misc: pci_endpoint_test: Validate BAR index in doorbell test

pci_endpoint_test_doorbell() reads the BAR number directly from an endpoint
test register and uses it as an index into test->bar[].  Add a defensive
bounds check before the dereference: positive values >= PCI_STD_NUM_BARS
are out of range, and NO_BAR (-1) as a negative signed value would slip
past an upper-bound-only check.

Signed-off-by: Carlos Bilbao (Lambda) <carlos.bilbao@kernel.org>
[mani: changed errno to -ERANGE]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20260410230300.135631-2-carlos.bilbao@kernel.org

diff --git a/drivers/misc/pci_endpoint_test.c b/drivers/misc/pci_endpoint_test.c
index dbd017cabbb92394c20d07c478518f5fefe2067e..64ac7c7c90af9bd75ac3b89d06c18ecdaa642219 100644 (file)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -1108,6 +1108,11 @@ static int pci_endpoint_test_doorbell(struct pci_endpoint_test *test)
        pci_endpoint_test_writel(test, PCI_ENDPOINT_TEST_STATUS, 0);
 
        bar = pci_endpoint_test_readl(test, PCI_ENDPOINT_TEST_DB_BAR);
+       if (bar < BAR_0 || bar >= PCI_STD_NUM_BARS) {
+               dev_err(dev, "BAR %d reported by endpoint out of range [0, %u]\n",
+                       bar, PCI_STD_NUM_BARS - 1);
+               return -ERANGE;
+       }
 
        writel(data, test->bar[bar] + addr);