* Re: [Intel-gfx] [PATCH][next] treewide: uapi: Replace zero-length arrays with flexible-array members
[not found] <20220627180432.GA136081@embeddedor>
@ 2022-06-27 18:27 ` Daniel Borkmann
[not found] ` <20220628004052.GM23621@ziepe.ca>
2022-06-27 19:53 ` Stephen Hemminger
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Daniel Borkmann @ 2022-06-27 18:27 UTC (permalink / raw)
To: Gustavo A. R. Silva, Kees Cook, linux-kernel
Cc: nvdimm, alsa-devel, kvm, dri-devel, virtualization, dm-devel,
target-devel, linux-mtd, linux-hardening, linux1394-devel,
linux-stm32, linux-s390, linux-scsi, linux-rdma, x86, kasan-dev,
lvs-devel, coreteam, v9fs-developer, intel-gfx, linux-can,
linux-raid, linux-m68k, io-uring, linux-arm-kernel, netdev,
linux-usb, linux-mmc, linux-mips, linux-perf-users, linux-sctp,
netfilter-devel, linux-fsdevel, bpf, linux-btrfs
On 6/27/22 8:04 PM, Gustavo A. R. Silva wrote:
> There is a regular need in the kernel to provide a way to declare
> having a dynamically sized set of trailing elements in a structure.
> Kernel code should always use “flexible array members”[1] for these
> cases. The older style of one-element or zero-length arrays should
> no longer be used[2].
>
> This code was transformed with the help of Coccinelle:
> (linux-5.19-rc2$ spatch --jobs $(getconf _NPROCESSORS_ONLN) --sp-file script.cocci --include-headers --dir . > output.patch)
>
> @@
> identifier S, member, array;
> type T1, T2;
> @@
>
> struct S {
> ...
> T1 member;
> T2 array[
> - 0
> ];
> };
>
> -fstrict-flex-arrays=3 is coming and we need to land these changes
> to prevent issues like these in the short future:
>
> ../fs/minix/dir.c:337:3: warning: 'strcpy' will always overflow; destination buffer has size 0,
> but the source string has length 2 (including NUL byte) [-Wfortify-source]
> strcpy(de3->name, ".");
> ^
>
> Since these are all [0] to [] changes, the risk to UAPI is nearly zero. If
> this breaks anything, we can use a union with a new member name.
>
> [1] https://en.wikipedia.org/wiki/Flexible_array_member
> [2] https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays
>
> Link: https://github.com/KSPP/linux/issues/78
> Build-tested-by: https://lore.kernel.org/lkml/62b675ec.wKX6AOZ6cbE71vtF%25lkp@intel.com/
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
> Hi all!
>
> JFYI: I'm adding this to my -next tree. :)
Fyi, this breaks BPF CI:
https://github.com/kernel-patches/bpf/runs/7078719372?check_suite_focus=true
[...]
progs/map_ptr_kern.c:314:26: error: field 'trie_key' with variable sized type 'struct bpf_lpm_trie_key' not at the end of a struct or class is a GNU extension [-Werror,-Wgnu-variable-sized-type-not-at-end]
struct bpf_lpm_trie_key trie_key;
^
1 error generated.
make: *** [Makefile:519: /tmp/runner/work/bpf/bpf/tools/testing/selftests/bpf/map_ptr_kern.o] Error 1
make: *** Waiting for unfinished jobs....
Error: Process completed with exit code 2.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Intel-gfx] [PATCH][next] treewide: uapi: Replace zero-length arrays with flexible-array members
[not found] <20220627180432.GA136081@embeddedor>
2022-06-27 18:27 ` [Intel-gfx] [PATCH][next] treewide: uapi: Replace zero-length arrays with flexible-array members Daniel Borkmann
@ 2022-06-27 19:53 ` Stephen Hemminger
2022-06-27 22:31 ` Dan Williams
2022-06-28 7:27 ` Geert Uytterhoeven
3 siblings, 0 replies; 6+ messages in thread
From: Stephen Hemminger @ 2022-06-27 19:53 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: nvdimm, alsa-devel, kvm, dri-devel, linux-kernel, dm-devel,
target-devel, linux-mtd, linux-hardening, linux1394-devel,
linux-stm32, linux-s390, linux-scsi, linux-rdma, x86, kasan-dev,
lvs-devel, coreteam, v9fs-developer, Kees Cook, intel-gfx,
linux-can, linux-raid, linux-m68k, virtualization, io-uring,
linux-arm-kernel, netdev, linux-usb, linux-mmc, linux-mips,
linux-perf-users, linux-sctp, netfilter-devel, linux-fsdevel, bpf,
linux-btrfs
On Mon, 27 Jun 2022 20:04:32 +0200
"Gustavo A. R. Silva" <gustavoars@kernel.org> wrote:
> There is a regular need in the kernel to provide a way to declare
> having a dynamically sized set of trailing elements in a structure.
> Kernel code should always use “flexible array members”[1] for these
> cases. The older style of one-element or zero-length arrays should
> no longer be used[2].
>
> This code was transformed with the help of Coccinelle:
> (linux-5.19-rc2$ spatch --jobs $(getconf _NPROCESSORS_ONLN) --sp-file script.cocci --include-headers --dir . > output.patch)
>
> @@
> identifier S, member, array;
> type T1, T2;
> @@
>
> struct S {
> ...
> T1 member;
> T2 array[
> - 0
> ];
> };
>
> -fstrict-flex-arrays=3 is coming and we need to land these changes
> to prevent issues like these in the short future:
>
> ../fs/minix/dir.c:337:3: warning: 'strcpy' will always overflow; destination buffer has size 0,
> but the source string has length 2 (including NUL byte) [-Wfortify-source]
> strcpy(de3->name, ".");
> ^
>
> Since these are all [0] to [] changes, the risk to UAPI is nearly zero. If
> this breaks anything, we can use a union with a new member name.
>
> [1] https://en.wikipedia.org/wiki/Flexible_array_member
> [2] https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays
>
> Link: https://github.com/KSPP/linux/issues/78
> Build-tested-by: https://lore.kernel.org/lkml/62b675ec.wKX6AOZ6cbE71vtF%25lkp@intel.com/
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Thanks this fixes warning with gcc-12 in iproute2.
In function ‘xfrm_algo_parse’,
inlined from ‘xfrm_state_modify.constprop’ at xfrm_state.c:573:5:
xfrm_state.c:162:32: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
162 | buf[j] = val;
| ~~~~~~~^~~~~
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Intel-gfx] [PATCH][next] treewide: uapi: Replace zero-length arrays with flexible-array members
[not found] <20220627180432.GA136081@embeddedor>
2022-06-27 18:27 ` [Intel-gfx] [PATCH][next] treewide: uapi: Replace zero-length arrays with flexible-array members Daniel Borkmann
2022-06-27 19:53 ` Stephen Hemminger
@ 2022-06-27 22:31 ` Dan Williams
2022-06-28 7:27 ` Geert Uytterhoeven
3 siblings, 0 replies; 6+ messages in thread
From: Dan Williams @ 2022-06-27 22:31 UTC (permalink / raw)
To: Gustavo A. R. Silva, Kees Cook, linux-kernel
Cc: nvdimm, alsa-devel, Gustavo A. R. Silva, kvm, dri-devel,
virtualization, dm-devel, target-devel, linux-mtd,
linux-hardening, linux1394-devel, linux-stm32, linux-s390,
linux-scsi, linux-rdma, x86, kasan-dev, lvs-devel, coreteam,
v9fs-developer, intel-gfx, linux-can, linux-raid, linux-m68k,
io-uring, linux-arm-kernel, netdev, linux-usb, linux-mmc,
linux-mips, linux-perf-users, linux-sctp, netfilter-devel,
linux-fsdevel, bpf, linux-btrfs
Gustavo A. R. Silva wrote:
> There is a regular need in the kernel to provide a way to declare
> having a dynamically sized set of trailing elements in a structure.
> Kernel code should always use “flexible array members”[1] for these
> cases. The older style of one-element or zero-length arrays should
> no longer be used[2].
>
> This code was transformed with the help of Coccinelle:
> (linux-5.19-rc2$ spatch --jobs $(getconf _NPROCESSORS_ONLN) --sp-file script.cocci --include-headers --dir . > output.patch)
>
> @@
> identifier S, member, array;
> type T1, T2;
> @@
>
> struct S {
> ...
> T1 member;
> T2 array[
> - 0
> ];
> };
>
> -fstrict-flex-arrays=3 is coming and we need to land these changes
> to prevent issues like these in the short future:
>
> ../fs/minix/dir.c:337:3: warning: 'strcpy' will always overflow; destination buffer has size 0,
> but the source string has length 2 (including NUL byte) [-Wfortify-source]
> strcpy(de3->name, ".");
> ^
>
> Since these are all [0] to [] changes, the risk to UAPI is nearly zero. If
> this breaks anything, we can use a union with a new member name.
>
> [1] https://en.wikipedia.org/wiki/Flexible_array_member
> [2] https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays
>
> Link: https://github.com/KSPP/linux/issues/78
> Build-tested-by: https://lore.kernel.org/lkml/62b675ec.wKX6AOZ6cbE71vtF%25lkp@intel.com/
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
> Hi all!
>
> JFYI: I'm adding this to my -next tree. :)
>
[..]
> include/uapi/linux/ndctl.h | 10 +--
For ndctl.h
Acked-by: Dan Williams <dan.j.williams@intel.com>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Intel-gfx] [PATCH][next] treewide: uapi: Replace zero-length arrays with flexible-array members
[not found] <20220627180432.GA136081@embeddedor>
` (2 preceding siblings ...)
2022-06-27 22:31 ` Dan Williams
@ 2022-06-28 7:27 ` Geert Uytterhoeven
2022-06-28 18:05 ` Kees Cook
3 siblings, 1 reply; 6+ messages in thread
From: Geert Uytterhoeven @ 2022-06-28 7:27 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: nvdimm, ALSA Development Mailing List, KVM list, DRI Development,
Linux Kernel Mailing List, dm-devel, target-devel,
MTD Maling List, linux-hardening, linux1394-devel, linux-stm32,
linux-s390, scsi, linux-rdma, the arch/x86 maintainers, kasan-dev,
lvs-devel, coreteam, V9FS Developers, Kees Cook,
Intel Graphics Development, linux-can, linux-raid, linux-m68k,
virtualization, io-uring, Linux ARM, netdev, USB list,
Linux MMC List, open list:BROADCOM NVRAM DRIVER, linux-perf-users,
linux-sctp, NetFilter, Linux FS Devel, bpf, linux-btrfs
Hi Gustavo,
Thanks for your patch!
On Mon, Jun 27, 2022 at 8:04 PM Gustavo A. R. Silva
<gustavoars@kernel.org> wrote:
> There is a regular need in the kernel to provide a way to declare
> having a dynamically sized set of trailing elements in a structure.
> Kernel code should always use “flexible array members”[1] for these
> cases. The older style of one-element or zero-length arrays should
> no longer be used[2].
These rules apply to the kernel, but uapi is not considered part of the
kernel, so different rules apply. Uapi header files should work with
whatever compiler that can be used for compiling userspace.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Intel-gfx] [PATCH][next] treewide: uapi: Replace zero-length arrays with flexible-array members
[not found] ` <20220628004052.GM23621@ziepe.ca>
@ 2022-06-28 17:54 ` Kees Cook
0 siblings, 0 replies; 6+ messages in thread
From: Kees Cook @ 2022-06-28 17:54 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: nvdimm, alsa-devel, kvm, dri-devel, Gustavo A. R. Silva, dm-devel,
target-devel, linux-mtd, linux-hardening, linux1394-devel,
linux-stm32, linux-s390, Daniel Borkmann, linux-rdma, x86,
kasan-dev, lvs-devel, coreteam, v9fs-developer, linux-mips,
intel-gfx, linux-can, linux-raid, linux-m68k, virtualization,
io-uring, linux-arm-kernel, linux-scsi, netdev, linux-usb,
linux-mmc, linux-kernel, linux-perf-users, linux-sctp,
netfilter-devel, linux-fsdevel, bpf, linux-btrfs
On Mon, Jun 27, 2022 at 09:40:52PM -0300, Jason Gunthorpe wrote:
> On Mon, Jun 27, 2022 at 08:27:37PM +0200, Daniel Borkmann wrote:
> > [...]
> > Fyi, this breaks BPF CI:
> >
> > https://github.com/kernel-patches/bpf/runs/7078719372?check_suite_focus=true
> >
> > [...]
> > progs/map_ptr_kern.c:314:26: error: field 'trie_key' with variable sized type 'struct bpf_lpm_trie_key' not at the end of a struct or class is a GNU extension [-Werror,-Wgnu-variable-sized-type-not-at-end]
> > struct bpf_lpm_trie_key trie_key;
> > ^
The issue here seems to be a collision between "unknown array size"
and known sizes:
struct bpf_lpm_trie_key {
__u32 prefixlen; /* up to 32 for AF_INET, 128 for AF_INET6 */
__u8 data[0]; /* Arbitrary size */
};
struct lpm_key {
struct bpf_lpm_trie_key trie_key;
__u32 data;
};
This is treating trie_key as a header, which it's not: it's a complete
structure. :)
Perhaps:
struct lpm_key {
__u32 prefixlen;
__u32 data;
};
I don't see anything else trying to include bpf_lpm_trie_key.
>
> This will break the rdma-core userspace as well, with a similar
> error:
>
> /usr/bin/clang-13 -DVERBS_DEBUG -Dibverbs_EXPORTS -Iinclude -I/usr/include/libnl3 -I/usr/include/drm -g -O2 -fdebug-prefix-map=/__w/1/s=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wmissing-prototypes -Wmissing-declarations -Wwrite-strings -Wformat=2 -Wcast-function-type -Wformat-nonliteral -Wdate-time -Wnested-externs -Wshadow -Wstrict-prototypes -Wold-style-definition -Werror -Wredundant-decls -g -fPIC -std=gnu11 -MD -MT libibverbs/CMakeFiles/ibverbs.dir/cmd_flow.c.o -MF libibverbs/CMakeFiles/ibverbs.dir/cmd_flow.c.o.d -o libibverbs/CMakeFiles/ibverbs.dir/cmd_flow.c.o -c ../libibverbs/cmd_flow.c
> In file included from ../libibverbs/cmd_flow.c:33:
> In file included from include/infiniband/cmd_write.h:36:
> In file included from include/infiniband/cmd_ioctl.h:41:
> In file included from include/infiniband/verbs.h:48:
> In file included from include/infiniband/verbs_api.h:66:
> In file included from include/infiniband/ib_user_ioctl_verbs.h:38:
> include/rdma/ib_user_verbs.h:436:34: error: field 'base' with variable sized type 'struct ib_uverbs_create_cq_resp' not at the end of a struct or class is a GNU extension [-Werror,-Wgnu-variable-sized-type-not-at-end]
> struct ib_uverbs_create_cq_resp base;
> ^
> include/rdma/ib_user_verbs.h:644:34: error: field 'base' with variable sized type 'struct ib_uverbs_create_qp_resp' not at the end of a struct or class is a GNU extension [-Werror,-Wgnu-variable-sized-type-not-at-end]
> struct ib_uverbs_create_qp_resp base;
This looks very similar, a struct of unknown size is being treated as a
header struct:
struct ib_uverbs_create_cq_resp {
__u32 cq_handle;
__u32 cqe;
__aligned_u64 driver_data[0];
};
struct ib_uverbs_ex_create_cq_resp {
struct ib_uverbs_create_cq_resp base;
__u32 comp_mask;
__u32 response_length;
};
And it only gets used here:
DECLARE_UVERBS_WRITE(IB_USER_VERBS_CMD_CREATE_CQ,
ib_uverbs_create_cq,
UAPI_DEF_WRITE_UDATA_IO(
struct ib_uverbs_create_cq,
struct ib_uverbs_create_cq_resp),
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
UAPI_DEF_METHOD_NEEDS_FN(create_cq)),
which must also be assuming it's a header. So probably better to just
drop the driver_data field? I don't see anything using it (that I can
find) besides as a sanity-check that the field exists and is at the end
of the struct.
--
Kees Cook
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Intel-gfx] [PATCH][next] treewide: uapi: Replace zero-length arrays with flexible-array members
2022-06-28 7:27 ` Geert Uytterhoeven
@ 2022-06-28 18:05 ` Kees Cook
0 siblings, 0 replies; 6+ messages in thread
From: Kees Cook @ 2022-06-28 18:05 UTC (permalink / raw)
To: Geert Uytterhoeven
Cc: nvdimm, ALSA Development Mailing List, Gustavo A. R. Silva,
KVM list, DRI Development, open list:BROADCOM NVRAM DRIVER,
dm-devel, target-devel, MTD Maling List, linux-hardening,
linux1394-devel, linux-stm32, linux-s390, scsi, linux-rdma,
the arch/x86 maintainers, kasan-dev, lvs-devel, coreteam,
V9FS Developers, Intel Graphics Development, linux-can,
linux-raid, linux-m68k, virtualization, io-uring, Linux ARM,
netdev, USB list, Linux MMC List, Linux Kernel Mailing List,
linux-perf-users, linux-sctp, NetFilter, Linux FS Devel, bpf,
linux-btrfs
On Tue, Jun 28, 2022 at 09:27:21AM +0200, Geert Uytterhoeven wrote:
> Hi Gustavo,
>
> Thanks for your patch!
>
> On Mon, Jun 27, 2022 at 8:04 PM Gustavo A. R. Silva
> <gustavoars@kernel.org> wrote:
> > There is a regular need in the kernel to provide a way to declare
> > having a dynamically sized set of trailing elements in a structure.
> > Kernel code should always use “flexible array members”[1] for these
> > cases. The older style of one-element or zero-length arrays should
> > no longer be used[2].
>
> These rules apply to the kernel, but uapi is not considered part of the
> kernel, so different rules apply. Uapi header files should work with
> whatever compiler that can be used for compiling userspace.
Right, userspace isn't bound by these rules, but the kernel ends up
consuming these structures, so we need to fix them. The [0] -> []
changes (when they are not erroneously being used within other
structures) is valid for all compilers. Flexible arrays are C99; it's
been 23 years. :)
But, yes, where we DO break stuff we need to workaround it, etc.
--
Kees Cook
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-06-28 18:05 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20220627180432.GA136081@embeddedor>
2022-06-27 18:27 ` [Intel-gfx] [PATCH][next] treewide: uapi: Replace zero-length arrays with flexible-array members Daniel Borkmann
[not found] ` <20220628004052.GM23621@ziepe.ca>
2022-06-28 17:54 ` Kees Cook
2022-06-27 19:53 ` Stephen Hemminger
2022-06-27 22:31 ` Dan Williams
2022-06-28 7:27 ` Geert Uytterhoeven
2022-06-28 18:05 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox