cc: Deucher, Alexander <Alexander.Deucher at amd.com>; Koenig, Christian <Christian.Koenig at amd.com>; Zhang, Jesse(Jie) <Jesse.Zhang at amd.com>
Subject: [PATCH] drm/amdgpu: fix shift-out-of-bounds in amdgpu_debugfs_jpeg_sched_mask_set

Fix a UBSAN shift-out-of-bounds warning in amdgpu_debugfs_jpeg_sched_mask_set
when the shift exponent reaches or exceeds 32 bits. The issue occurred because a 32-bit integer '1' was being shifted by up to 32 bits, which is undefined behavior.

Replace '1' with '1ULL' to ensure 64-bit arithmetic, matching the u64 type of 'val' and preventing the shift overflow. This is consistent with the existing mask calculation that already uses 1ULL.

The error manifested as:
UBSAN: shift-out-of-bounds in drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c:373:17
shift exponent 32 is too large for 32-bit type 'int'

Signed-off-by: Jesse Zhang <Jesse.Zhang at amd.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c
index 5d5e9ee83a5d..2c84f69b5bc9 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c
@@ -370,7 +370,8 @@ static int amdgpu_debugfs_jpeg_sched_mask_set(void *data, u64 val)
        for (i = 0; i < adev->jpeg.num_jpeg_inst; ++i) {
                for (j = 0; j < adev->jpeg.num_jpeg_rings; ++j) {
                        ring = &adev->jpeg.inst[i].ring_dec[j];
-                       if (val & (1 << ((i * adev->jpeg.num_jpeg_rings) + j)))
+                       dev_info(adev->dev, "%s[%d] num_jpeg_rings:0x%x #### \n",__func__,__LINE__, adev->jpeg.num_jpeg_rings);
+                       if (val & (1ULL << ((i * adev->jpeg.num_jpeg_rings) + j)))
                                ring->sched.ready = true;
                        else
                                ring->sched.ready = false;
--
2.49.0

More information about the amd-gfx mailing list