PCI: endpoint: pci-epf-ntb: Add check to detect 'db_count' value of 0

epf_ntb->db_count value should be within 1 to MAX_DB_COUNT. Current code
only checks for the upper bound, while the lower bound is unchecked. This
can cause a lot of issues in the driver if the user passes 'db_count' as 0.

Add a check for 0 also. While at it, remove the redundant 'db_count'
variable from epf_ntb_configure_interrupt().

Fixes: 8b821cf76150 ("PCI: endpoint: Add EP function driver to provide NTB functionality")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20260407124421.282766-3-mani@kernel.org

diff --git a/drivers/pci/endpoint/functions/pci-epf-ntb.c b/drivers/pci/endpoint/functions/pci-epf-ntb.c
index 2bdcc35b652cfb4d72f93c2d3a5dffb6a2d5258b..5314aca2188a00cdc14bf0094631e289014353cc 100644 (file)
--- a/drivers/pci/endpoint/functions/pci-epf-ntb.c
+++ b/drivers/pci/endpoint/functions/pci-epf-ntb.c
@@ -559,12 +559,15 @@ static int epf_ntb_configure_db(struct epf_ntb *ntb,
        struct pci_epc *epc;
        int ret;
 
-       if (db_count > MAX_DB_COUNT)
-               return -EINVAL;
-
        ntb_epc = ntb->epc[type];
        epc = ntb_epc->epc;
 
+       if (!db_count || db_count > MAX_DB_COUNT) {
+               dev_err(&epc->dev, "DB count %d out of range (1 - %d)\n",
+                       db_count, MAX_DB_COUNT);
+               return -EINVAL;
+       }
+
        if (msix)
                ret = epf_ntb_configure_msix(ntb, type, db_count);
        else
@@ -1278,7 +1281,6 @@ static int epf_ntb_configure_interrupt(struct epf_ntb *ntb,
        u8 func_no, vfunc_no;
        struct pci_epc *epc;
        struct device *dev;
-       u32 db_count;
        int ret;
 
        ntb_epc = ntb->epc[type];
@@ -1296,17 +1298,16 @@ static int epf_ntb_configure_interrupt(struct epf_ntb *ntb,
        func_no = ntb_epc->func_no;
        vfunc_no = ntb_epc->vfunc_no;
 
-       db_count = ntb->db_count;
-       if (db_count > MAX_DB_COUNT) {
-               dev_err(dev, "DB count cannot be more than %d\n", MAX_DB_COUNT);
+       if (!ntb->db_count || ntb->db_count > MAX_DB_COUNT) {
+               dev_err(dev, "DB count %d out of range (1 - %d)\n",
+                       ntb->db_count, MAX_DB_COUNT);
                return -EINVAL;
        }
 
-       ntb->db_count = db_count;
        epc = ntb_epc->epc;
 
        if (msi_capable) {
-               ret = pci_epc_set_msi(epc, func_no, vfunc_no, db_count);
+               ret = pci_epc_set_msi(epc, func_no, vfunc_no, ntb->db_count);
                if (ret) {
                        dev_err(dev, "%s intf: MSI configuration failed\n",
                                pci_epc_interface_string(type));
@@ -1315,7 +1316,7 @@ static int epf_ntb_configure_interrupt(struct epf_ntb *ntb,
        }
 
        if (msix_capable) {
-               ret = pci_epc_set_msix(epc, func_no, vfunc_no, db_count,
+               ret = pci_epc_set_msix(epc, func_no, vfunc_no, ntb->db_count,
                                       ntb_epc->msix_bar,
                                       ntb_epc->msix_table_offset);
                if (ret) {