lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aPvIIPHk0L4jSv9H@lizhi-Precision-Tower-5810>
Date: Fri, 24 Oct 2025 14:40:32 -0400
From: Frank Li <Frank.li@....com>
To: Koichiro Den <den@...inux.co.jp>
Cc: ntb@...ts.linux.dev, linux-pci@...r.kernel.org,
	dmaengine@...r.kernel.org, linux-kernel@...r.kernel.org,
	mani@...nel.org, kwilczynski@...nel.org, kishon@...nel.org,
	bhelgaas@...gle.com, corbet@....net, vkoul@...nel.org,
	jdmason@...zu.us, dave.jiang@...el.com, allenbh@...il.com,
	Basavaraj.Natikar@....com, Shyam-sundar.S-k@....com,
	kurt.schwemmer@...rosemi.com, logang@...tatee.com,
	jingoohan1@...il.com, lpieralisi@...nel.org, robh@...nel.org,
	jbrunet@...libre.com, fancer.lancer@...il.com, arnd@...db.de,
	pstanner@...hat.com, elfring@...rs.sourceforge.net
Subject: Re: [RFC PATCH 01/25] PCI: endpoint: pci-epf-vntb: Use
 array_index_nospec() on mws_size[] access

On Sat, Oct 25, 2025 at 01:24:29AM +0900, Koichiro Den wrote:
> On Thu, Oct 23, 2025 at 08:06:40PM -0400, Frank Li wrote:
> > On Thu, Oct 23, 2025 at 04:18:52PM +0900, Koichiro Den wrote:
> > > Follow common kernel idioms for indices derived from configfs attributes
> > > and suppress Smatch warnings:
> > >
> > >   epf_ntb_mw1_show() warn: potential spectre issue 'ntb->mws_size' [r]
> > >   epf_ntb_mw1_store() warn: potential spectre issue 'ntb->mws_size' [w]
> > >
> > > No functional changes.
> > >
> > > Signed-off-by: Koichiro Den <den@...inux.co.jp>
> > > ---
> > >  drivers/pci/endpoint/functions/pci-epf-vntb.c | 23 +++++++++++--------
> > >  1 file changed, 14 insertions(+), 9 deletions(-)
> > >
> > > diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
> > > index 83e9ab10f9c4..55307cd613c9 100644
> > > --- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
> > > +++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
> > > @@ -876,17 +876,19 @@ static ssize_t epf_ntb_##_name##_show(struct config_item *item,		\
> > >  	struct config_group *group = to_config_group(item);		\
> > >  	struct epf_ntb *ntb = to_epf_ntb(group);			\
> > >  	struct device *dev = &ntb->epf->dev;				\
> > > -	int win_no;							\
> > > +	int win_no, idx;						\
> > >  									\
> > >  	if (sscanf(#_name, "mw%d", &win_no) != 1)			\
> > >  		return -EINVAL;						\
> > >  									\
> > > -	if (win_no <= 0 || win_no > ntb->num_mws) {			\
> > > -		dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \
> > > +	idx = win_no - 1;						\
> > > +	if (idx < 0 || idx >= ntb->num_mws) {				\
> > > +		dev_err(dev, "MW%d out of range (num_mws=%d)\n",	\
> > > +			win_no, ntb->num_mws);				\
> > >  		return -EINVAL;						\
> > >  	}								\
> > > -									\
> > > -	return sprintf(page, "%lld\n", ntb->mws_size[win_no - 1]);	\
> > > +	idx = array_index_nospec(idx, ntb->num_mws);			\
> > > +	return sprintf(page, "%lld\n", ntb->mws_size[idx]);		\
> >
> > keep original check if (win_no <= 0 || win_no > ntb->num_mws)
> >
> > just
> > 	idx = array_index_nospec(win_no - 1, ntb->num_mws);
> > 	return sprintf(page, "%lld\n", ntb->mws_size[idx]);
> >
> > It should be more simple.
>
> Thanks for the review.
>
> For minimal changes, that makes sense. I'd also like to update the dev_err
> message (the "num_nws" typo, and I think what's invalid is win_no, not
> num_mws). So how about combining your suggestion with the log message
> update?

Okay!

Frank

>
> -Koichiro
>
> >
> > Frank
> > >  }
> > >
> > >  #define EPF_NTB_MW_W(_name)						\
> > > @@ -896,7 +898,7 @@ static ssize_t epf_ntb_##_name##_store(struct config_item *item,	\
> > >  	struct config_group *group = to_config_group(item);		\
> > >  	struct epf_ntb *ntb = to_epf_ntb(group);			\
> > >  	struct device *dev = &ntb->epf->dev;				\
> > > -	int win_no;							\
> > > +	int win_no, idx;						\
> > >  	u64 val;							\
> > >  	int ret;							\
> > >  									\
> > > @@ -907,12 +909,15 @@ static ssize_t epf_ntb_##_name##_store(struct config_item *item,	\
> > >  	if (sscanf(#_name, "mw%d", &win_no) != 1)			\
> > >  		return -EINVAL;						\
> > >  									\
> > > -	if (win_no <= 0 || win_no > ntb->num_mws) {			\
> > > -		dev_err(dev, "Invalid num_nws: %d value\n", ntb->num_mws); \
> > > +	idx = win_no - 1;						\
> > > +	if (idx < 0 || idx >= ntb->num_mws) {				\
> > > +		dev_err(dev, "MW%d out of range (num_mws=%d)\n",	\
> > > +			win_no, ntb->num_mws);				\
> > >  		return -EINVAL;						\
> > >  	}								\
> > >  									\
> > > -	ntb->mws_size[win_no - 1] = val;				\
> > > +	idx = array_index_nospec(idx, ntb->num_mws);			\
> > > +	ntb->mws_size[idx] = val;					\
> > >  									\
> > >  	return len;							\
> > >  }
> > > --
> > > 2.48.1
> > >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ