Re: [RFC PATCH v3 01/35] PCI: endpoint: pci-epf-vntb: Use array_index_nospec() on mws_size[] access
From: Frank Li <Frank.li@nxp.com>
Date: 2025-12-19 03:08:20
Also in:
dmaengine, linux-pci, linux-renesas-soc, lkml
On Thu, Dec 18, 2025 at 12:15:35AM +0900, Koichiro Den wrote:
Follow common kernel idioms for indices derived from configfs attributes and suppress Smatch warnings: epf_ntb_mw1_show() warn: potential spectre issue 'ntb->mws_size' [r] epf_ntb_mw1_store() warn: potential spectre issue 'ntb->mws_size' [w] Also fix the error message for out-of-range MW indices and %lld format for unsigned values. Signed-off-by: Koichiro Den <redacted> ---
Reviewed-by: Frank Li <Frank.Li@nxp.com>
quoted hunk ↗ jump to hunk
Note: I noticed [RFC PATCH v2 01/27] resurrected the Smatch warnings https://lore.kernel.org/all/20251129160405.2568284-2-den@valinux.co.jp/ (local) This RFC v3 version therefore reverts to the RFC v1 style, with one additional fix to correct the sprintf format specifier (%lld->%llu). --- drivers/pci/endpoint/functions/pci-epf-vntb.c | 24 +++++++++++-------- 1 file changed, 14 insertions(+), 10 deletions(-)diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c index 3ecc5059f92b..56aab5d354d6 100644 --- a/drivers/pci/endpoint/functions/pci-epf-vntb.c +++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c@@ -995,17 +995,19 @@ static ssize_t epf_ntb_##_name##_show(struct config_item *item, \ struct config_group *group = to_config_group(item); \ struct epf_ntb *ntb = to_epf_ntb(group); \ struct device *dev = &ntb->epf->dev; \ - int win_no; \ + int win_no, idx; \ \ if (sscanf(#_name, "mw%d", &win_no) != 1) \ return -EINVAL; \ \ - if (win_no <= 0 || win_no > ntb->num_mws) { \ - dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \ + idx = win_no - 1; \ + if (idx < 0 || idx >= ntb->num_mws) { \ + dev_err(dev, "MW%d out of range (num_mws=%d)\n", \ + win_no, ntb->num_mws); \ return -EINVAL; \ } \ - \ - return sprintf(page, "%lld\n", ntb->mws_size[win_no - 1]); \ + idx = array_index_nospec(idx, ntb->num_mws); \ + return sprintf(page, "%llu\n", ntb->mws_size[idx]); \ } #define EPF_NTB_MW_W(_name) \@@ -1015,7 +1017,7 @@ static ssize_t epf_ntb_##_name##_store(struct config_item *item, \ struct config_group *group = to_config_group(item); \ struct epf_ntb *ntb = to_epf_ntb(group); \ struct device *dev = &ntb->epf->dev; \ - int win_no; \ + int win_no, idx; \ u64 val; \ int ret; \ \@@ -1026,12 +1028,14 @@ static ssize_t epf_ntb_##_name##_store(struct config_item *item, \ if (sscanf(#_name, "mw%d", &win_no) != 1) \ return -EINVAL; \ \ - if (win_no <= 0 || win_no > ntb->num_mws) { \ - dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \ + idx = win_no - 1; \ + if (idx < 0 || idx >= ntb->num_mws) { \ + dev_err(dev, "MW%d out of range (num_mws=%d)\n", \ + win_no, ntb->num_mws); \ return -EINVAL; \ } \ - \ - ntb->mws_size[win_no - 1] = val; \ + idx = array_index_nospec(idx, ntb->num_mws); \ + ntb->mws_size[idx] = val; \ \ return len; \ } --2.51.0