Re: [PATCH v3] ethtool: Replace 0-length array with flexible array

Re: [PATCH v3] ethtool: Replace 0-length array with flexible array

[Jann Horn]

On Fri, Jan 6, 2023 at 5:28 AM Kees Cook <keescook@chromium.org> wrote:
> Zero-length arrays are deprecated[1]. Replace struct ethtool_rxnfc's
> "rule_locs" 0-length array with a flexible array. Detected with GCC 13,
> using -fstrict-flex-arrays=3:
>
> net/ethtool/common.c: In function 'ethtool_get_max_rxnfc_channel':
> net/ethtool/common.c:558:55: warning: array subscript i is outside array bounds of '__u32[0]' {aka 'unsigned int[]'} [-Warray-bounds=]
>   558 |                         .fs.location = info->rule_locs[i],
>       |                                        ~~~~~~~~~~~~~~~^~~
> In file included from include/linux/ethtool.h:19,
>                  from include/uapi/linux/ethtool_netlink.h:12,
>                  from include/linux/ethtool_netlink.h:6,
>                  from net/ethtool/common.c:3:
> include/uapi/linux/ethtool.h:1186:41: note: while referencing
> 'rule_locs'
>  1186 |         __u32                           rule_locs[0];
>       |                                         ^~~~~~~~~
>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays
>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Andrew Lunn <andrew@lunn.ch>
> Cc: kernel test robot <lkp@intel.com>
> Cc: Oleksij Rempel <linux@rempel-privat.de>
> Cc: Sean Anderson <sean.anderson@seco.com>
> Cc: Alexandru Tachici <alexandru.tachici@analog.com>
> Cc: Amit Cohen <amcohen@nvidia.com>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> v3: don't use helper (vincent)
> v2: https://lore.kernel.org/lkml/20230105233420.gonna.036-kees@kernel.org
> ---
>  include/uapi/linux/ethtool.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/uapi/linux/ethtool.h b/include/uapi/linux/ethtool.h
> index 58e587ba0450..3135fa0ba9a4 100644
> --- a/include/uapi/linux/ethtool.h
> +++ b/include/uapi/linux/ethtool.h
> @@ -1183,7 +1183,7 @@ struct ethtool_rxnfc {
>                 __u32                   rule_cnt;
>                 __u32                   rss_context;
>         };
> -       __u32                           rule_locs[0];
> +       __u32                           rule_locs[];

Stupid question: Is this syntax allowed in UAPI headers despite not
being part of standard C90 or C++? Are we relying on all C/C++
compilers for pre-C99 having gcc/clang extensions?

Re: [PATCH v3] ethtool: Replace 0-length array with flexible array

[Vincent MAILHOL]

On Fri. 6 Jan 2023 at 22:19, Jann Horn <jannh@google.com> wrote:
> On Fri, Jan 6, 2023 at 5:28 AM Kees Cook <keescook@chromium.org> wrote:
> > Zero-length arrays are deprecated[1]. Replace struct ethtool_rxnfc's
> > "rule_locs" 0-length array with a flexible array. Detected with GCC 13,
> > using -fstrict-flex-arrays=3:
> >
> > net/ethtool/common.c: In function 'ethtool_get_max_rxnfc_channel':
> > net/ethtool/common.c:558:55: warning: array subscript i is outside array bounds of '__u32[0]' {aka 'unsigned int[]'} [-Warray-bounds=]
> >   558 |                         .fs.location = info->rule_locs[i],
> >       |                                        ~~~~~~~~~~~~~~~^~~
> > In file included from include/linux/ethtool.h:19,
> >                  from include/uapi/linux/ethtool_netlink.h:12,
> >                  from include/linux/ethtool_netlink.h:6,
> >                  from net/ethtool/common.c:3:
> > include/uapi/linux/ethtool.h:1186:41: note: while referencing
> > 'rule_locs'
> >  1186 |         __u32                           rule_locs[0];
> >       |                                         ^~~~~~~~~
> >
> > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays
> >
> > Cc: "David S. Miller" <davem@davemloft.net>
> > Cc: Jakub Kicinski <kuba@kernel.org>
> > Cc: Andrew Lunn <andrew@lunn.ch>
> > Cc: kernel test robot <lkp@intel.com>
> > Cc: Oleksij Rempel <linux@rempel-privat.de>
> > Cc: Sean Anderson <sean.anderson@seco.com>
> > Cc: Alexandru Tachici <alexandru.tachici@analog.com>
> > Cc: Amit Cohen <amcohen@nvidia.com>
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
> > Cc: netdev@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > v3: don't use helper (vincent)
> > v2: https://lore.kernel.org/lkml/20230105233420.gonna.036-kees@kernel.org
> > ---
> >  include/uapi/linux/ethtool.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/include/uapi/linux/ethtool.h b/include/uapi/linux/ethtool.h
> > index 58e587ba0450..3135fa0ba9a4 100644
> > --- a/include/uapi/linux/ethtool.h
> > +++ b/include/uapi/linux/ethtool.h
> > @@ -1183,7 +1183,7 @@ struct ethtool_rxnfc {
> >                 __u32                   rule_cnt;
> >                 __u32                   rss_context;
> >         };
> > -       __u32                           rule_locs[0];
> > +       __u32                           rule_locs[];
>
> Stupid question: Is this syntax allowed in UAPI headers despite not
> being part of standard C90 or C++? Are we relying on all C/C++
> compilers for pre-C99 having gcc/clang extensions?

The [0] isn't part of the C90 standard either. So having to choose
between [0] and [], the latter is the most portable nowadays.

If I do a bit of speleology, I can see that C99 flexible array members
were used as early as v2.6.19 (released in November 2006):

  https://elixir.bootlin.com/linux/v2.6.19/source/include/linux/usb/audio.h#L36

This is prior to the include/linux and include/uapi/linux split, but
believe me, this usb/audio.h file is indeed part of the uapi.
So, yes, using C99 flexible array members in the UAPI is de facto
allowed because it was used for the last 16 years.

An interesting sub question would be:

  What are the minimum compiler requirements to build a program using
the Linux UAPI?

And, after research, I could not find the answer. The requirements to
build the kernel are well documented:

  https://docs.kernel.org/process/changes.html#changes

But no clue for the uapi. I guess that at one point in 2006, people
decided that it was time to set the minimum requirement to C99. Maybe
this matches the end of life of the latest pre-C99 GCC version? The
detailed answer must be hidden somewhere on lkml.


Yours sincerely,
Vincent Mailhol

Re: minimum compiler for Linux UAPI (was Re: [PATCH v3] ethtool: Replace 0-length array with flexible array)

[Kees Cook]

On Fri, Jan 06, 2023 at 11:25:14PM +0900, Vincent MAILHOL wrote:
> On Fri. 6 Jan 2023 at 22:19, Jann Horn <jannh@google.com> wrote:
> > On Fri, Jan 6, 2023 at 5:28 AM Kees Cook <keescook@chromium.org> wrote:
> > > Zero-length arrays are deprecated[1]. Replace struct ethtool_rxnfc's
> > > "rule_locs" 0-length array with a flexible array. Detected with GCC 13,
> > > using -fstrict-flex-arrays=3:
> [...]
> > > diff --git a/include/uapi/linux/ethtool.h b/include/uapi/linux/ethtool.h
> > > index 58e587ba0450..3135fa0ba9a4 100644
> > > --- a/include/uapi/linux/ethtool.h
> > > +++ b/include/uapi/linux/ethtool.h
> > > @@ -1183,7 +1183,7 @@ struct ethtool_rxnfc {
> > >                 __u32                   rule_cnt;
> > >                 __u32                   rss_context;
> > >         };
> > > -       __u32                           rule_locs[0];
> > > +       __u32                           rule_locs[];
> >
> > Stupid question: Is this syntax allowed in UAPI headers despite not
> > being part of standard C90 or C++? Are we relying on all C/C++
> > compilers for pre-C99 having gcc/clang extensions?
> 
> The [0] isn't part of the C90 standard either. So having to choose
> between [0] and [], the latter is the most portable nowadays.
> 
> If I do a bit of speleology, I can see that C99 flexible array members
> were used as early as v2.6.19 (released in November 2006):
> 
>   https://elixir.bootlin.com/linux/v2.6.19/source/include/linux/usb/audio.h#L36
> 
> This is prior to the include/linux and include/uapi/linux split, but
> believe me, this usb/audio.h file is indeed part of the uapi.
> So, yes, using C99 flexible array members in the UAPI is de facto
> allowed because it was used for the last 16 years.
> 
> An interesting sub question would be:
> 
>   What are the minimum compiler requirements to build a program using
> the Linux UAPI?

You're right -- we haven't explicitly documented this. C99 seems like
the defacto minimum, though.

> And, after research, I could not find the answer. The requirements to
> build the kernel are well documented:
> 
>   https://docs.kernel.org/process/changes.html#changes
> 
> But no clue for the uapi. I guess that at one point in 2006, people
> decided that it was time to set the minimum requirement to C99. Maybe
> this matches the end of life of the latest pre-C99 GCC version? The
> detailed answer must be hidden somewhere on lkml.

I would make the argument that the requirements for building Linux UAPI
should match that of building the kernel...

-- 
Kees Cook

Re: minimum compiler for Linux UAPI (was Re: [PATCH v3] ethtool: Replace 0-length array with flexible array)

[Arnd Bergmann]

On Fri, Jan 6, 2023, at 21:13, Kees Cook wrote:
> On Fri, Jan 06, 2023 at 11:25:14PM +0900, Vincent MAILHOL wrote:
>> On Fri. 6 Jan 2023 at 22:19, Jann Horn <jannh@google.com> wrote:
>> 
>>   What are the minimum compiler requirements to build a program using
>> the Linux UAPI?
>
> You're right -- we haven't explicitly documented this. C99 seems like
> the defacto minimum, though.
>
>> And, after research, I could not find the answer. The requirements to
>> build the kernel are well documented:
>> 
>>   https://docs.kernel.org/process/changes.html#changes
>> 
>> But no clue for the uapi. I guess that at one point in 2006, people
>> decided that it was time to set the minimum requirement to C99. Maybe
>> this matches the end of life of the latest pre-C99 GCC version? The
>> detailed answer must be hidden somewhere on lkml.
>
> I would make the argument that the requirements for building Linux UAPI
> should match that of building the kernel...

I think it's a bit more nuanced than that: glibc does not require
C99 but does include some kernel headers from generic library
headers, so I would not make the assumption that it's always
safe to use C99 features. On the other hand, Linux specific
device drivers whose header is only really used from one
application are free to make assumptions about the toolchain.

      Arnd