From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
To: Kees Cook <kees@kernel.org>
Cc: linux-kernel@vger.kernel.org,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
linux-hardening@vger.kernel.org
Subject: [PATCH][next] stddef: Document designated initializer semantics for __TRAILING_OVERLAP()
Date: Fri, 8 May 2026 21:28:43 -0600
Message-ID: <af6p68531gNsTM5U@kspp>
Document the designated initializer behavior for overlapping storage
between NAME and MEMBERS, and clarify the implications for static
initialization to help avoid unintended overwrites.
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
include/linux/stddef.h | 56 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/include/linux/stddef.h b/include/linux/stddef.h
index 80b6bfb944f0..36c91c725546 100644
--- a/include/linux/stddef.h
+++ b/include/linux/stddef.h
@@ -100,6 +100,62 @@ enum {
* Creates a union between a flexible-array member (FAM) in a struct and a set
* of additional members that would otherwise follow it.
*
+ * Beware that, as this helper encloses TYPE NAME and MEMBERS in the same
+ * union, designated initializers for MEMBERS may overwrite portions
+ * previously initialized through NAME.
+ *
+ * For example:
+ *
+ * struct flex {
+ * size_t count;
+ * u8 fam[];
+ * };
+ *
+ * struct composite {
+ * ...
+ * __TRAILING_OVERLAP(struct flex, flex, fam, __packed,
+ * u8 data;
+ * );
+ * } __packed;
+ *
+ * static struct composite comp = {
+ * .flex = {
+ * .count = 1,
+ * },
+ * .data = 2,
+ * };
+ *
+ * In the example above, .flex and .data initialize different views of the same
+ * union storage. Since .data is initialized last, it _may_ overwrite portions
+ * previously initialized through .flex, leading to .flex.count being zeroed
+ * out.
+ *
+ * A couple of alternatives are show below.
+ *
+ * Initialize only one view of the overlapped storage and assign the rest
+ * at run time:
+ *
+ * static struct composite comp = {
+ * .flex = {
+ * .count = 1,
+ * },
+ * };
+ *
+ * static void foo(void)
+ * {
+ * comp.data = 2;
+ * ...
+ * }
+ *
+ * (Compiler Explorer test code: https://godbolt.org/z/zz4K1Ejvf)
+ *
+ * Alternatively, move the entire initialization to run time.
+ *
+ * For an example of stack-based inialization see commit 5e54510a9389
+ * ("acpi: nfit: intel: avoid multiple -Wflex-array-member-not-at-end warnings")
+ *
+ * Link: https://git.kernel.org/linus/5e54510a9389caa9
+ *
* @TYPE: Flexible structure type name, including "struct" keyword.
* @NAME: Name for a variable to define.
* @FAM: The flexible-array member within @TYPE
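Review bot: The paragraph following the first static initializer (".data is initialized last, it _may_ overwrite portions previously initialized through .flex") does not explain why .flex.count ends up zeroed. In the example, data overlays the storage at fam, which comes after count, so a reader will expect count to survive a one-byte store. Please add a sentence stating whether the later designator selects the other view of the union and causes the earlier .flex initializer to be discarded as a whole, and whether "_may_" means the outcome depends on the compiler. Two typos in the added lines: "are show below" should be "are shown below", and "inialization" should be "initialization". The godbolt.org short link and the "Link:" trailer are unusual inside a kernel-doc comment; consider moving them to the commit message so the header does not carry URLs that can go stale.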
--
2.51.0