In the Linux kernel, the following vulnerability has been resolved:
nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic

    *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);

will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we subtract one from that making a large number that is then shifted more than the number of bits that fit into an unsigned long.
UBSAN reports this problem:

    UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8
    shift exponent 64 is too large for 64-bit type 'unsigned long'
    CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9
    Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
    Workqueue: events_unbound deferred_probe_work_func
    Call trace:
     dump_backtrace+0x0/0x170
     show_stack+0x24/0x30
     dump_stack_lvl+0x64/0x7c
     dump_stack+0x18/0x38
     ubsan_epilogue+0x10/0x54
     __ubsan_handle_shift_out_of_bounds+0x180/0x194
     __nvmem_cell_read+0x1ec/0x21c
     nvmem_cell_read+0x58/0x94
     nvmem_cell_read_variable_common+0x4c/0xb0
     nvmem_cell_read_variable_le_u32+0x40/0x100
     a6xx_gpu_init+0x170/0x2f4
     adreno_bind+0x174/0x284
     component_bind_all+0xf0/0x264
     msm_drm_bind+0x1d8/0x7a0
     try_to_bring_up_master+0x164/0x1ac
     __component_add+0xbc/0x13c
     component_add+0x20/0x2c
     dp_display_probe+0x340/0x384
     platform_probe+0xc0/0x100
     really_probe+0x110/0x304
     __driver_probe_device+0xb8/0x120
     driver_probe_device+0x4c/0xfc
     __device_attach_driver+0xb0/0x128
     bus_for_each_drv+0x90/0xdc
     __device_attach+0xc8/0x174
     device_initial_probe+0x20/0x2c
     bus_probe_device+0x40/0xa4
     deferred_probe_work_func+0x7c/0xb8
     process_one_work+0x128/0x21c
     process_scheduled_works+0x40/0x54
     worker_thread+0x1ec/0x2a8
     kthread+0x138/0x158
     ret_from_fork+0x10/0x20

Fix it by making sure there are any bits to mask out.
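
The arithmetic behind the report and the guard described above, as an added userspace example (not the kernel's code). It assumes a 64-bit unsigned long, a signed int nbits, and GENMASK(h, 0) reducing to ~0UL >> (BITS_PER_LONG - 1 - h); all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_BYTE 8
#define BITS_PER_LONG 64        /* assumption: models the 64-bit system in the report */

/* Shift count GENMASK(h, 0) applies to ~0UL: BITS_PER_LONG - 1 - h. */
static int genmask_shift_exponent(int h)
{
    return BITS_PER_LONG - 1 - h;
}

/* GENMASK(h, 0) that rejects an out-of-range shift instead of executing it. */
static int genmask_checked(int h, uint64_t *mask)
{
    int exp = genmask_shift_exponent(h);

    if (exp < 0 || exp >= BITS_PER_LONG)
        return -1;              /* this is where UBSAN would fire */
    *mask = ~UINT64_C(0) >> exp;
    return 0;
}

/* Unguarded form: always builds the mask; -1 marks the undefined case. */
static int mask_last_byte_unguarded(uint8_t *p, int nbits)
{
    uint64_t mask;

    if (genmask_checked((nbits % BITS_PER_BYTE) - 1, &mask))
        return -1;
    *p &= (uint8_t)mask;
    return 0;
}

/* Guarded form: mask only when the last byte has leftover bits. */
static int mask_last_byte_guarded(uint8_t *p, int nbits)
{
    if (nbits % BITS_PER_BYTE)
        return mask_last_byte_unguarded(p, nbits);
    return 0;                   /* byte-sized cell: nothing to mask out */
}

int main(void)
{
    uint8_t b = 0xff;           /* constructed sample byte */
    printf("nbits=16 exponent=%d\n", genmask_shift_exponent(16 % BITS_PER_BYTE - 1));
    printf("unguarded=%d\n", mask_last_byte_unguarded(&b, 16));
    printf("guarded=%d byte=0x%02x\n", mask_last_byte_guarded(&b, 12), b);
    return 0;
}
```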