Re: [PATCH] PCI: endpoint: pci-epf-vntb: Use array_index_nospec() on mws_size[] access

From: Koichiro Den

Date: Wed Feb 18 2026 - 10:14:39 EST


On Wed, Feb 18, 2026 at 07:31:44PM +0530, Manivannan Sadhasivam wrote:
> On Wed, Feb 18, 2026 at 01:47:33PM +0900, Koichiro Den wrote:
> > On Tue, Feb 17, 2026 at 07:20:23PM +0530, Manivannan Sadhasivam wrote:
> > > On Mon, Jan 05, 2026 at 04:56:06PM +0900, Koichiro Den wrote:
> > > > Follow common kernel idioms for indices derived from configfs attributes
> > > > and suppress Smatch warnings:
> > > >
> > > > epf_ntb_mw1_show() warn: potential spectre issue 'ntb->mws_size' [r]
> > > > epf_ntb_mw1_store() warn: potential spectre issue 'ntb->mws_size' [w]
> > > >
> > > > Also fix the error message for out-of-range MW indices and %lld format
> > > > for unsigned values.
> > > >
> > > > Reviewed-by: Frank Li <Frank.Li@xxxxxxx>
> > > > Signed-off-by: Koichiro Den <den@xxxxxxxxxxxxx>
> > > > ---
> > > > Base: https://github.com/jonmason/ntb/commit/68113d260674 (ntb-next)
> > > > This is a spin-off patch from the following series:
> > > > https://lore.kernel.org/all/20251217151609.3162665-2-den@xxxxxxxxxxxxx/
> > > >
> > > > drivers/pci/endpoint/functions/pci-epf-vntb.c | 24 +++++++++++--------
> > > > 1 file changed, 14 insertions(+), 10 deletions(-)
> > > >
> > > > diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
> > > > index 83e9ab10f9c4..192dd4f4de8d 100644
> > > > --- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
> > > > +++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
> > > > @@ -876,17 +876,19 @@ static ssize_t epf_ntb_##_name##_show(struct config_item *item, \
> > > > struct config_group *group = to_config_group(item); \
> > > > struct epf_ntb *ntb = to_epf_ntb(group); \
> > > > struct device *dev = &ntb->epf->dev; \
> > > > - int win_no; \
> > > > + int win_no, idx; \
> > > > \
> > > > if (sscanf(#_name, "mw%d", &win_no) != 1) \
> > > > return -EINVAL; \
> > > > \
> > > > - if (win_no <= 0 || win_no > ntb->num_mws) { \
> > > > - dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \
> > > > + idx = win_no - 1; \
> > > > + if (idx < 0 || idx >= ntb->num_mws) { \
> > > > + dev_err(dev, "MW%d out of range (num_mws=%d)\n", \
> > > > + win_no, ntb->num_mws); \
> > > > return -EINVAL; \
> > >
> > > This should be -ERANGE, but in a separate patch.
> > >
> > > > } \
> > > > - \
> > > > - return sprintf(page, "%lld\n", ntb->mws_size[win_no - 1]); \
> > > > + idx = array_index_nospec(idx, ntb->num_mws); \
> > > > + return sprintf(page, "%llu\n", ntb->mws_size[idx]); \
> > > > }
> > > >
> > > > #define EPF_NTB_MW_W(_name) \
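
Review bot: In the _show macro, array_index_nospec(idx, ntb->num_mws) clamps against a runtime field rather than against the size of mws_size[], so the speculation barrier is only as tight as whatever validates num_mws elsewhere. Nothing in this hunk shows num_mws being capped at the array's length; if mws_size[] is a fixed-size array, clamping with ARRAY_SIZE(ntb->mws_size) would make the bound self-evident, otherwise the changelog should say where num_mws is limited. Also, win_no is parsed from the stringified macro argument #_name, so the index is fixed per attribute rather than taken from a written value; the changelog's "indices derived from configfs attributes" could state that explicitly.
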
> > > > @@ -896,7 +898,7 @@ static ssize_t epf_ntb_##_name##_store(struct config_item *item, \
> > > > struct config_group *group = to_config_group(item); \
> > > > struct epf_ntb *ntb = to_epf_ntb(group); \
> > > > struct device *dev = &ntb->epf->dev; \
> > > > - int win_no; \
> > > > + int win_no, idx; \
> > > > u64 val; \
> > > > int ret; \
> > > > \
> > > > @@ -907,12 +909,14 @@ static ssize_t epf_ntb_##_name##_store(struct config_item *item, \
> > > > if (sscanf(#_name, "mw%d", &win_no) != 1) \
> > > > return -EINVAL; \
> > > > \
> > > > - if (win_no <= 0 || win_no > ntb->num_mws) { \
> > > > - dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \
> > > > + idx = win_no - 1; \
> > > > + if (idx < 0 || idx >= ntb->num_mws) { \
> > > > + dev_err(dev, "MW%d out of range (num_mws=%d)\n", \
> > > > + win_no, ntb->num_mws); \
> > > > return -EINVAL; \
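
Review bot: The sscanf() parse, idx = win_no - 1, range check and dev_err() in _store are a line-for-line copy of the block in _show above. Consider factoring them into one small helper that returns the validated index or a negative errno, so the follow-up -ERANGE change and any later adjustment to the bound land in a single place.
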
> > >
> > > Same here.
> > >
> > > - Mani
> >
> > Thanks for the comment. I will send a separate patch for that.
> >
> > Before doing so, I have a quick question regarding the routing of pci-epf-vntb
> > patches.
> >
> > Commit e4fe2a2fc423 ("MAINTAINERS: add PCI Endpoint NTB drivers to NTB files")
> > places pci-epf-vntb under the NTB subsystem. However, I'm not entirely sure
> > which tree (NTB or PCI EP) is expected to take changes to pci-epf-vntb.
> >
> > Should updates be based on the NTB tree or the PCI EP tree?
>
> There is no specific entry for the VNTB driver and we usually pick this driver's
> patches through the PCI tree. Initially this driver's patches went through the NTB
> tree, but that got changed long back.

Thanks for the clarification.

Understood. I'll make sure to CC both Mani and Krzysztof explicitly for future
pci-epf-vntb related patches (e.g. the thread below).
https://lore.kernel.org/linux-pci/aqxjlfdqincb4yszn3ngjzvyiuybeoo2pyno4t2iz6ant337n4@bz37hl5nofzy/

Best regards,
Koichiro

>
> > Sorry if this has already been clarified and I just overlooked it.
> >
>
> No worries.
>
> - Mani
>
> --
> மணிவண்ணன் சதாசிவம்