From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-dl1-f47.google.com (mail-dl1-f47.google.com [74.125.82.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E648E334681 for ; Fri, 10 Apr 2026 22:48:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.47 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775861282; cv=none; b=gMwtTD3KqDyJEBpqLs1S1y6141fq3gKVB9Cg3/f3MHxkgjjkbY8yuFOxSGJU8sPDqx3DWHDJxipqQAMIgbLOeOpveHuw/38/Bg8ABOU71UJsEtkI9YW4BaYQHTA0H4q/qax8DvNYCF5VtLDu+/HQqRdCbzTX9XIPANMi8W7IpzQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775861282; c=relaxed/simple; bh=hPru58oWwU9otMvcO3a67mvX+0gv3ropSQ062zAqvsE=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=eV6ELVnQgocF0dymlW0LUNzx9AjcthbVp+8mu9JQImq/wLxg+xBZj4Pyiz2Kf2nFFlPyVT5dwnsbPeJeNpFQIF+g2Zsqgj6xENYUq+zClGLhPnscmAqhBmQKQIYzgQPMo6nvOOwqft2fA+BA6J8hx2hjFV+sfBw1IhJ8QAuTy6Q= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=VIyCECSw; arc=none smtp.client-ip=74.125.82.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="VIyCECSw" Received: by mail-dl1-f47.google.com with SMTP id a92af1059eb24-1279eced0b9so3865138c88.0 for ; Fri, 10 Apr 2026 15:48:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775861280; x=1776466080; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=QTxNYnizVQS5DoTeHSomY7vjG5MdvS+/woov2XbZ558=; b=VIyCECSwvhO+ox4ANOpY96zpCb7Y3XoaIA1QVDuz5jKU9ja8E8qGefGPk4S8eOXTyx 1ADUHufXqbinPWPbDtrfiZzpS7r58bIYFXGN2hnnL9/lmW0JHk/7MER/CkjWZPY9gN4c vAMM5cPP61pq44LxZ2ydHzDy5UAQoFY/wE+yuOsLYsSoXjmn32eK+BL/xPi0PDGzQ6H+ 3OLppRTZtnHUZydciHF0I1M4DjovSqvUaxdgwWBU5lNdLZvVv6VgoV+caE6Kglxt4uL8 j1PWpe2BtxVCJe4LwWf+zMk+ap/HwqgGpaO3uhWXGPwG9kydVvk7rczgRHRUXVWF7XYN mWXw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775861280; x=1776466080; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=QTxNYnizVQS5DoTeHSomY7vjG5MdvS+/woov2XbZ558=; b=q9AiimoE5OrYDGpOjmLKcS7iB5BcLIP8qdeGTL3YJPxl8hAbIxkAt0bp43rq6WAl6z KDM5fqB9TOVmxjmrjrMrvnGjEdwEFaotjG53L3ZnL9tZp3RHRUZcTbc7GB26gkvWVoaP MjIS5dUuy2rQbqoLyzlVwqqzZQ5GQqQNnYx43wtL5Mm7tt10ioBFWfEXBBcjFgqU2F7K ndth4YgiW0OYHEVzfAJTABVb0f+VAS2ts/k3gM6FcdGpLwU8U7Hth4Ncfnxan9souCh6 +bim2I8tWgzMEFBDuyD6SGE0HL26C9RKaDV4T8OWq1z/s3opu+246N3lZbABrVJKWQXD hhdg== X-Forwarded-Encrypted: i=1; AJvYcCVvjpcX6REHua0F03G1f0iJmfSHu93be5oLJ/6kRYCzr8FAucQLMPyy8h+pbNN0TLJKu/KBnhCfEvWygZM=@vger.kernel.org X-Gm-Message-State: AOJu0Yw3YllQQ0plZ3HsKT4nTXL6hRlwdpFo+RN6CamNIU6/qhIlZmv8 oQzInaShL+P6aLjQeKqlITt33Mafpd4j/v6E9Xk4RvZnHk8ChncXpbw+ X-Gm-Gg: AeBDieviMNoJ3FsCEVrjqvgZCy5erH54QRYTE6NacQw1OiNaVZToq/1gPM19STgo9V3 7U1z2m7G5bLWlPoRUnWzdLNG8e5YUaEok8wb3UYZZrMVWIF3wlXp5WGaoVuTLAZPDaf5nwsjRer i5K6vd3gjBdwzwb0Rvl2ppsFX3Nff1UVHivxMPwiGCqz1y7rrA+pQzt443aPMMjJbTJ/2lJ4QWZ 3wQHUBLBEIW0GlyJrH5ckYIgMZqBIw3GCIY1LRFYa/yWXHpuG3JNlAyTTeb0MRpIpEXKP2Xe5ah xNjkVBXXQPtxFB4+8gMGpp6bLrY8yu8gUJdhX9eeZh4sH4lNoXFzpsnuVqeHOiQDICGbgPHKPUl 1xTVhKRUctcpGkMXaO9A+EH5lJMx6koV9VA/UpK5m5z8Ll0ubuSNM8UD/8/YQjjKiUzZznDg5GD C9I2hPrPROG8oySjlAl9oIHjs3+fXJSVhhpgmGn7i9 X-Received: by 2002:a05:7300:6d03:b0:2d2:fe3e:b763 with SMTP id 5a478bee46e88-2d589462e7bmr2955704eec.22.1775861279883; Fri, 10 Apr 2026 15:47:59 -0700 (PDT) Received: from [192.168.86.23] ([136.25.189.61]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2d561cd2a4esm7957243eec.16.2026.04.10.15.47.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 10 Apr 2026 15:47:59 -0700 (PDT) Message-ID: Date: Fri, 10 Apr 2026 15:47:58 -0700 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH 1/2] misc: pci_endpoint_test: validate BAR index in doorbell test To: Koichiro Den , carlos.bilbao@kernel.org Cc: mani@kernel.org, kwilczynski@kernel.org, kishon@kernel.org, arnd@arndb.de, gregkh@linuxfoundation.org, linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org, bilbao@vt.edu References: <20260404012002.111873-1-carlos.bilbao@kernel.org> <20260404012002.111873-2-carlos.bilbao@kernel.org> Content-Language: en-US From: Carlos Bilbao In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Hello, On 4/6/26 09:39, Koichiro Den wrote: > On Fri, Apr 03, 2026 at 06:20:01PM -0700, carlos.bilbao@kernel.org wrote: >> From: Carlos Bilbao >> >> pci_endpoint_test_doorbell() reads the BAR number directly from an endpoint >> test register and uses it as an index into test->bar[] without bounds >> checking. Since the value is a raw u32 from device MMIO, any value is >> possible and if greater than or equal to PCI_STD_NUM_BARS the access goes >> out of bounds. >> >> Add a bounds check before dereferencing test->bar[bar]. >> >> Fixes: eefb83790a0d ("misc: pci_endpoint_test: Add doorbell test case") >> Signed-off-by: Carlos Bilbao (Lambda) >> --- >> drivers/misc/pci_endpoint_test.c | 5 +++++ >> 1 file changed, 5 insertions(+) >> >> diff --git a/drivers/misc/pci_endpoint_test.c b/drivers/misc/pci_endpoint_test.c >> index 74ab5b5b9011..276bed3f1c18 100644 >> --- a/drivers/misc/pci_endpoint_test.c >> +++ b/drivers/misc/pci_endpoint_test.c >> @@ -1089,6 +1089,11 @@ static int pci_endpoint_test_doorbell(struct pci_endpoint_test *test) >> pci_endpoint_test_writel(test, PCI_ENDPOINT_TEST_STATUS, 0); >> >> bar = pci_endpoint_test_readl(test, PCI_ENDPOINT_TEST_DB_BAR); >> + if (bar >= PCI_STD_NUM_BARS) { >> + dev_err(dev, "BAR %u reported by endpoint out of range [0, %u]\n", >> + bar, PCI_STD_NUM_BARS - 1); >> + return -EINVAL; >> + } > Hi, > > On the EP-side (pci-epf-test.c), doorbell_bar is set to NO_BAR or a valid BAR > number in the range 0..(PCI_STD_NUM_BARS-1), so if we add such a safeguard here, > we might as well handle NO_BAR explicitly. > > That said, I'm not sure this check is really needed. At this point > COMMAND_ENABLE_DOORBELL should have succeeded, so bar is expected to always be > within the valid range. Whether such defensive checks are desirable probably > depends on the maintainers' preference. In any case, I don't think a Fixes tag > is appropriate here. > > Also, even if the intention is also to guard against an "all 1's" value scenario > on errors, then I think it might be better to handle that in a more centralized > way, since the same concern would apply to other similar reads as well. Thanks for the feedback. I'll send a v2 with changes here to handle bar < BAR_0 as well as dropping the Fixes tag. > > Best regards, > Koichiro > >> >> writel(data, test->bar[bar] + addr); >> >> -- >> 2.43.0 >> >> Thanks, Carlos