From: Kees Cook <kees@kernel.org>
To: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Alison Schofield <alison.schofield@intel.com>,
Vishal Verma <vishal.l.verma@intel.com>,
Dave Jiang <dave.jiang@intel.com>,
Ira Weiny <ira.weiny@intel.com>,
"Rafael J. Wysocki" <rafael@kernel.org>,
Len Brown <lenb@kernel.org>,
nvdimm@lists.linux.dev, linux-acpi@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2][next] acpi: nfit: intel: Avoid multiple -Wflex-array-member-not-at-end warnings
Date: Wed, 30 Apr 2025 14:19:46 -0700 [thread overview]
Message-ID: <202504301400.3B1EACEB@keescook> (raw)
In-Reply-To: <c4828c41-e46c-43c9-a73a-38ce8ab2c1c4@embeddedor.com>
On Wed, Apr 30, 2025 at 02:07:24PM -0600, Gustavo A. R. Silva wrote:
>
>
> On 30/04/25 13:41, Gustavo A. R. Silva wrote:
> >
> >
> > On 27/03/25 08:03, Dan Williams wrote:
> > > Gustavo A. R. Silva wrote:
> > > > -Wflex-array-member-not-at-end was introduced in GCC-14, and we are
> > > > getting ready to enable it, globally.
> > > >
> > > > Use the `DEFINE_RAW_FLEX()` helper for on-stack definitions of
> > > > a flexible structure where the size of the flexible-array member
> > > > is known at compile-time, and refactor the rest of the code,
> > > > accordingly.
> > > >
> > > > So, with these changes, fix a dozen of the following warnings:
> > > >
> > > > drivers/acpi/nfit/intel.c:692:35: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
> > > >
> > > > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> > > > ---
> > > > Changes in v2:
> > > > - Use DEFINE_RAW_FLEX() instead of __struct_group().
> > > >
> > > > v1:
> > > > - Link: https://lore.kernel.org/linux-hardening/Z618ILbAR8YAvTkd@kspp/
> > > >
> > > > drivers/acpi/nfit/intel.c | 388 ++++++++++++++++++--------------------
> > > > 1 file changed, 179 insertions(+), 209 deletions(-)
> > > >
> > > > diff --git a/drivers/acpi/nfit/intel.c b/drivers/acpi/nfit/intel.c
> > > > index 3902759abcba..114d5b3bb39b 100644
> > > > --- a/drivers/acpi/nfit/intel.c
> > > > +++ b/drivers/acpi/nfit/intel.c
> > > > @@ -55,21 +55,17 @@ static unsigned long intel_security_flags(struct nvdimm *nvdimm,
> > > > {
> > > > struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
> > > > unsigned long security_flags = 0;
> > > > - struct {
> > > > - struct nd_cmd_pkg pkg;
> > > > - struct nd_intel_get_security_state cmd;
> > > > - } nd_cmd = {
> > > > - .pkg = {
> > > > - .nd_command = NVDIMM_INTEL_GET_SECURITY_STATE,
> > > > - .nd_family = NVDIMM_FAMILY_INTEL,
> > > > - .nd_size_out =
> > > > - sizeof(struct nd_intel_get_security_state),
> > > > - .nd_fw_size =
> > > > - sizeof(struct nd_intel_get_security_state),
> > > > - },
> > > > - };
> > > > + DEFINE_RAW_FLEX(struct nd_cmd_pkg, nd_cmd, nd_payload,
> > > > + sizeof(struct nd_intel_get_security_state));
> > > > + struct nd_intel_get_security_state *cmd =
> > > > + (struct nd_intel_get_security_state *)nd_cmd->nd_payload;
> > > > int rc;
> > > > + nd_cmd->nd_command = NVDIMM_INTEL_GET_SECURITY_STATE;
> > > > + nd_cmd->nd_family = NVDIMM_FAMILY_INTEL;
> > > > + nd_cmd->nd_size_out = sizeof(struct nd_intel_get_security_state);
> > > > + nd_cmd->nd_fw_size = sizeof(struct nd_intel_get_security_state);
> > >
> > > Can this keep the C99 init-style with something like (untested):
> > >
> > > _DEFINE_FLEX(struct nd_cmd_pkg, nd_cmd, nd_payload,
> > > sizeof(struct nd_intel_get_security_state), {
> > > .pkg = {
> > > .nd_command = NVDIMM_INTEL_GET_SECURITY_STATE,
> > > .nd_family = NVDIMM_FAMILY_INTEL,
> > > .nd_size_out =
> > > sizeof(struct nd_intel_get_security_state),
> > > .nd_fw_size =
> > > sizeof(struct nd_intel_get_security_state),
> > > },
> > > });
> > >
> > >
> > > ?
> >
> > The code below works - however, notice that in this case we should
> > go through 'obj', which is an object defined in _DEFINE_FLEX().
> >
> > _DEFINE_FLEX(struct nd_cmd_pkg, nd_cmd, nd_payload,
> > sizeof(struct nd_intel_get_security_state), = {
> > .obj = {
> > .nd_command = NVDIMM_INTEL_GET_SECURITY_STATE,
> > .nd_family = NVDIMM_FAMILY_INTEL,
> > .nd_size_out =
> > sizeof(struct nd_intel_get_security_state),
> > .nd_fw_size =
> > sizeof(struct nd_intel_get_security_state),
> > },
> > });
> >
>
> Now, I can modify the helper like this:
>
> diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> index 69533e703be5..170d3cfe7ecc 100644
> --- a/include/linux/overflow.h
> +++ b/include/linux/overflow.h
> @@ -404,7 +404,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend)
> union { \
> u8 bytes[struct_size_t(type, member, count)]; \
> type obj; \
> - } name##_u initializer; \
> + } name##_u = { .obj initializer }; \
> type *name = (type *)&name##_u
Ah yeah, nice. That could work!
I wish we could make it more idiomatic, but even if we pushed the
initializer to the end, we have to repeat the type...
#define _DEFINE_FLEX(type, name, member, count, initializer...) \
_Static_assert(__builtin_constant_p(count), \
"onstack flex array members require compile-time const count"); \
union { \
u8 bytes[struct_size_t(type, member, count)]; \
type obj; \
} name##_u = { }; \
type *name = (type *)&name##_u; \
*name
_DEFINE_FLEX(struct nd_cmd_pkg, nd_cmd, nd_payload,
sizeof(struct nd_intel_get_security_state))
= (struct nd_cmd_pkg){
.nd_command = NVDIMM_INTEL_GET_SECURITY_STATE,
.nd_family = NVDIMM_FAMILY_INTEL,
.nd_size_out =
sizeof(struct nd_intel_get_security_state),
.nd_fw_size =
sizeof(struct nd_intel_get_security_state),
};
So, I think what you have is more readable (or perhaps less surprising),
even if a little "weird". :)
>
> /**
>
> and then we can use the helper as follows:
>
> _DEFINE_FLEX(struct nd_cmd_pkg, nd_cmd, nd_payload,
> sizeof(struct nd_intel_get_security_state), = {
> .nd_command = NVDIMM_INTEL_GET_SECURITY_STATE,
> .nd_family = NVDIMM_FAMILY_INTEL,
> .nd_size_out =
> sizeof(struct nd_intel_get_security_state),
> .nd_fw_size =
> sizeof(struct nd_intel_get_security_state),
> });
>
> OK, I'll go and update the helper.
Sounds good!
-Kees
--
Kees Cook
prev parent reply other threads:[~2025-04-30 21:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-26 16:20 [PATCH v2][next] acpi: nfit: intel: Avoid multiple -Wflex-array-member-not-at-end warnings Gustavo A. R. Silva
2025-03-27 3:19 ` Ira Weiny
2025-03-27 14:03 ` Dan Williams
2025-04-30 19:41 ` Gustavo A. R. Silva
2025-04-30 20:07 ` Gustavo A. R. Silva
2025-04-30 21:19 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202504301400.3B1EACEB@keescook \
--to=kees@kernel.org \
--cc=alison.schofield@intel.com \
--cc=dan.j.williams@intel.com \
--cc=dave.jiang@intel.com \
--cc=gustavo@embeddedor.com \
--cc=gustavoars@kernel.org \
--cc=ira.weiny@intel.com \
--cc=lenb@kernel.org \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nvdimm@lists.linux.dev \
--cc=rafael@kernel.org \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox