On Tue, Mar 24, 2026 at 12:03:37PM +0100, Paolo Abeni wrote:
>
>
> On 3/21/26 11:04 AM, Simon Horman wrote:
> > On Fri, Mar 20, 2026 at 05:21:01AM -0700, Erni Sri Satya Vennela wrote:
> >> mana_gd_ring_doorbell() accesses doorbell offsets up to 0xFF8 + 8 = 4KB
> >> within a doorbell page. When db_page_size is zero, the validation check
> >> in mana_gd_register_device() reduces to:
> >> db_page_off + 0 > bar0_size
> >> which passes, even though mana_gd_ring_doorbell() will access
> >> [db_page_off, db_page_off + 4KB) and may go beyond BAR0.
> >>
> >> Use max(SZ_4K, db_page_size) in the range check so that a zero or
> >> unexpectedly small db_page_size still results in a rejection when the
> >> doorbell page would fall outside BAR0.
> >
> > Thanks Erni,
> >
> > I understand the maths here. And to that extent this change makes sense to
> > me.
> > But I am curious to know how a db_page_size of zero works. I was expecting
> > some space is required there.
>
> To rephrase Simon's question, this feels like papering over a
> memory/state corruption. I think at best it deserves a cleaner explanation.
>
> /P

Thanks for pointing it out, Simon and Paolo. Now I understand the real issue: when db_page_sz is zero my patch rejects it, but doesn't explicitly point it out. Such a case means something is wrong in the hardware, which this patch silently lets escape.
I will create another patch where I will reject db_page_size < SZ_4K at the source.
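As an added illustration (not the kernel's code and not anything posted in this thread), the three forms of the check discussed above are run against constructed values; the function names, the 64 KiB BAR0 size and the overflow guard are my own assumptions:

```c
/* Added example, not the kernel's code: the BAR0 range check from the thread
 * in its original form, with the max(SZ_4K, ...) fix, and with the stricter
 * "reject db_page_size < SZ_4K" rule. Names and sizes below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SZ_4K 0x1000u  /* mana_gd_ring_doorbell() touches up to 0xFF8 + 8 */

/* Original check: with db_page_size == 0 the bound collapses to db_page_off,
 * so a page that starts inside BAR0 but ends past it is accepted. */
static bool db_page_ok_original(uint64_t off, uint64_t size, uint64_t bar0_size)
{
    return off + size <= bar0_size;
}

/* Patched check: never assume the page is smaller than the 4 KiB actually
 * accessed. The overflow guard is an extra caveat, not from the patch. */
static bool db_page_ok_fixed(uint64_t off, uint64_t size, uint64_t bar0_size)
{
    uint64_t span = size > SZ_4K ? size : SZ_4K, end;

    if (__builtin_add_overflow(off, span, &end))
        return false;
    return end <= bar0_size;
}

/* Stricter rule proposed at the end of the thread: a reported page smaller
 * than the doorbell span is a hardware/firmware fault, rejected outright
 * rather than silently rounded up. */
static bool db_page_ok_strict(uint64_t off, uint64_t size, uint64_t bar0_size)
{
    return size >= SZ_4K && db_page_ok_fixed(off, size, bar0_size);
}

int main(void)
{
    const uint64_t bar0 = 0x10000;      /* constructed 64 KiB BAR0 */
    const uint64_t off = bar0 - 0x800;  /* page starts 2 KiB before its end */

    /* the original check accepts size 0 although [off, off + 4K) exceeds BAR0 */
    printf("original: %d  fixed: %d  strict: %d\n",
           db_page_ok_original(off, 0, bar0), db_page_ok_fixed(off, 0, bar0),
           db_page_ok_strict(off, 0, bar0));
    return 0;
}
```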

