Re: [PATCH] PCI: endpoint: pci-epf-vntb: Use array_index_nospec() on mws_size[] access
From: Manivannan Sadhasivam
Date: Wed Feb 18 2026 - 09:02:15 EST
On Wed, Feb 18, 2026 at 01:47:33PM +0900, Koichiro Den wrote:
> On Tue, Feb 17, 2026 at 07:20:23PM +0530, Manivannan Sadhasivam wrote:
> > On Mon, Jan 05, 2026 at 04:56:06PM +0900, Koichiro Den wrote:
> > > Follow common kernel idioms for indices derived from configfs attributes
> > > and suppress Smatch warnings:
> > >
> > > epf_ntb_mw1_show() warn: potential spectre issue 'ntb->mws_size' [r]
> > > epf_ntb_mw1_store() warn: potential spectre issue 'ntb->mws_size' [w]
> > >
> > > Also fix the error message for out-of-range MW indices and %lld format
> > > for unsigned values.
> > >
> > > Reviewed-by: Frank Li <Frank.Li@xxxxxxx>
> > > Signed-off-by: Koichiro Den <den@xxxxxxxxxxxxx>
> > > ---
> > > Base: https://github.com/jonmason/ntb/commit/68113d260674 (ntb-next)
> > > This is a spin-off patch from the following series:
> > > https://lore.kernel.org/all/20251217151609.3162665-2-den@xxxxxxxxxxxxx/
> > >
> > > drivers/pci/endpoint/functions/pci-epf-vntb.c | 24 +++++++++++--------
> > > 1 file changed, 14 insertions(+), 10 deletions(-)
> > >
> > > diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
> > > index 83e9ab10f9c4..192dd4f4de8d 100644
> > > --- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
> > > +++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
> > > @@ -876,17 +876,19 @@ static ssize_t epf_ntb_##_name##_show(struct config_item *item, \
> > > struct config_group *group = to_config_group(item); \
> > > struct epf_ntb *ntb = to_epf_ntb(group); \
> > > struct device *dev = &ntb->epf->dev; \
> > > - int win_no; \
> > > + int win_no, idx; \
> > > \
> > > if (sscanf(#_name, "mw%d", &win_no) != 1) \
> > > return -EINVAL; \
> > > \
> > > - if (win_no <= 0 || win_no > ntb->num_mws) { \
> > > - dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \
> > > + idx = win_no - 1; \
> > > + if (idx < 0 || idx >= ntb->num_mws) { \
> > > + dev_err(dev, "MW%d out of range (num_mws=%d)\n", \
> > > + win_no, ntb->num_mws); \
> > > return -EINVAL; \
> >
> > This should be -ERANGE, but in a separate patch.
> >
> > > } \
> > > - \
> > > - return sprintf(page, "%lld\n", ntb->mws_size[win_no - 1]); \
> > > + idx = array_index_nospec(idx, ntb->num_mws); \
> > > + return sprintf(page, "%llu\n", ntb->mws_size[idx]); \
> > > }
> > >
> > > #define EPF_NTB_MW_W(_name) \
> > > @@ -896,7 +898,7 @@ static ssize_t epf_ntb_##_name##_store(struct config_item *item, \
> > > struct config_group *group = to_config_group(item); \
> > > struct epf_ntb *ntb = to_epf_ntb(group); \
> > > struct device *dev = &ntb->epf->dev; \
> > > - int win_no; \
> > > + int win_no, idx; \
> > > u64 val; \
> > > int ret; \
> > > \
> > > @@ -907,12 +909,14 @@ static ssize_t epf_ntb_##_name##_store(struct config_item *item, \
> > > if (sscanf(#_name, "mw%d", &win_no) != 1) \
> > > return -EINVAL; \
> > > \
> > > - if (win_no <= 0 || win_no > ntb->num_mws) { \
> > > - dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \
> > > + idx = win_no - 1; \
> > > + if (idx < 0 || idx >= ntb->num_mws) { \
> > > + dev_err(dev, "MW%d out of range (num_mws=%d)\n", \
> > > + win_no, ntb->num_mws); \
> > > return -EINVAL; \
> >
> > Same here.
> >
> > - Mani
>
> Thanks for the comment. I will send a separate patch for that.
>
> Before doing so, I have a quick question regarding the routing of pci-epf-vntb
> patches.
>
> Commit e4fe2a2fc423 ("MAINTAINERS: add PCI Endpoint NTB drivers to NTB files")
> places pci-epf-vntb under the NTB subsystem. However, I'm not entirely sure
> which tree (NTB or PCI EP) is expected to take changes to pci-epf-vntb.
>
> Should updates be based on the NTB tree or the PCI EP tree?
There is no specific entry for the VNTB driver and we usually pick this driver
patches through the PCI tree. Initially this driver patches went through NTB
tree, but that got changed long back.
> Sorry if this has already been clarified and I just overlooked it.
>
No worries.
- Mani
--
மணிவண்ணன் சதாசிவம்